Watch this video on YouTube
What should the information security manager do first when an organization needs to comply with industry regulatory requirements that may have high implementation costs?