Certified in Risk and Information Systems Control (CRISC) — Question 1402

A risk assessment has identified that an organization may not be in compliance with industry regulations. The BEST course of action would be to:

Answer options

• A. collaborate with management to meet compliance requirements
• B. conduct a gap analysis against compliance criteria
• C. identify necessary controls to ensure compliance
• D. modify internal assurance activities to include control validation

Correct answer: B

Explanation

The best action is to conduct a gap analysis against compliance criteria, as it allows the organization to identify specific areas where they fall short of regulations. While collaborating with management, identifying controls, and modifying assurance activities are important, they are steps that follow after understanding the gaps in compliance.