
How to Easily Pass the Isaca CRISC Exam: Expert Advice

Questions 151

Which of the following is the PRIMARY reason to establish the root cause of an IT security incident?

Options:
A.

Update the risk register.

B.

Assign responsibility and accountability for the incident.

C.

Prepare a report for senior management.

D.

Avoid recurrence of the incident.

Questions 152

An organization's risk tolerance should be defined and approved by which of the following?

Options:
A.

The chief risk officer (CRO)

B.

The board of directors

C.

The chief executive officer (CEO)

D.

The chief information officer (CIO)

Questions 153

Which of the following is the MOST effective way to help ensure an organization's current risk scenarios are relevant?

Options:
A.

Adoption of industry best practices

B.

Involvement of stakeholders in risk assessment

C.

Review of risk scenarios by independent parties

D.

Documentation of potential risk in business cases

Questions 154

Which of the following should be the risk practitioner's FIRST course of action when an organization has decided to expand into new product areas?

Options:
A.

Identify any new business objectives with stakeholders.

B.

Present a business case for new controls to stakeholders.

C.

Revise the organization's risk and control policy.

D.

Review existing risk scenarios with stakeholders.

Questions 155

A control owner responsible for the access management process has developed a machine learning model to automatically identify excessive access privileges. What is the risk practitioner's BEST course of action?

Options:
A.

Review the design of the machine learning model against control objectives.

B.

Adopt the machine learning model as a replacement for current manual access reviews.

C.

Ensure the model assists in meeting regulatory requirements for access controls.

D.

Discourage the use of emerging technologies in key processes.

Questions 156

Which of the following is MOST important for a risk practitioner to consider when evaluating plans for changes to IT services?

Options:
A.

Change testing schedule

B.

Impact assessment of the change

C.

Change communication plan

D.

User acceptance testing (UAT)

Questions 157

Which of the following IT key risk indicators (KRIs) provides management with the BEST feedback on IT capacity?

Options:
A.

Trends in IT resource usage

B.

Trends in IT maintenance costs

C.

Increased resource availability

D.

Increased number of incidents

Questions 158

A risk practitioner shares the results of a vulnerability assessment for a critical business application with the business manager. Which of the following is the NEXT step?

Options:
A.

Develop a risk action plan to address the findings.

B.

Evaluate the impact of the vulnerabilities to the business application.

C.

Escalate the findings to senior management and internal audit.

D.

Conduct a penetration test to validate the vulnerabilities from the findings.

Questions 159

An organization has identified that terminated employee accounts are not disabled or deleted within the time required by corporate policy. Unsure of the reason, the organization has decided to monitor the situation for three months to obtain more information. As a result of this decision, the risk has been:

Options:
A.

avoided.

B.

accepted.

C.

mitigated.

D.

transferred.
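A concrete way to measure the situation in this question, added here as an example that is not part of the exam page or ISACA's material: it compares an HR termination feed with a directory export and classifies each terminated employee's account against the policy window. The feed, the export, the check time and the 24-hour window are constructed assumptions. Whatever such monitoring shows, the exposure from still-enabled accounts remains in place while the monitoring period runs.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Assumed corporate policy: accounts must be disabled within 24 hours of termination.
POLICY_WINDOW = timedelta(hours=24)

# Assumed time at which the check is run.
NOW = datetime(2025, 1, 12, 9, 0)

# Constructed HR feed: user -> termination timestamp (not real data).
HR_TERMINATIONS: Dict[str, datetime] = {
    "alice": datetime(2025, 1, 6, 17, 0),
    "bob": datetime(2025, 1, 7, 9, 30),
    "carol": datetime(2025, 1, 8, 12, 0),
    "dave": datetime(2025, 1, 9, 8, 0),
}

# Constructed directory export: user -> (account enabled?, time it was disabled or None).
DIRECTORY: Dict[str, Tuple[bool, Optional[datetime]]] = {
    "alice": (False, datetime(2025, 1, 6, 18, 15)),  # disabled 1h15m after termination
    "bob": (False, datetime(2025, 1, 10, 9, 0)),     # disabled almost 3 days later: breach
    "carol": (True, None),                            # still enabled: open breach
    "dave": (False, datetime(2025, 1, 9, 20, 0)),     # disabled 12h later
    "erin": (True, None),                             # current employee, not in HR feed
}


@dataclass
class Finding:
    user: str
    status: str  # compliant | late | still_enabled | pending | not_in_directory
    lag: Optional[timedelta]  # termination -> disablement, or -> now if still enabled


def evaluate(hr, directory, now, window=POLICY_WINDOW) -> List[Finding]:
    """Classify every termination in the HR feed against the policy window."""
    findings: List[Finding] = []
    for user, terminated_at in sorted(hr.items()):
        if user not in directory:
            findings.append(Finding(user, "not_in_directory", None))
            continue
        enabled, disabled_at = directory[user]
        if enabled or disabled_at is None:
            lag = now - terminated_at
            # Still enabled: a breach once the window has passed, otherwise still pending.
            findings.append(Finding(user, "still_enabled" if lag > window else "pending", lag))
            continue
        lag = disabled_at - terminated_at
        findings.append(Finding(user, "compliant" if lag <= window else "late", lag))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per status."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.status] = counts.get(f.status, 0) + 1
    return counts


def breach_rate(findings: List[Finding]) -> float:
    """Share of terminations not disabled within the policy window."""
    breaches = sum(1 for f in findings if f.status in ("late", "still_enabled"))
    return breaches / len(findings) if findings else 0.0


def run_check(now: datetime = NOW):
    """Run the check on the constructed data and return (summary, breach rate)."""
    results = evaluate(HR_TERMINATIONS, DIRECTORY, now)
    return summarize(results), breach_rate(results)


if __name__ == "__main__":
    for f in evaluate(HR_TERMINATIONS, DIRECTORY, NOW):
        print(f"{f.user:6} {f.status:14} lag={f.lag}")
    summary, rate = run_check()
    print(summary, f"breach rate={rate:.0%}")
```

Running this daily and keeping the breach rate as a series gives the organization the information it says it wants, without waiting three months to find out that half of the terminations in the sample missed the window.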

Questions 160

During the initial risk identification process for a business application, it is MOST important to include which of the following stakeholders?

Options:
A.

Business process owners

B.

Business process consumers

C.

Application architecture team

D.

Internal audit

Questions 161

Which of the following is the PRIMARY responsibility of the first line of defense related to computer-enabled fraud?

Options:
A.

Providing oversight of risk management processes

B.

Implementing processes to detect and deter fraud

C.

Ensuring that risk and control assessments consider fraud

D.

Monitoring the results of actions taken to mitigate fraud

Questions 162

A recent internal risk review reveals the majority of core IT application recovery time objectives (RTOs) have exceeded the maximum time defined by the business application owners. Which of the following is MOST likely to change as a result?

Options:
A.

Risk forecasting

B.

Risk tolerance

C.

Risk likelihood

D.

Risk appetite

Questions 163

After identifying new risk events during a project, the project manager's NEXT step should be to:

Options:
A.

determine if the scenarios need to be accepted or responded to.

B.

record the scenarios into the risk register.

C.

continue with a qualitative risk analysis.

D.

continue with a quantitative risk analysis.

Questions 164

A risk practitioner notices that a particular key risk indicator (KRI) has remained below its established trigger point for an extended period of time. Which of the following should be done FIRST?

Options:
A.

Recommend a re-evaluation of the current threshold of the KRI.

B.

Notify management that KRIs are being effectively managed.

C.

Update the risk rating associated with the KRI in the risk register.

D.

Update the risk tolerance and risk appetite to better align to the KRI.

Questions 165

Which of the following is the BEST indicator of the effectiveness of a control action plan's implementation?

Options:
A.

Increased number of controls

B.

Reduced risk level

C.

Increased risk appetite

D.

Stakeholder commitment

Questions 166

Which of the following MUST be assessed before considering risk treatment options for a scenario with significant impact?

Options:
A.

Risk magnitude

B.

Incident probability

C.

Risk appetite

D.

Cost-benefit analysis

Questions 167

The PRIMARY purpose of using control metrics is to evaluate the:

Options:
A.

amount of risk reduced by compensating controls.

B.

amount of risk present in the organization.

C.

variance against objectives.

D.

number of incidents.

Questions 168

A risk practitioner is reviewing the status of an action plan to mitigate an emerging IT risk and finds the risk level has increased. The BEST course of action would be to:

Options:
A.

implement the planned controls and accept the remaining risk.

B.

suspend the current action plan in order to reassess the risk.

C.

revise the action plan to include additional mitigating controls.

D.

evaluate whether selected controls are still appropriate.

Questions 169

The MOST essential content to include in an IT risk awareness program is how to:

Options:
A.

populate risk register entries and build a risk profile for management reporting.

B.

prioritize IT-related actions by considering risk appetite and risk tolerance.

C.

define the IT risk framework for the organization.

D.

comply with the organization's IT risk and information security policies.

Questions 170

The PRIMARY purpose of vulnerability assessments is to:

Options:
A.

provide clear evidence that the system is sufficiently secure.

B.

determine the impact of potential threats.

C.

test intrusion detection systems (IDS) and response procedures.

D.

detect weaknesses that could lead to system compromise.

Questions 171

An internally developed payroll application leverages Platform as a Service (PaaS) infrastructure from the cloud. Who owns the related data confidentiality risk?

Options:
A.

IT infrastructure head

B.

Human resources head

C.

Supplier management head

D.

Application development head

Questions 172

Which of the following provides the BEST evidence that risk mitigation plans have been implemented effectively?

Options:
A.

Self-assessments by process owners

B.

Mitigation plan progress reports

C.

Risk owner attestation

D.

Change in the level of residual risk

Questions 173

Which of the following would be MOST relevant to stakeholders regarding ineffective control implementation?

Options:
A.

Threat to IT

B.

Number of control failures

C.

Impact on business

D.

Risk ownership

Questions 174

A recent audit identified high-risk issues in a business unit even though a previous control self-assessment (CSA) had good results. Which of the following is the MOST likely reason for the difference?

Options:
A.

The audit had a broader scope than the CSA.

B.

The CSA was not sample-based.

C.

The CSA did not test control effectiveness.

D.

The CSA was compliance-based, while the audit was risk-based.

Questions 175

The PRIMARY basis for selecting a security control is:

Options:
A.

to achieve the desired level of maturity.

B.

the materiality of the risk.

C.

the ability to mitigate risk.

D.

the cost of the control.

Questions 176

For no apparent reason, the time required to complete daily processing for a legacy application is approaching a risk threshold. Which of the following activities should be performed FIRST?

Options:
A.

Temporarily increase the risk threshold.

B.

Suspend processing to investigate the problem.

C.

Initiate a feasibility study for a new application.

D.

Conduct a root-cause analysis.

Questions 177

The BEST way to test the operational effectiveness of a data backup procedure is to:

Options:
A.

conduct an audit of files stored offsite.

B.

interview employees to compare actual with expected procedures.

C.

inspect a selection of audit trails and backup logs.

D.

demonstrate a successful recovery from backup files.
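A restore drill for this question, added as an example that is not part of the exam page or ISACA's material: it backs up a constructed sample data set, destroys the primary copy, restores from the archive and compares file hashes. It also shows why inspecting backup logs is weaker evidence than a restore: a truncated archive is only caught when the restore is attempted, since the backup step reports success in both cases. The sample files, paths and tar.gz format are assumptions.

```python
import hashlib
import shutil
import tarfile
import tempfile
from pathlib import Path
from typing import Dict, Optional

# Constructed sample of the data set to protect (not real files).
SAMPLE_FILES: Dict[str, bytes] = {
    "db/records.csv": b"id,name,amount\n1,alice,1000\n2,bob,2500\n",
    "config/app.ini": b"[app]\nmode=production\n",
    "logs/2025-01-06.log": b"2025-01-06T23:00:00Z nightly job finished\n" * 4,
}


def sha256_tree(root: Path) -> Dict[str, str]:
    """Relative path -> SHA-256 of contents for every regular file under root."""
    return {
        str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def make_backup(source: Path, archive: Path) -> None:
    """Write a gzip-compressed tar of the source tree."""
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")


def restore_backup(archive: Path, target: Path) -> None:
    """Extract the archive into target, refusing absolute or traversing member names."""
    target.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive, "r:gz") as tar:
        try:
            tar.extractall(target, filter="data")
        except TypeError:  # interpreter without extraction filters; archive here is our own
            tar.extractall(target)


def restore_test(files: Dict[str, bytes], truncate_archive_to: Optional[int] = None) -> dict:
    """Write the sample data, back it up, destroy the primary copy, restore, and
    compare hashes. truncate_archive_to simulates a damaged backup medium."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        source, archive, restored = base / "data", base / "backup.tar.gz", base / "restore"
        source.mkdir()
        for rel, content in files.items():
            path = source / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_bytes(content)
        expected = sha256_tree(source)

        make_backup(source, archive)  # a backup log would record success here either way
        if truncate_archive_to is not None:
            with open(archive, "r+b") as fh:
                fh.truncate(truncate_archive_to)
        shutil.rmtree(source)  # simulate loss of the primary copy

        report = {"files_expected": len(expected), "files_restored": 0,
                  "mismatched": [], "extra": [], "error": None, "success": False}
        try:
            restore_backup(archive, restored)
        except Exception as exc:  # any failure to read the archive is a failed restore
            report["error"] = f"{type(exc).__name__}: {exc}"
            return report
        actual = sha256_tree(restored)
        report["files_restored"] = len(actual)
        report["mismatched"] = sorted(k for k, h in expected.items() if actual.get(k) != h)
        report["extra"] = sorted(set(actual) - set(expected))
        report["success"] = not report["mismatched"] and not report["extra"]
        return report


if __name__ == "__main__":
    print("intact archive:", restore_test(SAMPLE_FILES))
    print("damaged archive:", restore_test(SAMPLE_FILES, truncate_archive_to=20))
```

The evidence a risk practitioner should keep from such a drill is the report itself (files expected and restored, hash comparison, any error), not the backup job's own success message.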

Questions 178

Which of the following can be interpreted from a single data point on a risk heat map?

Options:
A.

Risk tolerance

B.

Risk magnitude

C.

Risk response

D.

Risk appetite

Questions 179

Which of the following is MOST influential when management makes risk response decisions?

Options:
A.

Risk appetite

B.

Audit risk

C.

Residual risk

D.

Detection risk

Questions 180

Which of the following activities is PRIMARILY the responsibility of senior management?

Options:
A.

Bottom-up identification of emerging risks

B.

Categorization of risk scenarios against a standard taxonomy

C.

Prioritization of risk scenarios based on severity

D.

Review of external loss data

Questions 181

Quantifying the value of a single asset helps the organization to understand the:

Options:
A.

overall effectiveness of risk management.

B.

consequences of risk materializing.

C.

necessity of developing a risk strategy.

D.

organization's risk threshold.

Questions 182

A department has been granted an exception to bypass the existing approval process for purchase orders. The risk practitioner should verify the exception has been approved by which of the following?

Options:
A.

Internal audit

B.

Control owner

C.

Senior management

D.

Risk manager

Questions 183

An organization has just implemented changes to close an identified vulnerability that impacted a critical business process. What should be the NEXT course of action?

Options:
A.

Redesign the heat map.

B.

Review the risk tolerance.

C.

Perform a business impact analysis (BIA).

D.

Update the risk register.

Questions 184

A risk practitioner has just learned about new done FIRST?

Options:
A.

Notify executive management.

B.

Analyze the impact to the organization.

C.

Update the IT risk register.

D.

Design IT risk mitigation plans.

Questions 185

The PRIMARY purpose of a maturity model is to compare the:

Options:
A.

current state of key processes to their desired state.

B.

actual KPIs with target KPIs.

C.

organization to industry best practices.

D.

organization to peers.

Questions 186

IT stakeholders have asked a risk practitioner for IT risk profile reports associated with specific departments to allocate resources for risk mitigation. The BEST way to address this request would be to use:

Options:
A.

the cost associated with each control.

B.

historical risk assessments.

C.

key risk indicators (KRIs).

D.

information from the risk register.

Questions 187

An organization has received notification that it is a potential victim of a cybercrime that may have compromised sensitive customer data. What should be the FIRST course of action?

Options:
A.

Invoke the incident response plan.

B.

Determine the business impact.

C.

Conduct a forensic investigation.

D.

Invoke the business continuity plan (BCP).

Questions 188

Which of the following is the GREATEST concern associated with the transmission of healthcare data across the internet?

Options:
A.

Unencrypted data

B.

Lack of redundant circuits

C.

Low bandwidth connections

D.

Data integrity

Questions 189

What is MOST important for the risk practitioner to understand when creating an initial IT risk register?

Options:
A.

Enterprise architecture (EA)

B.

Control environment

C.

IT objectives

D.

Organizational objectives

Questions 190

The PRIMARY benefit of classifying information assets is that it helps to:

Options:
A.

communicate risk to senior management.

B.

assign risk ownership.

C.

facilitate internal audit.

D.

determine the appropriate level of control.

Questions 191

Which of the following is the BEST indicator of the effectiveness of a control monitoring program?

Options:
A.

Time between control failure and failure detection

B.

Number of key controls as a percentage of total control count

C.

Time spent on internal control assessment reviews

D.

Number of internal control failures within the measurement period

Questions 192

Which of the following BEST indicates that an organization's risk management program is effective?

Options:
A.

Fewer security incidents have been reported.

B.

The number of audit findings has decreased.

C.

Residual risk is reduced.

D.

Inherent risk is unchanged.

Questions 193

Which of the following BEST enables a proactive approach to minimizing the potential impact of unauthorized data disclosure?

Options:
A.

Cyber insurance

B.

Data backups

C.

Incident response plan

D.

Key risk indicators (KRIs)

Questions 194

The risk associated with a high-risk vulnerability in an application is owned by the:

Options:
A.

security department.

B.

business unit.

C.

vendor.

D.

IT department.

Questions 195

Which of the following would provide executive management with the BEST information to make risk decisions as a result of a risk assessment?

Options:
A.

A comparison of risk assessment results to the desired state

B.

A quantitative presentation of risk assessment results

C.

An assessment of organizational maturity levels and readiness

D.

A qualitative presentation of risk assessment results

Questions 196

Which of the following would be of GREATEST concern to a risk practitioner reviewing current key risk indicators (KRIs)?

Options:
A.

The KRIs' source data lacks integrity.

B.

The KRIs are not automated.

C.

The KRIs are not quantitative.

D.

The KRIs do not allow for trend analysis.

Questions 197

Which of the following is the MOST important information to be communicated during security awareness training?

Options:
A.

Management's expectations

B.

Corporate risk profile

C.

Recent security incidents

D.

The current risk management capability

Questions 198

Which of the following would provide the MOST comprehensive information for updating an organization's risk register?

Options:
A.

Results of the latest risk assessment

B.

Results of a risk forecasting analysis

C.

A review of compliance regulations

D.

Findings of the most recent audit

Questions 199

An organization is making significant changes to an application. At what point should the application risk profile be updated?

Options:
A.

After user acceptance testing (UAT)

B.

Upon release to production

C.

During backlog scheduling

D.

When reviewing functional requirements

Questions 200

When confirming whether implemented controls are operating effectively, which of the following is MOST important to review?

Options:
A.

Results of benchmarking studies

B.

Results of risk assessments

C.

Number of emergency change requests

D.

Maturity model

Exam Code: CRISC
Certification Provider: Isaca
Exam Name: Certified in Risk and Information Systems Control
Last Update: Jan 19, 2025
Questions: 1583
