An organization has to comply with recently published industry regulatory requirements " compliance that potentially has high implementation costs. What should the information security manager do FIRST? 

Answer options:

A. Implement a security committee.
B. Perform a gap analysis.
C. Implement compensating controls.
D. Demand immediate compliance.

B

Since they are regulatory requirements, a gap analysis would be the first step to determine the level of compliance already in place. Implementing a security committee or compensating controls would not be the first step. Demanding immediate compliance would not assess the situation.