Due to technical and operational constraints, the preferred control to lower the risks identified is to outsource part of IT operations to an external vendor. What type of risk treatment is applied here?
Outsourcing IT operations to an external vendor is a form of risk transfer (C), where the responsibility for managing certain risks (e.g., operational or technical risks) is shifted to the vendor. According to ISO 31000, risk treatment strategies include transferring risk to a third party, often through contracts or outsourcing agreements, where the vendor assumes responsibility for mitigating specific risks.
Sharing (A): Involves distributing risk among multiple parties, not fully transferring it to one.
Retention (B): Means accepting the risk without mitigation, not applicable here.
Modification (D): Refers to changing processes or controls to reduce risk, not outsourcing.
[Reference: EPI CITM study guide, under Risk Management, likely references ISO 31000's risk treatment strategies, including risk transfer. Check sections on risk treatment or outsourcing.]