Special Summer Sale 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: Board70

CRISC Exam Dumps - Isaca Certification Questions and Answers

Question # 254

Which of the following is the MAIN reason to continuously monitor IT-related risk?

Options:

A.

To redefine the risk appetite and risk tolerance levels based on changes in risk factors

B.

To update the risk register to reflect changes in levels of identified and new IT-related risk

C.

To ensure risk levels are within acceptable limits of the organization's risk appetite and risk tolerance

D.

To help identify root causes of incidents and recommend suitable long-term solutions

Buy Now
Question # 255

Which of the following is the MOST important consideration when developing an organization's risk taxonomy?

Options:

A.

Leading industry frameworks

B.

Business context

C.

Regulatory requirements

D.

IT strategy

Buy Now
Question # 256

Which of the following is the MOST important outcome of reviewing the risk management process?

Options:

A.

Assuring the risk profile supports the IT objectives

B.

Improving the competencies of employees who performed the review

C.

Determining what changes should be made to IS policies to reduce risk

D.

Determining that procedures used in risk assessment are appropriate

Buy Now
Question # 257

Which of the following is the MOST important consideration for prioritizing risk treatment plans when faced with budget limitations?

Options:

A.

Inherent risk and likelihood

B.

Management action plans associated with audit findings

C.

Residual risk relative to appetite and tolerance

D.

Key risk indicator (KRI) trends

Buy Now
Question # 258

Which of the following will BEST quantify the risk associated with malicious users in an organization?

Options:

A.

Business impact analysis

B.

Risk analysis

C.

Threat risk assessment

D.

Vulnerability assessment

Buy Now
Question # 259

An organization has identified a risk exposure due to weak technical controls in a newly implemented HR system. The risk practitioner is documenting the risk in the risk register. The risk should be owned by the:

Options:

A.

chief risk officer.

B.

project manager.

C.

chief information officer.

D.

business process owner.

Buy Now
Question # 260

Management has noticed storage costs have increased exponentially over the last 10 years because most users do not delete their emails. Which of the following can BEST alleviate this issue while not sacrificing security?

Options:

A.

Implementing record retention tools and techniques

B.

Establishing e-discovery and data loss prevention (DLP)

C.

Sending notifications when near storage quota

D.

Implementing a bring your own device 1BVOD) policy

Buy Now
Question # 261

To implement the MOST effective monitoring of key risk indicators (KRIs), which of the following needs to be in place?

Options:

A.

Threshold definition

B.

Escalation procedures

C.

Automated data feed

D.

Controls monitoring

Buy Now
Question # 262

A risk heat map is MOST commonly used as part of an IT risk analysis to facilitate risk:

Options:

A.

identification.

B.

treatment.

C.

communication.

D.

assessment

Buy Now
Question # 263

An organization that has been the subject of multiple social engineering attacks is developing a risk awareness program. The PRIMARY goal of this program should be to:

Options:

A.

reduce the risk to an acceptable level.

B.

communicate the consequences for violations.

C.

implement industry best practices.

D.

reduce the organization's risk appetite

Buy Now
Question # 264

The PRIMARY reason a risk practitioner would be interested in an internal audit report is to:

Options:

A.

plan awareness programs for business managers.

B.

evaluate maturity of the risk management process.

C.

assist in the development of a risk profile.

D.

maintain a risk register based on noncompliance.

Buy Now
Question # 265

Which of the following situations reflects residual risk?

Options:

A.

Risk that is present before risk acceptance has been finalized

B.

Risk that is removed after a risk acceptance has been finalized

C.

Risk that is present before mitigation controls have been applied

D.

Risk that remains after mitigation controls have been applied

Buy Now
Question # 266

Which of the following is the BEST way to identify changes to the risk landscape?

Options:

A.

Internal audit reports

B.

Access reviews

C.

Threat modeling

D.

Root cause analysis

Buy Now
Question # 267

Which of the following would BEST help to ensure that identified risk is efficiently managed?

