Certified in Risk and Information Systems Control (CRISC) — Question 102
An assessment of information security controls has identified ineffective controls. Which of the following should be the risk practitioner's FIRST course of action?
Answer options
- A. Deploy a compensating control to address the identified deficiencies
- B. Report the ineffective control for inclusion in the next audit report
- C. Determine if the impact is outside the risk appetite
- D. Request a formal acceptance of risk from senior management
Correct answer: C
Explanation
The correct answer is C because determining whether the impact of the ineffective control exceeds the organization's risk appetite is what decides whether any further response is needed at all. Options A, B, and D are premature: deploying a compensating control, reporting the finding for audit, or requesting formal risk acceptance are all responses that presuppose the risk impact has already been evaluated.