Browse Exams Pricing

ExamsCRISCQuestions

CRISC Exam Questions

640 real CRISC exam questions with expert-verified answers and explanations. Page 6 of 13.

Question #251Governance
Which of the following is the PRIMARY objective of risk management?
Risk Management ObjectivesBusiness AlignmentOrganizational GoalsRisk Governance Principles
Question #252IT Risk Assessment
An organization has allowed several employees to retire early in order to avoid layoffs Many of these employees have been subject matter experts for critical assets Which type of r...
Institutional knowledgeEmployee turnover riskOperational riskSubject matter experts (SMEs)
Question #253Risk Response and Reporting
One of an organization's key IT systems cannot be patched because the patches interfere with critical business application functionalities. Which of the following would be the risk...
Risk MitigationCompensating ControlsRisk Response StrategiesVulnerability Management
Question #254Risk Response and Reporting
An organization uses one centralized single sign-on (SSO) control to cover many applications. Which of the following is the BEST course of action when a new application is added to...
Single Sign-On (SSO)Control testingChange managementIT risk mitigation
Question #255Governance
Which of the following would present the GREATEST challenge for a risk practitioner during a merger of two organizations?
Merger IntegrationRisk AppetiteStrategic AlignmentRisk Management Challenges
Question #256Risk Response and Reporting
When classifying and prioritizing risk responses, the areas to address FIRST are those with:
Risk prioritizationRisk responseCost-effectivenessRisk level
Question #257Risk Response and Reporting
A legacy application used for a critical business function relies on software that has reached the end of extended support Which of the following is the MOST effective control to m...
Legacy systems managementRisk mitigation strategiesNetwork security controlsVulnerability management
Question #258Governance
A risk practitioner notices a risk scenario associated with data loss at the organization's cloud provider is assigned to the provider who should the risk scenario be reassigned to...
Risk OwnershipData AccountabilityThird-Party RiskRoles and Responsibilities
Question #259IT Risk Assessment
Who is MOST important lo include in the assessment of existing IT risk scenarios?
IT risk assessmentStakeholder identificationBusiness process ownersRisk scenario assessment
Question #260Risk Response and Reporting
An organization plans to implement a new Software as a Service (SaaS) speech-to-text solution Which of the following is MOST important to mitigate risk associated with data privacy...
SaaS securityData privacyEncryptionRisk mitigation
Question #261Risk Response and Reporting
An incentive program is MOST likely implemented to manage the risk associated with loss of which organizational asset?
Incentive programsHuman capital riskRisk mitigationOrganizational assets
Question #262Governance
When creating a separate IT risk register for a large organization, which of the following is MOST important to consider with regard to the existing corporate risk 'register?
Risk Register IntegrationRisk TaxonomyIT Risk GovernanceEnterprise Risk Management (ERM)
Question #263Risk Response and Reporting
Which of the following is the PRIMARY accountability for a control owner?
Control ownershipControl effectivenessRoles and responsibilitiesRisk mitigation
Question #264Risk Response and Reporting
A recent risk workshop has identified risk owners and responses for newly identified risk scenarios. Which of the following should be the risk practitioner s NEXT step? r
Risk RegisterRisk Management ProcessRisk Response Lifecycle
Question #265IT Risk Assessment
Which of the following should be a risk practitioner's NEXT step after learning of an incident that has affected a competitor?
Risk scenario developmentRisk assessment processExternal threat intelligenceProactive risk management
Question #266Governance
WhichT5f the following is the MOST effective way to promote organization-wide awareness of data security in response to an increase in regulatory penalties for data leakage?
Data security awarenessEmployee trainingRegulatory complianceRisk mitigation
Question #267Risk Response and Reporting
Which of the following BEST enables senior management lo compare the ratings of risk scenarios?
Risk reportingRisk visualizationRisk heat mapSenior management communication
Question #268Risk Response and Reporting
Which of the following is the PRIMARY reason for an organization to include an acceptable use banner when users log in?
Acceptable Use Policy (AUP)Insider Threat MitigationSecurity ControlsRisk Mitigation
Question #269IT Risk Assessment
A recent regulatory requirement has the potential to affect an organization's use of a third party to supply outsourced business services. Which of the following is the BEST course...
Regulatory complianceThird-party risk managementOutsourcingGap analysis
Question #270Risk Response and Reporting
Which of the following is MOST important to include when reporting the effectiveness of risk management to senior management?
Risk ReportingResidual RiskRisk Management EffectivenessSenior Management Communication
Question #271Risk Response and Reporting
A risk practitioner has established that a particular control is working as desired, but the annual cost of maintenance has increased and now exceeds the expected annual loss expos...
Control effectivenessCost-benefit analysisRisk responseControl evaluation
Question #272Governance
What is senior management's role in the RACI model when tasked with reviewing monthly status reports provided by risk owners?
RACI ModelRisk GovernanceSenior Management ResponsibilitiesRisk Reporting Oversight
Question #273Governance
Which of the following proposed benefits is MOST likely to influence senior management approval to reallocate budget for a new security initiative?
Residual RiskSenior Management CommunicationSecurity Investment JustificationRisk Governance
Question #274Risk Response and Reporting
Which of the following is the MOST important course of action for a risk practitioner when reviewing the results of control performance monitoring?
Control performance monitoringRisk mitigation validationControl effectivenessRisk practitioner role
Question #275Governance
Which of the following is MOST important to ensure when reviewing an organization's risk register?
Risk RegisterRisk OwnershipAccountabilityRisk Management Process
Question #276Risk Response and Reporting
