ISACA CRISC Exam Questions
Certified in Risk and Information Systems Control (Page 51)

Updated On: 17-Feb-2026

Malware has recently affected an organization. The MOST effective way to resolve this situation and define a comprehensive risk treatment plan would be to perform:

  1. a gap analysis.
  2. a root cause analysis.
  3. an impact assessment.
  4. a vulnerability assessment.

Answer(s): B

Explanation:

The most effective way to resolve the situation and define a comprehensive risk treatment plan would be to perform a root cause analysis. A root cause analysis is a method of identifying and addressing the underlying factors or causes that led to the occurrence of a problem or incident. In this case, the problem or incident is the malware infection that affected the organization. By performing a root cause analysis, the organization can determine how and why the malware was able to infect the systems, what vulnerabilities or weaknesses were exploited, what controls or processes failed or were missing, and what actions or decisions contributed to the situation. A root cause analysis can help the organization to prevent or reduce the recurrence of similar incidents, as well as to improve the effectiveness and efficiency of the risk management process.

A root cause analysis can also help the organization to define a comprehensive risk treatment plan, which is a set of actions or measures that are taken to modify the risk, such as reducing, avoiding, transferring, or accepting the risk. Based on the findings and recommendations of the root cause analysis, the organization can select and implement the most appropriate risk treatment option for the malware risk, as well as for any other related or emerging risks. The risk treatment plan should also include the roles and responsibilities, resources, timelines, and performance indicators for the risk treatment actions.

The other options are not the most effective ways to resolve the situation and define a comprehensive risk treatment plan, as they are either less thorough or less relevant than a root cause analysis. A gap analysis is a method of comparing the current state and the desired state of a process, system, or organization, and identifying the gaps or differences between them. A gap analysis can help the organization to identify the areas of improvement or enhancement, as well as the opportunities or challenges for achieving the desired state. However, a gap analysis is not the most effective way to resolve the situation and define a comprehensive risk treatment plan, as it does not address the causes or consequences of the malware infection, or the actions or measures to mitigate the risk.

An impact assessment is a method of estimating the potential effects or consequences of a change, decision, or action on a process, system, or organization. An impact assessment can help the organization to evaluate the benefits and costs, as well as the risks and opportunities, of a proposed or implemented change, decision, or action. However, an impact assessment is not the most effective way to resolve the situation and define a comprehensive risk treatment plan, as it does not investigate the origin or nature of the malware infection, or the solutions or alternatives to manage the risk.

A vulnerability assessment is a method of identifying and analyzing the weaknesses or flaws in a process, system, or organization that can be exploited by threats to cause harm or loss. A vulnerability assessment can help the organization to discover and prioritize the vulnerabilities, as well as to recommend and implement the controls or measures to reduce or eliminate them. However, a vulnerability assessment is not the most effective way to resolve the situation and define a comprehensive risk treatment plan, as it does not consider the root causes or impacts of the malware infection, or the risk treatment options or plans to address the risk.

References = Risk and Information Systems Control Study Manual, 7th Edition, Chapter 2, Section 2.1.8, Page 61.



The MAIN reason for creating and maintaining a risk register is to:

  1. assess effectiveness of different projects.
  2. define the risk assessment methodology.
  3. ensure assets have low residual risk.
  4. account for identified key risk factors.

Answer(s): D

Explanation:

A risk register is a tool used to identify, assess, and prioritize risks in an organization. It typically includes a detailed description of each identified risk, an assessment of its likelihood and potential impact, and a plan for managing or mitigating the risk. A risk register is usually created at the beginning of a project or a process, and is updated regularly throughout the risk management life cycle.

The main reason for creating and maintaining a risk register is to account for identified key risk factors. This means that the risk register helps to:
Document and track all the relevant risks that may affect the project or the organization, and their sources, causes, and consequences.
Provide a comprehensive and consistent view of the risk profile and exposure of the project or the organization.
Support the decision-making and prioritization of the risk responses and controls, based on the risk appetite and tolerance of the project or the organization.
Communicate and report the risk information and status to the stakeholders and regulators, and ensure transparency and accountability.
Enable the continuous improvement and learning from the risk management process and outcomes.

References = What is a risk register and why is it important?, Purpose of a risk register: Here's what a risk register is used for, Risk Register: A Project Manager's Guide with Examples [2024], Risk Register - Wikipedia



An external security audit has reported multiple findings related to control noncompliance.
Which of the following would be MOST important for the risk practitioner to communicate to senior management?

