To gain a clear understanding of the impact that a new regulatory requirement will have on an organization`s information security controls, an information security manager should FIRST: 

Answer options:

A. interview senior management
B. conduct a risk assessment
C. conduct a cost-benefit analysis
D. perform a gap analysis

D