Exam CRISC topic 1 question 468 discussion

I agree it should be D.

D. According to ISACA, when an organization outsources its IT security management function to an external service provider, the service provider’s IT security function is the best party to own the IT security controls under this arrangement. The service provider’s IT security function should be responsible for ensuring that the organization’s IT security controls are implemented and maintained in accordance with the agreed-upon service level agreements (SLAs) .

According to ISACA, when an organization outsources its IT security management function to an external service provider, the service provider’s IT security function is the best party to own the IT security controls under this arrangement. The service provider’s IT security function should be responsible for ensuring that the organization’s IT security controls are implemented and maintained in accordance with the agreed-upon service level agreements (SLAs) .

A. organization's risk function Even when an organization outsources its IT security management function, the ultimate responsibility for the organization's security posture remains with the organization itself. The service provider can be in charge of day-to-day management, but the organization's risk function should own the IT security controls. This is because the risk function understands the organization's risk tolerance and business objectives, and therefore is best positioned to ensure the controls meet these requirements. Even if the service provider implements, manages, or monitors controls, it's the organization's responsibility to ensure they are adequate and functioning correctly. Outsourcing security functions doesn't relieve the organization of the responsibility for its own security.

The IT Security function should be separate from the main IT function. The third party should not own the control as in this case they are the control, as it were. Leaves A.

Sorry, I rectify by 'A'. The risk function is responsible for identifying and managing risks that could impact the organization's business objectives. It has a broader view of the organization's risk landscape and is best positioned to oversee the IT security controls that are in place to mitigate those risks. Additionally, the risk function typically has the authority to make decisions that affect the organization's risk posture and can ensure that the IT security controls implemented by the external service provider are aligned with the organization's overall risk management strategy.

C. The Organization IT Management will own the security controls. The outsourcing was done for the security management.

Why not C. organization's IT management

I g will go for C

why not D?