Options:

A.

Reviewing the maturity of the control environment

B.

Regularly monitoring the project plan

C.

Maintaining a key risk indicator for each asset in the risk register

D.

Periodically reviewing controls per the risk treatment plan

Buy Now
Question # 268

Which of the following is MOST helpful to ensure effective security controls for a cloud service provider?

Options:

A.

A control self-assessment

B.

A third-party security assessment report

C.

Internal audit reports from the vendor

D.

Service level agreement monitoring

Buy Now
Question # 269

A review of an organization s controls has determined its data loss prevention {DLP) system is currently failing to detect outgoing emails containing credit card data. Which of the following would be MOST impacted?

Options:

A.

Key risk indicators (KRls)

B.

Inherent risk

C.

Residual risk

D.

Risk appetite

Buy Now
Question # 270

Which of the following should be the risk practitioner s PRIMARY focus when determining whether controls are adequate to mitigate risk?

Options:

A.

Sensitivity analysis

B.

Level of residual risk

C.

Cost-benefit analysis

D.

Risk appetite

Buy Now
Question # 271

Which of the following is the BEST method to ensure a terminated employee's access to IT systems is revoked upon departure from the organization?

Options:

A.

Login attempts are reconciled to a list of terminated employees.

B.

A list of terminated employees is generated for reconciliation against current IT access.

C.

A process to remove employee access during the exit interview is implemented.

D.

The human resources (HR) system automatically revokes system access.

Buy Now
Question # 272

Which of the following is the MOST important characteristic of an effective risk management program?

Options:

A.

Risk response plans are documented

B.

Controls are mapped to key risk scenarios.

C.

Key risk indicators are defined.

D.

Risk ownership is assigned

Buy Now
Question # 273

Which of the following is the FIRST step in managing the risk associated with the leakage of confidential data?

Options:

A.

Maintain and review the classified data inventor.

B.

Implement mandatory encryption on data

C.

Conduct an awareness program for data owners and users.

D.

Define and implement a data classification policy

Buy Now
Question # 274

Which of the following BEST helps to identify significant events that could impact an organization?

Options:

A.

Control analysis

B.

Vulnerability analysis

C.

Scenario analysis

D.

Heat map analysis

Buy Now
Question # 275

Before assigning sensitivity levels to information it is MOST important to:

Options:

A.

define recovery time objectives (RTOs).

B.

define the information classification policy

C.

conduct a sensitivity analyse

D.

Identify information custodians

Buy Now
Question # 276

Which of the following is the BEST way for a risk practitioner to present an annual risk management update to the board''

Options:

A.

A summary of risk response plans with validation results

B.

A report with control environment assessment results

C.

A dashboard summarizing key risk indicators (KRIs)

D.

A summary of IT risk scenarios with business cases

Buy Now
Question # 277

An organization has made a decision to purchase a new IT system. During when phase of the system development life cycle (SDLC) will identified risk MOST likely lead to architecture and design trade-offs?

Options:

A.

Acquisition

B.

Implementation

C.

Initiation

D.

Operation and maintenance

Buy Now
Question # 278

When developing a response plan to address security incidents regarding sensitive data loss, it is MOST important

Options:

A.

revalidate current key risk indicators (KRIs).

B.

revise risk management procedures.

C.

review the data classification policy.

D.

revalidate existing risk scenarios.

Buy Now
Question # 279

Senior management wants to increase investment in the organization's cybersecurity program in response to changes in the external threat landscape. Which of the following would BEST help to prioritize investment efforts?

Options:

A.

Analyzing cyber intelligence reports

B.

Engaging independent cybersecurity consultants

C.

Increasing the frequency of updates to the risk register

D.

Reviewing the outcome of the latest security risk assessment

Buy Now
Question # 280

An organization has decided to commit to a business activity with the knowledge that the risk exposure is higher than the risk appetite. Which of the following is the risk practitioner's MOST important action related to this decision?

Options:

A.

