Isaca Certified in Risk and Information Systems Control CRISC Question # 309 Topic 31 Discussion

CRISC Exam Topic 31 Question 309 Discussion:

Question #: 309

Topic #: 31

Business areas within an organization have engaged various cloud service providers directly without assistance from the IT department. What should the risk practitioner do?

Recommend the IT department remove access to the cloud services.

Engage with the business area managers to review controls applied.

Escalate to the risk committee.

Recommend a risk assessment be conducted.

Get Premium CRISC Questions

Explanation

The best action for the risk practitioner to take when business areas within an organization have engaged various cloud service providers directly without assistance from the IT department is to recommend a risk assessment be conducted. A risk assessment is a process of identifying, analyzing, and evaluating the risks associated with the use of cloud services, such as financial, privacy, compliance, security, performance, quality, and technical risks12. A risk assessment can help to determine the current and potential risk exposure and impact of the cloud services, as well as the effectiveness and efficiency of theexisting or proposed controls. A risk assessment can also help to prioritize the risks and to develop and implement appropriate risk response strategies and plans, such as risk avoidance, reduction, sharing, or acceptance. Recommending a risk assessment is the best action, because it can provide valuable information and guidance to the business areas and the IT department for managing the cloud services in a consistent, effective, and efficient manner, and for aligning the cloud services with the organizational objectives, strategy, and risk appetite. The other options are not the best action, although they may be related or subsequent steps in the risk management process. Recommending the IT department remove access to the cloud services is a drastic and impractical action, as it may disrupt the business operations and services, and it may not address the underlying causes or drivers of the cloud service adoption. Engaging with the business area managers to review controls applied is a useful and collaborative action, as it can help to understand and evaluate the current state and practices of the cloud service usage, and to identify and address any gaps or issues in the control environment. However, this action should be based on or supported by a risk assessment, rather than preceding or replacing it. Escalating to the risk committee is a reporting and communication action, as it can help to inform and involve the senior management and other stakeholders in the risk management process, and to obtain their support and approval for the risk response actions. However, this action should be done after or along with a risk assessment, rather than before or instead of it. References = Best Practices to Manage Risks in the Cloud - ISACA, Cloud Risk Management - PwC UK

Actual exam question for Isaca CRISC exam by Solis9054 at Nov 17, 2025, 1:25:44 AM

Contribute your Thoughts:

Chosen Answer: A B C D
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.

Month End Sale Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: simple70

Isaca Certified in Risk and Information Systems Control CRISC Question # 309 Topic 31 Discussion

Isaca Certified in Risk and Information Systems Control CRISC Question # 309 Topic 31 Discussion

Correct Answer:

Options Selected by Other Users:

Contribute your Thoughts:

Month End Sale Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: simple70

Isaca Certified in Risk and Information Systems Control CRISC Question # 309 Topic 31 Discussion

Isaca Certified in Risk and Information Systems Control CRISC Question # 309 Topic 31 Discussion

Correct Answer:

Options Selected by Other Users:

Contribute your Thoughts:

Awaiting moderator approval