ISACA CRISC Exam
Certified in Risk and Information Systems Control (Page 58 )

Updated On: 12-Feb-2026

A risk practitioner is reviewing accountability assignments for data risk in the risk register.
Which of the following would pose the GREATEST concern?

  1. The risk owner is not the control owner for associated data controls.
  2. The risk owner is in a business unit and does not report through the IT department.
  3. The risk owner is listed as the department responsible for decision-making.
  4. The risk owner is a staff member rather than a department manager.

Answer(s): C

Explanation:

Listing the risk owner as the department responsible for decision-making would pose the greatest concern for a risk practitioner reviewing accountability assignments for data risk in the risk register, as it indicates a lack of clarity and specificity about who is accountable for the risk and its response. The risk owner should be an individual, not a department, who has the authority and responsibility to manage the risk and its associated controls. The other options are not the greatest concern, as they do not necessarily imply a lack of accountability, but rather a possible difference in roles and responsibilities between the risk owner and the control owner, the business unit and the IT department, or the staff member and the department manager. References = CRISC Review Manual, 7th Edition, page 101.



An organization's board of directors is concerned about recent data breaches in the news and wants to assess its exposure to similar scenarios.
Which of the following is the BEST course of action?

  1. Evaluate the organization's existing data protection controls.
  2. Reassess the risk appetite and tolerance levels of the business.
  3. Evaluate the sensitivity of data that the business needs to handle.
  4. Review the organization's data retention policy and regulatory requirements.

Answer(s): A

Explanation:

Data Protection Controls:

Evaluating existing data protection controls involves reviewing and assessing the measures in place to protect sensitive data from breaches. This includes technical, administrative, and physical controls designed to prevent unauthorized access, use, disclosure, disruption, modification, or destruction of data.

Steps in Evaluation:

  1. Review Current Controls: Assess the effectiveness of encryption, access controls, data masking, and other security measures.
  2. Identify Gaps: Determine whether there are any weaknesses or vulnerabilities in the current controls.
  3. Recommend Improvements: Suggest enhancements or additional controls to address identified gaps.

Importance of Evaluation:

  1. Provides the board with a clear understanding of the organization's current security posture and exposure to data breaches.
  2. Helps in identifying areas where additional controls or improvements are needed to mitigate risks effectively.

Comparing Other Actions:

  1. Reassess Risk Appetite and Tolerance Levels: Important, but secondary to understanding current controls.
  2. Evaluate Data Sensitivity: Useful, but should be part of a broader assessment of existing controls.
  3. Review Data Retention Policy: Relevant for compliance, but does not directly address the immediate concern of data breaches.


Reference:

The CRISC Review Manual discusses the importance of evaluating data protection controls to understand and mitigate risks (CRISC Review Manual, Chapter 4: Information Technology and Security, Section 4.4 Data Protection and Privacy).



A cloud service provider has completed upgrades to its cloud infrastructure to enhance service availability.
Which of the following is the MOST important key risk indicator (KRI) for management to monitor?

  1. Peak demand on the cloud service during business hours
  2. Percentage of technology upgrades resulting in security breaches
  3. Number of incidents with downtime exceeding contract threshold
  4. Percentage of servers not patched per policy

Answer(s): C

Explanation:

Monitoring the number of incidents with downtime exceeding the contract threshold is a critical KRI for assessing the effectiveness of infrastructure upgrades aimed at enhancing service availability. This metric directly reflects the provider's ability to meet agreed-upon service levels and helps identify areas requiring further improvement.


Reference:

ISACA CRISC Review Manual, 7th Edition, Chapter 4: Information Technology and Security, Section: Key Risk Indicators.



Which of the following is MOST important for successful incident response?

  1. The quantity of data logged by the attack control tools
  2. Blocking the attack route immediately
  3. The ability to trace the source of the attack
  4. The timeliness of attack recognition

Answer(s): D

Explanation:

The most important factor for successful incident response is the timeliness of attack recognition. Incident response is the process of detecting, analyzing, containing, eradicating, recovering, and reporting on security incidents that could affect the organization's IT systems or data. The timeliness of attack recognition is the speed and accuracy with which the organization can identify and confirm that an attack has occurred or is in progress. The timeliness of attack recognition is crucial for successful incident response, as it affects the ability and effectiveness of the organization to respond to and mitigate the attack, and to minimize the damage and impact of the attack. The other options are not as important as the timeliness of attack recognition, although they may also contribute to or influence the incident response. The quantity of data logged by the attack control tools, the ability to trace the source of the attack, and the blocking of the attack route immediately are all factors that could help or hinder the incident response, but they are not the most important factor for successful incident response. References = CISA Review Manual, 27th Edition, Chapter 5, Section 5.4.1, page 5-32.



Which of the following is the MOST important consideration for protecting data assets in a business application system?

  1. Application controls are aligned with data classification rules
  2. Application users are periodically trained on proper data handling practices
  3. Encrypted communication is established between applications and data servers
  4. Offsite encrypted backups are automatically created by the application

Answer(s): A

Explanation:

The most important consideration for protecting data assets in a business application system is to ensure that the application controls are aligned with the data classification rules. Data classification rules define the level of sensitivity, confidentiality, and criticality of the data, and the corresponding security requirements and controls. Application controls are the policies, procedures, and technical measures that are implemented at the application level to ensure the security, integrity, and availability of the data. Application controls should be designed and configured to match the data classification rules, so that the data is protected according to its value and risk. For example, if the data is classified as highly confidential, the application controls should enforce strong authentication, encryption, access control, logging, and auditing mechanisms. References = CRISC Review Manual, 6th Edition, ISACA, 2015, page 214.

