Cisco®
CompTIA
Checkpoint
ISC
EC-Council
EXIN
Fortinet
ITIL®
Juniper
Microsoft
VMware
Avaya
SAP
Google
Salesforce
Amazon
Palo Alto Networks
ISC2
All Vendors
  2. Home
  3. Exams
  4. ISACA
  5. CRISC

Free ISACA CRISC Exam Questions (page: 9)

Page 9 of 238
PDF with 1895 Questions

An organization recently experienced a cyber attack that resulted in the loss of confidential customer data.
Which of the following is the risk practitioner's BEST recommendation after recovery steps have been completed?

  1. Develop new key risk indicators (KRIs).
  2. Perform a root cause analysis.
  3. Recommend the purchase of cyber insurance.
  4. Review the incident response plan.

Answer(s): B

Explanation:

The risk practitioner's best recommendation after recovery steps have been completed is B. Perform a root cause analysis. A root cause analysis is a process of identifying and assessing the underlying causes of a problem or an incident. By performing a root cause analysis, the risk practitioner can help the organization to understand how and why the cyber attack happened, what vulnerabilities and gaps were exploited, and what actions and controls can be implemented to prevent or mitigate similar incidents in the future12 A root cause analysis can also help the organization to improve its incident response plan, which is a set of instructions to help IT staff detect, respond to, and recover from network security incidents3 A root cause analysis can provide valuable feedback and lessons learned from the cyber attack, and help the organization to update and test its incident response plan accordingly45
Developing new key risk indicators, recommending the purchase of cyber insurance, and reviewing the incident response plan are all possible actions that the risk practitioner can take after a cyber attack, but they are not the best recommendation. Developing new key risk indicators can help the organization to monitor and measure its risk exposure and performance, but it does not address the root causes of the cyber attack12 Recommending the purchase of cyber insurance can help the organization to hedge against the financial losses caused by cyber incidents, but it does not prevent or solve the underlying issues67 Reviewing the incident response plan can help the organization to evaluate its effectiveness and identify areas for improvement, but it does not explain how and why the cyber attack occurred345 Therefore, the best recommendation is to perform a root cause analysis, as it can help the organization to understand, resolve, and prevent the cyber attack and its consequences12



An organization has used generic risk scenarios to populate its risk register.
Which of the following presents the GREATEST challenge to assigning of the associated risk entries?

  1. The volume of risk scenarios is too large
  2. Risk aggregation has not been completed
  3. Risk scenarios are not applicable
  4. The risk analystsfor each scenario is incomplete

Answer(s): C

Explanation:

The greatest challenge to assigning of the associated risk entries when an organization has used generic risk scenarios to populate its risk register is that the risk scenarios are not applicable. Generic risk scenarios are risk scenarios that are based on common or typical situations that may affect many organizations or industries. They are useful for providing a general overview or reference of the potential risks, but they may not be relevant, specific, or realistic for a particular organization or context. Therefore, using generic risk scenarios may result in inaccurate, incomplete, or misleading risk entries that do not reflect the actual risk profile or appetite of the organization. The other options are not as challenging as the risk scenarios being not applicable, as they are related to the quantity, quality, or aggregation of the risk scenarios, not the suitabilityor validity of the risk scenarios. References = Risk and Information Systems Control Study Manual, Chapter 1: IT Risk Identification, Section 1.3:
IT Risk Scenarios, page 23.



Which of the following is the MOST important objective of regularly presenting the project risk register to the project steering committee?

