Certified in Risk and Information Systems Control (CRISC) — Question 37

An organization has experienced several incidents of extended network outages that have exceeded tolerance. Which of the following should be the risk practitioner's FIRST step to address this situation?

Answer options

• A. Recommend a root cause analysis of the incidents
• B. Update the risk tolerance level to acceptable thresholds
• C. Recommend additional controls to address the risk
• D. Update the incident-related risk trend in the risk register

Correct answer: A

Explanation

The correct answer is A because conducting a root cause analysis will help identify the underlying issues causing the network outages, which is essential for effective resolution. Updating the risk tolerance level (B) without understanding the root causes may lead to ineffective measures. Recommending additional controls (C) also requires insight into the incidents, and merely updating the risk trend (D) does not address the underlying problems.