What should be an information security manager-s FIRST course of action when an organization is subject to a new regulatory requirement?
A. Perform a gap analysis
B. Complete a control assessment
C. Submit a business case to support compliance
D. Update the risk register