Certified in Risk and Information Systems Control (CRISC) — Question 1300
An organization has outsourced its backup and recovery procedures to a third-party cloud provider. Which of the following should be the risk practitioner's NEXT course of action?
Answer options
- A. Remove the associated risk from the register.
- B. Validate control effectiveness and update the risk register.
- C. Review the contract and service level agreements (SLAs).
- D. Obtain an assurance report from the third-party provider.
Correct answer: B
Explanation
The correct answer is B: validating control effectiveness confirms that the outsourced services meet security requirements and allows the risk register to be updated as needed. Option A is incorrect because simply removing the risk does not address the ongoing management of that risk. Option C, while important, does not directly address the immediate need to assess control effectiveness. Option D is also valuable, but it follows after ensuring that current controls are effective.