CRISC Exam Questions
640 real CRISC exam questions with expert-verified answers and explanations. Page 8 of 13.
- Question #351 (Risk Response and Reporting)
A migration from an in-house developed system to an external cloud-based solution is affecting a previously rated key risk scenario related to payroll processing. Which part of the...
Risk Register Management, Risk Mitigation Plans, Change Impact Analysis
- Question #352 (Information Technology and Security)
Which of the following is the BEST key performance indicator (KPI) to measure the ability to deliver uninterrupted IT services?
Key Performance Indicators, Service Reliability, IT Service Availability, Metrics
- Question #353 (Governance)
Which of the following is MOST important for a multinational organization to consider when developing its security policies and standards?
Regulatory compliance, Policy development, Multinational operations, Legal requirements
- Question #354 (IT Risk Assessment)
Which of the following should be the starting point when performing a risk analysis for an asset?
Risk analysis process, Risk scenarios, Risk identification, Risk management
- Question #355 (IT Risk Assessment)
Which of the following emerging technologies is frequently used for botnet distributed denial of service (DDoS) attacks?
IoT security, DDoS attacks, Botnets, Emerging technologies
- Question #356 (Risk Response and Reporting)
When determining the accuracy of a key risk indicator (KRI), it is MOST important that the indicator:
Key Risk Indicators (KRI), Risk Monitoring, KRI Accuracy, Risk Measurement
- Question #357 (IT Risk Assessment)
Which of the following should be of MOST concern to a risk practitioner reviewing the system development life cycle (SDLC)?
SDLC, User Acceptance Testing, IT Risk Assessment, Testing Strategy
- Question #358 (Risk Response and Reporting)
Which of the following is the BEST response when a potential IT control deficiency has been identified?
Control deficiency, Notification, Business process owner, Risk identification
- Question #359 (Governance)
An organization's stakeholders are unable to agree on appropriate risk responses. Which of the following would be the BEST course of action?
Risk response, Stakeholder management, Escalation procedures, Risk governance
- Question #360 (Governance)
Which of the following is the MOST important success factor when introducing risk management in an organization?
Executive support, Risk management success factors, Organizational governance, Program initiation
- Question #361 (Governance)
A risk practitioner learns that a risk owner has been accepting gifts from a supplier of IT products. Some of these IT products are used to implement controls and to mitigate risk...
Ethical conduct, Conflict of interest, Reporting misconduct, Risk owner responsibilities
- Question #362 (IT Risk Assessment)
Which of the following should a risk practitioner do NEXT after learning that Internet of Things (IoT) devices installed in the production environment lack appropriate security con...
Risk assessment process, Threat identification, Impact analysis, IoT security
- Question #363 (Risk Response and Reporting)
Which of the following process controls BEST mitigates the risk of an employee issuing fraudulent payments to a vendor?
Segregation of Duties, Fraud Prevention, Payment Controls, Risk Mitigation
- Question #364 (IT Risk Assessment)
A hospital recently implemented a new technology to allow virtual patient appointments. Which of the following should be the risk practitioner's FIRST course of action?
Risk assessment, New technology risk, Risk profile, Continuous risk management
- Question #365 (Information Technology and Security)
Which of the following is the MOST important reason to restrict access to the risk register on a need-to-know basis?
Risk Register Management, Access Control, Information Security, Data Confidentiality
- Question #366 (Risk Response and Reporting)
The BEST way for management to validate whether risk response activities have been completed is to review:
Risk Register, Risk Response Validation, Management Oversight, Audit Trail
- Question #367 (Governance)
Which of the following is the PRIMARY benefit of integrating risk and security requirements in an organization's enterprise architecture (EA)?
Enterprise Architecture, Risk Integration, Security Requirements, Information Asset Management
- Question #368 (IT Risk Assessment)
A key risk indicator (KRI) that incorporates data from external open-source threat intelligence sources has shown changes in risk trend dat
Risk Register Management, Key Risk Indicators (KRIs), Threat Intelligence, Risk Impact Assessment
- Question #369 (Risk Response and Reporting)
A risk practitioner discovers that an IT operations team manager bypassed web filtering controls by using a mobile device, in violation of the network security policy. Which of the...
Incident Management, Policy Violation, Risk Practitioner Responsibilities, Security Incident Reporting
- Question #370 (Risk Response and Reporting)
Which of the following risk impacts should be the PRIMARY consideration for determining recovery priorities in a disaster recovery situation?
Disaster Recovery, Business Continuity Planning, Recovery Priorities, Risk Impact Analysis
- Question #371 (IT Risk Assessment)
Which of the following provides the MOST useful input to the development of realistic risk scenarios?
Risk scenario development, Risk identification, Risk events, Risk assessment input
- Question #372 (Risk Response and Reporting)
Which of the following is the BEST control for a large organization to implement to effectively mitigate risk related to fraudulent transactions?
Segregation of duties (SoD), Fraud prevention, Internal controls, Risk mitigation
- Question #373 (IT Risk Assessment)
Which of the following is the GREATEST concern if user acceptance testing (UAT) is not conducted when implementing a new application?
User Acceptance Testing (UAT), Application Implementation Risks, Business Requirements, Project Failure
- Question #374 (Governance)
Which of the following is the PRIMARY reason to ensure policies and standards are properly documented within the risk management process?
Risk Policies, Standards Documentation, Senior Management Approval, Risk Governance
- Question #375 (IT Risk Assessment)
A risk practitioner is involved in a comprehensive overhaul of the organizational risk management program. Which of the following should be reviewed FIRST to help identify relevant...
