CRISC Exam Questions
640 real CRISC exam questions with expert-verified answers and explanations. Page 2 of 13.
- Question #51Risk Response and Reporting
When is the BEST to identify risk associated with major project to determine a mitigation plan?
Project Risk ManagementRisk IdentificationRisk MitigationProject Lifecycle - Question #52IT Risk Assessment
The PRIMARY objective of collecting information and reviewing documentation when performing periodic risk analysis should be to:
Risk AnalysisInformation GatheringThreat IdentificationRisk Assessment Fundamentals - Question #53IT Risk Assessment
An organization is analyzing the risk of shadow IT usage. Which of the following is the MOST important input into the assessment?
Shadow ITRisk Assessment InputsBusiness BenefitsRisk Analysis Context - Question #54Governance
Which of the following would be a risk practitioner's BEST recommendation upon learning of an updated cybersecurity regulation that could impact the organization?
Regulatory complianceGap analysisRisk management processIT governance - Question #55Risk Response and Reporting
It is MOST important that security controls for a new system be documented in:
Security Controls DocumentationControl TestingSystem Development Life Cycle (SDLC)Risk Response Validation - Question #56Risk Response and Reporting
An organization is planning to move its application infrastructure from on-premises to the cloud. Which of the following is the BEST course of the actin to address the risk associa...
Cloud Risk ManagementVendor Risk ManagementContract ManagementCloud Exit Strategy - Question #57IT Risk Assessment
Which of the following would be the result of a significant increase in the motivation of a malicious threat actor?
Risk AssessmentThreat ActorRisk LikelihoodRisk Components - Question #58Governance
Which of the following would BEST facilitate the implementation of data classification requirements?
Data ClassificationData OwnershipInformation GovernanceRoles and Responsibilities - Question #59Risk Response and Reporting
Which of the following sources is MOST relevant to reference when updating security awareness training materials?
Security awareness trainingRisk registerRisk mitigationControl implementation - Question #60Risk Response and Reporting
Which of the following should be of MOST concern to a risk practitioner reviewing an organization risk register after the completion of a series of risk assessments?
Risk Register ReviewRisk Action PlansRisk Treatment EffectivenessRisk Monitoring - Question #61Risk Response and Reporting
When documenting a risk response, which of the following provides the STRONGEST evidence to support the decision?
Risk DocumentationEvidence StrengthRisk Response VerificationAudit Follow-up - Question #62Risk Response and Reporting
Which of the following would MOST effectively reduce risk associated with an increase of online transactions on a retailer website?
Risk reductionTransaction controlsFraud mitigationE-commerce security - Question #63Governance
Which of the following is the BEST method of creating risk awareness in an organization?
Risk AwarenessSenior Management CommitmentRisk TrainingOrganizational Culture - Question #64IT Risk Assessment
A bank recently incorporated Blockchain technology with the potential to impact known risk within the organization. Which of the following is the risk practitioner's BEST course of...
Control AssessmentIT RiskNew Technology RiskRisk Management Process - Question #65IT Risk Assessment
Which of the following would be a risk practitioner's GREATEST concern with the use of a vulnerability scanning tool?
Vulnerability scanningRisk assessment toolsReporting accuracyFalse positives/negatives - Question #66IT Risk Assessment
Which of the following is the PRIMARY reason to perform periodic vendor risk assessments?
Vendor Risk ManagementThird-Party RiskControl MonitoringRisk Assessment - Question #67Risk Response and Reporting
Which of the following is the MOST important objective from a cost perspective for considering aggregated risk responses in an organization?
Risk responseRisk aggregationCost efficiencyRisk management strategy - Question #68Governance
Which of the following is MOST helpful in providing an overview of an organization's risk management program?
Risk Management ProgramRisk Management FrameworkProgram OverviewRisk Governance - Question #69Governance
Which of the following is the BEST control to minimize the risk associated with scope creep in software development?
Scope creepProject change managementRisk mitigationSoftware development risk - Question #70IT Risk Assessment
An organization has recently hired a large number of part-time employees. During the annual audit, it was discovered that many user IDs and passwords were documented in procedure m...
Risk IdentificationRisk TerminologyAccess Control WeaknessesIT Audit Findings - Question #71Risk Response and Reporting
Which of the following is MOST important to update when an organization's risk appetite changes?
Risk AppetiteKey Risk Indicators (KRIs)Risk MonitoringRisk Management - Question #72Risk Response and Reporting
The BEST key performance indicator (KPI) to measure the effectiveness of the security patching process is the percentage of patches installed:
KPIsSecurity PatchingVulnerability ManagementPerformance Measurement - Question #73Risk Response and Reporting
In order to efficiently execute a risk response action plan, it is MOST important for the emergency response team members to understand:
Risk Response ExecutionEmergency Response TeamRoles and ResponsibilitiesCrisis Management - Question #74Governance
Which of the following is the BEST indicator of executive management's support for IT risk mitigation efforts?
Executive supportIT risk mitigationBudget allocationResource management - Question #75IT Risk Assessment
Which of the following BEST enables risk-based decision making in support of a business continuity plan (BCP)?
Business Continuity Planning (BCP)Business Impact Analysis (BIA)Risk-based decision makingImpact assessment - Question #76Governance
Which of the following is MOST important for senior management to review during an acquisition?
