Special Summer Sale 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: Board70

CRISC Exam Dumps - Isaca Certification Questions and Answers

Question # 354

Which of the following will BEST help mitigate the risk associated with malicious functionality in outsourced application development?

Options:

A.

Perform an m-depth code review with an expert

B.

Validate functionality by running in a test environment

C.

Implement a service level agreement.

D.

Utilize the change management process.

Buy Now
Question # 355

During the risk assessment of an organization that processes credit cards, a number of existing controls have been found to be ineffective and do not meet industry standards. The overall control environment may still be effective if:

Options:

A.

compensating controls are in place.

B.

a control mitigation plan is in place.

C.

risk management is effective.

D.

residual risk is accepted.

Buy Now
Question # 356

Which of the following would BEST mitigate the ongoing risk associated with operating system (OS) vulnerabilities?

Options:

A.

Temporarily mitigate the OS vulnerabilities

B.

Document and implement a patching process

C.

Evaluate permanent fixes such as patches and upgrades

D.

Identify the vulnerabilities and applicable OS patches

Buy Now
Question # 357

Which of the following is the MOST important outcome of a business impact analysis (BIA)?

Options:

A.

Understanding and prioritization of critical processes

B.

Completion of the business continuity plan (BCP)

C.

Identification of regulatory consequences

D.

Reduction of security and business continuity threats

Buy Now
Question # 358

Of the following, who is responsible for approval when a change in an application system is ready for release to production?

Options:

A.

Information security officer

B.

IT risk manager

C.

Business owner

D.

Chief risk officer (CRO)

Buy Now
Question # 359

An organization maintains independent departmental risk registers that are not automatically aggregated. Which of the following is the GREATEST concern?

Options:

A.

Management may be unable to accurately evaluate the risk profile.

B.

Resources may be inefficiently allocated.

C.

The same risk factor may be identified in multiple areas.

D.

Multiple risk treatment efforts may be initiated to treat a given risk.

Buy Now
Question # 360

Which of the following would BEST facilitate the implementation of data classification requirements?

Options:

A.

Assigning a data owner

B.

Implementing technical control over the assets

C.

Implementing a data loss prevention (DLP) solution

D.

Scheduling periodic audits

Buy Now
Question # 361

When reviewing the business continuity plan (BCP) of an online sales order system, a risk practitioner notices that the recovery time objective (RTO) has a shorter lime than what is defined in the disaster recovery plan (DRP). Which of the following is the BEST way for the risk practitioner to address this concern?

Options:

A.

Adopt the RTO defined in the BCR

B.

Update the risk register to reflect the discrepancy.

C.

Adopt the RTO defined in the DRP.

D.

Communicate the discrepancy to the DR manager for follow-up.

Buy Now
Question # 362

Reviewing which of the following BEST helps an organization gam insight into its overall risk profile''

Options:

A.

Risk register

B.

Risk appetite

C.

Threat landscape

D.

Risk metrics

Buy Now
Question # 363

Which of the following is the MOST important objective from a cost perspective for considering aggregated risk responses in an organization?

Options:

A.

Prioritize risk response options

B.

Reduce likelihood.

C.

Address more than one risk response

D.

Reduce impact

Buy Now
Question # 364

Who is BEST suited to provide objective input when updating residual risk to reflect the results of control effectiveness?

Options:

A.

Control owner

B.

Risk owner

C.

Internal auditor

D.

Compliance manager

Buy Now
Question # 365

Which of the following is the MOST important consideration for effectively maintaining a risk register?

Options:

A.

An IT owner is assigned for each risk scenario.

B.

The register is updated frequently.

C.

The register is shared with executive management.

D.

Compensating controls are identified.

Buy Now
Question # 366

As pan of business continuity planning, which of the following is MOST important to include m a business impact analysis (BlA)?

Options:

A.

An assessment of threats to the organization

B.

An assessment of recovery scenarios

C.

industry standard framework

D.

Documentation of testing procedures

Buy Now
Question # 367

A risk practitioner recently discovered that personal information from the production environment is required for testing purposes in non-production environments. Which of the following is the BEST recommendation to address this situation?

Options:

A.

Enable data encryption in the test environment.

B.

Prevent the use of production data in the test environment

C.

De-identify data before being transferred to the test environment.

D.

Enforce multi-factor authentication within the test environment.

Buy Now
Question # 368

A control process has been implemented in response to a new regulatory requirement, but has significantly reduced productivity. Which of the following is the BEST way to resolve this concern?

Options:

A.

Absorb the loss in productivity.

B.

Request a waiver to the requirements.

C.

Escalate the issue to senior management

D.

Remove the control to accommodate business objectives.

Buy Now
Question # 369

Which of the following will BEST help to ensure new IT policies address the enterprise's requirements?

Options:

A.

involve IT leadership in the policy development process

B.

Require business users to sign acknowledgment of the poises

C.

involve business owners in the pokey development process

D.

Provide policy owners with greater enforcement authority

Buy Now
Question # 370

A segregation of duties control was found to be ineffective because it did not account for all applicable functions when evaluating access. Who is responsible for ensuring the control is designed to effectively address risk?