Risk identification, IT assets, Risk scenarios, Risk management program
- Question #376 (Risk Response and Reporting)
A risk assessment has revealed that the probability of a successful cybersecurity attack is increasing. The potential loss could exceed the organization's risk appetite. Which of t...
Risk Response, Incident Response, Cybersecurity Risk, Risk Appetite
- Question #377 (IT Risk Assessment)
An application development team has a backlog of user requirements for a new system that will process insurance claim payments for customers. Which of the following should be the M...
Risk assessment, User requirements, Financial impact, System accuracy
- Question #378 (Risk Response and Reporting)
Which of the following is the BEST indicator of the effectiveness of a control?
Control effectiveness, Control monitoring, Risk response, Performance indicators
- Question #379 (Risk Response and Reporting)
Key control indicators (KCIs) help to assess the effectiveness of the internal control environment PRIMARILY by:
Key Control Indicators (KCIs), Control Effectiveness, Control Monitoring, Internal Controls
- Question #380 (Governance)
A risk practitioner has been asked to assess the risk associated with a new critical application used by a financial process team that the risk practitioner was a member of two yea...
Conflict of Interest, Risk Assessment Objectivity, Ethics in Risk Management, Governance Principles
- Question #381 (Governance)
When outsourcing a business process to a cloud service provider, it is MOST important to understand that:
Outsourcing risk, Cloud risk management, Risk accountability, IT governance
- Question #382 (Risk Response and Reporting)
Which of the following would MOST effectively reduce the potential for inappropriate exposure of vulnerabilities documented in an organization's risk register?
Access Control, Risk Register Protection, Security Controls, Information Protection
- Question #383 (Governance)
Which of the following BEST enables an organization to determine whether risk management is aligned with its goals and objectives?
Strategic Alignment, Enterprise Architecture, Risk Management Program, Organizational Goals
- Question #384 (Information Technology and Security)
If concurrent update transactions to an account are not processed properly, which of the following will MOST likely be affected?
Data Integrity, Concurrent Transactions, Information Security Principles, Transaction Processing
- Question #385 (Governance)
Which of the following is the BEST method for determining an enterprise's current appetite for risk?
Risk appetite, Senior management, Risk governance, Risk assessment methodology
- Question #386 (Governance)
Which of the following is the MOST important course of action to foster an ethical, risk-aware culture?
Risk Culture, Ethics Program, Awareness Training, Organizational Values
- Question #387 (Risk Response and Reporting)
An online payment processor would be severely impacted if the fraud detection system has an outage. Which of the following is the BEST way to address this risk?
Risk Response, Recovery Controls, Business Continuity, System Outage
- Question #388 (IT Risk Assessment)
A risk practitioner is developing a set of bottom-up IT risk scenarios. The MOST important time to involve business stakeholders is when:
IT Risk Assessment, Risk Scenarios, Stakeholder Engagement, Risk Validation
- Question #389 (Risk Response and Reporting)
When reporting to senior management on changes in trends related to IT risk, which of the following is MOST important?
Risk Reporting, Materiality, Senior Management Communication, IT Risk Trends
- Question #390 (IT Risk Assessment)
Which of the following is MOST important to identify when developing top-down risk scenarios?
Risk scenario development, Business objectives, Top-down approach, Risk identification
- Question #391 (Risk Response and Reporting)
Which of the following is the BEST course of action for a system administrator who suspects a colleague may be intentionally weakening a system's validation controls in order to pa...
Insider Threat, Fraud Reporting, Whistleblower Policy, Risk Response
- Question #392 (Governance)
An organization has updated its acceptable use policy to mitigate the risk of employees disclosing confidential information. Which of the following is the BEST way to reinforce the...
Policy effectiveness, Security awareness training, Human factor, Risk mitigation
- Question #393 (Risk Response and Reporting)
Which of the following situations would BEST justify escalation to senior management?
Residual Risk, Risk Escalation, Risk Appetite, Risk Reporting
- Question #394 (Governance)
Which of the following is MOST important for management to consider when deciding whether to invest in an IT initiative that exceeds management's risk appetite?
Risk Tolerance, Risk Appetite, IT Investment Decisions, Risk Governance
- Question #395 (Risk Response and Reporting)
Which of the following is MOST important to review when evaluating the ongoing effectiveness of the IT risk register?
Risk Register, Risk Monitoring, Risk Management Effectiveness, Risk Reporting
- Question #396 (Governance)
An organization has built up its cash reserves and has now become financially able to support additional risk while meeting its objectives. What is this change MOST likely to impac...
Risk capacity, Financial resources, Risk management concepts
- Question #397 (IT Risk Assessment)
An assessment of information security controls has identified ineffective controls. Which of the following should be the risk practitioner's FIRST course of action?
Risk Assessment Process, Control Effectiveness, Risk Appetite, Risk Evaluation
- Question #398 (IT Risk Assessment)
A risk practitioner is performing a risk assessment of recent external advancements in quantum computing. Which of the following would pose the GREATEST concern for the risk practi...
Quantum Computing, Cryptography, Risk Assessment, Encryption Standards
- Question #399 (Risk Response and Reporting)
Which of the following will MOST likely change as a result of the decrease in risk appetite due to a new privacy regulation?
Risk Appetite, Key Risk Indicators (KRIs), Risk Thresholds, Risk Monitoring
- Question #400 (Governance)
Who should be accountable for authorizing information system access to internal users?
Information owner, Access authorization, Roles and responsibilities, Accountability