A gap analysis will help the information security manager to identify the difference between the current information security controls and the requirements of the new regulation
With complex wording and how touchy things are... it is best to consult with legal to get a clear understanding of the regulation before proceeding to do the gap analysis. At least that is my thought process.
According to ISACA, the FIRST thing an information security manager should do after a new cybersecurity regulation has been introduced is to perform a gap analysis.
While consulting corporate legal counsel is an important step, it often comes after the initial gap analysis to gain legal insights and guidance on specific compliance requirements. Conducting a cost-benefit analysis and updating the information security policy are also important but typically occur as part of the broader compliance efforts once gaps have been identified.
The gap analysis serves as the foundation for developing a compliance strategy and roadmap to meet the new regulatory requirements efficiently and effectively.
D. After anything new is introduced, especially a regulation or a new business, an assessment needs to be done, or some form of assessment needs to be done, for context. The closest to this rule is "gap assessment".
Just following common sense, I would consult legal first... to get it clear and then do the gap analysis... maybe my common sense is wrong, of course...
I believe the gap analysis will cover the requirements of the new regulation. In this process, the legal team will be consulted anyway to understand the implications. A very similar question has been asked several times before and the answer was gap analysis, so I am unsure why this would need a legal consultation first.
D. Perform a gap analysis.
Performing a gap analysis involves evaluating the organization's existing cybersecurity practices and policies in comparison to the new regulatory requirements. This will help identify areas where the organization falls short in compliance with the regulation. Once the gaps are identified, the information security manager can then develop a plan to address these shortcomings and work towards compliance.
A. Consult corporate legal counsel.
An information security manager should first consult corporate legal counsel after a new cybersecurity regulation has been introduced. This is because legal counsel can provide guidance on the legal implications and requirements of the new regulation, and help the information security manager understand how it applies to their organization. Understanding the legal implications of the new regulation is crucial in ensuring compliance and avoiding potential legal and financial risks. Once the legal implications have been clarified, the information security manager can then proceed with conducting a cost-benefit analysis, updating the information security policy, and performing a gap analysis as needed to align their organization with the new regulation. However, consulting corporate legal counsel should be the first step to ensure that the organization's response to the new cybersecurity regulation is legally sound.
I'd consult corporate legal counsel, since they are the ones who understand the most about the regulatory side.