Risk appetite & toleranceMergers & AcquisitionsStrategic risk managementGovernance oversight - Question #77IT Risk Assessment
Senior management wants to increase investment in the organization's cybersecurity program in response to changes in the external threat landscape. Which of the following would BES...
Risk AssessmentInvestment PrioritizationRisk ManagementCybersecurity Program - Question #78IT Risk Assessment
A recent vulnerability assessment of a web-facing application revealed several weaknesses. Which of the following should be done NEXT to determine the risk exposure?
Vulnerability ManagementPenetration TestingRisk AssessmentSecurity Testing Lifecycle - Question #79Governance
Which of the following should be of GREATEST concern when reviewing the results of an independent control assessment to determine the effectiveness of a vendor's control environmen...
Third-party risk managementVendor control assessmentAudit independenceAssurance reliability - Question #80Governance
Which of the following is the MOST critical factor to consider when determining an organization's risk appetite?
Risk appetiteManagement cultureRisk governanceStrategic risk management - Question #81Risk Response and Reporting
Which of the following is the MOST important key performance indicator (KPI) to monitor the effectiveness of disaster recovery processes?
Disaster RecoveryKPIsRecovery Time Objective (RTO)Risk Response Monitoring - Question #82Governance
An organization wants to launch a campaign to advertise a new product Using data analytics, the campaign can be targeted to reach potential customers. Which of the following should...
Data Privacy PrinciplesPurpose LimitationTargeted Marketing RiskData Governance - Question #83IT Risk Assessment
During a risk assessment, a key external technology supplier refuses to provide control design and effectiveness information, citing confidentiality concerns. What should the risk...
Third-party riskVendor managementRisk assessmentContractual obligations - Question #84Risk Response and Reporting
Which of the following findings of a security awareness program assessment would cause the GREATEST concern to a risk practitioner?
Security Awareness ProgramRisk Mitigation EffectivenessTraining CustomizationRisk Response Evaluation - Question #85Governance
Which of the following is the MOST important concern when assigning multiple risk owners for an identified risk?
Risk OwnershipAccountabilityRisk GovernanceShared Responsibility - Question #86IT Risk Assessment
Following an acquisition, the acquiring company's risk practitioner has been asked to update the organization's IT risk profile What is the MOST important information to review fro...
Risk ProfileAcquisition RiskRisk RegisterIT Risk Assessment - Question #87Risk Response and Reporting
An organization has experienced several incidents of extended network outages that have exceeded tolerance. Which of the following should be the risk practitioner's FIRST step to a...
Risk Management ProcessIncident ResponseRoot Cause AnalysisRisk Treatment - Question #88Risk Response and Reporting
Which of the following is the MAIN purpose of monitoring risk?
Risk MonitoringRisk CommunicationRisk Management ProcessStakeholder Reporting - Question #89IT Risk Assessment
During an acquisition, which of the following would provide the MOST useful input to the parent company's risk practitioner when developing risk scenarios for the post-acquisition...
Risk ScenariosAcquisition Risk ManagementIT Balanced ScorecardRisk Assessment Inputs - Question #90Risk Response and Reporting
Which of the following is the MOST important consideration when communicating the risk associated with technology end-of-life to business owners?
Risk CommunicationTechnology End-of-LifeBusiness ImpactStakeholder Management - Question #91Governance
Which of the following is MOST important when conducting a post-implementation review as part of the system development life cycle (SDLC)?
Post-implementation reviewSDLCProject objectivesIT governance - Question #92Risk Response and Reporting
Using key risk indicators (KRIs) to illustrate changes in the risk profile PRIMARILY helps to:
Key Risk Indicators (KRIs)Risk MonitoringRisk ReportingStakeholder Communication - Question #93Risk Response and Reporting
Which of the following will BEST help to ensure key risk indicators (KRIs) provide value to risk owners?
Key Risk Indicators (KRIs)Risk MonitoringRisk ReportingRisk Owner Responsibilities - Question #94Risk Response and Reporting
When defining thresholds for control key performance indicators (KPIs). it is MOST helpful to align:
Risk AppetiteKey Risk Indicators (KRIs)Control Key Performance Indicators (KPIs)ThresholdsRisk Monitoring - Question #95Governance
Which of the following is the MOST important step to ensure regulatory requirements are adequately addressed within an organization?
Regulatory CompliancePolicy FrameworkCompliance ManagementGovernance Structure - Question #96Governance
Which of the following is the GREATEST benefit of identifying appropriate risk owners?
Risk ownershipAccountabilityRisk treatmentRisk governance - Question #97Governance
An organization's chief information officer (CIO) has proposed investing in a new. untested technology to take advantage of being first to market Senior management has concerns abo...
Risk appetiteRisk toleranceProject risk managementRisk governance - Question #98IT Risk Assessment
A risk practitioner is utilizing a risk heat map during a risk assessment. Risk events that are coded with the same color will have a similar:
Risk heat mapRisk assessmentRisk impactRisk visualization - Question #99Risk Response and Reporting
A recent risk workshop has identified risk owners and responses for newly identified risk scenarios. Which of the following should be the risk practitioner's NEXT step?
Risk Response PlanningBusiness CaseRisk Management ProcessDecision Support - Question #100Risk Response and Reporting
The objective of aligning mitigating controls to risk appetite is to ensure that:
Risk AppetiteMitigating ControlsCost-Benefit AnalysisExpected Loss