The correct next step is to proceed only after the business owner formally accepts the remaining risk in writing. This is because the exhibit shows a residual risk rating of 'Medium' after the vendor's SOC report was reviewed, meaning that even after controls were applied, some risk remains. In the Security+ SY0-701 risk management framework, the business owner is the designated risk owner who must formally accept any residual risk before a system goes live, as they are ultimately accountable for the business impact. Proceeding without documented acceptance violates the principle of residual risk acceptance and could lead to unapproved exposure. On the exam, this concept tests your understanding of risk ownership and the formal sign-off process—a common trap is assuming the IT team or security officer can approve the go-live, but only the business owner has the authority to accept residual risk. Memory tip: think “Owner signs, system shines”—the business owner’s signature is the final gate before launch.
SY0-701 Security Program Management and Oversight Practice Question
This SY0-701 practice question tests your understanding of security program management and oversight. Read the scenario carefully and evaluate each option against the stated constraints before committing to an answer. A key principle to apply: residual risk is the risk remaining after controls are implemented. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.
Exhibit
Risk register excerpt:
- Third-party service: CampaignInsight SaaS
- Data stored: Campaign names, business contact emails, and campaign performance metrics
- Known gaps: No customer-managed encryption keys, SOC report is current but lists two low-severity findings, and the vendor cannot support custom log export this quarter
- Compensating controls: SSO, SCIM deprovisioning, monthly access review, and export restrictions
- Business impact if delayed: Launch slips by 45 days and a contract penalty may apply
- Residual risk rating after controls: Medium
Based on the exhibit, what is the best next step before the marketing SaaS platform goes live?
Clue words in this question
Noticing these words before you look at the options changes how you read each choice.
Clue: "best"
Why it matters: Signals that multiple options may be partially correct. Choose the option that most directly solves the exact problem described, not the one that sounds most complete.
A. Proceed only after the business owner formally accepts the remaining risk in writing.
Why correct: The exhibit already shows compensating controls and a measured residual risk rating. When the remaining risk is understood and the business impact of delay is significant, the proper next step is a formal acceptance by the appropriate risk owner. That creates accountability and preserves an auditable record of the decision.
B. Ignore the residual risk because the vendor has a current SOC report.
Why wrong: A current SOC report helps, but it does not eliminate all risk. Residual risk still exists because the service lacks some desired controls and custom log export is unavailable.
C. Require the security team to approve the launch verbally so the project does not slow down.
Why wrong: Verbal approval is not a sufficient risk acceptance control. It creates weak accountability and no durable evidence that the business understood the tradeoff.
D. Cancel the contract immediately because any medium risk rating is unacceptable.
Why wrong: Medium risk is not automatically a stop condition. The correct response is to evaluate the business need, compensating controls, and whether a formal acceptance is justified.
Correct answer & explanation
✓ Proceed only after the business owner formally accepts the remaining risk in writing.
The exhibit shows a residual risk rating of 'Medium' after the vendor's SOC report was reviewed. In the SY0-701 risk management framework, the business owner is the risk owner who must formally accept any residual risk before a system goes live, as they are accountable for the business impact. Proceeding without documented acceptance violates the principle of risk acceptance and could lead to unapproved exposure.
Key principle: Residual risk is the risk remaining after controls are implemented.
Answer analysis
Option-by-option breakdown
For each option: why learners choose it and why it is or isn't the right answer here.
✓ Proceed only after the business owner formally accepts the remaining risk in writing.
Why this is correct
The exhibit already shows compensating controls and a measured residual risk rating. When the remaining risk is understood and the business impact of delay is significant, the proper next step is a formal acceptance by the appropriate risk owner. That creates accountability and preserves an auditable record of the decision.
Clue confirmation
The clue word "best" in the question points toward this answer.
Related concept
Residual risk is the risk remaining after controls are implemented.
✗ Ignore the residual risk because the vendor has a current SOC report.
Why it's wrong here
A current SOC report helps, but it does not eliminate all risk. Residual risk still exists because the service lacks some desired controls and custom log export is unavailable.
