
Free Isaca CRISC Practice Exam with Questions & Answers | Set: 7

Questions 301

An organization must make a choice among multiple options to respond to a risk. The stakeholders cannot agree and decide to postpone the decision. Which of the following risk responses has the organization adopted?

Options:
A.

Transfer

B.

Mitigation

C.

Avoidance

D.

Acceptance

Questions 302

Which of the following should be done FIRST when information is no longer required to support business objectives?

Options:
A.

Archive the information to a backup database.

B.

Protect the information according to the classification policy.

C.

Assess the information against the retention policy.

D.

Securely and permanently erase the information.

Questions 303

Which of the following would BEST assist in reconstructing the sequence of events following a security incident across multiple IT systems in the organization's network?

Options:
A.

Network monitoring infrastructure

B.

Centralized vulnerability management

C.

Incident management process

D.

Centralized log management

Questions 304

Which of the following provides the MOST up-to-date information about the effectiveness of an organization's overall IT control environment?

Options:
A.

Key performance indicators (KPIs)

B.

Risk heat maps

C.

Internal audit findings

D.

Periodic penetration testing

Questions 305

A violation of segregation of duties is when the same:

Options:
A.

user requests and tests the change prior to production.

B.

user authorizes and monitors the change post-implementation.

C.

programmer requests and tests the change prior to production.

D.

programmer writes and promotes code into production.

Questions 306

Which of the following is MOST important for a risk practitioner to verify when evaluating the effectiveness of an organization's existing controls?

Options:
A.

Senior management has approved the control design.

B.

Inherent risk has been reduced from original levels.

C.

Residual risk remains within acceptable levels.

D.

Costs for control maintenance are reasonable.

Questions 307

Participants in a risk workshop have become focused on the financial cost to mitigate risk rather than choosing the most appropriate response. Which of the following is the BEST way to address this type of issue in the long term?

Options:
A.

Perform a return on investment analysis.

B.

Review the risk register and risk scenarios.

C.

Calculate annualized loss expectancy of risk scenarios.

D.

Raise the maturity of organizational risk management.

Questions 308

An organization learns of a new ransomware attack affecting organizations worldwide. Which of the following should be done FIRST to reduce the likelihood of infection from the attack?

Options:
A.

Identify systems that are vulnerable to being exploited by the attack.

B.

Confirm with the antivirus solution vendor whether the next update will detect the attack.

C.

Verify the data backup process and confirm which backups are the most recent ones available.

D.

Obtain approval for funding to purchase a cyber insurance plan.

Questions 309

Which of the following is MOST useful when communicating risk to management?

Options:
A.

Risk policy

B.

Audit report

C.

Risk map

D.

Maturity model

Questions 310

Which of the following will BEST help in communicating strategic risk priorities?

Options:
A.

Heat map

B.

Business impact analysis (BIA)

C.

Balanced Scorecard

D.

Risk register

Questions 311

Which of the following is the PRIMARY purpose of periodically reviewing an organization's risk profile?

Options:
A.

Align business objectives with risk appetite.

B.

Enable risk-based decision making.

C.

Design and implement risk response action plans.

D.

Update risk responses in the risk register.

Questions 312

An organization is preparing to transfer a large number of customer service representatives to the sales department. Of the following, who is responsible for mitigating the risk associated with residual system access?

Options:
A.

IT service desk manager

B.

Sales manager

C.

Customer service manager

D.

Access control manager

Questions 313

Which of the following trends would cause the GREATEST concern regarding the effectiveness of an organization's user access control processes? An increase in the:

Options:
A.

ratio of disabled to active user accounts.

B.

percentage of users with multiple user accounts.

C.

average number of access entitlements per user account.

D.

average time between user transfers and access updates.

Questions 314

An organization is implementing encryption for data at rest to reduce the risk associated with unauthorized access. Which of the following MUST be considered to assess the residual risk?

Options:
A.

Data retention requirements

B.

Data destruction requirements

C.

Cloud storage architecture

D.

Key management

Questions 315

Which of the following is the BEST indication of a mature organizational risk culture?

Options:
A.

Corporate risk appetite is communicated to staff members.

B.

Risk owners understand and accept accountability for risk.

C.

Risk policy has been published and acknowledged by employees.

D.

Management encourages the reporting of policy breaches.

Questions 316

Which of the following is the MOST effective control to maintain the integrity of system configuration files?

Options:
A.

Recording changes to configuration files

B.

Implementing automated vulnerability scanning

C.

Restricting access to configuration documentation

D.

Monitoring against the configuration standard

Questions 317

Which of the following is the PRIMARY objective of providing an aggregated view of IT risk to business management?

Options:
A.

To enable consistent data on risk to be obtained

B.

To allow for proper review of risk tolerance

C.

