Exam CISM topic 1 question 3 discussion

Clearly it is B, how do you gain a clear understanding of the impact of new regulations: perform a risk assessment. If the question was: What is the first step on getting compliant? Then a gap analysis would be correct. But not in this case.

This has to be B. A risk assessment will identify any risks with adopting new policies and technologies. A gap analysis is a method of assessing the performance of a business unit to determine whether business requirements or objectives are being met and, if not, what steps should be taken to meet them.

Gap Analysis is the answer

Gap Analysis before RA.

B, risks assessment

The answer is B. Risk Assessment vs Gap Analysis To conform to a new regulation, you should start with a risk assessment. A risk assessment is essential for identifying and prioritizing potential risks, which is a fundamental requirement for conforming to regulations like ISO 27001. This process helps you understand the specific risks your organization faces and how to mitigate them effectively. While a gap analysis can provide a high-level view of what controls are missing, it does not offer the prioritized action plan that a risk assessment does. After conducting the risk assessment, you can use the insights gained to perform a gap analysis. The gap analysis will help you identify the specific areas where your current practices fall short of the new regulatory requirements, allowing you to develop a targeted plan to address these gaps

D. perform a gap analysis. Performing a gap analysis will help identify the differences between the current state of the organization's information security controls and the requirements of the new regulation. This analysis will highlight areas that need to be addressed to achieve compliance, making it a crucial first step before conducting further assessments or analyses.

A risk assessment would aid in identifying and evaluating current/existing security controls. The outcome of the risk assessment, especially the evaluation of existing security controls, then becomes input into the gap analysis which identifies any compliance gaps according to the new regulatory requirements. Keyword in the question is FIRST.

Understanding the impact involves doing an gap analysis of the current state of security vs the new requirements of the regulation.

when addressing a new regulatory requirement, the initial step should be to perform a gap analysis (Option D). This allows you to identify the specific areas where current controls fall short in meeting the new requirements. Once you have identified these gaps, you can then conduct a risk assessment to understand the potential impact and prioritize the necessary changes.

It says what impact new regulation will have on org controls hence we need to do a gap analysis of current state (with current controls) and desired state (because of new regulations), hence ans is D.

The answer is D. Since they are regulatory requirements, the first step would be for the security manager to perform a gap analysis to determine the level of compliance already in place.

I would go for B,

B - When new regulations are announced, the first step is typically to perform a risk assessment, not a gap analysis. A risk assessment involves identifying and assessing potential risks that the new regulation might introduce to the organization's information security controls. This step helps to understand the impact of the regulation and prioritize necessary actions to comply with it effectively. After conducting the risk assessment, a gap analysis can be performed. The gap analysis identifies differences between the organization's current state of compliance and the requirements of the new regulation.

Gap Analysis: By identifying the gaps between current controls and the new regulatory requirements, the manager can assess what changes or additional measures are necessary. This analysis provides a foundation for any subsequent risk assessment or control adjustments.

the answer remains D. Perform a gap analysis because it’s the initial diagnostic step to understand the controls required for compliance. After the gaps are known, risk assessments can better evaluate the consequences of those gaps.

Two references from ISACA REVIEW MANUAL support B, Risk Assessment, as the right answer: 1. Page 32. last paragraph states that "regulatory compliance should be treated as any other risk". 2. Page 152 Figure 3.1, shows that Risk Management informs Current State which is in turn used in gap analysis. When there is a new regulatory requirement, one should conduct a risk assessment first to determine the IMPACT (RISK) OF NONCOMPLIANCE. Risk assessment will DETERMINE IF THE RISK OF NON-COMPLIANCE IS WITHIN ACCEPTABLE LEVELS. If the risk is above acceptable levels, then it makes sense to conduct a gap analysis to understand the existing control effectiveness and identify additional/compensatory controls that will be required for compliance.