CRISC Exam Questions
640 real CRISC exam questions with expert-verified answers and explanations. Page 9 of 13.
- Question #401 (Governance): It was discovered that a service provider's administrator was accessing sensitive information without the approval of the customer in an Infrastructure as a Service (IaaS) model. W...
  Tags: Third-party risk, Cloud security, Contractual agreements, Vendor management
- Question #402 (Governance): Which group has PRIMARY ownership of reputational risk stemming from unethical behavior within the organization?
  Tags: Reputational risk, Board responsibility, Organizational ethics, Risk ownership
- Question #403 (Risk Response and Reporting): Which of the following is the MOST important reason to communicate control effectiveness to senior management?
  Tags: Control Effectiveness Reporting, Risk Communication, Senior Management Reporting, Current Risk Status
- Question #404 (IT Risk Assessment): Which of the following actions should a risk practitioner do NEXT when an increased industry trend of external cyber attacks is identified?
  Tags: Risk assessment, Threat analysis, Vulnerability analysis, Cyber security risk
- Question #405 (Risk Response and Reporting): The PRIMARY benefit of selecting an appropriate set of key risk indicators (KRIs) is that they:
  Tags: Key Risk Indicators, Risk Monitoring, Early Warning, Risk Management
- Question #406 (Risk Response and Reporting): A large organization recently restructured the IT department and has decided to outsource certain functions. What action should the control owners in the IT department take?
  Tags: Risk Response Evaluation, Control Effectiveness, Organizational Change, Outsourcing Risk Management
- Question #407 (Governance): Which of the following risk activities is BEST facilitated by enterprise architecture (EA)?
  Tags: Enterprise Architecture (EA), Risk Alignment, Organizational Priorities, Risk Response
- Question #408 (Risk Response and Reporting): A multinational company needs to implement a new centralized security system. The risk practitioner has identified a conflict between the organization's data-handling policy and lo...
  Tags: Regulatory Compliance, Data Privacy, Risk Response Strategy, Legal Risk
- Question #409 (IT Risk Assessment): An organization's risk management team wants to develop IT risk scenarios to show the impact of collecting and storing credit card information. Which of the following is the MOST c...
  Tags: Risk scenario development, Event tree analysis, IT risk assessment techniques, Impact analysis
- Question #410 (Risk Response and Reporting): Which of the following is the MOST essential factor for managing risk in a highly dynamic environment?
  Tags: Dynamic Risk Management, Incident Detection, Incident Response, Risk Treatment
- Question #411 (Risk Response and Reporting): Who should be responsible for approving the cost of controls to be implemented for mitigating risk?
  Tags: Risk Ownership, Risk Response, Control Cost Approval, Accountability
- Question #412 (Risk Response and Reporting): An organization recently experienced a cyber attack that resulted in the loss of confidential customer data. Which of the following is the risk practitioner's BEST recommendation a...
  Tags: Post-incident analysis, Root cause analysis, Incident response, Risk management improvement
- Question #413 (Risk Response and Reporting): The BEST way to validate that a risk treatment plan has been implemented effectively is by reviewing:
  Tags: Risk treatment validation, Control effectiveness, RCSA, Post-implementation review
- Question #414 (IT Risk Assessment): An organization has restructured its business processes, and the business continuity plan (BCP) needs to be revised accordingly. Which of the following should be identified FIRST?
  Tags: BCP revision, Risk identification, Business process change, Disruptive scenarios
- Question #415 (Risk Response and Reporting): An organization is moving its critical assets to the cloud. Which of the following is the MOST important key performance indicator (KPI) to include in the service level agreement (...
  Tags: Cloud computing, Service Level Agreement (SLA), Key Performance Indicator (KPI), Availability
- Question #416 (Risk Response and Reporting): Which of the following is the MOST important criteria for selecting key risk indicators (KRIs)?
  Tags: Key Risk Indicators, KRI selection criteria, Risk monitoring, Risk management
- Question #417 (Risk Response and Reporting): Which of the following is the BEST metric to demonstrate the effectiveness of an organization's patch management process?
  Tags: Patch Management, Metrics, Process Effectiveness, Risk Control Monitoring
- Question #418 (Risk Response and Reporting): What is the MOST important consideration when selecting key performance indicators (KPIs) for control monitoring?
  Tags: KPIs, Control Monitoring, Data Availability, Risk Response Effectiveness
- Question #419 (Governance): Within the three lines of defense model, the responsibility for managing risk and controls resides with:
  Tags: Three Lines of Defense, Risk Management Roles, Operational Management, Risk Ownership
- Question #420 (Governance): Which of the following has the GREATEST positive impact on ethical compliance within the risk management process?
  Tags: Ethical leadership, Tone at the top, Ethical culture, Compliance
- Question #421 (Risk Response and Reporting): An organization has established a contract with a vendor that includes penalties for loss of availability. Which risk treatment has been adopted by the organization?
  Tags: Risk Treatment, Risk Transfer, Vendor Management, Contract Management
- Question #422 (Governance): Which of the following deficiencies identified during a review of an organization's cybersecurity policy should be of MOST concern?
  Tags: Cybersecurity Policy, Board Oversight, Governance Structure, Policy Approval
- Question #423 (Risk Response and Reporting): Which of the following is MOST helpful when prioritizing action plans for identified risk?
  Tags: Risk Prioritization, Risk Appetite, Risk Response, Risk Rating
- Question #424 (Governance): Which of the following is the MOST likely reason an organization would engage an independent reviewer to assess its IT risk management program?
  Tags: Independent Review, IT Risk Management Program, Strategic Alignment, Program Assessment
- Question #425 (Risk Response and Reporting): Which of the following is the BEST criterion to determine whether higher residual risk ratings in the risk register should be accepted?
