Certified in Risk and Information Systems Control (CRISC) — Question 1194

As part of its risk strategy, an organization decided to transition its financial system from a cloud-based provider to an internally managed system. Which of the following should the risk practitioner do FIRST?

Answer options

• A. Evaluate existing control test plans of the system for potential changes.
• B. Analyze the risk register to identify potential updates and changes.
• C. Reassess whether the risk responses properly address known risk and vulnerabilities.
• D. Update the processes within impacted financial control assessments.

Correct answer: B

Explanation

The correct answer is B because analyzing the risk register is essential to understand existing risks and identify any necessary changes due to the transition. The other options, while important, should come after the risk register has been reviewed to ensure that all potential risks associated with the transition are addressed effectively.