PrepAway - Latest Free Exam Questions & Answers

What should the information security manager do FIRST?

An organization has to comply with recently published industry regulatory
requirements—compliance that potentially has high implementation costs. What should the
information security manager do FIRST?

A. Implement a security committee.

B. Perform a gap analysis.

C. Implement compensating controls.

D. Demand immediate compliance.

Explanation:

Since they are regulatory requirements, a gap analysis would be the first step to determine the
level of compliance already in place. Implementing a security committee or compensating controls
would not be the first step. Demanding immediate compliance would not assess the situation.

