Certified in Risk and Information Systems Control (CRISC) — Question 879
As part of its vendor management program, an organization has commissioned an audit of a vendor's control framework for the purpose of implementing compensating controls into its environment. Which risk response option has been decided?
Answer options
- A. Transfer
- B. Avoidance
- C. Acceptance
- D. Mitigation
Correct answer: D
Explanation
The correct answer is D, Mitigation, because the organization intends to implement compensating controls, and implementing such controls is a form of risk reduction. Options A, B, and C do not align with the intent of actively addressing and reducing risk through additional controls.