
Free Isaca CRISC Practice Exam with Questions & Answers

Questions 1

Which of the following should be the risk practitioner's PRIMARY focus when determining whether controls are adequate to mitigate risk?

Options:
A. Sensitivity analysis
B. Level of residual risk
C. Cost-benefit analysis
D. Risk appetite

Questions 2

Which of the following is the MAIN reason for documenting the performance of controls?

Options:
A. Obtaining management sign-off
B. Demonstrating effective risk mitigation
C. Justifying return on investment
D. Providing accurate risk reporting

Questions 3

Which of the following is a specific concern related to machine learning algorithms?

Options:
A. Low software quality
B. Lack of access controls
C. Data breaches
D. Data bias

Questions 4

Which of the following is the MOST effective way to help ensure future risk levels do not exceed the organization's risk appetite?

Options:
A. Developing contingency plans for key processes
B. Implementing key performance indicators (KPIs)
C. Adding risk triggers to entries in the risk register
D. Establishing a series of key risk indicators (KRIs)

Questions 5

Which of the following is MOST important for effective communication of a risk profile to relevant stakeholders?

Options:
A. Emphasizing risk in the risk profile that is related to critical business activities
B. Customizing the presentation of the risk profile to the intended audience
C. Including details of risk with high deviation from the risk appetite
D. Providing information on the efficiency of controls for risk mitigation

Questions 6

A risk practitioner has identified that the organization's secondary data center does not provide redundancy for a critical application. Who should have the authority to accept the associated risk?

Options:
A. Business continuity director
B. Disaster recovery manager
C. Business application owner
D. Data center manager

Questions 7

Whether the results of risk analyses should be presented in quantitative or qualitative terms should be based PRIMARILY on the:

Options:
A. requirements of management.
B. specific risk analysis framework being used.
C. organizational risk tolerance.
D. results of the risk assessment.

Questions 8

Which of the following analyses is MOST useful for prioritizing risk scenarios associated with loss of IT assets?

Options:
A. SWOT analysis
B. Business impact analysis (BIA)
C. Cost-benefit analysis
D. Root cause analysis

Questions 9

Which of the following is the PRIMARY reason for logging in a production database environment?

Options:
A. To provide evidence of activities
B. To prevent illicit actions of database administrators (DBAs)
C. To ensure that changes are authorized
D. To ensure that changes made are correctly applied

Questions 10

Which of the following is the MOST effective way to promote organization-wide awareness of data security in response to an increase in regulatory penalties for data leakage?

Options:
A. Enforce sanctions for noncompliance with security procedures.
B. Conduct organization-wide phishing simulations.
C. Require training on the data handling policy.
D. Require regular testing of the data breach response plan.

Questions 11

The PRIMARY benefit of selecting an appropriate set of key risk indicators (KRIs) is that they:

Options:
A. serve as a basis for measuring risk appetite.
B. align with the organization's risk profile.
C. provide a warning of emerging high-risk conditions.
D. provide data for updating the risk register.

Questions 12

Which of the following BEST enables detection of ethical violations committed by employees?

Options:
A. Transaction log monitoring
B. Whistleblower program
C. Access control attestation
D. Periodic job rotation

Questions 13

Which of the following is the MOST useful input when developing risk scenarios?

Options:
A. Common attacks in other industries
B. Identification of risk events
C. Impact on critical assets
D. Probability of disruptive risk events

Questions 14

Which organizational role should be accountable for ensuring information assets are appropriately classified?

Options:
A. Data protection officer
B. Chief information officer (CIO)
C. Information asset custodian
D. Information asset owner

Questions 15

Which of the following BEST enables a risk practitioner to identify the consequences of losing critical resources due to a disaster?

Options:
A. Risk management action plans
B. Business impact analysis (BIA)
C. What-if technique
D. Tabletop exercise results

Questions 16

Which of the following BEST mitigates the risk associated with inadvertent data leakage by users who work remotely?

Options:
A. Conducting training on the protection of organizational assets
B. Configuring devices to use virtual IP addresses
C. Ensuring patching for end-user devices
D. Providing encrypted access to organizational assets

Questions 17

An organization has outsourced its backup and recovery procedures to a third-party cloud provider. Which of the following should be the risk practitioner's NEXT course of action?

Options:
A. Remove the associated risk from the register.
B. Validate control effectiveness and update the risk register.
C. Review the contract and service level agreements (SLAs).
D. Obtain an assurance report from the third-party provider.

