PrepAway - Latest Free Exam Questions & Answers

What should the information security manager do FIRST?

An organization has to comply with recently published industry regulatory requirements, and compliance potentially has high implementation costs. What should the information security manager do FIRST?

A. Implement a security committee.

B. Perform a gap analysis.

C. Implement compensating controls.

D. Demand immediate compliance.

Explanation:
Since they are regulatory requirements, a gap analysis would be the first step to determine the level of compliance already in place. Implementing a security committee or compensating controls would not be the first step. Demanding immediate compliance would not assess the situation.
