The correct option is Select and apply controls that align with the charity risk assessment.

Selecting controls based on the charity risk assessment ensures limited funds and staff are focused on mitigating the most likely and highest impact risks. A risk informed approach lets the organization tailor NIST Special Publication 800 53 controls to its size and mission and provide documented rationale for implemented and omitted controls.

This approach supports mapping identified risks to specific controls and evaluating cost and effectiveness so the charity can implement the most valuable protections first and plan for additional controls as resources allow.

Leverage managed security services from a cloud provider is not the best choice because outsourcing can be part of a mitigation strategy but it is not a method for choosing which controls to implement. The charity still needs a risk assessment to determine which services to consume and to understand any remaining responsibilities and residual risks.

Implement only controls that are required by regulators or funders is incorrect because meeting only external mandates may leave important risks unaddressed. Regulatory or funder requirements may not cover the charity specific threats and a risk assessment will identify additional priorities that matter to the organization.

Deploy only the security controls that are easiest to put in place is incorrect because ease of implementation does not equal effectiveness. Prioritizing simple controls over those that address the highest risks can leave critical vulnerabilities exposed and waste scarce resources on low impact activities.

Full AWS Practitioner Certification Question