Certified in Risk and Information Systems Control (CRISC) — Question 758

A service provider is managing a client's servers. During an audit of the service, a noncompliant control is discovered that will not be resolved before the next audit because the client cannot afford the downtime required to correct the issue. The service provider's MOST appropriate action would be to:

Answer options

Correct answer: B

Explanation

The most appropriate action is for the service provider to ask the client to formally document its acceptance of the risk (option B). The client owns the servers and the associated business risk, so the decision to run with a noncompliant control is the client's to make, not the provider's; a documented, signed-off risk acceptance records who made the decision, why (the cost of the required downtime outweighs the benefit of fixing the control before the next audit), what compensating controls apply, and when the decision will be revisited, so that both parties acknowledge the exposure and it is tracked rather than forgotten. Developing a remediation plan on the client's behalf (option A) does not resolve the finding, because the client has already said it cannot accommodate the downtime the remediation requires, and a plan the risk owner has not agreed to will not be executed. Insisting on remediation for the sake of other customers (option C) disregards the client's business constraints and presumes a risk decision the provider is not entitled to make for the client's systems. Merely noting the issue for the next audit (option D) leaves a known noncompliance unmanaged, with no record of who accepted it or on what basis.