Recommend risk remediation

B.

Change the level of risk appetite

C.

Document formal acceptance of the risk

D.

Reject the business initiative

Buy Now
Question # 281

After the implementation of internal of Things (IoT) devices, new risk scenarios were identified. What is the PRIMARY reason to report this information to risk owners?

Options:

A.

To reevaluate continued use to IoT devices

B.

The add new controls to mitigate the risk

C.

The recommend changes to the IoT policy

D.

To confirm the impact to the risk profile

Buy Now
Question # 282

Which of the following should be the PRIMARY basis for prioritizing risk responses?

Options:

A.

The impact of the risk

B.

The replacement cost of the business asset

C.

The cost of risk mitigation controls

D.

The classification of the business asset

Buy Now
Question # 283

Which of the following BEST enables risk-based decision making in support of a business continuity plan (BCP)?

Options:

A.

Impact analysis

B.

Control analysis

C.

Root cause analysis

D.

Threat analysis

Buy Now
Question # 284

An organization has experienced a cyber-attack that exposed customer personally identifiable information (Pll) and caused extended outages of network services. Which of the following stakeholders are MOST important to include in the cyber response team to determine response actions?

Options:

A.

Security control owners based on control failures

B.

Cyber risk remediation plan owners

C.

Risk owners based on risk impact

D.

Enterprise risk management (ERM) team

Buy Now
Question # 285

A risk practitioner has collaborated with subject matter experts from the IT department to develop a large list of potential key risk indicators (KRIs) for all IT operations within theorganization of the following, who should review the completed list and select the appropriate KRIs for implementation?

Options:

A.

IT security managers

B.

IT control owners

C.

IT auditors

D.

IT risk owners

Buy Now
Question # 286

An organization's business gap analysis reveals the need for a robust IT risk strategy. Which of the following should be the risk practitioner's PRIMARY consideration when participating in development of the new strategy?

Options:

A.

Scale of technology

B.

Risk indicators

C.

Risk culture

D.

Proposed risk budget

Buy Now
Question # 287

An organization has asked an IT risk practitioner to conduct an operational risk assessment on an initiative to outsource the organization's customer service operations overseas. Which of the following would MOST significantly impact management's decision?

Options:

A.

Time zone difference of the outsourcing location

B.

Ongoing financial viability of the outsourcing company

C.

Cross-border information transfer restrictions in the outsourcing country

D.

Historical network latency between the organization and outsourcing location

Buy Now
Question # 288

Which stakeholder is MOST important to include when defining a risk profile during me selection process for a new third party application'?

Options:

A.

The third-party risk manager

B.

The application vendor

C.

The business process owner

D.

The information security manager

Buy Now
Question # 289

An organization is adopting block chain for a new financial system. Which of the following should be the GREATEST concern for a risk practitioner evaluating the system's production readiness?

Options:

A.

Limited organizational knowledge of the underlying technology

B.

Lack of commercial software support

C.

Varying costs related to implementation and maintenance

D.

Slow adoption of the technology across the financial industry

Buy Now
Question # 290

The PRIMARY objective of collecting information and reviewing documentation when performing periodic risk analysis should be to:

Options:

A.

Identify new or emerging risk issues.

B.

Satisfy audit requirements.

C.

Survey and analyze historical risk data.

D.

Understand internal and external threat agents.

Buy Now
Question # 291

Which of the following is the BEST way to help ensure risk will be managed properly after a business process has been re-engineered?

Options:

A.

Reassessing control effectiveness of the process

B.

Conducting a post-implementation review to determine lessons learned

C.

Reporting key performance indicators (KPIs) for core processes

D.

Establishing escalation procedures for anomaly events

Buy Now
Question # 292

Which of the following BEST enables effective IT control implementation?

Options:

A.

Key risk indicators (KRIs)

B.

Documented procedures

C.

Information security policies

D.

Information security standards

Buy Now
Question # 293

Which of the following is a risk practitioner's MOST important responsibility in managing risk acceptance that exceeds risk tolerance?

