CRISC Exam Questions
640 real CRISC exam questions with expert-verified answers and explanations. Page 11 of 13.
- Question #501 (IT Risk Assessment)
  Which of the following BEST enables a risk practitioner to identify the consequences of losing critical resources due to a disaster?
  Tags: Business Impact Analysis (BIA); Impact Assessment; Risk Identification; Critical Resource Loss
- Question #502 (Risk Response and Reporting)
  Which of the following BEST enables an organization to address risk associated with technical complexity?
  Tags: Risk management; Technical complexity; Security architecture; Risk mitigation
- Question #503 (Risk Response and Reporting)
  Which of the following is the MOST important reason for a risk practitioner to continuously monitor a critical security transformation program?
  Tags: Risk Monitoring; Risk Mitigation; Risk Response; Program Risk Management
- Question #504 (IT Risk Assessment)
  An organization has identified the need to implement an asset tiering model to establish the appropriate level of impact. Which of the following is the MOST effective risk assessme...
  Tags: Risk assessment methodologies; Quantitative risk assessment; Asset tiering; Impact assessment
- Question #505 (Risk Response and Reporting)
  Concerned about system load capabilities during the month-end close process, management requires monitoring of the average time to complete tasks and monthly reporting of the findi...
  Tags: Performance Measurement; Key Performance Indicators (KPIs); Monitoring; Reporting
- Question #506 (Governance)
  Within the three lines of defense model, the PRIMARY responsibility for ensuring risk mitigation controls are properly configured belongs with:
  Tags: Three Lines of Defense; Risk Mitigation Controls; Control Ownership; Line Management
- Question #507 (Risk Response and Reporting)
  A business unit is updating a risk register with assessment results for a key project. Which of the following is MOST important to capture in the register?
  Tags: Risk Register; Risk Treatment; Action Plans; Risk Response
- Question #508 (Risk Response and Reporting)
  An organization has established a policy prohibiting ransom payments if subjected to a ransomware attack. Which of the following is the MOST effective control to support this polic...
  Tags: Ransomware; Immutable Backups; Incident Recovery; Risk Response Controls
- Question #509 (Risk Response and Reporting)
  During a post-implementation review for a new system, users voiced concerns about missing functionality. Which of the following is the BEST way for the organization to avoid this s...
  Tags: User Acceptance Testing; Requirements Validation; System Implementation; Project Quality Assurance
- Question #510 (IT Risk Assessment)
  An organization is outsourcing a key database to be hosted by an external service provider. Who is BEST suited to assess the impact of potential data loss?
  Tags: Risk Impact Assessment; Business Continuity; Roles and Responsibilities; Third-Party Risk Management
- Question #511 (Governance)
  A risk practitioner has been asked to propose a risk acceptance framework for an organization. Which of the following is the MOST important consideration for the risk practitioner...
  Tags: Risk Acceptance; Risk Management Framework; Risk Governance; Roles and Responsibilities
- Question #512 (Risk Response and Reporting)
  Which of the following BEST mitigates reputational risk associated with disinformation campaigns against an organization?
  Tags: Reputational Risk; Disinformation; Risk Mitigation; Crisis Communication
- Question #513 (Governance)
  Which of the following should a risk practitioner do FIRST to support the implementation of governance around organizational assets within an enterprise risk management (ERM) progr...
  Tags: ERM; Risk Profile; Governance Implementation; Organizational Assets
- Question #514 (Information Technology and Security)
  Zero Trust architecture is designed and deployed with adherence to which of the following basic tenets?
  Tags: Zero Trust; Security Architecture; Network Security; Security Principles
- Question #515 (IT Risk Assessment)
  The risk to an organization's reputation due to a recent cybersecurity breach is PRIMARILY considered to be:
  Tags: Strategic risk; Reputation risk; Risk classification; Cybersecurity impact
- Question #516 (IT Risk Assessment)
  Which of the following is a PRIMARY reason for considering existing controls during initial risk assessment?
