CRISC Question #249: Real Exam Question with Answer & Explanation

The correct answer is B: During the risk assessment. The best time to evaluate current control effectiveness is during the risk assessment phase of an IT risk management program.

Submitted by layla.eg · Apr 18, 2026 · IT Risk Assessment

Question

When implementing an IT risk management program, which of the following is the BEST time to evaluate current control effectiveness?

Options

  • A. Before defining a framework
  • B. During the risk assessment
  • C. When evaluating risk response
  • D. When updating the risk register

Explanation

The best time to evaluate current control effectiveness is during the risk assessment phase of an IT risk management program.

Common mistakes.

  • A. Evaluating control effectiveness before defining a framework is premature, as the framework guides what controls should exist and how they should be assessed.
  • C. Evaluating control effectiveness when evaluating risk response is too late, as control effectiveness should inform the selection of appropriate risk responses, not be assessed simultaneously with them.
  • D. While updating the risk register might involve noting control statuses, the formal and comprehensive evaluation of effectiveness is a distinct activity that should happen as part of the initial assessment to inform the register's contents.

Concept tested. Timing of control effectiveness evaluation

Topics

#IT Risk Management Program · #Control Effectiveness · #Risk Assessment Process · #Residual Risk
