ISACA CRISC Exam
Certified in Risk and Information Systems Control (Page 61 )

Updated On: 1-Feb-2026

Which of the following is the PRIMARY purpose of periodically reviewing an organization's risk profile?

  A. Align business objectives with risk appetite.
  B. Enable risk-based decision making.
  C. Design and implement risk response action plans.
  D. Update risk responses in the risk register.

Answer(s): B

Explanation:

According to the CRISC Review Manual, the primary purpose of periodically reviewing an organization's risk profile is to enable risk-based decision making, because it helps to ensure that the risk information is current, relevant, and accurate. The risk profile is a snapshot of the organization's risk exposure at a given point in time, based on the risk identification, analysis, and evaluation processes. Periodically reviewing the risk profile allows the organization to monitor the changes in the risk environment, the effectiveness of the risk responses, and the impact of the risk events. This enables the organization to make informed decisions about the risk management strategies and priorities. The other options are not the primary purpose of periodically reviewing the risk profile, as they are related to other aspects of the risk management process. Aligning business objectives with risk appetite is the purpose of establishing the risk context, which defines the scope and boundaries of the risk management activities. Designing and implementing risk response action plans is the purpose of the risk response process, which involves selecting and executing the appropriate risk responses. Updating risk responses in the risk register is the outcome of the risk monitoring and reporting process, which involves tracking the risk performance and communicating the risk information to the stakeholders. References = CRISC Review Manual, 7th Edition, Chapter 2, Section 2.2.4, page 86.



Which of the following BEST supports the integration of IT risk management into an organization's strategic planning?

  A. Clearly defined organizational goals and objectives
  B. Incentive plans that reward employees based on IT risk metrics
  C. Regular organization-wide risk awareness training
  D. A comprehensive and documented IT risk management plan

Answer(s): D

Explanation:

A comprehensive and documented IT risk management plan provides a structured approach to identifying, assessing, and mitigating IT risks. Integrating this plan into the organization's strategic planning ensures that IT risk considerations are aligned with business objectives and are factored into decision-making processes at the strategic level.


Reference:

ISACA CRISC Review Manual, 7th Edition, Chapter 1: Governance, Section: Risk Management Strategy.



A recently purchased IT application does not meet project requirements. Of the following, who is accountable for the potential impact?

  A. Business analyst
  B. Project sponsor
  C. IT project team
  D. IT project management office (PMO)

Answer(s): B



The PRIMARY purpose of IT control status reporting is to:

  A. ensure compliance with IT governance strategy.
  B. assist internal audit in evaluating and initiating remediation efforts.
  C. benchmark IT controls with industry standards.
  D. facilitate the comparison of the current and desired states.

Answer(s): D

Explanation:

IT control status reporting is the process of collecting and analyzing data about the effectiveness and efficiency of IT controls. IT controls are the policies, procedures, and practices that ensure the confidentiality, integrity, and availability of IT resources and information. IT control status reporting helps to monitor the performance of IT controls against the predefined objectives and criteria, and to identify any gaps or issues that need to be addressed. IT control status reporting also provides information to the stakeholders about the current status and progress of IT control implementation and improvement. The primary purpose of IT control status reporting is to facilitate the comparison of the current and desired states of IT controls. This means that IT control status reporting helps to evaluate the gap between the actual and expected performance of IT controls, and to determine the actions and resources needed to close the gap. IT control status reporting also helps to align the IT controls with the business goals and strategies, and to ensure that the IT controls are delivering value to the organization. By comparing the current and desired states of IT controls, IT control status reporting enables continuous improvement and optimization of IT control processes and outcomes.
The other options are not the primary purpose of IT control status reporting, but rather some of the benefits or outcomes of it. IT control status reporting can help to ensure compliance with IT governance strategy, but it is not the main reason for doing it. IT governance is the framework that defines the roles, responsibilities, and relationships among the stakeholders involved in IT decision making and oversight. IT control status reporting can support IT governance by providing relevant and reliable information to the stakeholders, and by demonstrating the accountability and transparency of IT control activities. However, IT control status reporting is not the same as IT governance, and it is not the only way to ensure compliance with IT governance strategy.
IT control status reporting can also assist internal audit in evaluating and initiating remediation efforts, but it is not the main objective of it. Internal audit is an independent and objective assurance and consulting activity that evaluates the adequacy and effectiveness of IT controls, and provides recommendations for improvement. IT control status reporting can provide input and evidence to the internal audit process, and help to identify the areas of IT control that need further review or testing. IT control status reporting can also help to monitor and track the implementation of the audit findings and recommendations, and to verify the results of the remediation efforts. However, IT control status reporting is not the same as internal audit, and it is not the only source of information for internal audit. Finally, IT control status reporting can benchmark IT controls with industry standards, but it is not the main goal of it. Industry standards are the best practices or guidelines that define the minimum requirements or expectations for IT control performance and quality. IT control status reporting can help to compare the IT controls with the industry standards, and to identify the areas of IT control that need to be enhanced or updated. IT control status reporting can also help to demonstrate the compliance or conformance of IT controls with the industry standards, and to provide assurance to the external parties or regulators. However, IT control status reporting is not the same as industry standards, and it is not the only way to benchmark IT controls.

References =
  - Service Reporting in ITIL: Process, Objectives and Examples (KnowledgeHut)
  - Anatomy of an Effective Status Report (Project Management Institute)
  - How to Create a Project Status Report [Template & Examples]
  - Communicating Document Control Progress on a Project
  - CRISC Review Manual, 7th Edition



Which of the following issues found during the review of a newly created disaster recovery plan (DRP) should be of MOST concern?

  A. Some critical business applications are not included in the plan
  B. Several recovery activities will be outsourced
  C. The plan is not based on an internationally recognized framework
  D. The chief information security officer (CISO) has not approved the plan

Answer(s): A

Explanation:

The most concerning issue found during the review of a newly created disaster recovery plan (DRP) is that some critical business applications are not included in the plan. This means that the DRP is incomplete and does not cover all the essential IT systems and services that support the business continuity. This could result in significant losses and damages in the event of a disaster. The other issues are not as critical, as they can be addressed by ensuring proper contracts, standards, and approvals are in place for the outsourced activities, the framework, and the CISO. References = Risk and Information Systems Control Study Manual, Chapter 3: IT Risk Response, Section 3.3: IT Risk Response Implementation, page 145.


