Free Isaca CRISC Practice Exam with Questions & Answers | Set: 5

Questions 201

Which of the following would BEST enable mitigation of newly identified risk factors related to Internet of Things (IoT)?

Options:
A.

Introducing control procedures early in the life cycle

B.

Implementing IoT device software monitoring

C.

Performing periodic risk assessments of IoT

D.

Performing secure code reviews

Questions 202

Which of the following process controls BEST mitigates the risk of an employee issuing fraudulent payments to a vendor?

Options:
A.

Performing credit verification of third-party vendors prior to payment

B.

Conducting system access reviews to ensure least privilege and appropriate access

C.

Performing regular reconciliation of payments to the check registers

D.

Enforcing segregation of duties between the vendor master file and invoicing

Questions 203

A risk practitioner is involved in a comprehensive overhaul of the organizational risk management program. Which of the following should be reviewed FIRST to help identify relevant IT risk scenarios?

Options:
A.

Technology threats

B.

IT assets

C.

Security vulnerabilities

D.

IT risk register

Questions 204

A risk practitioner has been asked to evaluate the adoption of a third-party blockchain integration platform based on the value added by the platform and the organization's risk appetite. Which of the following is the risk practitioner's BEST course of action?

Options:
A.

Conduct a risk assessment with stakeholders.

B.

Conduct third-party resilience tests.

C.

Update the risk register with the process changes.

D.

Review risk related to standards and regulations.

Questions 205

A company has located its computer center on a moderate earthquake fault. Which of the following is the MOST important consideration when establishing a contingency plan and an alternate processing site?

Options:
A.

The contingency plan provides for backup media to be taken to the alternative site.

B.

The contingency plan for high priority applications does not involve a shared cold site.

C.

The alternative site is a hot site with equipment ready to resume processing immediately.

D.

The alternative site does not reside on the same fault no matter how far the distance apart.

Questions 206

The software version of an enterprise's critical business application has reached end-of-life and is no longer supported by the vendor. IT has decided to develop an in-house replacement application. Which of the following should be the PRIMARY concern?

Options:
A.

The system documentation is not available.

B.

Enterprise risk management (ERM) has not approved the decision.

C.

The board of directors has not approved the decision.

D.

The business process owner is not an active participant.

Questions 207

Which of the following scenarios presents the GREATEST risk of noncompliance with data privacy best practices?

Options:
A.

Making data available to a larger audience of customers

B.

Data not being disposed according to the retention policy

C.

Personal data not being de-identified properly

D.

Data being used for purposes the data subjects have not opted into

Questions 208

A MAJOR advantage of using key risk indicators (KRIs) is that they:

Options:
A.

Identify scenarios that exceed defined risk appetite.

B.

Help with internal control assessments concerning risk appetite.

C.

Assess risk scenarios that exceed defined thresholds.

D.

Identify when risk exceeds defined thresholds.

Questions 209

A global organization has implemented an application that does not address all privacy requirements across multiple jurisdictions. Which of the following risk responses has the organization adopted with regard to privacy requirements?

Options:
A.

Risk avoidance

B.

Risk transfer

C.

Risk mitigation

D.

Risk acceptance

Questions 210

A business unit is updating a risk register with assessment results for a key project. Which of the following is MOST important to capture in the register?

Options:
A.

The methodology used to perform the risk assessment

B.

Action plans to address risk scenarios requiring treatment

C.

Date and status of the last project milestone

D.

The individuals assigned ownership of controls

Questions 211

Which of the following is the GREATEST risk associated with inappropriate classification of data?

Options:
A.

Inaccurate record management data

B.

Inaccurate recovery time objectives (RTOs)

C.

Lack of accountability for data ownership

D.

Users having unauthorized access to data

Questions 212

Which of the following is the PRIMARY objective of aggregating the impact of IT risk scenarios and reflecting the results in the enterprise risk register?

Options:
A.

To ensure IT risk appetite is communicated across the organization

B.

To ensure IT risk impact can be compared to the IT risk appetite

C.

To ensure IT risk ownership is assigned at the appropriate organizational level

D.

To ensure IT risk scenarios are consistently assessed within the organization

Questions 213

Which of the following is BEST measured by key control indicators (KCIs)?

Options:
A.

Historical trends of the organizational risk profile

B.

Cost efficiency of risk treatment plan projects

C.

Comprehensiveness of risk assessment procedures

D.

Effectiveness of organizational defense in depth

Questions 214

A data center has recently been migrated to a jurisdiction where heavy fines will be imposed should leakage of customer personal data occur. Assuming no other changes to the operating environment, which factor should be updated to reflect this situation as an input to scenario development for this particular risk event?

Options:
A.

Risk likelihood

B.

Risk impact

C.

Risk capacity

D.

Risk appetite

Questions 215

Which of the following is a risk practitioner's BEST recommendation to help reduce IT risk associated with scheduling overruns when starting a new application development project?

Options:
A.

Implement a tool to track the development team's deliverables.

B.

Review the software development life cycle.

C.

Involve the development team in planning.

D.

Assign more developers to the project team.

