Certified in Risk and Information Systems Control (CRISC) — Question 781
Which of the following would be a risk practitioner's BEST recommendation upon learning of an updated cybersecurity regulation that could impact the organization?
Answer options
- A. Update security policies
- B. Conduct system testing
- C. Implement compensating controls
- D. Perform a gap analysis
Correct answer: D
Explanation
Performing a gap analysis is essential because it identifies the discrepancies between current security practices and the new regulatory requirements. Updating policies, testing systems, and implementing controls are important steps, but they should be based on the findings of the gap analysis to ensure compliance.