A new version of an information security regulation is published that requires an organization’s compliance. The information security manager should FIRST:
A . perform an audit based on the new version of the regulation.
B . conduct a risk assessment to determine the risk of noncompliance.
C . conduct benchmarking against similar organizations.
D . perform a gap analysis against the new regulation.
Answer: D