Questions 216

An incentive program is MOST likely implemented to manage the risk associated with loss of which organizational asset?

Options:
A.

Employees

B.

Data

C.

Reputation

D.

Customer lists

Questions 217

The BEST way for management to validate whether risk response activities have been completed is to review:

Options:
A.

the risk register change log.

B.

evidence of risk acceptance.

C.

control effectiveness test results.

D.

control design documentation.

Questions 218

An organization has built up its cash reserves and has now become financially able to support additional risk while meeting its objectives. What is this change MOST likely to impact?

Options:
A.

Risk profile

B.

Risk capacity

C.

Risk indicators

D.

Risk tolerance

Questions 219

A risk practitioner's BEST guidance to help an organization develop relevant risk scenarios is to ensure the scenarios are:

Options:
A.

based on industry trends.

B.

mapped to incident response plans.

C.

related to probable events.

D.

aligned with risk management capabilities.

Questions 220

Which of the following is the BEST way to protect sensitive data from administrators within a public cloud?

Options:
A.

Use an encrypted tunnel to connect to the cloud.

B.

Encrypt the data in the cloud database.

C.

Encrypt physical hard drives within the cloud.

D.

Encrypt data before it leaves the organization.

Questions 221

Which of the following is the BEST way to mitigate the risk associated with fraudulent use of an enterprise's brand on Internet sites?

Options:
A.

Utilizing data loss prevention (DLP) technology

B.

Monitoring the enterprise's use of the Internet

C.

Scanning the Internet to search for unauthorized usage

D.

Developing training and awareness campaigns

Questions 222

Which of the following is MOST important for a multinational organization to consider when developing its security policies and standards?

Options:
A.

Regional competitors' policies and standards

B.

Ability to monitor and enforce compliance

C.

Industry-standard templates

D.

Differences in regulatory requirements

Questions 223

An assessment of information security controls has identified ineffective controls. Which of the following should be the risk practitioner's FIRST course of action?

Options:
A.

Determine whether the impact is outside the risk appetite.

B.

Report the ineffective control for inclusion in the next audit report.

C.

Request a formal acceptance of risk from senior management.

D.

Deploy a compensating control to address the identified deficiencies.

Questions 224

Which of the following is MOST important when identifying an organization's risk exposure associated with Internet of Things (IoT) devices?

Options:
A.

Defined remediation plans

B.

Management sign-off on the scope

C.

Manual testing of device vulnerabilities

D.

Visibility into all networked devices

Questions 225

Which of the following is the GREATEST concern related to the monitoring of key risk indicators (KRIs)?

Options:
A.

Logs are retained for longer than required.

B.

Logs are reviewed annually.

C.

Logs are stored in a multi-tenant cloud environment.

D.

Logs are modified before analysis is conducted.

Questions 226

Which of the following is the MOST effective way to validate organizational awareness of cybersecurity risk?

Options:
A.

Conducting security awareness training

B.

Updating the information security policy

C.

Implementing mock phishing exercises

D.

Requiring two-factor authentication

Questions 227

When creating a separate IT risk register for a large organization, which of the following is MOST important to consider with regard to the existing corporate risk register?

Options:
A.

Leveraging business risk professionals

B.

Relying on generic IT risk scenarios

C.

Describing IT risk in business terms

D.

Using a common risk taxonomy

Questions 228

Which of the following is the BEST response when a potential IT control deficiency has been identified?

Options:
A.

Remediate and report the deficiency to the enterprise risk committee.

B.

Verify the deficiency and then notify the business process owner.

C.

Verify the deficiency and then notify internal audit.

D.

Remediate and report the deficiency to senior executive management.

Questions 229

Which of the following BEST prevents control gaps in the Zero Trust model when implementing in the environment?

Options:
A.

Relying on multiple solutions for Zero Trust

B.

Utilizing rapid development during implementation

C.

Establishing a robust technical architecture

D.

Starting with a large initial scope

Questions 230

An organization has established a contract with a vendor that includes penalties for loss of availability. Which risk treatment has been adopted by the organization?

Options:
A.

Acceptance

B.

Avoidance

C.

Transfer

D.

Reduction

Questions 231

Which of the following BEST enables the development of a successful IT strategy focused on business risk mitigation?

Options:
A.

Providing risk awareness training for business units

B.

Obtaining input from business management

C.

Understanding the business controls currently in place

D.

Conducting a business impact analysis (BIA)

Questions 232

Which of the following is the GREATEST concern associated with the use of artificial intelligence (AI) language models?

Options:
A.

The model could be hacked or exploited.

B.

The model could be used to generate inaccurate content.

C.

Staff could become overly reliant on the model.

D.

It could lead to biased recommendations.

Questions 233

An organization's decision to remain noncompliant with certain laws or regulations is MOST likely influenced by:

Options:
A.

The region in which the organization operates.

B.

Established business culture.

C.

Risk appetite set by senior management.

D.

Identified business process controls.

Questions 234

Which of the following provides the MOST useful input to the development of realistic risk scenarios?

Options:
A.

Balanced scorecard

B.

Risk appetite

C.

Risk map

D.