To identify dependencies for reporting risk

D.

To provide consistent and clear terminology

Questions 318

An information system for a key business operation is being moved from an in-house application to a Software as a Service (SaaS) vendor. Which of the following will have the GREATEST impact on the ability to monitor risk?

Options:
A.

Reduced ability to evaluate key risk indicators (KRIs)

B.

Reduced access to internal audit reports

C.

Dependency on the vendor's key performance indicators (KPIs)

D.

Dependency on service level agreements (SLAs)

Questions 319

When an organization is having new software implemented under contract, which of the following is key to controlling escalating costs?

Options:
A.

Risk management

B.

Change management

C.

Problem management

D.

Quality management

Questions 320

Which of the following is the BEST course of action to help reduce the probability of an incident recurring?

Options:
A.

Perform a risk assessment.

B.

Perform root cause analysis.

C.

Initiate disciplinary action.

D.

Update the incident response plan.

Questions 321

When evaluating enterprise IT risk management it is MOST important to:

Options:
A.

create new control processes to reduce identified IT risk scenarios

B.

confirm the organization’s risk appetite and tolerance

C.

report identified IT risk scenarios to senior management

D.

review alignment with the organization's investment plan

Questions 322

Which of the following is MOST important to have in place to ensure the effectiveness of risk and security metrics reporting?

Options:
A.

Organizational reporting process

B.

Incident reporting procedures

C.

Regularly scheduled audits

D.

Incident management policy

Questions 323

Which of the following BEST indicates that additional or improved controls are needed in the environment?

Options:
A.

Management has decreased organizational risk appetite

B.

The risk register and portfolio do not include all risk scenarios

C.

Emerging risk scenarios have been identified

D.

Risk events and losses exceed risk tolerance

Questions 324

Which of the following is the BEST way to manage the risk associated with malicious activities performed by database administrators (DBAs)?

Options:
A.

Activity logging and monitoring

B.

Periodic access review

C.

Two-factor authentication

D.

Awareness training and background checks

Questions 325

Which of the following will BEST support management reporting on risk?

Options:
A.

Control self-assessment (CSA)

B.

Risk policy requirements

C.

A risk register

D.

Key performance indicators (KPIs)

Questions 326

Which of the following is the MOST effective way to integrate risk and compliance management?

Options:
A.

Embedding risk management into compliance decision-making

B.

Designing corrective actions to improve risk response capabilities

C.

Embedding risk management into processes that are aligned with business drivers

D.

Conducting regular self-assessments to verify compliance

Questions 327

Which of the following issues should be of GREATEST concern when evaluating existing controls during a risk assessment?

Options:
A.

A high number of approved exceptions exist with compensating controls.

B.

Successive assessments have the same recurring vulnerabilities.

C.

Redundant compensating controls are in place.

D.

Asset custodians are responsible for defining controls instead of asset owners.

Questions 328

Which of the following is the FIRST step when conducting a business impact analysis (BIA)?

Options:
A.

Identifying critical information assets

B.

Identifying events impacting continuity of operations

C.

Creating a data classification scheme

D.

Analyzing previous risk assessment results

Questions 329

Upon learning that the number of failed back-up attempts continually exceeds the current risk threshold, the risk practitioner should:

Options:
A.

inquire about the status of any planned corrective actions

B.

keep monitoring the situation as there is evidence that this is normal

C.

adjust the risk threshold to better reflect actual performance

D.

initiate corrective action to address the known deficiency

Questions 330

When reviewing a business continuity plan (BCP), which of the following would be the MOST significant deficiency?

Options:
A.

BCP testing is not in conjunction with the disaster recovery plan (DRP).

B.

Recovery time objectives (RTOs) do not meet business requirements.

C.

BCP is often tested using the walk-through method.

D.

Each business location has separate, inconsistent BCPs.

Questions 331

A risk practitioner identifies a database application that has been developed and implemented by the business independently of IT. Which of the following is the BEST course of action?

Options:
A.

Escalate the concern to senior management.

B.

Document the reasons for the exception.

C.

Include the application in IT risk assessments.

D.

Propose that the application be transferred to IT.

Questions 332

Which of the following should be the MOST important consideration for senior management when developing a risk response strategy?

Options:
A.

Cost of controls

B.

Risk tolerance

C.

Risk appetite

D.

Probability definition

Questions 333

Which of the following is the BEST key control indicator (KCI) for risk related to IT infrastructure failure?

Options:
A.

Number of times the recovery plan is reviewed

B.

Number of successful recovery plan tests

C.

Percentage of systems with outdated virus protection

D.

Percentage of employees who can work remotely

Questions 334

Which of the following is the MOST critical element to maximize the potential for a successful security implementation?

Options:
A.

The organization's knowledge

B.

