Special Summer Sale 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: Board70

CRISC Exam Dumps - Isaca Certification Questions and Answers

Question # 4

Which of the following IT key risk indicators (KRIs) provides management with the BEST feedback on IT capacity?

Options:

A.

Trends in IT resource usage

B.

Trends in IT maintenance costs

C.

Increased resource availability

D.

Increased number of incidents

Buy Now
Question # 5

Which of the following is the PRIMARY reason for a risk practitioner to review an organization's IT asset inventory?

Options:

A.

To plan for the replacement of assets at the end of their life cycles

B.

To assess requirements for reducing duplicate assets

C.

To understand vulnerabilities associated with the use of the assets

D.

To calculate mean time between failures (MTBF) for the assets

Buy Now
Question # 6

Which of the following is the PRIMARY consideration when establishing an organization's risk management methodology?

Options:

A.

Business context

B.

Risk tolerance level

C.

Resource requirements

D.

Benchmarking information

Buy Now
Question # 7

Which of the following would be MOST important for a risk practitioner to provide to the internal audit department during the audit planning process?

Options:

A.

Closed management action plans from the previous audit

B.

Annual risk assessment results

C.

An updated vulnerability management report

D.

A list of identified generic risk scenarios

Buy Now
Question # 8

Which of the following is MOST important when developing risk scenarios?

Options:

A.

The scenarios are based on industry best practice.

B.

The scenarios focus on current vulnerabilities.

C.

The scenarios are relevant to the organization.

D.

The scenarios include technical consequences.

Buy Now
Question # 9

A third-party vendor has offered to perform user access provisioning and termination. Which of the following control accountabilities is BEST retained within the organization?

Options:

A.

Reviewing access control lists

B.

Authorizing user access requests

C.

Performing user access recertification

D.

Terminating inactive user access

Buy Now
Question # 10

Which of the following is the MOST effective way to integrate business risk management with IT operations?

Options:

A.

Perform periodic IT control self-assessments.

B.

Require a risk assessment with change requests.

C.

Provide security awareness training.

D.

Perform periodic risk assessments.

Buy Now
Question # 11

A global organization is considering the transfer of its customer information systems to an overseas cloud service provider in the event of a disaster. Which of the following should be the MOST important risk consideration?

Options:

A.

Regulatory restrictions for cross-border data transfer

B.

Service level objectives in the vendor contract

C.

Organizational culture differences between each country

D.

Management practices within each company

Buy Now
Question # 12

Which of the following resources is MOST helpful when creating a manageable set of IT risk scenarios?

Options:

A.

Results of current and past risk assessments

B.

Organizational strategy and objectives

C.

Lessons learned from materialized risk scenarios

D.

Internal and external audit findings

Buy Now
Question # 13

Which of the following is the BEST key performance indicator (KPI) for determining how well an IT policy is aligned to business requirements?

Options:

A.

Total cost to support the policy

B.

Number of exceptions to the policy

C.

Total cost of policy breaches

D.

Number of inquiries regarding the policy

Buy Now
Question # 14

An organization has engaged a third party to provide an Internet gateway encryption service that protects sensitive data uploaded to a cloud service. This is an example of risk:

Options:

A.

mitigation.

B.

avoidance.

C.

transfer.

D.

acceptance.

Buy Now
Question # 15

Which of the following is the PRIMARY reason for conducting peer reviews of risk analysis?

Options:

A.

To enhance compliance with standards

B.

To minimize subjectivity of assessments

C.

To increase consensus among peers

D.

To provide assessments for benchmarking

Buy Now
Question # 16

Which of the following is a KEY responsibility of the second line of defense?

Options:

A.

Implementing control activities

B.

Monitoring control effectiveness

C.

Conducting control self-assessments

D.

Owning risk scenarios

Buy Now
Question # 17

The MOST significant benefit of using a consistent risk ranking methodology across an organization is that it enables:

Options:

A.

allocation of available resources

B.

clear understanding of risk levels

C.

assignment of risk to the appropriate owners

D.

risk to be expressed in quantifiable terms

Buy Now
Question # 18

Which of the following is MOST likely to introduce risk for financial institutions that use blockchain?

Options:

A.

Cost of implementation

B.

Implementation of unproven applications

C.

Disruption to business processes

D.

Increase in attack surface area

Buy Now
Question # 19

Which of the following is the BEST recommendation of a risk practitioner for an organization that recently changed its organizational structure?

Options:

A.

Communicate the new risk profile.

B.

Implement a new risk assessment process.

C.

Revalidate the corporate risk appetite.

D.

Review and adjust key risk indicators (KRIs).

Buy Now
Question # 20

When testing the security of an IT system, il is MOST important to ensure that;

Options:

A.

tests are conducted after business hours.

B.

operators are unaware of the test.

C.

external experts execute the test.

D.

agreement is obtained from stakeholders.

Buy Now
Question # 21

Which of the following is the PRIMARY reason for an organization to include an acceptable use banner when users log in?

Options:

A.

To reduce the likelihood of insider threat

B.

