If an organization must comply with industry regulatory requirements that have high implementation costs, what should the information security manager do FIRST?

Prepare for CISSP Domain 2 Information Risk Management. Study with multiple choice questions, each question offers insights and explanations. Ace your exam!

Performing a gap analysis is the most appropriate first step for an information security manager when faced with the need to comply with industry regulatory requirements that come with high implementation costs. A gap analysis enables the organization to identify the discrepancies between its current security posture and the necessary compliance standards. It helps to clarify what controls and measures are lacking and which specific areas require attention.

By systematically assessing existing policies, practices, and controls against the regulatory benchmarks, the information security manager can prioritize the investments needed to achieve compliance. This structured approach supports informed decisions about which controls to implement, how to allocate resources effectively, and which areas are candidates for compensating controls if immediate compliance is not feasible.

Engaging the security committee, implementing compensating controls, or demanding immediate compliance are actions that could be taken later, but they are less strategic without first understanding the specific gaps in compliance. Each of these actions may stem from data collected in the gap analysis but should not precede that foundational assessment.