Options:

A.

Risk manager

B.

Control owner

C.

Control tester

D.

Risk owner

Buy Now
Question # 371

An organization has operations in a location that regularly experiences severe weather events. Which of the following would BEST help to mitigate the risk to operations?

Options:

A.

Prepare a cost-benefit analysis to evaluate relocation.

B.

Prepare a disaster recovery plan (DRP).

C.

Conduct a business impact analysis (BIA) for an alternate location.

D.

Develop a business continuity plan (BCP).

Buy Now
Question # 372

An organization is analyzing the risk of shadow IT usage. Which of the following is the MOST important input into the assessment?

Options:

A.

Business benefits of shadow IT

B.

Application-related expresses

C.

Classification of the data

D.

Volume of data

Buy Now
Question # 373

Which of the following is the MAIN benefit to an organization using key risk indicators (KRIs)?

Options:

A.

KRIs provide an early warning that a risk threshold is about to be reached.

B.

KRIs signal that a change in the control environment has occurred.

C.

KRIs provide a basis to set the risk appetite for an organization.

D.

KRIs assist in the preparation of the organization's risk profile.

Buy Now
Question # 374

A MAJOR advantage of using key risk indicators (KRis) is that (hey

Options:

A.

identify when risk exceeds defined thresholds

B.

assess risk scenarios that exceed defined thresholds

C.

identify scenarios that exceed defined risk appetite

D.

help with internal control assessments concerning risk appellate

Buy Now
Question # 375

Which of the following would be a risk practitioner's BEST course of action when a project team has accepted a risk outside the established risk appetite?

Options:

A.

Reject the risk acceptance and require mitigating controls.

B.

Monitor the residual risk level of the accepted risk.

C.

Escalate the risk decision to the project sponsor for review.

D.

Document the risk decision in the project risk register.

Buy Now
Question # 376

The MAIN reason for prioritizing IT risk responses is to enable an organization to:

Options:

A.

determine the risk appetite.

B.

determine the budget.

C.

define key performance indicators (KPIs).

D.

optimize resource utilization.

Buy Now
Question # 377

Which of the following is the GREATEST concern when establishing key risk indicators (KRIs)?

Options:

A.

High percentage of lagging indicators

B.

Nonexistent benchmark analysis

C.

Incomplete documentation for KRI monitoring

D.

Ineffective methods to assess risk

Buy Now
Question # 378

Which of the following stakeholders are typically included as part of a line of defense within the three lines of defense model?

Options:

A.

Board of directors

B.

Vendors

C.

Regulators

D.

Legal team

Buy Now
Question # 379

Which of the following is the MOST useful information for a risk practitioner when planning response activities after risk identification?

Options:

A.

Risk register

B.

Risk appetite

C.

Risk priorities

D.

Risk heat maps

Buy Now
Question # 380

A business unit is updating a risk register with assessment results for a key project. Which of the following is MOST important to capture in the register?

Options:

A.

The team that performed the risk assessment

B.

An assigned risk manager to provide oversight

C.

Action plans to address risk scenarios requiring treatment

D.

The methodology used to perform the risk assessment

Buy Now
Question # 381

Which of the following is the MOST important requirement for monitoring key risk indicators (KRls) using log analysis?

Options:

A.

Obtaining logs m an easily readable format

B.

Providing accurate logs m a timely manner

C.

Collecting logs from the entire set of IT systems

D.

implementing an automated log analysis tool

Buy Now
Question # 382

A multinational company needs to implement a new centralized security system. The risk practitioner has identified a conflict between the organization's data-handling policy and local privacy regulations. Which of the following would be the BEST recommendation?

Options:

A.

Request a policy exception from senior management.

B.

Comply with the organizational policy.

C.

Report the noncompliance to the local regulatory agency.

D.

Request an exception from the local regulatory agency.

Buy Now
Question # 383

Who should be accountable for authorizing information system access to internal users?

Options:

A.

Information security officer

B.

Information security manager

C.

Information custodian

D.

Information owner

Buy Now
Question # 384

Which of the following BEST enables detection of ethical violations committed by employees?

Options:

A.

Transaction log monitoring

B.

Whistleblower program

C.

Access control attestation

D.

Periodic job rotation

Buy Now
Question # 385

Which of the following stakeholders define risk tolerance for an enterprise?

Options:

A.

IT compliance and IT audit

B.

Regulators and shareholders

C.

The board and executive management

D.

Enterprise risk management (ERM)

Buy Now
Question # 386

Which of the following BEST reduces the likelihood of fraudulent activity that occurs through use of a digital wallet?

Options:

A.

Require multi-factor authentication (MFA) to access the digital wallet.

B.

Use a digital key to encrypt the contents of the wallet.

C.

Enable audit logging on the digital wallet's device.

D.

Require public key infrastructure (PKI) to authorize transactions.

Buy Now
Question # 387

When confirming whether implemented controls are operating effectively, which of the following is MOST important to review?

Options:

A.

