Certified in Risk and Information Systems Control (CRISC) — Question 1373

An IT operations team implements disaster recovery controls based on decisions from application owners regarding the level of resiliency needed. Who is the control owner in this scenario?

Answer options

• A. The IT operations team
• B. The application owner
• C. The disaster recovery team
• D. The business resilience team

Correct answer: B

Explanation

The application owner is considered the control owner because they determine the necessary level of resiliency for their applications, which informs the disaster recovery controls. The IT operations team, disaster recovery team, and business resilience team support these decisions but do not own the controls themselves.