CRISC Certified in Risk and Information Systems Control – Question511

A risk practitioner has determined that a key control does not meet design expectations. Which of the following should be done NEXT?

A.
Invoke the incident response plan
B. Modify the design of the control
C. Document the finding in the risk register
D. Re-evaluate key risk indicators

Correct Answer: C