Special Summer Sale 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: Board70

CRISC Exam Dumps - Isaca Certification Questions and Answers

Question # 54

Risk mitigation is MOST effective when which of the following is optimized?

Options:

A.

Operational risk

B.

Residual risk

C.

Inherent risk

D.

Regulatory risk

Buy Now
Question # 55

After undertaking a risk assessment of a production system, the MOST appropriate action is fcr the risk manager to

Options:

A.

recommend a program that minimizes the concerns of that production system.

B.

inform the process owner of the concerns and propose measures to reduce them.

C.

inform the IT manager of the concerns and propose measures to reduce them.

D.

inform the development team of the concerns and together formulate risk reduction measures.

Buy Now
Question # 56

A risk practitioner's BEST guidance to help an organization develop relevant risk scenarios is to ensure the scenarios are:

Options:

A.

based on industry trends.

B.

mapped to incident response plans.

C.

related to probable events.

D.

aligned with risk management capabilities.

Buy Now
Question # 57

An organization is measuring the effectiveness of its change management program to reduce the number of unplanned production changes. Which of the following would be the BEST metric to determine if the program is performing as expected?

Options:

A.

Decrease in the time to move changes to production

B.

Ratio of emergency fixes to total changes

C.

Ratio of system changes to total changes

D.

Decrease in number of changes without a fallback plan

Buy Now
Question # 58

An organization has received notification that it is a potential victim of a cybercrime that may have compromised sensitive customer data. What should be The FIRST course of action?

Options:

A.

Invoke the incident response plan.

B.

Determine the business impact.

C.

Conduct a forensic investigation.

D.

Invoke the business continuity plan (BCP).

Buy Now
Question # 59

When a risk practitioner is building a key risk indicator (KRI) from aggregated data, it is CRITICAL that the data is derived from:

Options:

A.

business process owners.

B.

representative data sets.

C.

industry benchmark data.

D.

data automation systems.

Buy Now
Question # 60

Which of the following deficiencies identified during a review of an organization's cybersecurity policy should be of MOST concern?

Options:

A.

The policy lacks specifics on how to secure the organization's systems from cyberattacks.

B.

The policy has gaps against relevant cybersecurity standards and frameworks.

C.

The policy has not been reviewed by the cybersecurity team in over a year.

D.

The policy has not been approved by the organization's board.

Buy Now
Question # 61

Which of the following will BEST help an organization evaluate the control environment of several third-party vendors?

Options:

A.

Review vendors' internal risk assessments covering key risk and controls.

B.

Obtain independent control reports from high-risk vendors.

C.

Review vendors performance metrics on quality and delivery of processes.

D.

Obtain vendor references from third parties.

Buy Now
Question # 62

Which of the following is the BEST indication of an improved risk-aware culture following the implementation of a security awareness training program for all employees?

Options:

A.

A reduction in the number of help desk calls

B.

An increase in the number of identified system flaws

C.

A reduction in the number of user access resets

D.

An increase in the number of incidents reported

Buy Now
Question # 63

Which of the following is the BEST risk management approach for the strategic IT planning process?

Options:

A.

Key performance indicators (KPIs) are established to track IT strategic initiatives.

B.

The IT strategic plan is reviewed by the chief information security officer (CISO) and enterprise risk management (ERM).

C.

The IT strategic plan is developed from the organization-wide risk management plan.

D.

Risk scenarios associated with IT strategic initiatives are identified and assessed.

Buy Now
Question # 64

A risk practitioner is summarizing the results of a high-profile risk assessment sponsored by senior management. The BEST way to support risk-based decisions by senior management would be to:

Options:

A.

map findings to objectives.

B.

provide quantified detailed analysis

C.

recommend risk tolerance thresholds.

D.

quantify key risk indicators (KRls).

Buy Now
Question # 65

Real-time monitoring of security cameras implemented within a retail store is an example of which type of control?

Options:

A.

Preventive

B.

Deterrent

C.

Compensating

D.

Detective

Buy Now
Question # 66

After several security incidents resulting in significant financial losses, IT management has decided to outsource the security function to a third party that provides 24/7 security operation services. Which risk response option has management implemented?

Options:

A.

Risk mitigation

B.

Risk avoidance

C.

Risk acceptance

D.

Risk transfer

Buy Now
Question # 67

Which of the following is the BEST approach when a risk treatment plan cannot be completed on time?

Options:

A.

Implement compensating controls until the preferred action can be completed.

B.

Develop additional key risk indicators (KRIs) until the preferred action can be completed.

C.

Replace the action owner with a more experienced individual.

D.

Change the risk response strategy of the relevant risk to risk avoidance.

Buy Now
Question # 68

Which of the following describes the relationship between risk appetite and risk tolerance?

Options:

A.

Risk appetite is completely independent of risk tolerance.

B.

Risk tolerance is used to determine risk appetite.

C.

Risk appetite and risk tolerance are synonymous.

D.

Risk tolerance may exceed risk appetite.

Buy Now
Question # 69

Which of the following BEST mitigates the risk associated with inadvertent data leakage by users who work remotely?

Options:

A.

Conducting training on the protection of organizational assets

B.

