Key performance indicators (KPIs) are metrics used to measure and evaluate the achievement of the organization’s objectives and strategies. KPIs for critical IT assets are KPIs that focus on the performance and value of the IT assets that are essential to the organization’s operations and functions. KPIs for critical IT assets may include metrics such as availability, reliability, utilization, cost, and security of those assets. The need to review and update KPIs for critical IT assets may be driven by various factors, such as changes in the business environment, customer expectations, or regulatory requirements. However, the factor most likely to drive such a review and update is the outcome of periodic risk assessments. A risk assessment is a process of identifying, analyzing, and evaluating risks and their potential impact on the organization’s objectives and performance. A periodic risk assessment is one performed at regular intervals, such as monthly, quarterly, or annually, to capture changes in the risk environment and the risk profile. The outcomes of periodic risk assessments are the most likely driver because they provide insight into current and emerging risks that may affect the performance and value of the critical IT assets, as well as into the effectiveness and efficiency of existing and planned controls and responses. By reviewing and updating the KPIs for critical IT assets in light of these outcomes, the organization can ensure that the KPIs remain relevant, realistic, and aligned with its risk appetite and tolerance, and that they provide accurate and timely information for decision making and reporting.
The outsourcing of related IT processes, changes in service level objectives, and findings from continuous monitoring are less likely to drive a review and update of KPIs for critical IT assets, because none of them provides the same breadth of information or has the same impact as the outcomes of periodic risk assessments. Outsourcing related IT processes means transferring some or all of the IT processes that support or enable the critical IT assets to an external service provider. This may affect the performance and value of the critical IT assets, but it does not necessarily require the KPIs to be revised, since the same KPIs may remain valid and applicable to the outsourced processes. Changes in service level objectives are changes in the expected or agreed level of quality or performance of the IT services that support or enable the critical IT assets. These may also affect the performance and value of the critical IT assets, but they do not necessarily require a review and update of the KPIs, which may remain consistent and compatible with the revised objectives. Findings from continuous monitoring are the results of ongoing observation and measurement of the performance and compliance of the IT processes and systems that support or enable the critical IT assets. Such findings may likewise affect the performance and value of the critical IT assets without requiring a review and update of the KPIs, which may remain relevant and reliable for the monitored processes and systems. References = Risk and Information Systems Control Study Manual, Chapter 4: Risk and Control Monitoring and Reporting, Section 4.2: Risk Monitoring, pp. 189-191.