Isaca Certified in Risk and Information Systems Control CRISC Question # 205 Topic 21 Discussion

CRISC Exam Topic 21 Question 205 Discussion:

Question #: 205

Topic #: 21

A trusted third-party service provider has determined that the risk of a client's systems being hacked is low. Which of the following would be the client's BEST course of action?

Perform their own risk assessment

Implement additional controls to address the risk.

Accept the risk based on the third party's risk assessment

Perform an independent audit of the third party.

Get Premium CRISC Questions

Explanation

A risk assessment is a process that identifies, analyzes, and evaluates the risks that an organization faces in relation to its objectives, assets, and operations. A risk assessment helps to determine the likelihood and impact of potential threats, as well as the adequacy and effectiveness of existing controls. A risk assessment also provides the basis for risk treatment, which involves selecting and implementing the appropriate risk responses, such as avoiding,transferring, mitigating, or accepting the risk. The client’s best course of action in this scenario is to perform their own risk assessment, rather than relying on the third-party service provider’s risk assessment. This is because the third-party service provider may have different risk criteria, assumptions, methods, or perspectives than the client, and may not fully understand or address the client’s specific risk context, needs, and expectations. The third-party service provider’s risk assessment may also be biased, outdated, or inaccurate, and may not reflect the current or future risk environment. By performing their own risk assessment, the client can ensure that the risk of their systems being hacked is properly identified, measured, and managed, and that the risk level is acceptable and aligned with their risk appetite and tolerance. The other options are not the best courses of action for the client, as they may expose the client to unnecessary or unacceptable risk. Implementing additional controls to address the risk may be costly, ineffective, or redundant, and may not be justified by the actual risk level. Accepting the risk based on the third-party service provider’s risk assessment may be risky, as the client may not have a clear or accurate understanding of the risk exposure or consequences. Performing an independent audit of the third party may be useful, but it may not be sufficient or timely to assess and address the risk of the client’s systems being hacked. References = CRISC Review Manual, pages 38-391; CRISC Review Questions, Answers & Explanations Manual, page 792

Actual exam question for Isaca CRISC exam by Vega86889 at Nov 17, 2025, 12:57:01 AM

Contribute your Thoughts:

Chosen Answer: A B C D
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.

Month End Sale Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: simple70

Isaca Certified in Risk and Information Systems Control CRISC Question # 205 Topic 21 Discussion

Isaca Certified in Risk and Information Systems Control CRISC Question # 205 Topic 21 Discussion

Correct Answer:

Options Selected by Other Users:

Contribute your Thoughts:

Month End Sale Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: simple70

Isaca Certified in Risk and Information Systems Control CRISC Question # 205 Topic 21 Discussion

Isaca Certified in Risk and Information Systems Control CRISC Question # 205 Topic 21 Discussion

Correct Answer:

Options Selected by Other Users:

Contribute your Thoughts:

Awaiting moderator approval