Certified in Risk and Information Systems Control (CRISC) — Question 1305

A large organization recently restructured the IT department and has decided to outsource certain functions. What action should the control owners in the IT department take?

Answer options

• A. Determine whether risk responses still effectively address risk.
• B. Conduct risk classification for associated IT controls.
• C. Perform vulnerability and threat assessments.
• D. Analyze and update IT control assessments.

Correct answer: A

Explanation

The correct action is to determine whether risk responses still effectively address risk, as outsourcing can introduce new risks that may not have been previously considered. The other options focus on classification, assessments, and evaluations, which are important but do not directly address the need to reassess existing risk responses in light of the changes brought about by outsourcing.