Options:

A.

Verify authorization by senior management.

B.

Increase the risk appetite to align with the current risk level

C.

Ensure the acceptance is set to expire over lime

D.

Update the risk response in the risk register.

Buy Now
Question # 294

During a risk assessment, a key external technology supplier refuses to provide control design and effectiveness information, citing confidentiality concerns. What should the risk practitioner do NEXT?

Options:

A.

Escalate the non-cooperation to management

B.

Exclude applicable controls from the assessment.

C.

Review the supplier's contractual obligations.

D.

Request risk acceptance from the business process owner.

Buy Now
Question # 295

Which of the following BEST balances the costs and benefits of managing IT risk*?

Options:

A.

Prioritizing and addressing risk in line with risk appetite. Eliminating risk through preventive and detective controls

B.

Considering risk that can be shared with a third party

C.

Evaluating the probability and impact of risk scenarios

Buy Now
Question # 296

Which of the following BEST enables a risk practitioner to understand management's approach to organizational risk?

Options:

A.

Organizational structure and job descriptions

B.

Risk appetite and risk tolerance

C.

Industry best practices for risk management

D.

Prior year's risk assessment results

Buy Now
Question # 297

A recent vulnerability assessment of a web-facing application revealed several weaknesses. Which of the following should be done NEXT to determine the risk exposure?

Options:

A.

Code review

B.

Penetration test

C.

Gap assessment

D.

Business impact analysis (BIA)

Buy Now
Question # 298

Senior management is deciding whether to share confidential data with the organization's business partners. The BEST course of action for a risk practitioner would be to submit a report to senior management containing the:

Options:

A.

possible risk and suggested mitigation plans.

B.

design of controls to encrypt the data to be shared.

C.

project plan for classification of the data.

D.

summary of data protection and privacy legislation.

Buy Now
Question # 299

A risk practitioner has identified that the agreed recovery time objective (RTO) with a Software as a Service (SaaS) provider is longer than the business expectation. Which of the following is the risk practitioner's BEST course of action?

Options:

A.

Collaborate with the risk owner to determine the risk response plan.

B.

Document the gap in the risk register and report to senior management.

C.

Include a right to audit clause in the service provider contract.

D.

Advise the risk owner to accept the risk.

Buy Now
Question # 300

Which of the following is the BEST way to ensure data is properly sanitized while in cloud storage?

Options:

A.

Deleting the data from the file system

B.

Cryptographically scrambling the data

C.

Formatting the cloud storage at the block level

D.

Degaussing the cloud storage media

Buy Now
Question # 301

Which of the following is the PRIMARY objective of establishing an organization's risk tolerance and appetite?

Options:

A.

To align with board reporting requirements

B.

To assist management in decision making

C.

To create organization-wide risk awareness

D.

To minimize risk mitigation efforts

Buy Now
Question # 302

What should be the PRIMARY consideration related to data privacy protection when there are plans for a business initiative to make use of personal information?

Options:

A.

Do not collect or retain data that is not needed.

B.

Redact data where possible.

C.

Limit access to the personal data.

D.

Ensure all data is encrypted at rest and during transit.

Buy Now
Question # 303

A bank recently incorporated Blockchain technology with the potential to impact known risk within the organization. Which of the following is the risk practitioner’s BEST course of action?

Options:

A.

Determine whether risk responses are still adequate.

B.

Analyze and update control assessments with the new processes.

C.

Analyze the risk and update the risk register as needed.

D.

Conduct testing of the control that mitigate the existing risk.

Buy Now
Exam Code: CRISC
Exam Name: Certified in Risk and Information Systems Control
Last Update: Apr 2, 2025
Questions: 1575
CRISC pdf

CRISC PDF

$25.5  $84.99
CRISC Engine

CRISC Testing Engine

$28.5  $94.99
CRISC PDF + Engine

CRISC PDF + Testing Engine

$40.5  $134.99