After implementing an information security governance framework, which of the following would provide the BEST information to develop an information security project plan?

A. Balanced scorecard
B. Recent audit results
C. Risk heat map
D. Gap analysis