Certified in Risk and Information Systems Control (CRISC) — Question 1292

When outsourcing a business process to a cloud service provider, it is MOST important to understand that:

Answer options

• A. insurance could be acquired for the risk associated with the outsourced process.
• B. service accountability remains with the cloud service provider.
• C. a risk owner must be designated within the cloud service provider.
• D. accountability for the risk will remain with the organization.

Correct answer: D

Explanation

The correct answer is D because when an organization outsources a process, it retains overall accountability for the associated risks, even though some responsibilities may be shared with the cloud service provider. Options A, B, and C misinterpret the nature of risk ownership; acquiring insurance does not eliminate accountability, and while the provider may handle some service aspects, the ultimate risk responsibility lies with the organization.