Certified in Risk and Information Systems Control (CRISC) — Question 365
Who should have the authority to approve an exception to a control?
Answer options
- A. Information security manager
- B. Risk manager
- C. Control owner
- D. Risk owner
Correct answer: D
Explanation
The risk owner is accountable for the risk in their area of responsibility and therefore has the authority to approve exceptions to the controls that treat that risk, since an exception changes the residual risk they must accept. The information security manager, risk manager, and control owner may provide input or recommendations, but the risk owner makes the final decision on exceptions.