Which of the following is the BEST recommendation to address recent IT risk trends that indicate social engineering attempts are increasing in the organization?
Social engineeringPhishing simulationSecurity awareness trainingRisk treatment
Question #277Governance
Which of the following is MOST useful for measuring the existing risk management process against a desired state?
Process MaturityCapability Maturity ModelRisk Management ProcessProcess Assessment
Question #278Risk Response and Reporting
Which of the following is the BEST way to validate whether controls to reduce user device vulnerabilities have been implemented according to management's action plan?
Control validationVulnerability managementSecurity controlsImplementation verification
Question #279Governance
Which of the following should be considered FIRST when creating a comprehensive IT risk register?
Risk RegisterRisk AppetiteIT Risk ManagementRisk Management Process
Question #280Risk Response and Reporting
Which of the following observations from a third-party service provider review would be of GREATEST concern to a risk practitioner?
Third-party risk managementSLA monitoringRisk indicatorsVendor performance
Question #281Risk Response and Reporting
Which of the following is the MOST important characteristic of a key risk indicator (KRI) to enable decision-making?
Key Risk Indicators (KRI)Risk MonitoringDecision MakingRisk Trends
Question #282Risk Response and Reporting
A poster has been displayed in a data center that reads. "Anyone caught taking photographs in the data center may be subject to disciplinary action." Which of the following control...
Control typesDeterrent controlsPhysical security
Question #283Governance
Which of the following is MOST important when determining risk appetite?
Risk AppetiteRisk GovernanceManagement ConsensusStrategic Risk Management
Question #284Risk Response and Reporting
An organization wants to transfer risk by purchasing cyber insurance. Which of the following would be MOST important for the risk practitioner to communicate to senior management f...
Risk TransferCyber InsuranceAnnualized Loss Expectancy (ALE)Risk Communication
Question #285Governance
An organizational policy requires critical security patches to be deployed in production within three weeks of patch availability. Which of the following is the BEST metric to veri...
Policy adherencePerformance metricsCompliance monitoringVulnerability management
Question #286Risk Response and Reporting
Which of the following is the ULTIMATE objective of utilizing key control indicators (KCIs) in the risk management process?
Key Control Indicators (KCIs)Risk MonitoringEarly Warning SystemsRisk Level Change
Question #287Risk Response and Reporting
Risk mitigation is MOST effective when which of the following is optimized?
Risk mitigationResidual riskRisk management conceptsEffectiveness
Question #288IT Risk Assessment
An organization has been made aware of a newly discovered critical vulnerability in a regulatory reporting system. Which of the following is the risk practitioner's BEST course of...
Impact assessmentVulnerability managementRisk analysisRisk practitioner duties
Question #289Governance
An organization's capability to implement a risk management framework is PRIMARILY influenced by the:
Risk Management FrameworkRisk CultureOrganizational CapabilityImplementation
Question #290Risk Response and Reporting
Which of the following BEST supports the management of identified risk scenarios?
Risk RegisterRisk Management ToolsRisk MonitoringRisk Response
Question #291IT Risk Assessment
Which of the following is MOST important for the organization to consider before implementing a new in-house developed artificial intelligence (Al) solution?
AI RiskSolution ImplementationAlgorithm ValidationRisk Assessment
Question #292Risk Response and Reporting
Well-developed, data-driven risk measurements should be:
Risk MeasurementRisk IndicatorsProactive Risk ManagementRisk Reporting
Question #293Governance
Which of the following should be the PRIMARY driver for an organization on a multi-year cloud implementation to publish a cloud security policy?
Cloud Security PolicySecurity GovernanceCloud ImplementationSecurity Requirements
Question #294Governance
The PRIMARY reason to implement a formalized risk taxonomy is to:
Risk TaxonomyRisk Management FrameworkRisk VisibilityEnterprise Risk Management
Question #295Risk Response and Reporting
Which of the following scenarios is MOST important to communicate to senior management?
Risk CommunicationRisk ToleranceSenior Management ReportingRisk Escalation
Question #296Governance
Which organizational role should be accountable for ensuring information assets are appropriately classified?
Information asset managementRoles and responsibilitiesData classificationAccountability
Question #297Risk Response and Reporting
Which of the following provides the MOST reliable evidence to support conclusions after completing an information systems controls assessment?
Controls AssessmentEvidence ReliabilityAudit EvidenceInformation Systems Controls
Question #298Risk Response and Reporting
A company has located its computer center on a moderate earthquake fault. Which of the following is the MOST important consideration when establishing a contingency plan and an alt...
Disaster Recovery PlanningAlternate Site SelectionGeographic SeparationRisk Mitigation
Question #299Risk Response and Reporting
Which of the following is the PRIMARY objective of aggregating the impact of IT risk scenarios and reflecting the results in the enterprise risk register?
Risk aggregationEnterprise risk registerRisk appetiteRisk impact comparison
Question #300Governance
Which of the following will BEST help to ensure implementation of corrective action plans?
AccountabilityCorrective actionsRisk response implementationRoles and responsibilities

PreviousPage 6 of 13Next

study smarter, certify faster.

Product

Browse Exams
Pricing
PDF Downloads

Resources

Blog
Glossary
Topics
FAQ
Contact Us

Legal

Terms of Service
Privacy Policy
Cookie Policy
DMCA
Refund Policy

Company

About
Contact

© 2026 NerdExam. All rights reserved.Built for IT professionals

NerdExam is a trading name of WADL Solutions Limited, a company incorporated in Hong Kong (CR# 80143234). Registered office: Unit 2904-05, 29/F, Universal Trade Centre, 3 Arbuthnot Road, Central, Hong Kong.

CompTIA, AWS, Cisco, Microsoft, Google Cloud, Oracle, VMware, and other certification names referenced on this site are trademarks of their respective owners. NerdExam is not affiliated with, endorsed by, or sponsored by any certification vendor.