Weekend Sale 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: Board70

CRISC Exam Dumps - Isaca Certification Questions and Answers

Question # 304

Which of the following provides the MOST reliable evidence of a control's effectiveness?

Options:

A.

A risk and control self-assessment

B.

Senior management's attestation

C.

A system-generated testing report

D.

detailed process walk-through

Buy Now
Question # 305

When of the following standard operating procedure (SOP) statements BEST illustrates appropriate risk register maintenance?

Options:

A.

Remove risk that has been mitigated by third-party transfer

B.

Remove risk that management has decided to accept

C.

Remove risk only following a significant change in the risk environment

D.

Remove risk when mitigation results in residual risk within tolerance levels

Buy Now
Question # 306

Which of the following is MOST important to update when an organization's risk appetite changes?

Options:

A.

Key risk indicators (KRIs)

B.

Risk reporting methodology

C.

Key performance indicators (KPIs)

D.

Risk taxonomy

Buy Now
Question # 307

Which of the following is the GREATEST benefit of a three lines of defense structure?

Options:

A.

An effective risk culture that empowers employees to report risk

B.

Effective segregation of duties to prevent internal fraud

C.

Clear accountability for risk management processes

D.

Improved effectiveness and efficiency of business operations

Buy Now
Question # 308

An organization is implementing robotic process automation (RPA) to streamline business processes. Given that implementation of this technology is expected to impact existing controls, which of the following is the risk practitioner's BEST course of action?

Options:

A.

Reassess whether mitigating controls address the known risk in the processes.

B.

Update processes to address the new technology.

C.

Update the data governance policy to address the new technology.

D.

Perform a gap analysis of the impacted processes.

Buy Now
Question # 309

When establishing an enterprise IT risk management program, it is MOST important to:

Options:

A.

review alignment with the organizations strategy.

B.

understand the organization's information security policy.

C.

validate the organization's data classification scheme.

D.

report identified IT risk scenarios to senior management.

Buy Now
Question # 310

A risk practitioner observed Vial a high number of pokey exceptions were approved by senior management. Which of the following is the risk practitioner’s BEST course of action to determine root cause?

Options:

A.

Review the risk profile

B.

Review pokey change history

C.

interview the control owner

D.

Perform control testing

Buy Now
Question # 311

Who is MOST appropriate to be assigned ownership of a control

Options:

A.

The individual responsible for control operation

B.

The individual informed of the control effectiveness

C.

The individual responsible for resting the control

D.

The individual accountable for monitoring control effectiveness

Buy Now
Question # 312

Which of the following is PRIMARILY a risk management responsibly of the first line of defense?

Options:

A.

Implementing risk treatment plans

B.

Validating the status of risk mitigation efforts

C.

Establishing risk policies and standards

D.

Conducting independent reviews of risk assessment results

Buy Now
Question # 313

Which of the following is the BEST way to ensure adequate resources will be allocated to manage identified risk?

Options:

A.

Prioritizing risk within each business unit

B.

Reviewing risk ranking methodology

C.

Promoting an organizational culture of risk awareness

D.

Assigning risk ownership to appropriate roles

Buy Now
Question # 314

Which of the following is MOST helpful to understand the consequences of an IT risk event?

Options:

A.

Fault tree analysis

B.

Historical trend analysis

C.

Root cause analysis

D.

Business impact analysis (BIA)

Buy Now
Question # 315

Which of the following resources is MOST helpful to a risk practitioner when updating the likelihood rating in the risk register?

Options:

A.

Risk control assessment

B.

Audit reports with risk ratings

C.

Penetration test results

D.

Business impact analysis (BIA)

Buy Now
Question # 316

An organization's chief information officer (CIO) has proposed investing in a new. untested technology to take advantage of being first to market Senior management has concerns about the success of the project and has set a limit for expenditures before final approval. This conditional approval indicates the organization's risk:

Options:

A.

capacity.

