Certified in Risk and Information Systems Control (CRISC) — Question 1013

Which of the following provides the BEST assurance of control effectiveness for security risk scenarios in a service provider’s environment?

Answer options

Correct answer: A

Explanation

The correct answer is A: an independent assessment report provides an objective evaluation of control effectiveness from an external source, ensuring credibility. While penetration testing (B) assesses vulnerabilities, it does not evaluate overall control effectiveness. Service-level monitoring (C) tracks performance but does not directly measure control effectiveness, and a control self-assessment (D) lacks the impartiality of an independent review.