
Free Isaca CRISC Practice Exam with Questions & Answers | Set: 2

Questions 51

Which of the following situations reflects residual risk?

Options:
A.

Risk that is present before risk acceptance has been finalized

B.

Risk that is removed after a risk acceptance has been finalized

C.

Risk that is present before mitigation controls have been applied

D.

Risk that remains after mitigation controls have been applied

Questions 52

After a risk has been identified, who is in the BEST position to select the appropriate risk treatment option?

Options:
A.

The risk practitioner

B.

The business process owner

C.

The risk owner

D.

The control owner

Questions 53

Which of the following is MOST important when developing key performance indicators (KPIs)?

Options:
A.

Alignment to risk responses

B.

Alignment to management reports

C.

Alerts when risk thresholds are reached

D.

Identification of trends

Questions 54

A risk heat map is MOST commonly used as part of an IT risk analysis to facilitate risk:

Options:
A.

communication.

B.

identification.

C.

treatment.

D.

assessment.

Questions 55

A rule-based data loss prevention (DLP) tool has recently been implemented to reduce the risk of sensitive data leakage. Which of the following is MOST likely to change as a result of this implementation?

Options:
A.

Risk likelihood

B.

Risk velocity

C.

Risk appetite

D.

Risk impact

Questions 56

An organization is planning to engage a cloud-based service provider for some of its data-intensive business processes. Which of the following is MOST important to help define the IT risk associated with this outsourcing activity?

Options:
A.

Service level agreement

B.

Customer service reviews

C.

Scope of services provided

D.

Right to audit the provider

Questions 57

Which of the following is the MOST important consideration for a risk practitioner when making a system implementation go-live recommendation?

Options:
A.

Completeness of system documentation

B.

Results of end user acceptance testing

C.

Variances between planned and actual cost

D.

Availability of in-house resources

Questions 58

An organization has determined a risk scenario is outside the defined risk tolerance level. What should be the NEXT course of action?

Options:
A.

Develop a compensating control.

B.

Allocate remediation resources.

C.

Perform a cost-benefit analysis.

D.

Identify risk responses.

Questions 59

Which of the following is the GREATEST benefit of incorporating IT risk scenarios into the corporate risk register?

Options:
A.

Corporate incident escalation protocols are established.

B.

Exposure is integrated into the organization's risk profile.

C.

Risk appetite cascades to business unit management.

D.

The organization-wide control budget is expanded.

Questions 60

Which of the following is the PRIMARY reason for a risk practitioner to use global standards related to risk management?

Options:
A.

To build an organizational risk-aware culture

B.

To continuously improve risk management processes

C.

To comply with legal and regulatory requirements

D.

To identify gaps in risk management practices

Questions 61

When a high number of approved exceptions are observed during a review of a control procedure, an organization should FIRST initiate a review of the:

Options:
A.

Relevant policies.

B.

Threat landscape.

C.

Awareness program.

D.

Risk heat map.

Questions 62

A global organization is considering the acquisition of a competitor. Senior management has requested a review of the overall risk profile from the targeted organization. Which of the following components of this review would provide the MOST useful information?

Options:
A.

Risk appetite statement

B.

Enterprise risk management framework

C.

Risk management policies

D.

Risk register

Questions 63

The analysis of which of the following will BEST help validate whether suspicious network activity is malicious?

Options:
A.

Logs and system events

B.

Intrusion detection system (IDS) rules

C.

Vulnerability assessment reports

D.

Penetration test reports

Questions 64

Which of the following should be the HIGHEST priority when developing a risk response?

Options:
A.

The risk response addresses the risk with a holistic view.

B.

The risk response is based on a cost-benefit analysis.

C.

The risk response is accounted for in the budget.

D.

The risk response aligns with the organization's risk appetite.

Questions 65

An organization wants to assess the maturity of its internal control environment. The FIRST step should be to:

Options:
A.

validate control process execution.

B.

determine if controls are effective.

C.

identify key process owners.

D.

conduct a baseline assessment.

Questions 66

Establishing an organizational code of conduct is an example of which type of control?

Options:
A.

Preventive

B.

Directive

C.

Detective

D.

Compensating

Questions 67

Management has noticed storage costs have increased exponentially over the last 10 years because most users do not delete their emails. Which of the following can BEST alleviate this issue while not sacrificing security?

Options:
A.

Implementing record retention tools and techniques

B.

Establishing e-discovery and data loss prevention (DLP)

C.

Sending notifications when near storage quota

D.

Implementing a bring your own device (BYOD) policy

Questions 68

Which of the following is the BEST method for assessing control effectiveness?

Options:
A.

Ad hoc control reporting

B.

