CISM Certified Information Security Manager – Question1010

An internal control audit has revealed a control deficiency related to a legacy system where the compensating controls no longer appear to be effective.
Which of the following would BEST help the information security manager determine the security requirements to resolve the control deficiency?

A.
Risk assessment
B. Gap analysis
C. Cost-benefit analysis
D. Business case

Correct Answer: B