Questions 18

IT risk assessments can BEST be used by management:

Options:
A. for compliance with laws and regulations.
B. as a basis for cost-benefit analysis.
C. as input for decision-making.
D. to measure organizational success.

Questions 19

A risk practitioner is organizing risk awareness training for senior management. Which of the following is the MOST important topic to cover in the training session?

Options:
A. The organization's strategic risk management projects
B. Senior management roles and responsibilities
C. The organization's risk appetite and tolerance
D. Senior management allocation of risk management resources

Questions 20

Which of the following would BEST help to ensure that suspicious network activity is identified?

Options:
A. Analyzing intrusion detection system (IDS) logs
B. Analyzing server logs
C. Using a third-party monitoring provider
D. Coordinating events with appropriate agencies

Questions 21

Which of the following aspects of an IT risk and control self-assessment would be MOST important to include in a report to senior management?

Options:
A. Changes in control design
B. A decrease in the number of key controls
C. Changes in control ownership
D. An increase in residual risk

Questions 22

The MOST important characteristic of an organization's policies is to reflect the organization's:

Options:
A. risk assessment methodology.
B. risk appetite.
C. capabilities.
D. asset value.

Questions 23

A risk practitioner observes that hardware failure incidents have been increasing over the last few months. However, due to built-in redundancy and fault-tolerant architecture, there have been no interruptions to business operations. The risk practitioner should conclude that:

Options:
A. a root cause analysis is required
B. controls are effective for ensuring continuity
C. hardware needs to be upgraded
D. no action is required as there was no impact

Questions 24

Which of the following is the BEST course of action to reduce risk impact?

Options:
A. Create an IT security policy.
B. Implement corrective measures.
C. Implement detective controls.
D. Leverage existing technology.

Questions 25

Which of the following is the MOST important consideration when developing an organization's risk taxonomy?

Options:
A. Leading industry frameworks
B. Business context
C. Regulatory requirements
D. IT strategy

Questions 26

A risk assessment has identified that an organization may not be in compliance with industry regulations. The BEST course of action would be to:

Options:
A. conduct a gap analysis against compliance criteria.
B. identify necessary controls to ensure compliance.
C. modify internal assurance activities to include control validation.
D. collaborate with management to meet compliance requirements.

Questions 27

Which of the following risk register updates is MOST important for senior management to review?

Options:
A. Extending the date of a future action plan by two months
B. Retiring a risk scenario no longer used
C. Avoiding a risk that was previously accepted
D. Changing a risk owner

Questions 28

A data processing center operates in a jurisdiction where new regulations have significantly increased penalties for data breaches. Which of the following elements of the risk register is MOST important to update to reflect this change?

Options:
A. Risk impact
B. Risk trend
C. Risk appetite
D. Risk likelihood

Questions 29

What is the BEST information to present to business control owners when justifying costs related to controls?

Options:
A. Loss event frequency and magnitude
B. The previous year's budget and actuals
C. Industry benchmarks and standards
D. Return on IT security-related investments

Questions 30

Which of the following is MOST important to identify when developing generic risk scenarios?

Options:
A. The organization's vision and mission
B. Resources required for risk mitigation
C. Impact to business objectives
D. Risk-related trends within the industry

Questions 31

Which of the following is the MOST important data source for monitoring key risk indicators (KRIs)?

Options:
A. Directives from legal and regulatory authorities
B. Audit reports from internal information systems audits
C. Automated logs collected from different systems
D. Trend analysis of external risk factors

Questions 32

Which of the following should be the PRIMARY consideration when assessing the automation of control monitoring?

Options:
A. Impact due to failure of control
B. Frequency of failure of control
C. Contingency plan for residual risk
D. Cost-benefit analysis of automation

Questions 33

Which of the following is the BEST indication of an effective risk management program?

Options:
A. Risk action plans are approved by senior management.
B. Residual risk is within the organizational risk appetite.
C. Mitigating controls are designed and implemented.
D. Risk is recorded and tracked in the risk register.

Questions 34

Which of the following is the FIRST step in managing the risk associated with the leakage of confidential data?

Options:
A. Maintain and review the classified data inventory.
B. Implement mandatory encryption on data.
C. Conduct an awareness program for data owners and users.
D. Define and implement a data classification policy.

Questions 35

A risk practitioner is assisting with the preparation of a report on the organization's disaster recovery (DR) capabilities. Which information would have the MOST impact on the overall recovery profile?