Control self-assessment

C.

Continuous monitoring

D.

Predictive analytics

Questions 69

A risk practitioner is summarizing the results of a high-profile risk assessment sponsored by senior management. The BEST way to support risk-based decisions by senior management would be to:

Options:
A.

map findings to objectives.

B.

provide quantified detailed analysis.

C.

recommend risk tolerance thresholds.

D.

quantify key risk indicators (KRIs).

Questions 70

When an organization's business continuity plan (BCP) states that it cannot afford to lose more than three hours of a critical application's data, the three hours is considered the application’s:

Options:
A.

Maximum tolerable outage (MTO).

B.

Recovery point objective (RPO).

C.

Mean time to restore (MTTR).

D.

Recovery time objective (RTO).

Questions 71

A review of an organization's controls has determined its data loss prevention (DLP) system is currently failing to detect outgoing emails containing credit card data. Which of the following would be MOST impacted?

Options:
A.

Key risk indicators (KRIs)

B.

Inherent risk

C.

Residual risk

D.

Risk appetite

Questions 72

Which of the following BEST enables effective risk-based decision making?

Options:
A.

Performing threat modeling to understand the threat landscape

B.

Minimizing the number of risk scenarios for risk assessment

C.

Aggregating risk scenarios across a key business unit

D.

Ensuring the risk register is updated to reflect changes in risk factors

Questions 73

Which of the following would be MOST useful when measuring the progress of a risk response action plan?

Options:
A.

Percentage of mitigated risk scenarios

B.

Annual loss expectancy (ALE) changes

C.

Resource expenditure against budget

D.

An up-to-date risk register

Questions 74

An organization that has been the subject of multiple social engineering attacks is developing a risk awareness program. The PRIMARY goal of this program should be to:

Options:
A.

reduce the risk to an acceptable level.

B.

communicate the consequences for violations.

C.

implement industry best practices.

D.

reduce the organization's risk appetite.

Questions 75

Which of the following is the FIRST step in managing the security risk associated with wearable technology in the workplace?

Options:
A.

Identify the potential risk.

B.

Monitor employee usage.

C.

Assess the potential risk.

D.

Develop risk awareness training.

Questions 76

Which of the following is the MOST effective key performance indicator (KPI) for change management?

Options:
A.

Percentage of changes with a fallback plan

B.

Number of changes implemented

C.

Percentage of successful changes

D.

Average time required to implement a change

Questions 77

Which of the following is the BEST method to identify unnecessary controls?

Options:
A.

Evaluating the impact of removing existing controls

B.

Evaluating existing controls against audit requirements

C.

Reviewing system functionalities associated with business processes

D.

Monitoring existing key risk indicators (KRIs)

Questions 78

After several security incidents resulting in significant financial losses, IT management has decided to outsource the security function to a third party that provides 24/7 security operation services. Which risk response option has management implemented?

Options:
A.

Risk mitigation

B.

Risk avoidance

C.

Risk acceptance

D.

Risk transfer

Questions 79

Periodically reviewing and updating a risk register with details on identified risk factors PRIMARILY helps to:

Options:
A.

minimize the number of risk scenarios for risk assessment.

B.

aggregate risk scenarios identified across different business units.

C.

build a threat profile of the organization for management review.

D.

provide a current reference to stakeholders for risk-based decisions.

Questions 80

Which of the following would BEST provide early warning of a high-risk condition?

Options:
A.

Risk register

B.

Risk assessment

C.

Key risk indicator (KRI)

D.

Key performance indicator (KPI)

Questions 81

Which of the following is the MOST important consideration when sharing risk management updates with executive management?

Options:
A.

Using an aggregated view of organizational risk

B.

Ensuring relevance to organizational goals

C.

Relying on key risk indicator (KRI) data

D.

Including trend analysis of risk metrics

Questions 82

During which phase of the system development life cycle (SDLC) should information security requirements for the implementation of a new IT system be defined?

Options:
A.

Monitoring

B.

Development

C.

Implementation

D.

Initiation

Questions 83

The head of a business operations department asks to review the entire IT risk register. Which of the following would be the risk manager's BEST approach to this request before sharing the register?

Options:
A.

Escalate to senior management.

B.

Require a nondisclosure agreement.

C.

Sanitize portions of the register.

D.

Determine the purpose of the request.

Questions 84

Which of the following should be a risk practitioner's NEXT step upon learning the impact of an organization's noncompliance with a specific legal regulation?

Options:
A.

Identify risk response options.

B.

Implement compensating controls.

C.

Invoke the incident response plan.

D.

Document the penalties for noncompliance.

Questions 85

Which of the following is the MOST important factor affecting risk management in an organization?

