Certified in Risk and Information Systems Control (CRISC) — Question 462
An organization is required to comply with updates to an existing data protection regulation. Which of the following should the risk practitioner recommend be done FIRST?
Answer options
- A. Perform effectiveness testing for the organization's data protection controls.
- B. Determine whether risk responses associated with the previous regulation are still adequate.
- C. Perform a gap analysis to determine if additional controls are required.
- D. Develop new internal control assessments for the updated regulation.
Correct answer: C
Explanation
The correct answer is C: a gap analysis identifies where the current control framework falls short of the updated regulation. Options A and D are premature, since the gaps must be understood before control effectiveness can be tested or new assessments developed. Option B is also incorrect because reviewing responses to the previous regulation does not address the immediate need to align with the updated one.