Configuring devices to use virtual IP addresses

C.

Ensuring patching for end-user devices

D.

Providing encrypted access to organizational assets

Buy Now
Question # 70

Which of the following is MOST helpful in identifying new risk exposures due to changes in the business environment?

Options:

A.

Standard operating procedures

B.

SWOT analysis

C.

Industry benchmarking

D.

Control gap analysis

Buy Now
Question # 71

Which of the following BEST enables detection of ethical violations committed by employees?

Options:

A.

Transaction log monitoring

B.

Access control attestation

C.

Periodic job rotation

D.

Whistleblower program

Buy Now
Question # 72

Which of the following is the PRIMARY objective of a risk awareness program?

Options:

A.

To demonstrate senior management support

B.

To enhance organizational risk culture

C.

To increase awareness of risk mitigation controls

D.

To clearly define ownership of risk

Buy Now
Question # 73

Which of the following is the PRIMARY risk management responsibility of the third line of defense?

Options:

A.

Providing assurance of the effectiveness of risk management activities

B.

Providing guidance on the design of effective controls

C.

Providing advisory services on enterprise risk management (ERM)

D.

Providing benchmarking on other organizations' risk management programs

Buy Now
Question # 74

During the creation of an organization's IT risk management program, the BEST time to identify key risk indicators (KRIs) is while:

Options:

A.

Interviewing data owners

B.

Reviewing risk response plans with internal audit

C.

Developing a risk monitoring process

D.

Reviewing an external risk assessment

Buy Now
Question # 75

Which of the following provides the BEST evidence that risk responses are effective?

Options:

A.

Residual risk is within risk tolerance.

B.

Risk with low impact is accepted.

C.

Risk ownership is identified and assigned.

D.

Compliance breaches are addressed in a timely manner.

Buy Now
Question # 76

A large organization needs to report risk at all levels for a new centralized visualization project to reduce cost and improve performance. Which of the following would MOST effectively represent the overall risk of the project to senior management?

Options:

A.

Aggregated key performance indicators (KPls)

B.

Key risk indicators (KRIs)

C.

Centralized risk register

D.

Risk heat map

Buy Now
Question # 77

Which of the following provides The BEST information when determining whether to accept residual risk of a critical system to be implemented?

Options:

A.

Single loss expectancy (SLE)

B.

Cost of the information system

C.

Availability of additional compensating controls

D.

Potential business impacts are within acceptable levels

Buy Now
Question # 78

When determining risk ownership, the MAIN consideration should be:

Options:

A.

who owns the business process.

B.

the amount of residual risk.

C.

who is responsible for risk mitigation.

D.

the total cost of risk treatment.

Buy Now
Question # 79

Which of the following is the MOST effective way to validate organizational awareness of cybersecurity risk?

Options:

A.

Conducting security awareness training

B.

Updating the information security policy

C.

Implementing mock phishing exercises

D.

Requiring two-factor authentication

Buy Now
Question # 80

Which of the following helps ensure compliance with a nonrepudiation policy requirement for electronic transactions?

Options:

A.

Digital signatures

B.

Encrypted passwords

C.

One-time passwords

D.

Digital certificates

Buy Now
Question # 81

Which of the following is the GREATEST concern when using artificial intelligence (AI) language models?

Options:

A.

The model could be hacked or exploited.

B.

The model could be used to generate inaccurate content.

C.

Staff could become overly reliant on the model.

D.

It could lead to biased recommendations.

Buy Now
Question # 82

Which of the following BEST mitigates ethical risk?

Options:

A.

Ethics committees

B.

Contingency scenarios

C.

Awareness of consequences for violations

D.

Routine changes in senior management

Buy Now
Question # 83

IT risk assessments can BEST be used by management:

Options:

A.

for compliance with laws and regulations

B.

as a basis for cost-benefit analysis.

C.

as input for decision-making

D.

to measure organizational success.

Buy Now
Question # 84

Which of the following is the GREATEST benefit of updating the risk register to include outcomes from a risk assessment?

Options:

A.

It maintains evidence of compliance with risk policy.

B.

It facilitates timely risk-based decisions.

C.

It validates the organization's risk appetite.

D.

It helps to mitigate internal and external risk factors.

Buy Now
Question # 85

Which of the following roles should be assigned accountability for monitoring risk levels?

Options:

A.

Risk practitioner

B.

Business manager

C.

Risk owner

D.

Control owner

Buy Now
Question # 86

A MAJOR advantage of using key risk indicators (KRIs) is that they:

Options:

A.

Identify scenarios that exceed defined risk appetite.

B.

Help with internal control assessments concerning risk appetite.

C.

Assess risk scenarios that exceed defined thresholds.

D.

Identify when risk exceeds defined thresholds.

Buy Now
Question # 87

A risk heat map is MOST commonly used as part of an IT risk analysis to facilitate risk:

Options:

A.

communication

B.

identification.

C.

treatment.

D.

assessment.

Buy Now
Question # 88

Which of the following activities should only be performed by the third line of defense?

Options:

A.

Operating controls for risk mitigation

B.

Testing the effectiveness and efficiency of internal controls

C.

