
CISM Question #788: Real Exam Question with Answer & Explanation

The correct answer is C: Investigate to determine whether the new requirement applies to the business.

Submitted by brentm · Apr 18, 2026 · Information Security Governance

Question

A new information security reporting requirement will soon become effective. Which of the following should be the information security manager's FIRST action?

Options

  • A. Conduct a cost-benefit analysis related to noncompliance with the new requirement.
  • B. Perform a gap assessment against the new requirement.
  • C. Investigate to determine whether the new requirement applies to the business.
  • D. Inform senior management of the new requirement.

Explanation

Before taking any compliance steps, the information security manager must first assess whether the regulation is applicable to the organization. This ensures resources are not spent unnecessarily. "The applicability of legal, regulatory, and contractual requirements must be determined before initiating compliance activities."

Topics

  • Regulatory compliance
  • Legal & regulatory requirements
  • Information security governance
  • Compliance management

Community Discussion

No community discussion yet for this question.
