To gain a clear understanding of the impact that a new regulatory requirement will have on an organization's information security controls, an information security manager should FIRST:
Clearly it is B: how do you gain a clear understanding of the impact of new regulations? Perform a risk assessment. If the question were "What is the first step in getting compliant?", then a gap analysis would be correct. But not in this case.
I believe you are wrong. D makes sense here. What would you do an assessment on? It's more logical to do a gap analysis on where the security program stands against the NEW regulation (very specific) and then do a risk assessment on the security program.
So many upvotes on an incorrect answer. It's D. You have controls; a new policy says you need these X new controls. A gap analysis shows you which you already have and which you don't have. The gap will show you the impact of the regulation by showing all the items you need to do to become compliant.
This has to be B. A risk assessment will identify any risks with adopting new policies and technologies.
A gap analysis is a method of assessing the performance of a business unit to determine whether business requirements or objectives are being met and, if not, what steps should be taken to meet them.
D. perform a gap analysis.
Performing a gap analysis will help identify the differences between the current state of the organization's information security controls and the requirements of the new regulation. This analysis will highlight areas that need to be addressed to achieve compliance, making it a crucial first step before conducting further assessments or analyses.
The answer remains D. Perform a gap analysis because it’s the initial diagnostic step to understand the controls required for compliance. Try Certsleader for the best certification prep experience.
A risk assessment would aid in identifying and evaluating current/existing security controls. The outcome of the risk assessment, especially the evaluation of existing security controls, then becomes input into the gap analysis which identifies any compliance gaps according to the new regulatory requirements. Keyword in the question is FIRST.
When addressing a new regulatory requirement, the initial step should be to perform a gap analysis (Option D). This allows you to identify the specific areas where current controls fall short of meeting the new requirements. Once you have identified these gaps, you can then conduct a risk assessment to understand the potential impact and prioritize the necessary changes.
It asks what impact the new regulation will have on the organization's controls, hence we need to do a gap analysis of the current state (with current controls) against the desired state (required by the new regulation); hence the answer is D.
The answer is D. Since they are regulatory requirements, the first step would be for the security manager to perform a gap analysis to determine the level of compliance already in place.
B - When new regulations are announced, the first step is typically to perform a risk assessment, not a gap analysis. A risk assessment involves identifying and assessing potential risks that the new regulation might introduce to the organization's information security controls. This step helps to understand the impact of the regulation and prioritize necessary actions to comply with it effectively. After conducting the risk assessment, a gap analysis can be performed. The gap analysis identifies differences between the organization's current state of compliance and the requirements of the new regulation.
Gap Analysis: By identifying the gaps between current controls and the new regulatory requirements, the manager can assess what changes or additional measures are necessary. This analysis provides a foundation for any subsequent risk assessment or control adjustments.
The answer remains D. Perform a gap analysis because it's the initial diagnostic step to understand the controls required for compliance. After the gaps are known, risk assessments can better evaluate the consequences of those gaps.
Two references from the ISACA REVIEW MANUAL support B, Risk Assessment, as the right answer:
1. Page 32, last paragraph, states that "regulatory compliance should be treated as any other risk".
2. Page 152, Figure 3.1, shows that Risk Management informs Current State, which is in turn used in gap analysis.
When there is a new regulatory requirement, one should conduct a risk assessment first to determine the IMPACT (RISK) OF NONCOMPLIANCE. Risk assessment will DETERMINE IF THE RISK OF NON-COMPLIANCE IS WITHIN ACCEPTABLE LEVELS. If the risk is above acceptable levels, then it makes sense to conduct a gap analysis to understand the existing control effectiveness and identify additional/compensatory controls that will be required for compliance.
Three arguments why I would choose B:
1. "Understanding the impact", as stated in the question itself, relates to risk assessment.
2. The introduction of a compliance requirement is a "change" that a security manager should treat as a trigger for a risk assessment.
3. Once the risk assessment suggests the required controls (mitigation strategy), we do a gap analysis to identify current controls and the controls required in future, to draw up the ways/actions to achieve the future controls.
Once the risks are assessed and understood, the organization can then proceed to make informed decisions about whether to implement additional controls, modify existing ones, or accept the risk. Afterward, a cost-benefit analysis, interviews with senior management, and gap analysis can be conducted to further refine the approach and ensure compliance with the regulatory requirement while considering the organization's overall objectives and constraints.