CRISC Exam Questions
640 real CRISC exam questions with expert-verified answers and explanations. Page 1 of 13.
- Question #1 (IT Risk Assessment)
  Of the following, who is BEST suited to assist a risk practitioner in developing a relevant set of risk scenarios?
  Risk scenarios, Stakeholder management, Risk identification, Asset ownership
- Question #2 (IT Risk Assessment)
  An organization has made a decision to purchase a new IT system. During which phase of the system development life cycle (SDLC) will identified risk MOST likely lead to architecture...
  SDLC Phases, Risk Integration, System Architecture, Design Trade-offs
- Question #3 (Risk Response and Reporting)
  Recovery time objectives (RTOs) should be based on
  RTO, Recovery Time Objective, Business Continuity Planning, Downtime Tolerance
- Question #4 (Risk Response and Reporting)
  Which of the following issues found during the review of a newly created disaster recovery plan (DRP) should be of MOST concern?
  Disaster Recovery Planning (DRP), Business Continuity, Criticality Analysis, Risk Response Effectiveness
- Question #5 (Risk Response and Reporting)
  Which of the following is MOST helpful in defining an early-warning threshold associated with insufficient network bandwidth?
  Network Monitoring, Performance Metrics, Early Warning Thresholds, Risk Monitoring
- Question #6 (Governance)
  An organization maintains independent departmental risk registers that are not automatically aggregated. Which of the following is the GREATEST concern?
  Risk Aggregation, Enterprise Risk Management, Risk Reporting, Management Oversight
- Question #7 (IT Risk Assessment)
  It was determined that replication of a critical database used by two business units failed. Which of the following should be of GREATEST concern?
  Database replication, Data integrity, Risk impact, Critical systems
- Question #8 (Risk Response and Reporting)
  Which of the following contributes MOST to the effective implementation of risk responses?
  Risk response implementation, Risk understanding, Effectiveness, Risk management principles
- Question #9 (IT Risk Assessment)
  As part of business continuity planning, which of the following is MOST important to include in a business impact analysis (BIA)?
  Business Impact Analysis, Business Continuity Planning, Threat Assessment, Risk Assessment
- Question #10 (Governance)
  Which of the following would BEST mitigate an identified risk scenario?
  Risk Tolerance, Risk Mitigation, Risk Governance, Strategic Risk Management
- Question #11 (Risk Response and Reporting)
  An organization has decided to commit to a business activity with the knowledge that the risk exposure is higher than the risk appetite. Which of the following is the risk practiti...
  Risk acceptance, Risk appetite, Risk documentation, Risk practitioner responsibilities
- Question #12 (Risk Response and Reporting)
  Which of the following would BEST mitigate the ongoing risk associated with operating system (OS) vulnerabilities?
  OS vulnerability management, Risk mitigation strategies, Patching and upgrades, Ongoing risk management
- Question #13 (IT Risk Assessment)
  Which of the following would BEST enable a risk-based decision when considering the use of an emerging technology for data processing?
  Risk-based decision making, Emerging technology risk, Gap analysis, Risk assessment tools
- Question #14 (Risk Response and Reporting)
  An organization has an approved bring your own device (BYOD) policy. Which of the following would BEST mitigate the security risk associated with the inappropriate use of enterpris...
  BYOD security, Mobile Device Management (MDM), Risk mitigation, Application security
- Question #15 (Risk Response and Reporting)
  Which key performance indicator (KPI) BEST measures the effectiveness of an organization's disaster recovery program?
  Disaster Recovery, Key Performance Indicators (KPI), Recovery Time Objective (RTO), Program Effectiveness
- Question #16 (Risk Response and Reporting)
  Which of the following will BEST help to ensure the continued effectiveness of the IT risk management function within an organization experiencing high employee turnover?
  IT Risk Management Effectiveness, Operational Continuity, Risk Monitoring, High Employee Turnover Mitigation
- Question #17 (Governance)
  An organization has decided to use an external auditor to review the control environment of an outsourced service provider. The BEST control criteria to evaluate the provider would...
  Outsourced services risk, Control evaluation criteria, Vendor risk management, Organizational accountability
- Question #18 (Risk Response and Reporting)
  A company has recently acquired a customer relationship management (CRM) application from a certified software vendor. Which of the following will BEST help to prevent technical v...
  Risk Transfer, Third-Party Risk Management, Contractual Risk Management, Vendor Management
- Question #19 (Governance)
  Which of the following is the MOST important information to review when developing plans for using emerging technologies?
  Strategic alignment, Emerging technology planning, Organizational strategy, IT governance
- Question #20 (Risk Response and Reporting)
  What is the PRIMARY reason an organization should include background checks on roles with elevated access to production as part of its hiring process?
  Background Checks, Personnel Risk, Risk Mitigation, Insider Threat
- Question #21 (Governance)
  Before assigning sensitivity levels to information, it is MOST important to:
  Information Classification, Security Policy, Risk Governance, Information Sensitivity
- Question #22 (IT Risk Assessment)
  An organization has used generic risk scenarios to populate its risk register. Which of the following presents the GREATEST challenge to the assignment of the associated risk entries?
  Risk Register, Risk Scenarios, Risk Identification, Risk Applicability
- Question #23 (Risk Response and Reporting)
  Which of the following standard operating procedure (SOP) statements BEST illustrates appropriate risk register maintenance?
  Risk Register Maintenance, Risk Management Lifecycle, Risk Monitoring, Risk Environment
- Question #24 (Governance)
  Which of the following is MOST important when implementing an organization's security policy?