  1. To allocate budget for resolution of risk issues
  2. To determine if new risk scenarios have been identified
  3. To ensure the project timeline is on target
  4. To track the status of risk mitigation actions

Answer(s): D

Explanation:

Project risk register: A document that records the identified risks, their likelihood, impact, and mitigation strategies for a project1.
Project steering committee: A group of senior stakeholders and experts who oversee and support a project from a higher level2.
Risk mitigation actions: The measures taken to prevent, reduce, or transfer the risks that may affect a project3.
The most important objective of regularly presenting the project risk register to the project steering committee is to track the status of risk mitigation actions. Tracking the status of risk mitigation actions can help the project steering committee to:
Monitor and measure the performance and effectiveness of the risk management process and controls
Evaluate the progress and outcomes of the risk mitigation actions against the project goals and objectives
Identify and resolve any issues, challenges, or gaps in the risk mitigation actions Provide guidance, feedback, and support to the project manager and the project team Adjust or revise the risk mitigation actions as needed to reflect the changes in the project scope, schedule, budget, or environment
The other options are not the most important objective of regularly presenting the project risk register to the project steering committee, although they may be relevant or beneficial. Allocating budget for resolution of risk issues, which means assigning financial resources to address and resolve the risks that may affect a project, may be a part of the risk management process, but it is not the primary purpose of presenting the project risk register, which is more focused on tracking and reporting the risk status and actions. Determining if new risk scenarios have been identified, which means finding out if there are any additional or emerging risks that may impact a project, may be a useful outcome of presenting the project risk register, but it is not the main objective, which is more concerned with tracking and reporting the existing risk status and actions. Ensuring the project timeline is on target, which means verifying that the project is progressing according to the planned schedule and milestones, may be a benefit of presenting the project risk register, but it is not the key objective, which is more related to tracking and reporting the risk status and actions. References = Risk Register: A Project Manager's Guide with Examples [2023] ·

Asana, Project Steering Committee: Roles, Best Practices, Challenges, Risk Mitigation:
Definition, Strategies, and Examples



In addition to the risk register, what should a risk practitioner review to develop an understanding of the organization's risk profile?

  1. The control catalog
  2. The asset profile
  3. Business objectives
  4. Key riskindicators (KRls)

Answer(s): C

Explanation:

In addition to the risk register, which is a tool to document and monitor the risks that affect the organization, a risk practitioner should review the business objectives of the organization to develop an understanding of its risk profile. The risk profile is a description of the set of risks that the organization faces in relation to its goals and strategies. By reviewing the business objectives, the risk practitioner can identify the sources, drivers, and consequences of the risks, as well as the alignment, prioritization, and tolerance of the risks. The business objectives also provide the context and criteria for evaluating and managing the risks. The other options are not the best choices to review for developing an understandingof the organization's risk profile, as they do not capture the full scope and nature of the risks. The control catalog is a list of the existing controls that are implemented to mitigate the risks, but it does not reflect the effectiveness, efficiency, or sufficiency of the controls. The asset profile is a description of the resources and capabilities that the organization possesses or relies on, but it does not indicate the value, vulnerability, or interdependency of the assets. The key risk indicators (KRIs) are metrics that measure the level and trend of the risks, but they do not explain the causes, impacts, orresponses to the risks. References = Risk and Information Systems Control Study Manual, 7th Edition, Chapter 2, Section 2.1.2, Page 49.



Which of the following provides the BEST evidence that risk responses have been executed according to their risk action plans?

  1. Risk policy review
  2. Business impact analysis (B1A)
  3. Control catalog
  4. Risk register

Answer(s): D

Explanation:

A risk register is a document that is used as a risk management tool to identify and track risks that may affect a project or an organization1. A risk register also includes information about the risk responses,which are the actions taken or planned to mitigate or eliminate the risks2. Therefore, a risk register provides the best evidence that risk responses have been executed according to their risk action plans, as it shows the status and progress of the riskresponses, the results and outcomes of the risk responses, and the feedback and lessons learned from the risk responses3. A risk policy review is not the best evidence that risk responses have been executed according to their risk action plans, as it does not provide specific information on the risk responses. A risk policy review is a process that involves checking and verifying that the organization's risk management policies are up to date, relevant, and effective4. A risk policy review can help to identify and address any gaps or issues in the risk management policies, but it does not show the details and performance of the risk responses. A business impact analysis (BIA) is not the best evidence that risk responses have been executed according to their risk action plans, as it does not provide specific information on the riskresponses. A BIA is a process that identifies and evaluates the potential effects of a disruption on the critical functions and processes of an organization5. A BIA can help to forecast the impacts of a risk event, but it does not show the actions and outcomes of the risk responses. A control catalog is not the best evidence that risk responses have been executed according to their risk action plans, as it does not provide specific information on the risk responses. A control catalog is adocument that lists and describes the controls that are implemented or planned to manage the risks within an organization6. A control catalog can help to document and communicate the controls, but it does not show the status and results of the risk responses. References = 1: Risk Register: A Project Manager's Guide with Examples [2023] · Asana2: Risk Response Strategy and Contingency Plans - ProjectManagement.com3: Risk Register: Examples, Benefits, and Best Practices4: A brief guide to assessing risks and controls | ACCA Global5: Using Business Impact Analysis to Inform Risk Prioritization and Response6: [Control Catalogue - ISACA]



Which risk response strategy could management apply to both positive and negative risk that has been identified?

  1. Transfer
  2. Accept
  3. Exploit
  4. Mitigate

Answer(s): B

Explanation:

Accepting risk is the only risk response strategy that could be applied to both positive and negative risk that has been identified. Accepting risk means taking no action to change the likelihood or impact of the risk, but being prepared to deal with the consequences if the risk occurs. Accepting risk is usually chosen when the risk is low, unavoidable, or outweighed by the benefits. For positive risks, accepting risk means taking advantage of the opportunities if they arise. For negative risks, accepting risk means setting aside contingency reserves or plans to copewith the threats. The other risk response strategies are specific to either positive or negative risks. Transfer, exploit, and mitigate are strategies for negative risks, while share, enhance, and avoid are strategies for positive risks. References = Risk and Information Systems Control Study Manual, Chapter 4, Section 4.3.1, page 4-23.



Which of the following is necessary to enable an IT risk register to be consolidated with the rest of the organization's risk register?

  1. Risk taxonomy
  2. Risk response
  3. Risk appetite
  4. Risk ranking

Answer(s): A

Explanation:

According to the CRISC Review Manual, risk taxonomy is the system of classification and categorization of risks based on common characteristics and attributes. Risk taxonomy is necessary to enable an IT risk register to be consolidated with the rest of the organization's risk register, because it helps to ensure consistency, comparability, and alignment of the risks across the organization. Risk taxonomy also helps to facilitate the communication, reporting, and aggregation of the risks. The other options are not the correct answers, because they are not essential for consolidating the risk registers. Risk response is the action taken to address the risk, which may vary depending on the risk level and strategy. Risk appetite is the amount and type of risk that an organization is willing to accept, which may differ across the organization's units and functions. Risk ranking is the process of prioritizing the risks based on their impact and likelihood, which may change over time and context. References =

CRISC Review Manual, 7th Edition, Chapter 2, Section 2.1.2, page 69.



Which of the following would be of GREATEST assistance when justifying investment in risk response strategies?

  1. Total cost of ownership
  2. Resource dependency analysis
  3. Cost-benefit analysis
  4. Business impact analysis

Answer(s): C

Explanation:

A cost-benefit analysis is a technique that compares the costs and benefits of different risk response strategies, such as mitigating, transferring, avoiding, or accepting risks. A cost- benefit analysis can help justify investment in risk response strategies by showing the expected return on investment, the net present value, the break-even point, and the cost- effectiveness of each option.A cost-benefit analysis can also help prioritize the most optimal risk response strategies based on the available resources, the risk appetite, and the stakeholder expectations. References = Risk and Information Systems Control Study Manual, Chapter 3: Risk Response and Mitigation, Section 3.4: Risk Response Selection, p. 156-157.



Viewing page 9 of 238
Viewing questions 65 - 72 out of 1895 questions



Post your Comments and Discuss ISACA CRISC exam prep with other Community members:

CRISC Exam Discussions & Posts