Results of benchmarking studies

B.

Results of risk assessments

C.

Number of emergency change requests

D.

Maturity model

Buy Now
Question # 388

Which of the following is the GREATEST benefit of using IT risk scenarios?

Options:

A.

They support compliance with regulations.

B.

They provide evidence of risk assessment.

C.

They facilitate communication of risk.

D.

They enable the use of key risk indicators (KRls)

Buy Now
Question # 389

Well-developed, data-driven risk measurements should be:

Options:

A.

reflective of the lowest organizational level.

B.

a data feed taken directly from operational production systems.

C.

reported to management the same day data is collected.

D.

focused on providing a forward-looking view.

Buy Now
Question # 390

Which of the following is the GREATEST impact of implementing a risk mitigation strategy?

Options:

A.

Improved alignment with business goals.

B.

Reduction of residual risk.

C.

Increased costs due to control implementation.

D.

Decreased overall risk appetite.

Buy Now
Question # 391

Which of the following should be the PRIMARY focus of a disaster recovery management (DRM) framework and related processes?

Options:

A.

Restoring IT and cybersecurity operations

B.

Assessing the impact and probability of disaster scenarios

C.

Ensuring timely recovery of critical business operations

D.

Determining capacity for alternate sites

Buy Now
Question # 392

Which of the following should be the PRIMARY consideration when assessing the risk of using Internet of Things (loT) devices to collect and process personally identifiable information (PII)?

Options:

A.

Business strategies and needs

B.

Security features and support

C.

Costs and benefits

D.

Local laws and regulations

Buy Now
Question # 393

In the three lines of defense model, a PRIMARY objective of the second line is to:

Options:

A.

Review and evaluate the risk management program.

B.

Ensure risks and controls are effectively managed.

C.

Implement risk management policies regarding roles and responsibilities.

D.

Act as the owner for any operational risk identified as part of the risk program.

Buy Now
Question # 394

Which of the following is the PRIMARY benefit of integrating risk and security requirements in an organization's enterprise architecture (EA)?

Options:

A.

Adherence to legal and compliance requirements

B.

Reduction in the number of test cases in the acceptance phase

C.

Establishment of digital forensic architectures

D.

Consistent management of information assets

Buy Now
Question # 395

Which of the following events is MOST likely to trigger the need to conduct a risk assessment?

Options:

A.

An incident resulting in data loss

B.

Introduction of a new product line

C.

Changes in executive management

D.

Updates to the information security policy

Buy Now
Question # 396

The PRIMARY focus of an ongoing risk awareness program should be to:

Options:

A.

enable better risk-based decisions.

B.

define appropriate controls to mitigate risk.

C.

determine impact of risk scenarios.

D.

expand understanding of risk indicators.

Buy Now
Question # 397

Which of the following is MOST useful when performing a quantitative risk assessment?

Options:

A.

RACI matrix

B.

Financial models

C.

Management support

D.

Industry benchmarking

Buy Now
Question # 398

Within the three lines of defense model, the responsibility for managing risk and controls resides with:

Options:

A.

operational management.

B.

the risk practitioner.

C.

the internal auditor.

D.

executive management.

Buy Now
Question # 399

Which of the following BEST enables the timely detection of changes in the security control environment?

Options:

A.

Control self-assessment (CSA)

B.

Log analysis

C.

Security control reviews

D.

Random sampling checks

Buy Now
Question # 400

Which of the following would present the GREATEST challenge for a risk practitioner during a merger of two organizations?

Options:

A.

Variances between organizational risk appetites

B.

Different taxonomies to categorize risk scenarios

C.

Disparate platforms for governance, risk, and compliance (GRC) systems

D.

Dissimilar organizational risk acceptance protocols

Buy Now
Question # 401

WhichT5f the following is the MOST effective way to promote organization-wide awareness of data security in response to an increase in regulatory penalties for data leakage?

Options:

A.

Enforce sanctions for noncompliance with security procedures.

B.

Conduct organization-w>de phishing simulations.

C.

Require training on the data handling policy.

D.

Require regular testing of the data breach response plan.

Buy Now
Question # 402

A risk practitioner identifies an increasing trend of employees copying company information unrelated to their job functions to USB drives. Which of the following elements of the risk register should be updated to reflect this observation?

Options:

A.

Risk impact

B.

Key risk indicator (KRI)

C.

Risk appetite

D.

Risk likelihood

Buy Now
Question # 403

The PRIMARY reason to implement a formalized risk taxonomy is to:

Options:

A.

reduce subjectivity in risk management.

B.

comply with regulatory requirements.

C.

demonstrate best industry practice.

D.

improve visibility of overall risk exposure.

Buy Now
Exam Code: CRISC
Exam Name: Certified in Risk and Information Systems Control
Last Update: Apr 2, 2025
Questions: 1575
CRISC pdf

CRISC PDF

$25.5  $84.99
CRISC Engine

CRISC Testing Engine

$28.5  $94.99
CRISC PDF + Engine

CRISC PDF + Testing Engine

$40.5  $134.99