CRISC Certified in Risk and Information Systems Control – Question805

An organization must implement changes as the result of new regulations. Which of the following should the risk practitioner do FIRST to prepare for these changes?

A.
Engage the legal department.
B. Conduct a gap analysis.
C. Implement compensating controls.
D. Review the risk profile.

Correct Answer: B