
Exam CISM topic 1 question 3 discussion

Actual exam question from Isaca's CISM
Question #: 3
Topic #: 1

To gain a clear understanding of the impact that a new regulatory requirement will have on an organization's information security controls, an information security manager should FIRST:

  • A. conduct a cost-benefit analysis.
  • B. conduct a risk assessment.
  • C. interview senior management.
  • D. perform a gap analysis.
Suggested Answer: B

Comments

Broesweelies
Highly Voted 9 months ago
Clearly it is B. How do you gain a clear understanding of the impact of new regulations? Perform a risk assessment. If the question were "What is the first step in getting compliant?", then a gap analysis would be correct. But not in this case.
upvoted 31 times
Azurefox79
1 year, 10 months ago
So many upvotes on an incorrect answer. It's D. You have controls, and a new policy says you need these X new controls. A gap analysis shows you which you already have and which you don't have. The gap will show you the impact of the regulation by showing all the items you need to do to become compliant.
upvoted 18 times
lockupmanjc
1 year, 2 months ago
I completely agree with your explanation.
upvoted 2 times
CarlLimps
2 years, 4 months ago
I believe you are wrong. D makes sense here. What would you do an assessment on? It's more logical to do a gap analysis on where the security program is for the NEW regulation (very specific), then do a risk assessment on the security program.
upvoted 17 times
strong1
1 year, 1 month ago
Well explained, Broesweelies. Now I understand why the correct answer is B, thanks.
upvoted 2 times
YetiSpaghetti
Highly Voted 2 years, 3 months ago
Selected Answer: B
This has to be B. A risk assessment will identify any risks with adopting new policies and technologies. A gap analysis is a method of assessing the performance of a business unit to determine whether business requirements or objectives are being met and, if not, what steps should be taken to meet them.
upvoted 11 times
homeysl
Most Recent 1 month, 1 week ago
Selected Answer: B
B is correct. D is for security strategy.
upvoted 1 times
lj22HI
1 month, 1 week ago
Selected Answer: B
Typically, risk assessment comes first because it helps identify potential threats and vulnerabilities that could impact an organization or project. Once risks are understood, a gap analysis can be conducted to assess where current practices, controls, or resources fall short in mitigating those risks or achieving business goals. In short: Risk Assessment → Identify threats and vulnerabilities. Gap Analysis → Find weaknesses and areas for improvement based on risks or objectives.
upvoted 1 times
JoelSantos
1 month, 2 weeks ago
Selected Answer: B
Risk assessment.
upvoted 1 times
Ayotunde
2 months, 1 week ago
Selected Answer: D
Gap analysis is the answer.
upvoted 1 times
Adabach
2 months, 2 weeks ago
Selected Answer: D
Gap Analysis before RA.
upvoted 1 times
loderss
2 months, 2 weeks ago
Selected Answer: B
B, risk assessment.
upvoted 1 times
edmamol
3 months, 2 weeks ago
Selected Answer: B
The answer is B. Risk assessment vs. gap analysis: to conform to a new regulation, you should start with a risk assessment. A risk assessment is essential for identifying and prioritizing potential risks, which is a fundamental requirement for conforming to regulations like ISO 27001. This process helps you understand the specific risks your organization faces and how to mitigate them effectively. While a gap analysis can provide a high-level view of what controls are missing, it does not offer the prioritized action plan that a risk assessment does. After conducting the risk assessment, you can use the insights gained to perform a gap analysis. The gap analysis will help you identify the specific areas where your current practices fall short of the new regulatory requirements, allowing you to develop a targeted plan to address these gaps.
upvoted 1 times
passingtoday
4 months, 2 weeks ago
Selected Answer: D
D. perform a gap analysis. Performing a gap analysis will help identify the differences between the current state of the organization's information security controls and the requirements of the new regulation. This analysis will highlight areas that need to be addressed to achieve compliance, making it a crucial first step before conducting further assessments or analyses.
upvoted 1 times
0884a0d
5 months, 1 week ago
Selected Answer: B
A risk assessment would aid in identifying and evaluating current/existing security controls. The outcome of the risk assessment, especially the evaluation of existing security controls, then becomes input into the gap analysis which identifies any compliance gaps according to the new regulatory requirements. Keyword in the question is FIRST.
upvoted 1 times
iaredub
5 months, 2 weeks ago
Selected Answer: D
Understanding the impact involves doing a gap analysis of the current state of security vs. the new requirements of the regulation.
upvoted 1 times
Farook05
5 months, 3 weeks ago
Selected Answer: D
When addressing a new regulatory requirement, the initial step should be to perform a gap analysis (Option D). This allows you to identify the specific areas where current controls fall short in meeting the new requirements. Once you have identified these gaps, you can then conduct a risk assessment to understand the potential impact and prioritize the necessary changes.
upvoted 1 times
AbhinavShri
6 months ago
Selected Answer: D
It says what impact the new regulation will have on the organization's controls, hence we need to do a gap analysis of the current state (with current controls) and the desired state (because of the new regulations); hence the answer is D.
upvoted 1 times
olutola
6 months ago
Selected Answer: D
The answer is D. Since they are regulatory requirements, the first step would be for the security manager to perform a gap analysis to determine the level of compliance already in place.
upvoted 1 times
greeklover84
6 months, 3 weeks ago
Selected Answer: B
I would go for B.
upvoted 1 times
andyprior
7 months ago
B - When new regulations are announced, the first step is typically to perform a risk assessment, not a gap analysis. A risk assessment involves identifying and assessing potential risks that the new regulation might introduce to the organization's information security controls. This step helps to understand the impact of the regulation and prioritize necessary actions to comply with it effectively. After conducting the risk assessment, a gap analysis can be performed. The gap analysis identifies differences between the organization's current state of compliance and the requirements of the new regulation.
upvoted 1 times