  Tags: Risk Acceptance, Residual Risk, Risk Appetite, Risk Response
- Question #426 (Risk Response and Reporting): Which of the following changes would be reflected in an organization's risk profile after the failure of a critical patch implementation?
  Tags: Residual Risk, Risk Control Failure, Risk Profile, Risk Response
- Question #427 (Risk Response and Reporting): Which of the following BEST protects organizational data within a production cloud environment?
  Tags: Data protection, Cloud security, Data encryption, Technical controls
- Question #428 (Risk Response and Reporting): Which of the following management actions will MOST likely change the likelihood rating of a risk scenario related to remote network access?
  Tags: Risk Likelihood, Risk Response, Access Control, Multi-factor Authentication
- Question #429 (Governance): An organization has outsourced its backup and recovery procedures to a third-party cloud provider. Which of the following should be the risk practitioner's NEXT course of action?
  Tags: Outsourcing risk, Third-party risk management, Contract review, Service Level Agreements (SLAs)
- Question #430 (IT Risk Assessment): An organization uses a web application hosted by a cloud service that is populated by data sent to the vendor via email on a monthly basis. Which of the following should be the FIR...
  Tags: Data Classification, Risk Analysis, Third-Party Risk, Cloud Security
- Question #431 (IT Risk Assessment): Which of the following is the BEST way to determine the value of information assets for risk management purposes?
  Tags: Asset Valuation, Risk Assessment, Impact Analysis, Information Security Risk
- Question #432 (IT Risk Assessment): Which of the following BEST facilitates the development of relevant risk scenarios?
  Tags: Risk Scenarios, Risk Identification, Stakeholder Engagement, Brainstorming
- Question #433 (Risk Response and Reporting): Which of the following is the PRIMARY purpose of a risk register?
  Tags: Risk Register, Risk Management Tools, Risk Documentation, Centralized Risk View
- Question #434 (Governance): A risk practitioner notes control design changes when comparing risk response to a previously approved action plan. Which of the following is MOST important for the practitioner to...
  Tags: Control Changes, Approvals, Risk Response Monitoring, Governance
- Question #435 (Governance): The software version of an enterprise's critical business application has reached end-of-life and is no longer supported by the vendor. IT has decided to develop an in-house replac...
  Tags: IT Project Governance, Business-IT Alignment, Stakeholder Management, Critical Application Risk
- Question #436 (IT Risk Assessment): An organization recently implemented new technologies that enable the use of robotic process automation. Which of the following is MOST important to reassess?
  Tags: Risk profile, IT risk assessment, New technology risk, Robotic Process Automation
- Question #437 (Governance): The PRIMARY focus of an ongoing risk awareness program should be to:
  Tags: Risk awareness program, Risk-based decision making, Risk management culture
- Question #438 (Risk Response and Reporting): An organization operates in an environment where the impact of ransomware attacks is high, with a low likelihood. After quantifying the impact of the risk associated with ransomwar...
  Tags: Risk Response, Business Continuity, Impact Mitigation, Risk Appetite
- Question #439 (IT Risk Assessment): Of the following, whose input is ESSENTIAL when developing risk scenarios for the implementation of a third-party mobile application that stores customer data?
  Tags: Risk Scenarios, Business Process Ownership, Stakeholder Input, Third-Party Risk
- Question #440 (Governance): Which of the following is the PRIMARY objective of a risk awareness program?
  Tags: Risk awareness program, Risk culture, Risk management principles
- Question #441 (IT Risk Assessment): During a review of the asset life cycle process, a risk practitioner identified several unreturned and unencrypted laptops belonging to former employees. Which of the following is...
  Tags: Asset management, Data security, Risk identification, Offboarding process
- Question #442 (Governance): Which of the following is a risk practitioner's BEST recommendation regarding disaster recovery management (DRM) for Software as a Service (SaaS) providers?
  Tags: SaaS Risk Management, Contract Management, Third-Party Risk, Disaster Recovery
- Question #443 (Governance): Which of the following criteria for assigning owners to IT risk scenarios provides the GREATEST benefit to an organization?
  Tags: Risk ownership, Business impact, Risk management principles, Organizational benefit
- Question #444 (Risk Response and Reporting): Which of the following is the ULTIMATE objective of utilizing key control indicators (KCIs) in the risk management process?
  Tags: Key Control Indicators, Control effectiveness, Internal control environment, Risk monitoring
- Question #445 (Information Technology and Security): Which of the following is the BEST method to track asset inventory?
  Tags: Asset inventory, Asset management, Automated tools, IT operations
- Question #446 (IT Risk Assessment): A risk practitioner has reviewed new international regulations and realizes the new regulations will affect the organization. Which of the following should be the risk practitioner...
  Tags: Risk identification, Risk register, Regulatory impact, Risk scenarios
- Question #447 (IT Risk Assessment): Which of the following should be the PRIMARY consideration when assessing the risk of using Internet of Things (IoT) devices to collect and process personally identifiable informat...
  Tags: IoT Risk Management, PII Privacy, Regulatory Compliance, Risk Assessment Principles
- Question #448 (Risk Response and Reporting): Which types of controls are BEST used to minimize the risk associated with a vulnerability?
  Tags: Control types, Preventive controls, Risk minimization, Vulnerability management
- Question #449 (IT Risk Assessment): Which of the following should be done FIRST upon learning that the organization will be affected by a new regulation in its industry?
  Tags: Regulatory Compliance, Gap Analysis, Risk Identification, Regulatory Impact
- Question #450 (Information Technology and Security): An insurance company handling sensitive and personal information from its customers receives a large volume of telephone requests and electronic communications daily. Which of the...
  Tags: Social Engineering, Risk Awareness Training, Customer Service Security, Information Security Threats