B.

appetite.

C.

management capability.

D.

treatment strategy.

Buy Now
Question # 317

Which of The following BEST represents the desired risk posture for an organization?

Options:

A.

Inherent risk is lower than risk tolerance.

B.

Operational risk is higher than risk tolerance.

C.

Accepted risk is higher than risk tolerance.

D.

Residual risk is lower than risk tolerance.

Buy Now
Question # 318

What is the BEST approach for determining the inherent risk of a scenario when the actual likelihood of the risk is unknown?

Options:

A.

Use the severity rating to calculate risk.

B.

Classify the risk scenario as low-probability.

C.

Use the highest likelihood identified by risk management.

D.

Rely on range-based estimates provided by subject-matter experts.

Buy Now
Question # 319

Who is responsible for IT security controls that are outsourced to an external service provider?

Options:

A.

Organization's information security manager

B.

Organization's risk function

C.

Service provider's IT management

D.

Service provider's information security manager

Buy Now
Question # 320

Which of the following is MOST important for a risk practitioner to consider when evaluating plans for changes to IT services?

Options:

A.

Change testing schedule

B.

Impact assessment of the change

C.

Change communication plan

D.

User acceptance testing (UAT)

Buy Now
Question # 321

An identified high probability risk scenario involving a critical, proprietary business function has an annualized cost of control higher than the annual loss expectancy. Which of the following is the BEST risk response?

Options:

A.

Mitigate

B.

Accept

C.

Transfer

D.

Avoid

Buy Now
Question # 322

Which of the following BEST facilitates the identification of appropriate key performance indicators (KPIs) for a risk management program?

Options:

A.

Reviewing control objectives

B.

Aligning with industry best practices

C.

Consulting risk owners

D.

Evaluating KPIs in accordance with risk appetite

Buy Now
Question # 323

Which of the following is MOST important for mitigating ethical risk when establishing accountability for control ownership?

Options:

A.

Ensuring processes are documented to enable effective control execution

B.

Ensuring regular risk messaging is Included in business communications from leadership

C.

Ensuring schedules and deadlines for control-related deliverables are strictly monitored

D.

Ensuring performance metrics balance business goals with risk appetite

Buy Now
Question # 324

Which of the following management action will MOST likely change the likelihood rating of a risk scenario related to remote network access?

Options:

A.

Updating the organizational policy for remote access

B.

Creating metrics to track remote connections

C.

Implementing multi-factor authentication

D.

Updating remote desktop software

Buy Now
Question # 325

Which of the following is the GREATEST benefit of identifying appropriate risk owners?

Options:

A.

Accountability is established for risk treatment decisions

B.

Stakeholders are consulted about risk treatment options

C.

Risk owners are informed of risk treatment options

D.

Responsibility is established for risk treatment decisions.

Buy Now
Question # 326

An organization has agreed to a 99% availability for its online services and will not accept availability that falls below 98.5%. This is an example of:

Options:

A.

risk mitigation.

B.

risk evaluation.

C.

risk appetite.

D.

risk tolerance.

Buy Now
Question # 327

Which of the following would be the GREATEST concern for an IT risk practitioner when an employees.....

Options:

A.

The organization's structure has not been updated

B.

Unnecessary access permissions have not been removed.

C.

Company equipment has not been retained by IT

D.

Job knowledge was not transferred to employees m the former department

Buy Now
Question # 328

What is the MAIN benefit of using a top-down approach to develop risk scenarios?

Options:

A.

It describes risk events specific to technology used by the enterprise.

B.

It establishes the relationship between risk events and organizational objectives.

C.

It uses hypothetical and generic risk events specific to the enterprise.

D.

It helps management and the risk practitioner to refine risk scenarios.

Buy Now
Question # 329

Which of the following is the MAIN benefit to an organization using key risk indicators (KRIs)?

Options:

A.

KRIs assist in the preparation of the organization's risk profile.

