After obtaining commitment from senior management, which of the following should be completed
NEXT when establishing an information security program?

A.
Define security metrics

B.
Conduct a risk assessment

C.
Perform a gap analysis

D.
Procure security tools

Explanation:

When establishing an information security program, conducting a risk assessment is key to
identifying the needs of the organization and developing a security strategy. Defining security
metrics, performing a gap analysis and procuring security tools are all subsequent considerations.