Certified in Risk and Information Systems Control (CRISC) — Question 1424
A risk practitioner has determined that a key control does not meet design expectations. Which of the following should be done NEXT?
Answer options
- A. Invoke the incident response plan
- B. Modify the design of the control
- C. Document the finding in the risk register
- D. Re-evaluate key risk indicators
Correct answer: C
Explanation
The correct next step is to document the finding in the risk register, which ensures that the issue is recorded and can be addressed in future assessments. Modifying the design of the control or invoking the incident response plan may not be appropriate before the issue has been acknowledged in the risk register. Re-evaluating key risk indicators is likewise premature until the control's failure has been properly documented.