  Security Policy, Management Support, Policy Implementation, Organizational Governance
- Question #25 (Risk Response and Reporting)
  A core data center went offline abruptly for several hours, affecting many transactions across multiple locations. Which of the following would provide the MOST useful information t...
  Incident response, Post-incident analysis, Mitigating controls, Forensic investigation
- Question #26 (Governance)
  A risk practitioner observed that a high number of policy exceptions were approved by senior management. Which of the following is the risk practitioner's BEST course of action to d...
  Risk exception management, Root cause analysis, Control owner responsibilities, Management approval processes
- Question #27 (Risk Response and Reporting)
  The BEST way to mitigate the high cost of retrieving electronic evidence associated with potential litigation is to implement policies and procedures for:
  data classification, e-discovery costs, litigation risk mitigation, information governance
- Question #28 (Risk Response and Reporting)
  An organization has completed a risk assessment of one of its service providers. Who should be accountable for ensuring that risk responses are implemented?
  Risk response implementation, Accountability, IT risk practitioner, Third-party risk management
- Question #29 (Risk Response and Reporting)
  Which of the following would MOST likely require a risk practitioner to update the risk register?
  Risk Register, Risk Response, Control Implementation, Risk Monitoring
- Question #30 (IT Risk Assessment)
  An IT risk threat analysis is BEST used to establish
  IT risk assessment, Threat analysis, Risk scenarios, Risk identification
- Question #31 (Governance)
  Which of the following is a risk practitioner's MOST important responsibility in managing risk acceptance that exceeds risk tolerance?
  Risk acceptance, Risk tolerance, Senior management authorization, Risk governance
- Question #32 (Risk Response and Reporting)
  Which of the following would provide the BEST evidence of an effective internal control environment?
  Internal control environment, Control effectiveness, Independent audit, Control monitoring
- Question #33 (Risk Response and Reporting)
  An organization is concerned that its employees may be unintentionally disclosing data through the use of social media sites. Which of the following will MOST effectively mitigate...
  User Awareness Training, Social Media Risk, Unintentional Data Disclosure, Risk Mitigation
- Question #34 (IT Risk Assessment)
  Who should be responsible for evaluating the residual risk after a compensating control has been
  Risk Management Roles, Residual Risk Evaluation, Compensating Controls, Risk Assessment
- Question #35 (IT Risk Assessment)
  A global company's business continuity plan (BCP) requires the transfer of its customer information....event of a disaster. Which of the following should be the MOST important risk...
  Business Continuity Planning, Cloud Security, Data Protection, Third-Party Risk
- Question #36 (Risk Response and Reporting)
  Which of the following is the BEST approach to mitigate the risk associated with a control deficiency?
  Control Self-Assessment (CSA), Risk Mitigation, Control Deficiency, Risk Monitoring
- Question #37 (Governance)
  Which of the following is PRIMARILY a risk management responsibility of the first line of defense?
  Risk Management, Three Lines of Defense, First Line of Defense, Governance
- Question #38 (IT Risk Assessment)
  Which of the following would be the GREATEST concern for an IT risk practitioner when an employees.....
  Access Control, Offboarding Procedures, IT Security Risk, Vulnerability Management
- Question #39 (Risk Response and Reporting)
  Which of the following is the BEST indication that key risk indicators (KRIs) should be revised?
  Key Risk Indicators (KRIs), Risk Monitoring, Risk Thresholds, Risk Reporting
- Question #40 (IT Risk Assessment)
  In order to determine whether a risk is under-controlled, the risk practitioner will need to
  Risk tolerance, Risk control, Residual risk, Risk evaluation
- Question #41 (IT Risk Assessment)
  An organization is considering the adoption of an aggressive business strategy to achieve desired growth. From a risk management perspective, what should the risk practitioner do NEX...
  Risk Identification, Business Strategy Alignment, Risk Assessment Process, Threat Management
- Question #42 (Information Technology and Security)
  Which of the following practices would be MOST effective in protecting personally identifiable information (PII) from unauthorized access in a cloud environment?
  PII Protection, Cloud Security, Encryption, Access Controls
- Question #43 (Governance)
  Which of the following is MOST important to the effectiveness of key performance indicators (KPIs)?
  Key Performance Indicators (KPIs), Risk Monitoring, Governance, Management Oversight
- Question #44 (Governance)
  Which of the following is the MOST comprehensive resource for prioritizing the implementation of information systems controls?
  Control prioritization, IT strategic planning, Information security governance, Resource allocation
- Question #45 (Governance)
  Which of the following will BEST help to ensure implementation of corrective action plans?
  Accountability, Corrective Actions, Risk Ownership, Implementation Assurance
- Question #46 (Governance)
  Which of the following would BEST facilitate the implementation of data classification requirements?
  Data Classification, Data Owner, Roles and Responsibilities, Information Governance
- Question #47 (Governance)
  Which of the following is MOST important for mitigating ethical risk when establishing accountability for control ownership?
  Ethical Risk Management, Accountability, Risk Culture, Leadership Communication
- Question #48 (Governance)
  Which of the following management actions will MOST likely change the likelihood rating of a risk scenario related to remote network access?
  Risk Likelihood, Management Actions, Organizational Policy, Risk Governance
- Question #49 (Risk Response and Reporting)
  After the implementation of Internet of Things (IoT) devices, new risk scenarios were identified. What is the PRIMARY reason to report this information to risk owners?
  Risk reporting, Risk profile update, Risk ownership, New risk identification
- Question #50 (Governance)
  An organization's control environment is MOST effective when:
  Control Effectiveness, Control Environment, Internal Controls, Control Performance