Certified in Risk and Information Systems Control (CRISC) — Question 115

A risk practitioner is reviewing the status of an action plan to mitigate an emerging IT risk and finds the risk level has increased. The BEST course of action would be to:

Answer options

• A. evaluate whether selected controls are still appropriate.
• B. implement the planned controls and accept the remaining risk.
• C. suspend the current action plan in order to reassess the risk.
• D. revise the action plan to include additional mitigating controls.

Correct answer: A

Explanation

The best response is to evaluate whether selected controls are still appropriate, as an increased risk level may indicate that the current controls are insufficient. Implementing planned controls without reassessment may not address the new risk level effectively. Suspending the action plan or revising it without first understanding the efficacy of existing controls could lead to further complications in risk management.