Certified in Risk and Information Systems Control (CRISC) — Question 1447

An organization must implement changes as the result of new regulations. Which of the following should the risk practitioner do FIRST to prepare for these changes?

Answer options

• A. Engage the legal department.
• B. Conduct a gap analysis.
• C. Implement compensating controls.
• D. Review the risk profile.

Correct answer: B

Explanation

The correct action is to conduct a gap analysis (B), as it helps identify the differences between current practices and the new regulatory requirements. Engaging the legal department (A) and reviewing the risk profile (D) are important but come after understanding the specific gaps. Implementing compensating controls (C) is a subsequent step that follows the gap analysis.