Certified in Risk and Information Systems Control (CRISC) — Question 716

The head of a business operations department asks to review the entire IT risk register. Which of the following would be the risk manager's BEST approach to this request before sharing the register?

Answer options

• A. Determine the purpose of the request.
• B. Require a nondisclosure agreement.
• C. Sanitize portions of the register.
• D. Escalate to senior management.

Correct answer: A

Explanation

The best initial step is to understand the reason behind the request, as this will inform how to handle the risk register appropriately. Requiring a nondisclosure agreement may not be necessary if the purpose is clear, while sanitizing parts of the register or escalating to senior management may be premature without first understanding the request's intent.