Certified in Risk and Information Systems Control (CRISC) — Question 273
The PRIMARY objective for requiring an independent review of an organization's IT risk management process should be to:
Answer options
- A. ensure IT risk management is focused on mitigating potential risk.
- B. confirm that IT risk assessment results are expressed as business impact.
- C. assess gaps in IT risk management operations and strategic focus.
- D. verify implemented controls to reduce the likelihood of threat materialization.
Correct answer: C
Explanation
The correct answer, C, highlights the importance of identifying weaknesses in the IT risk management approach and aligning it with strategic objectives. Options A and B focus on specific aspects of risk management but do not address the overall evaluation of the process. Option D, while important, relates to control verification rather than assessing the broader strategic focus of risk management.