Certified in Risk and Information Systems Control (CRISC) — Question 236
Which of the following should be the FIRST step when a company is made aware of new regulatory requirements impacting IT?
Answer options
- A. Perform a risk assessment.
- B. Prioritize impact to the business units.
- C. Perform a gap analysis.
- D. Review the risk tolerance and appetite.
Correct answer: C
Explanation
The correct answer is C, as performing a gap analysis is essential to identify the differences between current practices and the new regulatory requirements. The other options, while important, should follow the gap analysis, since it is the gap analysis that establishes which specific changes need to be addressed.