Risk events

Questions 235

An organization has updated its acceptable use policy to mitigate the risk of employees disclosing confidential information. Which of the following is the BEST way to reinforce the effectiveness of this policy?

Options:
A.

Communicate sanctions for policy violations to all staff.

B.

Obtain signed acceptance of the new policy from employees.

C.

Train all staff on relevant information security best practices.

D.

Implement data loss prevention (DLP) within the corporate network.

Questions 236

An organization has contracted with a cloud service provider to support the deployment of a new product. Of the following, who should own the associated risk?

Options:
A.

The head of enterprise architecture (EA)

B.

The IT risk manager

C.

The information security manager

D.

The product owner

Questions 237

A risk practitioner learns that a risk owner has been accepting gifts from a supplier of IT products. Some of these IT products are used to implement controls and to mitigate risk to acceptable levels. Which of the following should the risk practitioner do FIRST?

Options:
A.

Initiate disciplinary action against the risk owner.

B.

Reassess the risk and review the underlying controls.

C.

Review organizational ethics policies.

D.

Report the activity to the supervisor.

Questions 238

A risk practitioner has been notified of a social engineering attack using artificial intelligence (AI) technology to impersonate senior management personnel. Which of the following would BEST mitigate the impact of such attacks?

Options:
A.

Subscription to data breach monitoring sites

B.

Suspension and takedown of malicious domains or accounts

C.

Increased monitoring of executive accounts

D.

Training and awareness of employees for increased vigilance

Questions 239

If concurrent update transactions to an account are not processed properly, which of the following will MOST likely be affected?

Options:
A.

Confidentiality

B.

Accountability

C.

Availability

D.

Integrity

Questions 240

Which of the following outcomes of disaster recovery planning is MOST important to enable the initiation of necessary actions during a disaster?

Options:
A.

Definition of disaster recovery plan (DRP) scope and key stakeholders

B.

Recovery time and maximum acceptable data loss thresholds

C.

A checklist including equipment, location of data backups, and backup sites

D.

A list of business areas and critical functions subject to risk analysis

Questions 241

Which of the following is the MOST important document regarding the treatment of sensitive data?

Options:
A.

Organization risk profile

B.

Information classification policy

C.

Encryption policy

D.

Digital rights management policy

Questions 242

After conducting a risk assessment for regulatory compliance, an organization has identified only one possible mitigating control. The cost of the control has been determined to be higher than the penalty of noncompliance. Which of the following would be the risk practitioner's BEST recommendation?

Options:
A.

Accept the risk with management sign-off.

B.

Ignore the risk until the regulatory body conducts a compliance check.

C.

Mitigate the risk with the identified control.

D.

Transfer the risk by buying insurance.

Questions 243

Which of the following is MOST important to consider when assessing the likelihood that a recently discovered software vulnerability will be exploited?

Options:
A.

The skill level required of a threat actor

B.

The amount of personally identifiable information (PII) disclosed

C.

The ability to detect and trace the threat action

D.

The amount of data that might be exposed by a threat action

Questions 244

Which of the following is the BEST key performance indicator (KPI) to measure the ability to deliver uninterrupted IT services?

Options:
A.

Mean time between failures (MTBF)

B.

Mean time to recover (MTTR)

C.

Planned downtime

D.

Unplanned downtime

Questions 245

What is a risk practitioner's BEST approach to monitor and measure how quickly an exposure to a specific risk can affect the organization?

Options:
A.

Create an asset valuation report.

B.

Create key performance indicators (KPIs).

C.

Create key risk indicators (KRIs).

D.

Create a risk volatility report.

Questions 246

The percentage of unpatched systems is a:

Options:
A.

threat vector.

B.

critical success factor (CSF).

C.

key performance indicator (KPI).

D.

key risk indicator (KRI).

Questions 247

Where is the FIRST place a risk practitioner should look to identify accountability for a specific risk?

Options:
A.

Risk register

B.

Risk scenario

C.

RACI matrix

D.

Risk response plan

Questions 248

Which of the following is BEST measured by key control indicators (KCIs)?

Options:
A.

Historical trends of the organizational risk profile.

B.

Cost efficiency of risk treatment plan projects.

C.

Comprehensiveness of risk assessment procedures.

D.

Effectiveness of organizational defense in depth.

Questions 249

A large organization recently restructured the IT department and has decided to outsource certain functions. What action should the control owners in the IT department take?

Options:
A.

Conduct risk classification for associated IT controls.

B.

Determine whether risk responses still effectively address risk.

C.

Perform vulnerability and threat assessments.

D.

Analyze and update IT control assessments.

Questions 250

An organization wants to transfer risk by purchasing cyber insurance. Which of the following would be MOST important for the risk practitioner to communicate to senior management for contract negotiation purposes?

Options:
A.

Most recent IT audit report results

B.

Replacement cost of IT assets

C.

Current annualized loss expectancy report

D.

Cyber insurance industry benchmarking report

Exam Code: CRISC
Certification Provider: Isaca
Exam Name: Certified in Risk and Information Systems Control
Last Update: Feb 11, 2025
Questions: 1590
