The risk practitioner’s BEST course of action is to validate the transfer of risk and update the register to reflect the change, because outsourcing the backup and recovery procedures to a third-party cloud provider does not eliminate the risk, but rather transfers it to the service provider. The risk practitioner should verify that the service provider has adequate controls and capabilities to handle the backup and recovery procedures, and that the contractual agreement specifies the roles and responsibilities of both parties. The risk practitioner should also update the risk register to reflect the new risk owner and the residual risk level. The other options are not the best course of action, because:
Option A: Accepting the risk and documenting contingency plans for data disruption is not the best course of action, because it implies that the risk practitioner is still responsible for the risk, even though it has been transferred to the service provider. Contingency plans are also reactive measures, rather than proactive ones.
Option B: Removing the associated risk scenario from the risk register due to avoidance is not the best course of action, because it implies that the risk has been eliminated, which is not the case. The risk still exists, but it has been transferred to the service provider. The risk register should reflect the current risk status and ownership.
Option C: Mitigating the risk with compensating controls enforced by the third-party cloud provider is not the best course of action, because it implies that the risk practitioner is still involved in the risk management process, even though the risk has been transferred to the service provider. The risk practitioner should rely on the service provider’s controls and capabilities, andmonitor their performance and compliance. References = Risk and Information Systems Control Study Manual, 7th Edition, ISACA, 2020, p. 196.