B.

KRIs signal that a change in the control environment has occurred.

C.

KRIs provide a basis to set the risk appetite for an organization

D.

KRIs provide an early warning that a risk threshold is about to be reached.

Buy Now
Question # 330

Which of the following is the BEST method to mitigate the risk of an unauthorized employee viewing confidential data in a database''

Options:

A.

Implement role-based access control

B.

Implement a data masking process

C.

Include sanctions in nondisclosure agreements (NDAs)

D.

Install a data loss prevention (DLP) tool

Buy Now
Question # 331

An organization's control environment is MOST effective when:

Options:

A.

controls perform as intended.

B.

controls operate efficiently.

C.

controls are implemented consistent

D.

control designs are reviewed periodically

Buy Now
Question # 332

Which risk response strategy could management apply to both positive and negative risk that has been identified?

Options:

A.

Transfer

B.

Accept

C.

Exploit

D.

Mitigate

Buy Now
Question # 333

it was determined that replication of a critical database used by two business units failed. Which of the following should be of GREATEST concern1?

Options:

A.

The underutilization of the replicated Iink

B.

The cost of recovering the data

C.

The lack of integrity of data

D.

The loss of data confidentiality

Buy Now
Question # 334

A zero-day vulnerability has been discovered in a globally used brand of hardware server that allows hackers to gain

access to affected IT systems. Which of the following is MOST likely to change as a result of this situation?

Options:

A.

Control effectiveness

B.

Risk appetite

C.

Risk likelihood

D.

Key risk indicator (KRI)

Buy Now
Question # 335

An organization has outsourced its backup and recovery procedures to a third-party cloud provider. Which of the following should be the risk practitioner's NEXT course of action?

Options:

A.

Remove the associated risk from the register.

B.

Validate control effectiveness and update the risk register.

C.

Review the contract and service level agreements (SLAs).

D.

Obtain an assurance report from the third-party provider.

Buy Now
Question # 336

An organization has decided to outsource a web application, and customer data will be stored in the vendor's public cloud. To protect customer data, it is MOST important to ensure which of the following?

Options:

A.

The organization's incident response procedures have been updated.

B.

The vendor stores the data in the same jurisdiction.

C.

Administrative access is only held by the vendor.

D.

The vendor's responsibilities are defined in the contract.

Buy Now
Question # 337

Which of the following is MOST important for an organization that wants to reduce IT operational risk?

Options:

A.

Increasing senior management's understanding of IT operations

B.

Increasing the frequency of data backups

C.

Minimizing complexity of IT infrastructure

D.

Decentralizing IT infrastructure

Buy Now
Question # 338

A cote data center went offline abruptly for several hours affecting many transactions across multiple locations. Which of the to" owing would provide the MOST useful information to determine mitigating controls?

Options:

A.

Forensic analysis

B.

Risk assessment

C.

Root cause analysis

D.

Business impact analysis (BlA)

Buy Now
Question # 339

A chief information officer (CIO) has identified risk associated with shadow systems being maintained by business units to address specific functionality gaps in the organization'senterprise resource planning (ERP) system. What is the BEST way to reduce this risk going forward?

Options:

A.

Align applications to business processes.

B.

Implement an enterprise architecture (EA).

C.

Define the software development life cycle (SDLC).

D.

Define enterprise-wide system procurement requirements.

Buy Now
Question # 340

Days before the realization of an acquisition, a data breach is discovered at the company to be acquired. For the accruing organization, this situation represents which of the following?

Options:

A.

Threat event

B.

Inherent risk

C.

Risk event

D.

Security incident

Buy Now
Question # 341

Which of the following poses the GREATEST risk to an organization's operations during a major it transformation?

Options:

A.

Lack of robust awareness programs

B.

infrequent risk assessments of key controls

C.

Rapid changes in IT procedures

D.

