The correct answer is D because inherent risk is assessed before considering additional controls. For a cloud service provider, the SLA helps define the nature of the service, expected availability, responsibilities, dependencies, and service commitments. These elements help determine the exposure created by using the provider. The uploaded CRISC notes support this by stating that the greatest risk when engaging a cloud provider is an ambiguous SLA and that SLAs address threats such as financial losses from service interruption.
A CASB is a security tool/control used to track cloud use, reveal noncompliance, and help secure data, so it is more relevant to monitoring or mitigation than to determining inherent risk. ISACA describes CASBs as tools for tracking authorized and unauthorized cloud application use, revealing possible regulatory noncompliance, and helping secure cloud data.
C, cloud service attestation, is useful for assurance over the provider’s control environment, but that relates more to control assurance and to current or residual risk than to inherent risk. ISACA notes that third-party risk management may involve evidence such as SOC reports, ISO 27001, and other attestation reports, but these are used as evidence of controls and compliance.
===========