Free CRISC Exam Braindumps

Which of the following is the MOST important reason to maintain key risk indicators (KRIs)?

  A. In order to avoid risk
  B. Complex metrics require fine-tuning
  C. Risk reports need to be timely
  D. Threats and vulnerabilities change over time

Answer(s): D

Explanation:

Threats and vulnerabilities change over time, and KRI maintenance ensures that the KRIs continue to capture these changes effectively.

The risk environment is highly dynamic because the enterprise's internal and external environments are constantly changing. The set of KRIs therefore has to be revised over time so that it keeps reflecting the current threats and vulnerabilities; a KRI that was meaningful last year may no longer measure anything relevant today.

Incorrect Answers:
A: Risk avoidance is one possible risk response. Risk responses are informed by KRI reporting, but avoidance is not the reason for maintaining KRIs.

B: Most KRI metrics do need tuning of their sensitivity and thresholds, but that is a secondary concern. The primary objective of KRI maintenance is to ensure that the KRIs still capture changes in threats and vulnerabilities over time.

C: Timely risk reporting is a business requirement, but it is not the reason KRIs are maintained.



Which of the following would be a risk practitioner’s BEST recommendation to help ensure cyber risk is assessed and reflected in the enterprise-level risk profile?

  A. Conduct cyber risk awareness training tailored specifically for senior management
  B. Implement a cyber risk program based on industry best practices
  C. Manage cyber risk according to the organization’s risk management framework
  D. Define cyber roles and responsibilities across the organization

Answer(s): C



Which of the following roles is BEST suited to help a risk practitioner understand the impact of IT-related events on business objectives?

  A. Process owners
  B. IT management
  C. Senior management
  D. Internal audit

Answer(s): A



It is MOST appropriate for changes to be promoted to production after they are:

  A. approved by the business owner
  B. tested by business owners
  C. communicated to business management
  D. initiated by business users

Answer(s): B



Which of the following BEST enables the identification of trends in risk levels?

  A. Measurements for key risk indicators (KRIs) are repeatable
  B. Qualitative definitions for key risk indicators (KRIs) are used
  C. Quantitative measurements are used for key risk indicators (KRIs)
  D. Correlation between risk levels and key risk indicators (KRIs) is positive

Answer(s): C



To implement the MOST effective monitoring of key risk indicators (KRIs), which of the following needs to be in place?

  A. Automated data feed
  B. Controls monitoring
  C. Escalation procedures
  D. Threshold definition

Answer(s): D

Explanation:

A KRI is only actionable once a threshold has been defined for it: the threshold is what turns a raw measurement into a signal that risk has moved outside the acceptable range. Automated data feeds and escalation procedures make monitoring faster and ensure that breaches are acted on, but neither is meaningful until the thresholds they feed or trigger on exist. Controls monitoring measures control performance rather than the risk indicator itself.



Which of the following would MOST likely result in updates to an IT risk appetite statement?

  A. Changes in senior management
  B. External audit findings
  C. Feedback from focus groups
  D. Self-assessment reports

Answer(s): A

Explanation:

The risk appetite statement expresses how much risk senior management and the board are willing to accept in pursuit of objectives. A change in senior management is the most likely trigger for revisiting it, because the new leadership may be willing to accept more or less risk. Audit findings, focus group feedback and self-assessments report on the state of controls and risk; they inform risk treatment and KRI updates, not the appetite itself.



Which of the following would be MOST helpful to understand the impact of a new technology system on an organization’s current risk profile?

  A. Conduct a gap analysis
  B. Review existing risk mitigation controls
  C. Perform a risk assessment
  D. Hire consultants specializing in the new technology

Answer(s): C

Explanation:

A risk assessment identifies the threats and vulnerabilities the new system introduces, estimates their likelihood and impact, and relates them to the existing risk profile, which is precisely what is needed to understand the change. A gap analysis and a review of existing controls are inputs to that assessment rather than a substitute for it, and hiring consultants is at best a way of obtaining the expertise to perform the assessment.



Which of the following is the PRIMARY factor in determining a recovery time objective (RTO)?

  A. Response time of the emergency action plan
  B. Cost of downtime due to a disaster
  C. Cost of offsite backup premises
  D. Cost of testing the business continuity plan

Answer(s): B



A review of an organization’s controls has determined its data loss prevention (DLP) system is currently failing to detect outgoing emails containing credit card data. Which of the following would be MOST impacted?

  A. Risk appetite
  B. Residual risk
  C. Key risk indicators (KRIs)
  D. Inherent risk

Answer(s): B


