Certified in Risk and Information Systems Control (CRISC) — Question 423
An IT control gap has been identified in a key process. Who would be the MOST appropriate owner of the risk associated with this gap?
Answer options
- A. Business process owner
- B. Chief information security officer
- C. Operational risk manager
- D. Key control owner
Correct answer: A
Explanation
The business process owner is best suited to oversee the risk because they are directly responsible for the process where the control gap exists. The chief information security officer, operational risk manager, and key control owner hold roles that may involve risk management, but none of them has the same direct accountability for the specific process as the business process owner.