Certified in Risk and Information Systems Control (CRISC) — Question 216

An organization has outsourced its IT security management function to an external service provider. The BEST party to own the IT security controls under this arrangement is the:

Answer options

• A. organization's risk function
• B. service provider's audit function
• C. organization's IT management
• D. service provider's IT security function

Correct answer: A

Explanation

The organization's risk function is best positioned to own the IT security controls because it is responsible for identifying, assessing, and managing risks associated with security. The service provider's audit function is focused on compliance and oversight, while the organization's IT management and the service provider's IT security function may not have the same level of accountability for overall risk management.