Certified in Risk and Information Systems Control (CRISC) — Question 607

Who should be accountable for ensuring effective cybersecurity controls are established?

Answer options

Correct answer: C

Explanation

The risk owner is the individual or entity accountable for ensuring that appropriate cybersecurity controls are implemented and maintained. While the security management function, enterprise risk function, and IT management play significant roles, they do not carry the ultimate accountability, which rests with the risk owner.