Options:
A.

The risk manager's expertise

B.

Regulatory requirements

C.

Board of directors' expertise

D.

The organization's culture

Questions 86

An organization has outsourced its IT security operations to a third party. Who is ULTIMATELY accountable for the risk associated with the outsourced operations?

Options:
A.

The third party's management

B.

The organization's management

C.

The control operators at the third party

D.

The organization's vendor management office

Questions 87

The acceptance of control costs that exceed risk exposure is MOST likely an example of:

Options:
A.

low risk tolerance.

B.

corporate culture misalignment.

C.

corporate culture alignment.

D.

high risk tolerance.

Questions 88

A risk practitioner has observed that there is an increasing trend of users sending sensitive information by email without using encryption. Which of the following would be the MOST effective approach to mitigate the risk associated with data loss?

Options:
A.

Implement a tool to create and distribute violation reports.

B.

Raise awareness of encryption requirements for sensitive data.

C.

Block unencrypted outgoing emails which contain sensitive data.

D.

Implement a progressive disciplinary process for email violations.

Questions 89

Which of the following would be the BEST way to help ensure the effectiveness of a data loss prevention (DLP) control that has been implemented to prevent the loss of credit card data?

Options:
A.

Testing the transmission of credit card numbers

B.

Reviewing logs for unauthorized data transfers

C.

Configuring the DLP control to block credit card numbers

D.

Testing the DLP rule change control process

Questions 90

Which of the following changes would be reflected in an organization's risk profile after the failure of a critical patch implementation?

Options:
A.

Risk tolerance is decreased.

B.

Residual risk is increased.

C.

Inherent risk is increased.

D.

Risk appetite is decreased.

Questions 91

A systems interruption has been traced to a personal USB device plugged into the corporate network by an IT employee who bypassed internal control procedures. Of the following, who should be accountable?

Options:
A.

Business continuity manager (BCM)

B.

Human resources manager (HRM)

C.

Chief risk officer (CRO)

D.

Chief information officer (CIO)

Questions 92

Which of the following will BEST help mitigate the risk associated with malicious functionality in outsourced application development?

Options:
A.

Perform an in-depth code review with an expert.

B.

Validate functionality by running in a test environment.

C.

Implement a service level agreement.

D.

Utilize the change management process.

Questions 93

Which of the following will BEST mitigate the risk associated with IT and business misalignment?

Options:
A.

Establishing business key performance indicators (KPIs)

B.

Introducing an established framework for IT architecture

C.

Establishing key risk indicators (KRIs)

D.

Involving the business process owner in IT strategy

Questions 94

Which of the following is the MOST important element of a successful risk awareness training program?

Options:
A.

Customizing content for the audience

B.

Providing incentives to participants

C.

Mapping to a recognized standard

D.

Providing metrics for measurement

Questions 95

Which of the following is the BEST approach to use when creating a comprehensive set of IT risk scenarios?

Options:
A.

Derive scenarios from IT risk policies and standards.

B.

Map scenarios to a recognized risk management framework.

C.

Gather scenarios from senior management.

D.

Benchmark scenarios against industry peers.

Questions 96

An audit reveals that several terminated employee accounts maintain access. Which of the following should be the FIRST step to address the risk?

Options:
A.

Perform a risk assessment

B.

Disable user access.

C.

Develop an access control policy.

D.

Perform root cause analysis.

Questions 97

Which of the following BEST provides an early warning that network access of terminated employees is not being revoked in accordance with the service level agreement (SLA)?

Options:
A.

Updating multi-factor authentication

B.

Monitoring key access control performance indicators

C.

Analyzing access control logs for suspicious activity

D.

Revising the service level agreement (SLA)

Questions 98

Which of the following is the MOST important requirement for monitoring key risk indicators (KRIs) using log analysis?

Options:
A.

Obtaining logs in an easily readable format

B.

Providing accurate logs in a timely manner

C.

Collecting logs from the entire set of IT systems

D.

Implementing an automated log analysis tool

Questions 99

Which of the following activities would BEST contribute to promoting an organization-wide risk-aware culture?

Options:
A.

Performing a benchmark analysis and evaluating gaps

B.

Conducting risk assessments and implementing controls

C.

Communicating components of risk and their acceptable levels

D.

Participating in peer reviews and implementing best practices

Questions 100

It is MOST appropriate for changes to be promoted to production after they are:

Options:
A.

communicated to business management.

B.

tested by business owners.

C.

approved by the business owner.

D.

initiated by business users.

Exam Code: CRISC
Certification Provider: Isaca
Exam Name: Certified in Risk and Information Systems Control
Last Update: Feb 17, 2025
Questions: 1590
