Exam CRISC topic 1 question 598 discussion

Actual exam question from ISACA's CRISC
Question #: 598
Topic #: 1

Who should be accountable for ensuring effective cybersecurity controls are established?

  • A. Security management function
  • B. Enterprise risk function
  • C. Risk owner
  • D. IT management
Suggested Answer: C

Comments

mozzie22
11 months ago
C Risk Owner - the key word here is "Accountable"
upvoted 1 times
...
Staanlee
1 year, 4 months ago
Selected Answer: A
A. Security management function. The accountability for ensuring effective cybersecurity controls are established typically lies with the "A. Security management function." This function is responsible for overseeing the organization's cybersecurity strategy, policies, and controls. They ensure that appropriate security measures are in place to protect the organization's information assets from cyber threats. While the other options (enterprise risk function, risk owner, IT management) may play roles in the overall cybersecurity effort, the primary accountability for cybersecurity control establishment usually rests with the security management function.
upvoted 1 times
...
CbtL
1 year, 9 months ago
Selected Answer: C
Agree it is C. The question is about accountability, so the risk owner. The other options are more on the responsibility side of the equation.
upvoted 1 times
...
naifitno
1 year, 10 months ago
Selected Answer: A
The risk owner also has a responsibility to ensure effective cybersecurity controls are established, but this is typically only within the scope of their specific area of responsibility or risk. For example, a risk owner might be responsible for ensuring that a particular system or application is secure and that appropriate controls are in place to protect it. However, they may not have the authority or expertise to establish cybersecurity controls across the entire organization. The security management function, on the other hand, is responsible for the overall cybersecurity posture of the organization, including the development and implementation of controls that address risks across the enterprise. Therefore, while the risk owner has an important role to play in cybersecurity, they are not typically the primary party responsible for ensuring effective cybersecurity controls are established.
upvoted 1 times
Koulyo
1 year, 9 months ago
q is on accountability and not responsibility.
upvoted 1 times
...
...
john_boogieman
1 year, 10 months ago
Selected Answer: C
Agree.
upvoted 2 times
...
aki
1 year, 10 months ago
why not A?
upvoted 1 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other