Which of the following will identify a deviation in the information security management process from generally accepted standards of good practices?

A. Risk assessment
B. Business impact analysis (BIA)
C. Penetration testing
D. Gap analysis