Providing assurance on risk management processes

D.

Recommending risk treatment options

Buy Now
Question # 89

Which of the following presents the GREATEST challenge for an IT risk practitioner who wants to report on trends in historical IT risk levels?

Options:

A.

Qualitative measures for potential loss events

B.

Changes in owners for identified IT risk scenarios

C.

Changes in methods used to calculate probability

D.

Frequent use of risk acceptance as a treatment option

Buy Now
Question # 90

Which of the following would be the BEST recommendation if the level of risk in the IT risk profile has decreased and is now below management's risk appetite?

Options:

A.

Optimize the control environment.

B.

Realign risk appetite to the current risk level.

C.

Decrease the number of related risk scenarios.

D.

Reduce the risk management budget.

Buy Now
Question # 91

A risk practitioner observes that hardware failure incidents have been increasing over the last few months. However, due to built-in redundancy and fault-tolerant architecture, there have been no interruptions to business operations. The risk practitioner should conclude that:

Options:

A.

a root cause analysis is required

B.

controls are effective for ensuring continuity

C.

hardware needs to be upgraded

D.

no action is required as there was no impact

Buy Now
Question # 92

A risk practitioner is assisting with the preparation of a report on the organization s disaster recovery (DR) capabilities. Which information would have the MOST impact on the overall recovery profile?

Options:

A.

The percentage of systems meeting recovery target times has increased.

B.

The number of systems tested in the last year has increased.

C.

The number of systems requiring a recovery plan has increased.

D.

The percentage of systems with long recovery target times has decreased.

Buy Now
Question # 93

Which of the following is the GREATEST concern when using a generic set of IT risk scenarios for risk analysis?

Options:

A.

Quantitative analysis might not be possible.

B.

Risk factors might not be relevant to the organization

C.

Implementation costs might increase.

D.

Inherent risk might not be considered.

Buy Now
Question # 94

The BEST metric to monitor the risk associated with changes deployed to production is the percentage of:

Options:

A.

changes due to emergencies.

B.

changes that cause incidents.

C.

changes not requiring user acceptance testing.

D.

personnel that have rights to make changes in production.

Buy Now
Question # 95

Which of the following provides the MOST useful information when developing a risk profile for management approval?

Options:

A.

Residual risk and risk appetite

B.

Strength of detective and preventative controls

C.

Effectiveness and efficiency of controls

D.

Inherent risk and risk tolerance

Buy Now
Question # 96

A risk practitioner has received an updated enterprise risk management (ERM) report showing that residual risk is now within the organization's defined appetite and tolerance levels. Which of the following is the risk practitioner's BEST course of action?

Options:

A.

Identify new risk entries to include in ERM.

B.

Remove the risk entries from the ERM register.

C.

Re-perform the risk assessment to confirm results.

D.

Verify the adequacy of risk monitoring plans.

Buy Now
Question # 97

Which of the following is MOST helpful when determining whether a system security control is effective?

Options:

A.

Control standard operating procedures

B.

Latest security assessment

C.

Current security threat report

D.

Updated risk register

Buy Now
Question # 98

Which of the following is the BEST way to quantify the likelihood of risk materialization?

Options:

A.

Balanced scorecard

B.

Threat and vulnerability assessment

C.

Compliance assessments

D.

Business impact analysis (BIA)

Buy Now
Question # 99

Which of the following is the PRIMARY reason for a risk practitioner to use global standards related to risk management?

Options:

A.

To build an organizational risk-aware culture

B.

To continuously improve risk management processes

C.

To comply with legal and regulatory requirements

D.

To identify gaps in risk management practices

Buy Now
Question # 100

The software version of an enterprise's critical business application has reached end-of-life and is no longer supported by the vendor. IT has decided to develop an in-house replacement application. Which of the following should be the PRIMARY concern?

Options:

A.

The system documentation is not available.

B.

Enterprise risk management (ERM) has not approved the decision.

C.

The board of directors has not approved the decision.

D.

The business process owner is not an active participant.

Buy Now
Question # 101

Which of the following is the BEST way for a risk practitioner to help management prioritize risk response?

Options:

A.

Align business objectives to the risk profile.

B.

Assess risk against business objectives

C.

Implement an organization-specific risk taxonomy.

D.

Explain risk details to management.

Buy Now
Question # 102

During which phase of the system development life cycle (SDLC) should information security requirements for the implementation of a new IT system be defined?

Options:

A.

Monitoring

B.

Development

C.

Implementation

D.

Initiation

Buy Now
Question # 103

Which of the following is the GREATEST benefit for an organization with a strong risk awareness culture?

Options:

A.

Reducing the involvement by senior management

B.

Using more risk specialists

C.

Reducing the need for risk policies and guidelines

D.

Discussing and managing risk as a team

Buy Now
Exam Code: CRISC
Exam Name: Certified in Risk and Information Systems Control
Last Update: Apr 2, 2025
Questions: 1575
CRISC pdf

CRISC PDF

$25.5  $84.99
CRISC Engine

CRISC Testing Engine

$28.5  $94.99
CRISC PDF + Engine

CRISC PDF + Testing Engine

$40.5  $134.99