To gain a clear understanding of the impact that a new regulatory requirement will have on an organization’s information security controls, an information security manager should FIRST:

A. conduct a risk assessment.
B. perform a gap analysis.
C. conduct a cost-benefit analysis.
D. interview senior management.