Ease of implementation

C.

The organization's culture

D.

Industry-leading security tools

Questions 335

Which of the following is the MOST important consideration when selecting key risk indicators (KRIs) to monitor risk trends over time?

Options:
A.

Ongoing availability of data

B.

Ability to aggregate data

C.

Ability to predict trends

D.

Availability of automated reporting systems

Questions 336

Which of the following is the BEST source for identifying key control indicators (KCIs)?

Options:
A.

Privileged user activity monitoring controls

B.

Controls mapped to organizational risk scenarios

C.

Recent audit findings of control weaknesses

D.

A list of critical security processes

Questions 337

While reviewing a contract of a cloud services vendor, it was discovered that the vendor refuses to accept liability for a sensitive data breach. Which of the following controls will BEST reduce the risk associated with such a data breach?

Options:
A.

Ensuring the vendor does not know the encryption key

B.

Engaging a third party to validate operational controls

C.

Using the same cloud vendor as a competitor

D.

Using field-level encryption with a vendor supplied key

Questions 338

Which of the following should be of GREATEST concern for an organization considering the adoption of a bring your own device (BYOD) initiative?

Options:
A.

Device corruption

B.

Data loss

C.

Malicious users

D.

User support

Questions 339

The PRIMARY objective for requiring an independent review of an organization's IT risk management process should be to:

Options:
A.

assess gaps in IT risk management operations and strategic focus.

B.

confirm that IT risk assessment results are expressed as business impact.

C.

verify implemented controls to reduce the likelihood of threat materialization.

D.

ensure IT risk management is focused on mitigating potential risk.

Questions 340

Which of the following is MOST likely to cause a key risk indicator (KRI) to exceed thresholds?

Options:
A.

Occurrences of specific events

B.

A performance measurement

C.

The risk tolerance level

D.

Risk scenarios

Questions 341

The PRIMARY goal of conducting a business impact analysis (BIA) as part of an overall continuity planning process is to:

Options:
A.

obtain the support of executive management.

B.

map the business processes to supporting IT and other corporate resources.

C.

identify critical business processes and the degree of reliance on support services.

D.

document the disaster recovery process.

Questions 342

Which of the following is the BEST key control indicator (KCI) to monitor the effectiveness of patch management?

Options:
A.

Percentage of legacy servers out of support

B.

Percentage of servers receiving automated patches

C.

Number of unremediated vulnerabilities

D.

Number of intrusion attempts

Questions 343

Which of the following is MOST important when developing risk scenarios?

Options:
A.

Reviewing business impact analysis (BIA)

B.

Collaborating with IT audit

C.

Conducting vulnerability assessments

D.

Obtaining input from key stakeholders

Questions 344

Which of the following MUST be updated to maintain an IT risk register?

Options:
A.

Expected frequency and potential impact

B.

Risk tolerance

C.

Enterprise-wide IT risk assessment

D.

Risk appetite

Questions 345

Which of the following BEST facilitates the mitigation of identified gaps between current and desired risk environment states?

Options:
A.

Develop a risk treatment plan.

B.

Validate organizational risk appetite.

C.

Review results of prior risk assessments.

D.

Include the current and desired states in the risk register.

Questions 346

Which of the following would BEST help to address the risk associated with malicious outsiders modifying application data?

Options:
A.

Multi-factor authentication

B.

Role-based access controls

C.

Activation of control audits

D.

Acceptable use policies

Questions 347

Which of the following is MOST important to compare against the corporate risk profile?

Options:
A.

Industry benchmarks

B.

Risk tolerance

C.

Risk appetite

D.

Regulatory compliance

Questions 348

A management team is on an aggressive mission to launch a new product to penetrate new markets and overlooks IT risk factors, threats, and vulnerabilities. This scenario BEST demonstrates an organization's risk:

Options:
A.

management.

B.

tolerance.

C.

culture.

D.

analysis.

Questions 349

Which of the following is the MOST important reason to link an effective key control indicator (KCI) to relevant key risk indicators (KRIs)?

Options:
A.

To monitor changes in the risk environment

B.

To provide input to management for the adjustment of risk appetite

C.

To monitor the accuracy of threshold levels in metrics

D.

To obtain business buy-in for investment in risk mitigation measures

Questions 350

An organization has initiated a project to launch an IT-based service to customers and take advantage of being the first to market. Which of the following should be of GREATEST concern to senior management?

Options:
A.

More time has been allotted for testing.

B.

The project is likely to deliver the product late.

C.

A new project manager is handling the project.

D.

The cost of the project will exceed the allotted budget.

Exam Code: CRISC
Certification Provider: Isaca
Exam Name: Certified in Risk and Information Systems Control
Last Update: Feb 10, 2025
Questions: 1590