Options:
A. The percentage of systems meeting recovery target times has increased.
B. The number of systems tested in the last year has increased.
C. The number of systems requiring a recovery plan has increased.
D. The percentage of systems with long recovery target times has decreased.

Questions 36

Which of the following is the MOST important foundational element of an effective three lines of defense model for an organization?

Options:
A. A robust risk aggregation tool set
B. Clearly defined roles and responsibilities
C. A well-established risk management committee
D. Well-documented and communicated escalation procedures

Questions 37

The MAIN purpose of conducting a control self-assessment (CSA) is to:

Options:
A. gain a better understanding of the control effectiveness in the organization
B. gain a better understanding of the risk in the organization
C. adjust the controls prior to an external audit
D. reduce the dependency on external audits

Questions 38

Which of the following is a PRIMARY benefit of engaging the risk owner during the risk assessment process?

Options:
A. Identification of controls gaps that may lead to noncompliance
B. Prioritization of risk action plans across departments
C. Early detection of emerging threats
D. Accurate measurement of loss impact

Questions 39

Which of the following would BEST help minimize the risk associated with social engineering threats?

Options:
A. Enforcing employees' sanctions
B. Conducting phishing exercises
C. Enforcing segregation of duties
D. Reviewing the organization's risk appetite

Questions 40

Which of the following would BEST help an enterprise prioritize risk scenarios?

Options:
A. Industry best practices
B. Placement on the risk map
C. Degree of variances in the risk
D. Cost of risk mitigation

Questions 41

Which of the following BEST describes the role of the IT risk profile in strategic IT-related decisions?

Options:
A. It compares performance levels of IT assets to value delivered.
B. It facilitates the alignment of strategic IT objectives to business objectives.
C. It provides input to business managers when preparing a business case for new IT projects.
D. It helps assess the effects of IT decisions on risk exposure.

Questions 42

Which of the following is the BEST key performance indicator (KPI) to measure the maturity of an organization's security incident handling process?

Options:
A. The number of security incidents escalated to senior management
B. The number of resolved security incidents
C. The number of newly identified security incidents
D. The number of recurring security incidents

Questions 43

An organization has procured a managed hosting service and just discovered the location is likely to be flooded every 20 years. Of the following, who should be notified of this new information FIRST?

Options:
A. The risk owner who also owns the business service enabled by this infrastructure
B. The data center manager who is also employed under the managed hosting services contract
C. The site manager who is required to provide annual risk assessments under the contract
D. The chief information officer (CIO) who is responsible for the hosted services

Questions 44

Which of the following controls would BEST reduce the risk of account compromise?

Options:
A. Enforce password changes.
B. Enforce multi-factor authentication (MFA).
C. Enforce role-based authentication.
D. Enforce password encryption.

Questions 45

The PRIMARY reason a risk practitioner would be interested in an internal audit report is to:

Options:
A. plan awareness programs for business managers.
B. evaluate maturity of the risk management process.
C. assist in the development of a risk profile.
D. maintain a risk register based on noncompliance.

Questions 46

Which of the following is the MOST important consideration when multiple risk practitioners capture risk scenarios in a single risk register?

Options:
A. Aligning risk ownership and control ownership
B. Developing risk escalation and reporting procedures
C. Maintaining up-to-date risk treatment plans
D. Using a consistent method for risk assessment

Questions 47

Which of the following is MOST helpful to ensure effective security controls for a cloud service provider?

Options:
A. A control self-assessment
B. A third-party security assessment report
C. Internal audit reports from the vendor
D. Service level agreement monitoring

Questions 48

The PRIMARY objective of testing the effectiveness of a new control before implementation is to:

Options:
A. ensure that risk is mitigated by the control.
B. measure efficiency of the control process.
C. confirm control alignment with business objectives.
D. comply with the organization's policy.

Questions 49

The MOST effective way to increase the likelihood that risk responses will be implemented is to:

Options:
A. create an action plan.
B. assign ownership.
C. review progress reports.
D. perform regular audits.

Questions 50

In addition to the risk register, what should a risk practitioner review to develop an understanding of the organization's risk profile?

Options:
A. The control catalog
B. The asset profile
C. Business objectives
D. Key risk indicators (KRIs)

Exam Code: CRISC
Certification Provider: Isaca
Exam Name: Certified in Risk and Information Systems Control
Last Update: Feb 11, 2025
Questions: 1590
