Exam CISM topic 1 question 571 discussion

The right answer is D. If the risk of non-compliance is minimal, why doing the bothering task to conduct a gap analysis? It's always: get a clear picture of the situation first and decide for further actions afterwards.

I would assess the risk of non-compliance and put it on the risk register. Then I would proceed with a gap analysis.

Always evaluate how to achieve it first rather than a negative thought about noncompliance.

Perform a gap analysis is the best bet here.

As others have said - first D, then other stuff (if necessary; maybe management decides that it's more cost-effective to pay fines then to implement controls).

I go with D then B

Performing a gap analysis involves comparing the organization's current security controls and practices against the specific security controls mandated by the new law. This analysis will identify any gaps or areas where the organization does not meet the requirements.

D no other option!

B. Perform a gap analysis on the new requirements.

The first thing the information security manager should do is perform a gap analysis on the new requirements. A gap analysis is a process of comparing the current state of the organization's security against the new legal requirements to identify any areas where the organization falls short of meeting the new requirements. This step is important to identify the specific areas where the organization needs to improve its security controls in order to comply with the new law. Once the gap analysis is complete, the organization can develop a control implementation plan, integrate the new requirements into the security policy, and assess the risk of noncompliance with the new requirements.