  Tags: Risk assessment process; Current risk; Existing controls; Risk terminology
- Question #517 (Risk Response and Reporting)
  Which of the following is the BEST way to prevent the loss of highly sensitive data when disposing of storage media?
  Tags: Data sanitization; Media disposal; Physical destruction; Information asset protection
- Question #518 (IT Risk Assessment)
  Which of the following is MOST important to consider when assessing the likelihood that a recently discovered software vulnerability will be exploited?
  Tags: Vulnerability assessment; Likelihood assessment; Exploitability; Risk factors
- Question #519 (IT Risk Assessment)
  A risk practitioner identifies an increasing trend of employees copying company information unrelated to their job functions to USB drives. Which of the following elements of the r...
  Tags: Risk register; Risk likelihood; Risk monitoring; Insider threat
- Question #520 (Governance)
  What would be MOST helpful to ensuring the effective implementation of a new cybersecurity program?
  Tags: Program Implementation; Cybersecurity Governance; Accountability; Roles and Responsibilities
- Question #521 (Risk Response and Reporting)
  Who is BEST suited to provide information to the risk practitioner about the effectiveness of a technical control associated with an application?
  Tags: System ownership; Control effectiveness; Roles and responsibilities; Risk information sources
- Question #522 (Governance)
  An organization is concerned that a change in its market situation may impact the current level of acceptable risk for senior management. As a result, which of the following is MOS...
  Tags: Risk policy; Risk appetite; Risk governance; Policy review
- Question #523 (Risk Response and Reporting)
  Which of the following BEST prevents control gaps in the Zero Trust model when implementing in the environment?
  Tags: Zero Trust; Security Architecture; Risk Mitigation; Control Gaps
- Question #524 (Risk Response and Reporting)
  Which of the following should be the PRIMARY driver for the prioritization of risk responses?
  Tags: Risk Appetite; Risk Prioritization; Risk Response
- Question #525 (Risk Response and Reporting)
  Which of the following provides the BEST evidence that robust risk management practices are in place within an organization?
  Tags: Risk Management Practices; Risk Register; Risk Monitoring; Evidence of Effectiveness
- Question #526 (Governance)
  Which of the following stakeholders define risk tolerance for an enterprise?
  Tags: Risk tolerance; Risk governance; Stakeholder roles; Executive responsibility
- Question #527 (Risk Response and Reporting)
  A risk register BEST facilitates which of the following risk management functions?
  Tags: Risk Register; Risk Management Functions; Stakeholder Communication; Risk Review
- Question #528 (IT Risk Assessment)
  Which of the following is the GREATEST risk of relying on artificial intelligence (AI) within heuristic security systems?
  Tags: Artificial Intelligence (AI); Heuristic Security; Risk Identification; Baselining
- Question #529 (Risk Response and Reporting)
  When a risk practitioner is building a key risk indicator (KRI) from aggregated data, it is CRITICAL that the data is derived from:
  Tags: Key Risk Indicators (KRIs); Data Quality; Risk Monitoring; Aggregated Data
- Question #530 (IT Risk Assessment)
  Which of the following techniques is MOST helpful when quantifying the potential loss impact of cyber risk?
  Tags: Risk quantification; Loss impact; Business Impact Analysis; Cyber risk management
- Question #531 (Risk Response and Reporting)
  Which of the following is the MOST important key performance indicator (KPI) for monitoring the user access management process?
  Tags: Access Management; KPI; Risk Monitoring; Service Level Agreement
- Question #532 (IT Risk Assessment)
  Which of the following is the MOST useful information for prioritizing risk mitigation?
  Tags: Risk prioritization; Risk mitigation; Business impact assessment; Risk analysis
- Question #533 (Risk Response and Reporting)
  A key performance indicator (KPI) shows that a process is operating inefficiently, even though no control issues were noted during the most recent risk assessment. Which of the fol...
