Certified Information Security Manager (CISM) — Question 396
Which of the following should an information security manager do FIRST after a new cybersecurity regulation has been introduced?
Answer options
- A. Consult corporate legal counsel.
- B. Conduct a cost-benefit analysis.
- C. Update the information security policy.
- D. Perform a gap analysis.
Correct answer: D
Explanation
The first step in addressing a new cybersecurity regulation is to perform a gap analysis: compare the regulation's requirements against the organization's current controls, policies and practices to identify where they fall short. Consulting legal counsel, conducting a cost-benefit analysis and updating the information security policy are all necessary steps, but each depends on knowing what the gaps are: the cost-benefit analysis prioritizes remediation of identified gaps, and policy updates are how those gaps are closed. Performing the gap analysis first ensures the remaining work is driven by actual compliance shortfalls.