ISACA CRISC Exam Questions
Certified in Risk and Information Systems Control (Page 50)

Updated On: 16-Feb-2026

A large organization needs to report risk at all levels for a new centralized visualization project to reduce cost and improve performance.
Which of the following would MOST effectively represent the overall risk of the project to senior management?

  A. Aggregated key performance indicators (KPIs)
  B. Key risk indicators (KRIs)
  C. Centralized risk register
  D. Risk heat map

Answer(s): D

Explanation:

A risk heat map is a graphical tool that displays the overall risk of the project to senior management by showing the probability and impact of individual risks in a matrix format. A risk heat map can help to prioritize the risks, communicate the risk exposure, and monitor the risk response. A risk heat map can also show the risk appetite and tolerance levels of the organization, as well as the residual risk after the risk response. The other options are not the most effective ways to represent the overall risk of the project to senior management, although they may be useful or complementary to the risk heat map. Aggregated key performance indicators (KPIs) are metrics that measure the performance of the project against the objectives, but they do not show the uncertainty or variability of the project outcomes. Key risk indicators (KRIs) are metrics that measure the level of risk or the effectiveness of the risk response, but they do not show the relationship between the probability and impact of the risks. A centralized risk register is a document that records the details of the individual risks, such as the description, category, cause, effect, probability, impact, response, and status, but it does not show the overall risk of the project in a visual or concise way. References = Managing overall project risk, Project Risk Management Quick Reference Guide, 10 Common Project Risks (Plus the Steps To Solve Them), What Is Project Risk Management: Benefits, Challenges, Best Practices



Which of the following is the PRIMARY reason to perform periodic vendor risk assessments?

  A. To provide input to the organization's risk appetite
  B. To monitor the vendor's control effectiveness
  C. To verify the vendor's ongoing financial viability
  D. To assess the vendor's risk mitigation plans

Answer(s): B

Explanation:

The primary reason to perform periodic vendor risk assessments is to monitor the vendor's control effectiveness. A vendor risk assessment is a process of evaluating the risks associated with outsourcing a service or function to a third-party vendor. The assessment should be performed periodically to ensure that the vendor is complying with the contractual obligations, service level agreements, and security standards, and that the vendor's controls are operating effectively to mitigate the risks. Providing input to the organization's risk appetite, verifying the vendor's ongoing financial viability, and assessing the vendor's risk mitigation plans are other possible reasons, but they are not as important as monitoring the vendor's control effectiveness. References = ISACA Certified in Risk and Information Systems Control (CRISC) Certification Exam Question and Answers, question 11; CRISC Review Manual, 6th Edition, page 144.



An organization is planning to move its application infrastructure from on-premises to the cloud.
Which of the following is the BEST course of action to address the risk associated with data transfer if the relationship with the vendor is terminated?

  A. Meet with the business leaders to ensure the classification of their transferred data is in place
  B. Ensure the language in the contract explicitly states who is accountable for each step of the data transfer process
  C. Collect requirements for the environment to ensure the infrastructure as a service (IaaS) is configured appropriately
  D. Work closely with the information security officer to ensure the company has the proper security controls in place

Answer(s): B

Explanation:

The best course of action to address the risk associated with data transfer if the relationship is terminated with the vendor is to ensure the language in the contract explicitly states who is accountable for each step of the data transfer process. This can help to avoid ambiguity, confusion, or disputes over the ownership, responsibility, and liability of the data and the data transfer process. Meeting with the business leaders, collecting requirements, and working with the information security officer are important activities, but they are not as effective as ensuring the contractual agreement is clear and enforceable. References = ISACA Certified in Risk and Information Systems Control (CRISC) Certification Exam Question and Answers, question 4; CRISC Review Manual, 6th Edition, page 153.



Who is MOST appropriate to be assigned ownership of a control?

  A. The individual responsible for control operation
  B. The individual informed of the control effectiveness
  C. The individual responsible for testing the control
  D. The individual accountable for monitoring control effectiveness

Answer(s): D

Explanation:

A control is a measure or action that is implemented to reduce the likelihood or impact of a risk event, or to enhance the benefits or opportunities of a risk event. A control owner is a person who is assigned the responsibility and authority for the design, implementation, operation, and maintenance of a control. The most appropriate person to be assigned ownership of a control is the individual accountable for monitoring control effectiveness, which is the process of measuring and evaluating the performance and compliance of the control. By assigning the control ownership to the individual accountable for monitoring control effectiveness, the organization can ensure that the control is aligned with the risk objectives, operates as intended, and delivers the expected results. References = 4



An organization outsources the processing of its payroll data. A risk practitioner identifies a control weakness at the third party that exposes the payroll data.
Who should own this risk?

  A. The third party's IT operations manager
  B. The organization's process owner
  C. The third party's chief risk officer (CRO)
  D. The organization's risk practitioner

Answer(s): B

Explanation:

The organization's process owner should own the risk of exposing the payroll data due to a control weakness at the third party, because the process owner is the person who is responsible for the business process that generates, uses, or transfers the payroll data. The process owner should also ensure that the third party complies with the contractual obligations and service level agreements that define the expected performance and security standards of the payroll data processing. The other options are not the correct answers, because they are not the primary owners of the risk, although they may also be involved in the risk management process. The third party's IT operations manager, the third party's chief risk officer (CRO), and the organization's risk practitioner are examples of secondary owners or stakeholders of the risk, who may provide support, guidance, or oversight to the risk owner, but they are not accountable for the risk or the risk response strategy. References = CRISC: Certified in Risk & Information Systems Control Sample Questions

