Certified in Risk and Information Systems Control (CRISC) — Question 611
When implementing an IT risk management program, which of the following is the BEST time to evaluate current control effectiveness?
Answer options
- A. Before defining a framework
- B. During the risk assessment
- C. When evaluating risk response
- D. When updating the risk register
Correct answer: B
Explanation
The best time to evaluate current control effectiveness is during the risk assessment, because this phase allows a thorough analysis of how well existing controls mitigate identified risks. The other options occur either before controls are defined or after the assessment phase, so they do not provide the same level of insight into control effectiveness.