To eliminate the possibility of insider threat

C.

To enable rapid discovery of insider threat

D.

To reduce the impact of insider threat

Buy Now
Question # 22

An organization striving to be on the leading edge in regard to risk monitoring would MOST likely implement:

Options:

A.

procedures to monitor the operation of controls.

B.

a tool for monitoring critical activities and controls.

C.

real-time monitoring of risk events and control exceptions.

D.

monitoring activities for all critical assets.

E.

Perform a controls assessment.

Buy Now
Question # 23

Which of the following should be a risk practitioner’s MOST important consideration when developing IT risk scenarios?

Options:

A.

The impact of controls on the efficiency of the business in delivering services

B.

Linkage of identified risk scenarios with enterprise risk management

C.

Potential threats and vulnerabilities that may have an impact on the business

D.

Results of network vulnerability scanning and penetration testing

Buy Now
Question # 24

An organization's internal audit department is considering the implementation of robotics process automation (RPA) to automate certain continuous auditing tasks. Who would own the risk associated with ineffective design of the software bots?

Options:

A.

Lead auditor

B.

Project manager

C.

Chief audit executive (CAE)

D.

Chief information officer (CIO)

Buy Now
Question # 25

A company has located its computer center on a moderate earthquake fault. Which of the following is the MOST important consideration when establishing a contingency plan and an alternate processing site?

Options:

A.

The contingency plan provides for backup media to be taken to the alternative site.

B.

The contingency plan for high priority applications does not involve a shared cold site.

C.

The alternative site is a hot site with equipment ready to resume processing immediately.

D.

The alternative site does not reside on the same fault no matter how far the distance apart.

Buy Now
Question # 26

Which of the following methods would BEST contribute to identifying obscure risk scenarios?

Options:

A.

Brainstorming sessions

B.

Control self-assessments

C.

Vulnerability analysis

D.

Monte Carlo analysis

Buy Now
Question # 27

Which of the following conditions presents the GREATEST risk to an application?

Options:

A.

Application controls are manual.

B.

Application development is outsourced.

C.

Source code is escrowed.

D.

Developers have access to production environment.

Buy Now
Question # 28

Malware has recently affected an organization. The MOST effective way to resolve this situation and define a comprehensive risk treatment plan would be to perform:

Options:

A.

a gap analysis

B.

a root cause analysis.

C.

an impact assessment.

D.

a vulnerability assessment.

Buy Now
Question # 29

Who is PRIMARILY accountable for risk treatment decisions?

Options:

A.

Risk owner

B.

Business manager

C.

Data owner

D.

Risk manager

Buy Now
Question # 30

The PRIMARY reason for establishing various Threshold levels for a set of key risk indicators (KRIs) is to:

Options:

A.

highlight trends of developing risk.

B.

ensure accurate and reliable monitoring.

C.

take appropriate actions in a timely manner.

D.

set different triggers for each stakeholder.

Buy Now
Question # 31

An organization has opened a subsidiary in a foreign country. Which of the following would be the BEST way to measure the effectiveness of the subsidiary's IT systems controls?

Options:

A.

Implement IT systems in alignment with business objectives.

B.

Review metrics and key performance indicators (KPIs).

C.

Review design documentation of IT systems.

D.

Evaluate compliance with legal and regulatory requirements.

Buy Now
Question # 32

Which of the following is the BEST recommendation to address recent IT risk trends that indicate social engineering attempts are increasing in the organization?

Options:

A.

Conduct a simulated phishing attack.

B.

Update spam filters

C.

Revise the acceptable use policy

D.

Strengthen disciplinary procedures

Buy Now
Question # 33

Which of the following is the PRIMARY benefit of consistently recording risk assessment results in the risk register?

Options:

A.

Assessment of organizational risk appetite

B.

Compliance with best practice

C.

Accountability for loss events

D.

Accuracy of risk profiles

Buy Now
Question # 34

A newly enacted information privacy law significantly increases financial penalties for breaches of personally identifiable information (Pll). Which of the following will MOST likely outcome for an organization affected by the new law?

Options:

A.

Increase in compliance breaches

B.

Increase in loss event impact

C.

Increase in residual risk

D.

Increase in customer complaints

Buy Now
Question # 35

After undertaking a risk assessment of a production system, the MOST appropriate action is for the risk manager to:

Options:

A.

recommend a program that minimizes the concerns of that production system.

B.

inform the development team of the concerns, and together formulate risk reduction measures.

C.

inform the process owner of the concerns and propose measures to reduce them

D.

inform the IT manager of the concerns and propose measures to reduce them.

Buy Now
Question # 36

What are the MOST important criteria to consider when developing a data classification scheme to facilitate risk assessment and the prioritization of risk mitigation activities?

Options:

A.

Mitigation and control value

B.

Volume and scope of data generated daily

C.

Business criticality and sensitivity

D.

Recovery point objective (RPO) and recovery time objective (RTO)

Buy Now
Question # 37

Which of the following is MOST effective in continuous risk management process improvement?

