Certified Information Security Manager (CISM) — Question 348
An information security manager has been made aware of a new data protection regulation that will soon go into effect. Which of the following is the BEST way to manage the risk of noncompliance?
Answer options
- A. Perform a gap analysis.
- B. Consult with senior management on the best course of action.
- C. Implement a program of work to comply with the new legislation.
- D. Understand the cost of noncompliance.
Correct answer: A
Explanation
Performing a gap analysis is the best first step because it compares the organization's current controls and practices against the specific requirements of the new regulation, identifying exactly where the organization is and is not compliant. That output is what makes the other options effective: a program of work (C) can only be scoped sensibly once the gaps are known, senior management (B) can only choose a course of action when presented with concrete findings and their risk, and the cost of noncompliance (D) can only be estimated meaningfully against identified shortfalls. The other options are therefore valid but secondary steps that depend on the insight the gap analysis provides.