✗ Require the security team to approve the launch verbally so the project does not slow down.
Why it's wrong here
Verbal approval is not a sufficient risk acceptance control. It creates weak accountability and no durable evidence that the business understood the tradeoff.
✗ Cancel the contract immediately because any medium risk rating is unacceptable.
Why it's wrong here
Medium risk is not automatically a stop condition. The correct response is to evaluate the business need, compensating controls, and whether a formal acceptance is justified.
Common exam traps
Common exam trap: answer the scenario, not the keyword
The trap here is that candidates assume a vendor SOC report fully transfers risk to the vendor, but CompTIA emphasizes that residual risk always remains and must be formally accepted by the business owner, not just the security team.
Detailed technical explanation
How to think about this question
Risk acceptance is a formal, documented decision by the risk owner (typically the business owner) to acknowledge the residual risk and proceed. This is often recorded in a risk register with a sign-off date, and it triggers ongoing monitoring. In real-world scenarios, failing to obtain written acceptance can lead to audit findings, regulatory penalties, or liability if the residual risk materializes into a breach.
Key Concepts to Remember
Residual risk is the risk remaining after controls are implemented.
Formal risk acceptance is a documented decision by a risk owner.
Risk acceptance balances security with business objectives.
Written acceptance provides accountability and an audit trail.
Exam Day Tips
- Watch for words such as best, first, most likely, and least administrative effort.
- Review why wrong options are wrong, not only why the correct option is correct.
Key takeaway
Residual risk is the risk remaining after controls are implemented.
Real-world example
How this comes up in practice
A security analyst at a medium-sized enterprise encounters this scenario during an investigation or architecture review. The correct answer reflects best practice for the specific threat or control described. Residual risk is the risk remaining after controls are implemented. Security exam questions test whether you can match controls to threats in context — not just recall definitions.
Related glossary terms
Concepts from this question explained
These glossary pages explain the core terms tested in this SY0-701 question in full detail.
Review the principle that residual risk is the risk remaining after controls are implemented, then practise related SY0-701 questions on the same topic to reinforce the concept.
Security Program Management and Oversight: this question tests the concept that residual risk is the risk remaining after controls are implemented.
What is the correct answer to this question?
The correct answer is: Proceed only after the business owner formally accepts the remaining risk in writing. — The exhibit shows a residual risk rating of 'Medium' after the vendor's SOC report was reviewed. In the SY0-701 risk management framework, the business owner is the risk owner who must formally accept any residual risk before a system goes live, as they are accountable for the business impact. Proceeding without documented acceptance violates the principle of risk acceptance and could lead to unapproved exposure.
What should I do if I get this SY0-701 question wrong?
Review the principle that residual risk is the risk remaining after controls are implemented, then practise related SY0-701 questions on the same topic to reinforce the concept.
Are there clue words in this question I should notice?
Yes — watch for: "best". Signals that multiple options may be partially correct. Choose the option that most directly solves the exact problem described, not the one that sounds most complete.
What is the key concept behind this question?
Residual risk is the risk remaining after controls are implemented.
About these practice questions
Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content.
These questions test the same concept from different angles. Work through them to make sure you can recognise it however the exam phrases it.
Variation 1. Based on the exhibit, what is the best next step before onboarding the vendor?
medium
A. Approve the vendor because it already passed a penetration test.
✓ B. Require a security addendum with breach-notification timing, subprocessor approval, and audit rights.
C. Ask the vendor to provide source code so developers can review it.
D. Move the workload to an internal shared drive until the vendor is ready.
Why B: The exhibit indicates the vendor has not yet provided a security addendum, which is a critical contractual document that defines security obligations such as breach-notification timing, subprocessor approval, and audit rights. Without this addendum, the organization lacks enforceable guarantees for data protection and incident response, making onboarding premature. Option B directly addresses this gap by requiring the addendum before proceeding.
Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.
This SY0-701 practice question is part of Courseiva's free CompTIA certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the SY0-701 exam.