To gain a clear understanding of the impact that a new regulatory requirement will have on an organization’s information security controls, an information security manager should FIRST:

A. interview senior management
B. conduct a risk assessment
C. conduct a cost-benefit analysis
D. perform a gap analysis