CRISC Question #29: Real Exam Question with Answer & Explanation
The correct answer is C: Completion of a project for implementing a new control.
Question
Which of the following would MOST likely require a risk practitioner to update the risk register?
Options
- A. An alert being reported by the security operations center.
- B. Development of a project schedule for implementing a risk response.
- C. Completion of a project for implementing a new control.
- D. Engagement of a third party to conduct a vulnerability scan.
Explanation
The completion of a project for implementing a new control is the event most likely requiring a risk practitioner to update the risk register. This action directly changes the organization's risk posture by introducing a mitigation, necessitating a review and update of associated risk statuses and residual risk levels.
Common mistakes
- A. An alert from a security operations center (SOC) typically indicates a potential incident or anomalous activity, which might trigger an investigation, but it doesn't automatically require an update to the risk register itself unless it reveals a previously unknown risk or a significant change in an existing one.
- B. The development of a project schedule for a risk response is a planning activity; the actual implementation (completion) is what changes the risk posture and requires the register update.
- D. Engaging a third party for a vulnerability scan is an assessment activity designed to identify vulnerabilities, which may lead to identifying new risks or updating existing ones, but the engagement itself doesn't directly alter the risk posture. The findings of the scan, once analyzed, might lead to an update.
Concept tested: Risk register update triggers
Reference: https://nvlpubs.nist.gov/nistpubs/legacy/sp/nistspecialpublication800-39.pdf