Certified in Risk and Information Systems Control (CRISC) — Question 599

An organization will be impacted by a new data privacy regulation due to the location of its production facilities. What action should the risk practitioner take when evaluating the new regulation?

Answer options

• A. Perform an analysis of the new regulation to ensure current risk is identified.
• B. Evaluate if the existing risk responses to the previous regulation are still adequate.
• C. Assess the validity and perform update testing on data privacy controls.
• D. Develop internal control assessments over data privacy for the new regulation.

Correct answer: A

Explanation

The correct answer is A because it emphasizes the need to analyze the new regulation to identify any current risks associated with it. Option B incorrectly focuses on evaluating past responses, while C and D address testing and control development rather than initial risk identification, which is the priority when facing a new regulation.