Certified Information Systems Auditor (CISA) — Question 264

An organization has decided to outsource a critical application due to a lack of specialized resources. Which risk response has been adopted?

Answer options

• A. Mitigation
• B. Avoidance
• C. Sharing
• D. Acceptance

Correct answer: C

Explanation

The correct answer is C, Sharing, as outsourcing involves transferring the risk to a third party who can manage it more effectively. Mitigation (A) focuses on reducing the impact of the risk, Avoidance (B) means eliminating the risk altogether, and Acceptance (D) indicates that the organization is willing to live with the risk without any changes.