Options:

A.

Periodic assessments

B.

Change management

C.

Awareness training

D.

Policy updates

Buy Now
Question # 38

During testing, a risk practitioner finds the IT department's recovery time objective (RTO) for a key system does not align with the enterprise's business continuity plan (BCP). Which of the following should be done NEXT?

Options:

A.

Report the gap to senior management

B.

Consult with the IT department to update the RTO

C.

Complete a risk exception form.

D.

Consult with the business owner to update the BCP

Buy Now
Question # 39

Who should be responsible for determining which stakeholders need to be involved in the development of a risk scenario?

Options:

A.

Risk owner

B.

Risk practitioner

C.

Compliance manager

D.

Control owner

Buy Now
Question # 40

An organization has outsourced its IT security operations to a third party. Who is ULTIMATELY accountable for the risk associated with the outsourced operations?

Options:

A.

The third party s management

B.

The organization's management

C.

The control operators at the third party

D.

The organization's vendor management office

Buy Now
Question # 41

From a risk management perspective, which of the following is the PRIMARY benefit of using automated system configuration validation tools?

Options:

A.

Residual risk is reduced.

B.

Staff costs are reduced.

C.

Operational costs are reduced.

D.

Inherent risk is reduced.

Buy Now
Question # 42

A risk owner has accepted a high-impact risk because the control was adversely affecting process efficiency. Before updating the risk register, it is MOST important for the risk practitioner to:

Options:

A.

ensure suitable insurance coverage is purchased.

B.

negotiate with the risk owner on control efficiency.

C.

reassess the risk to confirm the impact.

D.

obtain approval from senior management.

Buy Now
Question # 43

An IT risk practitioner is evaluating an organization's change management controls over the last six months. The GREATEST concern would be an increase in:

Options:

A.

rolled back changes below management's thresholds.

B.

change-related exceptions per month.

C.

the average implementation time for changes.

D.

number of user stories approved for implementation.

Buy Now
Question # 44

Which of the following is the MOST relevant information to include in a risk management strategy?

Options:

A.

Quantified risk triggers

B.

Cost of controls

C.

Regulatory requirements

D.

Organizational goals

Buy Now
Question # 45

Which of the following is the MOST useful input when developing risk scenarios?

Options:

A.

Common attacks in other industries

B.

Identification of risk events

C.

Impact on critical assets

D.

Probability of disruptive risk events

Buy Now
Question # 46

Which of these documents is MOST important to request from a cloud service

provider during a vendor risk assessment?

Options:

A.

Nondisclosure agreement (NDA)

B.

Independent audit report

C.

Business impact analysis (BIA)

D.

Service level agreement (SLA)

Buy Now
Question # 47

Which of the following is MOST important for a risk practitioner to consider when determining the control requirements for data privacy arising from emerging technologies?

Options:

A.

internal audit recommendations

B.

Laws and regulations

C.

Policies and procedures

D.

Standards and frameworks

Buy Now
Question # 48

An organization has allowed its cyber risk insurance to lapse while seeking a new insurance provider. The risk practitioner should report to management that the risk has been:

Options:

A.

transferred

B.

mitigated.

C.

accepted

D.

avoided

Buy Now
Question # 49

Which of the following would BEST indicate to senior management that IT processes are improving?

Options:

A.

Changes in the number of security exceptions

B.

Changes to the structure of the risk register

C.

Changes in the number of intrusions detected

D.

Changes in the position in the maturity model

Buy Now
Question # 50

Business areas within an organization have engaged various cloud service providers directly without assistance from the IT department. What should the risk practitioner do?

Options:

A.

Recommend the IT department remove access to the cloud services.

B.

Engage with the business area managers to review controls applied.

C.

Escalate to the risk committee.

D.

Recommend a risk assessment be conducted.

Buy Now
Question # 51

Which of the following is a risk practitioner's BEST recommendation to help reduce IT risk associated with scheduling overruns when starting a new application development project?

Options:

A.

Implement a tool to track the development team's deliverables.

B.

Review the software development life cycle.

C.

Involve the development team in planning.

D.

Assign more developers to the project team.

Buy Now
Question # 52

Which of the following is MOST commonly compared against the risk appetite?

Options:

A.

IT risk

B.

Inherent risk

C.

Financial risk

D.

Residual risk

Buy Now
Question # 53

A payroll manager discovers that fields in certain payroll reports have been modified without authorization. Which of the following control weaknesses could have contributed MOST to this problem?

Options:

A.

The user requirements were not documented.

B.

Payroll files were not under the control of a librarian.

C.

The programmer had access to the production programs.

D.

The programmer did not involve the user in testing.

Buy Now
Exam Code: CRISC
Exam Name: Certified in Risk and Information Systems Control
Last Update: Apr 1, 2025
Questions: 1575
CRISC pdf

CRISC PDF

$25.5  $84.99
CRISC Engine

CRISC Testing Engine

$28.5  $94.99
CRISC PDF + Engine

CRISC PDF + Testing Engine

$40.5  $134.99