Certified in Risk and Information Systems Control (CRISC) — Question 568
A recent regulatory requirement has the potential to affect an organization’s use of a third party to supply outsourced business services. Which of the following is the BEST course of action?
Answer options
- A. Identify compensating controls.
- B. Terminate the outsourcing agreement.
- C. Transfer risk to the third party.
- D. Conduct a gap analysis.
Correct answer: D
Explanation
Conducting a gap analysis is the best approach because it allows the organization to identify discrepancies between current practices and regulatory requirements. The other options, such as terminating the agreement or transferring risk, do not directly address the need to understand how the regulation impacts existing services.