Exam CRISC topic 1 question 1104 discussion

Policy framework will be FIRST step towards addressing non-compliance. Performing gap analysis is MOST IMPORTANT step for finding out noncompliance.

Going with D. Policy is the first step towards compliance with regulations.

basing on how ISACA thinks i am going with B.

The question clearly states that the regulation is not new. What is the MOST important step to ensure regulatory requirements are adequately addressed within an organization? Gap analysis can be done if the regulation is new – or if there is a change in regulation. This is focused more towards adequately addressing regulatory requirements which start from the policy development. policy is not just a guidance it needs to be adhered to or an approved exception needs to be in place

Correction to 'B', reason: A gap analysis is a systematic process of comparing the organization's current state to the regulatory requirements to identify areas of noncompliance or weakness. By performing a gap analysis, an organization can identify where it falls short of regulatory requirements and develop plans to address those gaps. Developing a policy framework that addresses regulatory requirements is also important, but it is not the most important step. Policies provide guidance and direction on how to meet regulatory requirements, but if the organization is not aware of where it falls short, the policies may not be effective.

Of all the options, the regulatory requirements must be set out in a policy.

Regulatory requirement should be treated as any other risk, so why separate policy framework is required for the same?

Shouldnt it be B? to do gap analysis to compare current state and regulatory ask.