Unavailability of critical IT systems

Buy Now
Question # 342

The BEST way to obtain senior management support for investment in a control implementation would be to articulate the reduction in:

Options:

A.

detected incidents.

B.

residual risk.

C.

vulnerabilities.

D.

inherent risk.

Buy Now
Question # 343

Which of the following is the BEST method for assessing control effectiveness against technical vulnerabilities that could be exploited to compromise an information system?

Options:

A.

Vulnerability scanning

B.

Systems log correlation analysis

C.

Penetration testing

D.

Monitoring of intrusion detection system (IDS) alerts

Buy Now
Question # 344

Which of the following is the GREATEST risk associated with an environment that lacks documentation of the architecture?

Options:

A.

Unknown vulnerabilities

B.

Legacy technology systems

C.

Network isolation

D.

Overlapping threats

Buy Now
Question # 345

Which of the following should be an element of the risk appetite of an organization?

Options:

A.

The effectiveness of compensating controls

B.

The enterprise's capacity to absorb loss

C.

The residual risk affected by preventive controls

D.

The amount of inherent risk considered appropriate

Buy Now
Question # 346

An organizations chief technology officer (CTO) has decided to accept the risk associated with the potential loss from a denial-of-service (DoS) attack. In this situation, the risk practitioner's BEST course of action is to:

Options:

A.

identify key risk indicators (KRls) for ongoing monitoring

B.

validate the CTO's decision with the business process owner

C.

update the risk register with the selected risk response

D.

recommend that the CTO revisit the risk acceptance decision.

Buy Now
Question # 347

Which of the following is the BEST indicator of the effectiveness of IT risk management processes?

Options:

A.

Percentage of business users completing risk training

B.

Percentage of high-risk scenarios for which risk action plans have been developed

C.

Number of key risk indicators (KRIs) defined

D.

Time between when IT risk scenarios are identified and the enterprise's response

Buy Now
Question # 348

Which of the following BEST protects an organization against breaches when using a software as a service (SaaS) application?

Options:

A.

Control self-assessment (CSA)

B.

Security information and event management (SIEM) solutions

C.

Data privacy impact assessment (DPIA)

D.

Data loss prevention (DLP) tools

Buy Now
Question # 349

A global organization is considering the acquisition of a competitor. Senior management has requested a review of the overall risk profile from the targeted organization. Which of the following components of this review would provide the MOST useful information?

Options:

A.

Risk appetite statement

B.

Enterprise risk management framework

C.

Risk management policies

D.

Risk register

Buy Now
Question # 350

Which of the following should be the PRIMARY input when designing IT controls?

Options:

A.

Benchmark of industry standards

B.

Internal and external risk reports

C.

Recommendations from IT risk experts

D.

Outcome of control self-assessments

Buy Now
Question # 351

An organization is planning to engage a cloud-based service provider for some of its data-intensive business processes. Which of the following is MOST important to help define the IT risk associated with this outsourcing activity?

Options:

A.

Service level agreement

B.

Customer service reviews

C.

Scope of services provided

D.

Right to audit the provider

Buy Now
Question # 352

Which of the following should be the PRIMARY consideration when implementing controls for monitoring user activity logs?

Options:

A.

Ensuring availability of resources for log analysis

B.

Implementing log analysis tools to automate controls

C.

Ensuring the control is proportional to the risk

D.

Building correlations between logs collected from different sources

Buy Now
Question # 353

Which of the following roles would provide the MOST important input when identifying IT risk scenarios?

Options:

A.

Information security managers

B.

Internal auditors

C.

Business process owners

D.

Operational risk managers

Buy Now
Exam Code: CRISC
Exam Name: Certified in Risk and Information Systems Control
Last Update: Apr 4, 2025
Questions: 1575
CRISC pdf

CRISC PDF

$25.5  $84.99
CRISC Engine

CRISC Testing Engine

$28.5  $94.99
CRISC PDF + Engine

CRISC PDF + Testing Engine

$40.5  $134.99