The best answer is C. Patch-related risk may not be adequately assessed.
ISACA guidance on emergency changes emphasizes that emergency changes must still be declared, assessed, approved, authorized after the fact, and recorded. The key risk with emergency patching is that urgency can cause insufficient assessment of the patch’s effect on security, stability, compatibility, and business operations. If risk is not adequately assessed, the organization may introduce outages, vulnerabilities, or unintended consequences into production.
Option A is a concern, but incomplete records are generally secondary to poor risk evaluation. Option B may be necessary operationally and can be controlled. Option D is less compelling because ISACA’s guidance recognizes that emergency changes may receive preliminary approval and retroactive authorization. The key issue is therefore not the absence of standard documented approvals upfront, but whether the change is properly controlled and assessed.
Therefore, the correct answer is C, because inadequate risk assessment is the most serious concern when applying emergency patches.
References (Official ISACA):
ISACA, Improving the RFP and Contracts Process With COBIT 5 — emergency changes should be declared, assessed, authorized, and recorded.
ISACA Journal, Speeding Up Software Delivery With Effective Change Management — emergency change procedures should still be run through standard review retrospectively.
ISACA, Protecting SAP Systems in the Cybersecurity Era — patch management should include risk and applicability assessment before deployment.