Certified in Risk and Information Systems Control (CRISC) — Question 759

An organization recently received an independent security audit report of its cloud service provider that indicates significant control weaknesses. What should be done NEXT in response to this report?

Answer options

• A. Conduct a follow-up audit to verify the provider's control weaknesses.
• B. Review the contract to determine if penalties should be levied against the provider.
• C. Analyze the impact of the provider's control weaknesses to the business.
• D. Migrate all data to another compliant service provider.

Correct answer: C

Explanation

The correct answer is C because understanding the impact of the control weaknesses on the business is crucial for making informed decisions regarding risk management and mitigation strategies. A follow-up audit (A) may be necessary later, but it is not the immediate next step. Reviewing the contract (B) and migrating data (D) are reactive measures that may follow after assessing the impact.