A new version of an information security regulation is published that requires an organization`s compliance. The information security manager should FIRST: 

Answer options:

A. perform an audit based on the new version of the regulation.
B. conduct a risk assessment to determine the risk of noncompliance.
C. conduct benchmarking against similar organizations.
D. perform a gap analysis against the new regulation.

D