  1. A recommendation for internal audit validation
  2. Plans for mitigating the associated risk
  3. Suggestions for improving risk awareness training
  4. The impact to the organization's risk profile

Answer(s): D

Explanation:

The risk profile of an organization is a summary of the key risks that affect its objectives, operations, and performance. The risk profile can help senior management understand the current and potential exposure of the organization to various sources of uncertainty, and prioritize the risk response accordingly. An external security audit can reveal multiple findings related to control noncompliance, which indicate that the existing controls are not adequate, effective, or aligned with the organization's risk appetite. These findings can have a significant impact on the organization's risk profile, as they can increase the likelihood and/or impact of adverse events, such as data breaches, cyberattacks, regulatory fines, reputational damage, etc. Therefore, the most important information that the risk practitioner should communicate to senior management is the impact to the organization's risk profile, as it can help them make informed decisions about the risk response and allocation of resources.

References = Risk and Information Systems Control Study Manual, Chapter 4: Risk and Control Monitoring and Reporting, Section 4.1: Risk Profile, p. 193-195.



A penetration testing team discovered an ineffectively designed access control.
Who is responsible for ensuring the control design gap is remediated?

  1. Control owner
  2. Risk owner
  3. IT security manager
  4. Control operator

Answer(s): A

Explanation:

Role of the Control Owner:
The control owner is responsible for the design, implementation, and maintenance of a specific control.
They have detailed knowledge of the control's purpose, its intended functionality, and its operational context within the organization.

Responsibility for Remediation:
When a penetration testing team discovers an ineffectively designed access control, it is the control owner's responsibility to ensure the design gap is remediated. The control owner must assess the findings, determine the root cause of the ineffectiveness, and take necessary actions to redesign or enhance the control to address the identified weaknesses.

Steps to Remediate Control Design Gap:
Assess the Findings: Understand the specific issues identified by the penetration testing team.
Redesign the Control: Modify the control design to address the identified gaps and ensure it meets security requirements.
Implement Changes: Apply the redesigned control and test its effectiveness.
Continuous Monitoring: Regularly review the control to ensure it remains effective over time.

Comparing Other Roles:
Risk Owner: Manages overall risk but does not directly handle control design.
IT Security Manager: Oversees the security posture but delegates specific control responsibilities to control owners.
Control Operator: Operates the control but is not responsible for its design or remediation.

Reference:
The CRISC Review Manual emphasizes the control owner's responsibility in maintaining and improving control effectiveness (CRISC Review Manual, Chapter 3: Risk Response and Mitigation, Section 3.7 Control Design and Selection).



When assessing the maturity level of an organization's risk management framework, which of the following deficiencies should be of GREATEST concern to a risk practitioner?

  1. Unclear organizational risk appetite
  2. Lack of senior management participation
  3. Use of highly customized control frameworks
  4. Reliance on qualitative analysis methods

Answer(s): B

Explanation:

Senior management participation is essential for the success of an organization's risk management framework, as it demonstrates the commitment, support, and leadership for the risk management activities. Senior management participation also ensures that the risk management framework is aligned with the organization's strategy, objectives, and culture, and that the risk management roles and responsibilities are clearly defined and communicated. Senior management participation also facilitates the allocation of adequate resources, the establishment of risk appetite and tolerance, and the monitoring and reporting of risk performance. Therefore, the lack of senior management participation should be of greatest concern to a risk practitioner, as it indicates a low level of risk maturity and a high level of risk exposure. The other options are not as concerning as the lack of senior management participation, because they do not affect the risk management framework as significantly, and they can be addressed or improved with the involvement of senior management, as explained below:
A. Unclear organizational risk appetite is a deficiency that can affect the risk management framework, as it can lead to inconsistent or inappropriate risk decisions and responses. However, this deficiency can be resolved or mitigated with the participation of senior management, who can define and communicate the risk appetite and tolerance for the organization, and ensure that they are aligned with the organization's strategy and objectives.

C. Use of highly customized control frameworks is a deficiency that can affect the risk management framework, as it can create complexity, confusion, or duplication in the control design and implementation. However, this deficiency can be resolved or mitigated with the participation of senior management, who can review and rationalize the control frameworks, and ensure that they are relevant, effective, and efficient for the organization's risk profile and environment.

D. Reliance on qualitative analysis methods is a deficiency that can affect the risk management framework, as it can limit the accuracy, reliability, and comparability of the risk information and assessment. However, this deficiency can be resolved or mitigated with the participation of senior management, who can support and promote the use of quantitative analysis methods, such as the FAIR framework, and provide the necessary data, tools, and skills for the risk analysis and evaluation.

References = Risk and Information Systems Control Study Manual, Chapter 1, Section 1.3.2, page 18.





