Certified in Risk and Information Systems Control (CRISC) — Question 1412

An organization is planning to engage a cloud-based service provider for some of its data-intensive business processes. Which of the following is MOST important to help define the IT risk associated with this outsourcing activity?

Answer options

• A. Service level agreement
• B. Right to audit the provider
• C. Customer service reviews
• D. Scope of services provided

Correct answer: D

Explanation

The scope of services provided is critical as it outlines the specific functions and responsibilities of the cloud service provider, which directly impacts the overall risk. While the service level agreement and the right to audit are important, they are secondary to understanding what services will be delivered. Customer service reviews, although valuable, do not address the core risk factors associated with the outsourcing itself.