Certified in Risk and Information Systems Control (CRISC) — Question 1159

A risk practitioner has been asked to evaluate a new cloud-based service to enhance an organization’s access management capabilities. When is the BEST time for the risk practitioner to provide opinions on control strength?

Answer options

• A. After the initial design
• B. After a few weeks in use
• C. Before production rollout
• D. Before end-user testing

Correct answer: C

Explanation

The correct answer is C, as providing opinions on control strength before the production rollout allows for necessary adjustments to be made before full deployment. Options A and D are too late in the timeline for meaningful input, while B does not allow for preemptive changes based on control effectiveness.