Certified in Risk and Information Systems Control (CRISC) — Question 566
One of an organization’s key IT systems cannot be patched because the patches interfere with critical business application functionalities. Which of the following would be the risk practitioner’s BEST recommendation?
Answer options
- A. The associated IT risk should be accepted by management.
- B. The organization’s IT risk appetite should be adjusted.
- C. Additional mitigating controls should be identified.
- D. The system should not be used until the application is changed.
Correct answer: C
Explanation
The best recommendation is to identify additional mitigating (compensating) controls: since the patch itself cannot be applied, other controls can reduce the likelihood or impact of the unpatched vulnerability being exploited without disrupting critical functionality. Accepting the risk or adjusting the risk appetite does not address the underlying exposure, and stopping use of the system could halt essential business operations.