Certified in Risk and Information Systems Control (CRISC) — Question 305

Reviewing results from which of the following is the BEST way to identify information systems control deficiencies?

Answer options

• A. Control self-assessment (CSA)
• B. Vulnerability and threat analysis
• C. User acceptance testing (UAT)
• D. Control remediation planning

Correct answer: A

Explanation

The correct answer is A, as Control Self-Assessment (CSA) provides a comprehensive approach to evaluating the effectiveness of controls and identifying weaknesses. Other options, such as Vulnerability and Threat Analysis, focus on identifying potential risks rather than assessing existing controls, while User Acceptance Testing (UAT) is aimed at validating system functionality rather than control effectiveness. Control Remediation Planning is a follow-up process that addresses identified deficiencies but does not itself identify them.