  Tags: Key Performance Indicators (KPIs); Risk Monitoring; Control Effectiveness; Discrepancy Resolution
- Question #534 (IT Risk Assessment)
  Senior management has requested more information regarding the risk associated with introducing a new application into the environment. Which of the following should be done FIRST?
  Tags: Risk analysis; Risk assessment process; New application risk; IT risk identification
- Question #535 (IT Risk Assessment)
  An organization's board of directors is concerned about recent data breaches in the news and wants to assess its exposure to similar scenarios. Which of the following is the BEST c...
  Tags: Security Controls Evaluation; Data Breach Risk; Risk Exposure; IT Risk Assessment
- Question #536 (Risk Response and Reporting)
  Which of the following is the MOST reliable validation of a new control?
  Tags: Control Validation; Internal Audit; Control Design; Assurance
- Question #537 (Governance)
  A penetration testing team discovered an ineffectively designed access control. Who is responsible for ensuring the control design gap is remediated?
  Tags: Control Ownership; Roles and Responsibilities; Control Remediation; Risk Governance
- Question #538 (IT Risk Assessment)
  Which of the following information is MOST useful to a risk practitioner for developing IT risk scenarios?
  Tags: Risk Scenarios; IT Risk Assessment; Risk Identification
- Question #539 (Risk Response and Reporting)
  Which of the following is the MOST important consideration when selecting digital signature software?
  Tags: Digital Signatures; Nonrepudiation; Information Security Controls; Risk Mitigation
- Question #540 (Risk Response and Reporting)
  Which of the following BEST helps to mitigate risk associated with excessive access by authorized users?
  Tags: Least Privilege; Access Control; Risk Mitigation; User Provisioning
- Question #541 (Risk Response and Reporting)
  Warning banners on login screens for laptops provided by an organization to its employees are an example of which type of control?
  Tags: Security Controls; Deterrent Controls; Control Types; Risk Response
- Question #542 (IT Risk Assessment)
  Which of the following is the GREATEST risk associated with inappropriate classification of data?
  Tags: Data Classification; Access Control; Information Security Risk; Confidentiality
- Question #543 (IT Risk Assessment)
  Which of the following events is MOST likely to trigger the need to conduct a risk assessment?
  Tags: Risk Assessment Triggers; Business Change; Proactive Risk Management; New Initiatives Risk
- Question #544 (IT Risk Assessment)
  Which of the following is the MOST important for an organization to have in place to ensure IT asset protection?
  Tags: IT asset protection; Risk assessment; IT risk management; Asset security
- Question #545 (Governance)
  Which of the following is the PRIMARY purpose for ensuring senior management understands the organization's risk universe in relation to the IT risk management program?
  Tags: Senior Management Responsibility; Risk Appetite Definition; Risk Governance; Enterprise Risk View
- Question #546 (Risk Response and Reporting)
  Which of the following BEST indicates the effective implementation of a risk treatment plan?
  Tags: Risk Treatment; Residual Risk; Risk Appetite; Risk Tolerance
- Question #547 (IT Risk Assessment)
  Which of the following is the MOST essential characteristic of a good IT risk scenario?
  Tags: IT Risk Scenarios; Business Alignment; Risk Identification; Risk Management Principles
- Question #548 (Risk Response and Reporting)
  An organization has committed to a business initiative with the knowledge that the risk exposure is higher than the risk appetite. Which of the following is the risk practitioner's...
  Tags: Risk acceptance; Risk appetite; Risk documentation; Risk response
- Question #549 (Risk Response and Reporting)
  Which of the following is MOST important for a risk practitioner to confirm once a risk action plan has been completed?
  Tags: Risk Mitigation; Risk Treatment; Action Plan Effectiveness; Post-Implementation Review
- Question #550 (Governance)
  When assessing the maturity level of an organization's risk management framework, which of the following should be of GREATEST concern to a risk practitioner?
  Tags: Risk management maturity; Senior management involvement; Risk governance; Organizational support