Cisco
CompTIA
ISC
EC-Council
EXIN
Fortinet
ITIL
Juniper
Microsoft
VMware
Avaya
SAP
Google
NVIDIA
Salesforce
Amazon
Palo Alto Networks
ISC2
Splunk
ServiceNow
All Vendors
  2. Home
  3. Exams
  4. ISACA
  5. CRISC

ISACA CRISC Exam Questions
Certified in Risk and Information Systems Control (Page 11 )

Updated On: 24-Feb-2026
Page 11 of 380
PDF with 1895 Questions

Which of the following criteria is MOST important when developing a response to an attack that would compromise data?

  1. The recovery time objective (RTO)
  2. The likelihood of a recurring attack
  3. The organization's risk tolerance
  4. The business significance of the information

Answer(s): D

Explanation:

According to the CRISC Review Manual (Digital Version), the business significance of the information is the most important criterion when developing a response to an attack that would compromise data, as it determines the impact and severity of the attack on the organization's objectives and performance. The business significance of the information helps to:
Assess the value and sensitivity of the data that is compromised or at risk of compromise Evaluate the potential losses or damages that the organization may incur due to the data compromise
Prioritize the data recovery and restoration activities based on the criticality and urgency of the data
Communicate and coordinate the data breach response and notification with the relevant stakeholders, such as the data owners, the customers, the regulators, and the media

Enhance the data protection and security measures to prevent or mitigate future data compromise incidents
References = CRISC Review Manual (Digital Version), Chapter 3: IT Risk Response, Section 3.3: Risk Response Options, pp. 174-1751



Which of the following is performed after a risk assessment is completed?

  1. Defining risk taxonomy
  2. Identifying vulnerabilities
  3. Conducting an impact analysis
  4. Defining risk response options

Answer(s): D

Explanation:

Defining risk response options is performed after a risk assessment is completed. A risk assessment is the process of identifying, analyzing, and evaluating the risks that affect the enterprise's objectives and operations. After a risk assessment is completed, the enterprise needs to define the risk response options, which are the actions that can be taken to address the risks.The risk response options include accepting, avoiding, transferring, mitigating, or exploiting the risks. Defining risk response options helps to select the most appropriate and effective strategy to manage the risks. Defining risk taxonomy, identifying vulnerabilities, and conducting an impact analysis are performed before or during a risk assessment, not after. References = Risk and Information Systems Control Study Manual, 7th Edition, Chapter 2, Section 2.1.1.4, page 541
1: ISACA Certified in Risk and Information Systems Control (CRISC®) Exam Guide, Answer to Question 644.



Which of the following BEST enables the development of a successful IT strategy focused on business risk mitigation?

  1. Providing risk awareness training for business units
  2. Obtaining input from business management
  3. Understanding the business controls currently in place
  4. Conducting a business impact analysis (BIA)

Answer(s): B

Explanation:

Obtaining input from business management is the best way to enable the development of a successful IT strategy focused on business risk mitigation, because it helps to align and integrate the IT objectives and activities with the business goals and priorities. An IT strategy is a plan that defines how IT supports and enables the organization's vision, mission, and strategy. A business risk mitigation is a process that aims to reduce or eliminate the risks that may affect the achievement of the business objectives or expectations. Obtaining input from business management is the best way to ensure that the IT strategy is relevant, realistic, and responsive to the business needs and challenges, and that the IT risks are identified, assessed, and managed in accordance with the business risk appetite and tolerance. Providing risk awareness training for business units, understanding the business controls currently in place, and conducting a businessimpact analysis (BIA) are all useful ways to support the development of an IT strategy focused on business risk mitigation, but they are not the best way, as they do not directly involve the input and feedback from business management. References = Risk and Information Systems Control Study Manual, Chapter 2, Section 2.1.1, page 37



Which of the following provides The MOST useful information when determining a risk management program's maturity level?

  1. Risk assessment results
  2. A recently reviewed risk register
  3. Key performance indicators (KPIs)
  4. The organization's risk framework

Answer(s): C

Explanation:

Key performance indicators (KPIs) are measurable values that demonstrate how effectively an organization is achieving its key objectives. KPIs can be used to evaluate the progress and performance of a risk management program, as well as to identify the areas for improvement and alignment with the organization's strategy. KPIs can provide the most useful information when determining a risk management program's maturity level, because they can reflect the extent to which the program is integrated, consistent, proactive, and value-adding. KPIs can also be compared with industry benchmarks or best practices to assess the program's maturity level relative to other organizations. The other options are not as useful as KPIs, because they do not provide a clear and comprehensive picture of the risk management program's maturity level, but rather focus on specific aspects or outputs of the program. References = Risk and Information Systems Control Study Manual, Chapter 1, Section 1.3.2, page 18.



Before implementing instant messaging within an organization using a public solution, which of the following should be in place to mitigate data leakage risk?

  1. A dataextraction tool
  2. An access control list
  3. An intrusion detection system (IDS)
  4. An acceptable usage policy

Answer(s): D

Explanation:

According to the CRISC Review Manual1, an acceptable usage policy is a document that defines the rules and guidelines for the appropriate and secure use of IT resources within an organization. It helps to mitigate data leakage risk by establishing the roles and responsibilities of users, the types and purposes of data that can be shared or transmitted, the authorized methods and channels of communication, the security controls and measures to protect data, and the consequences of non-compliance. An acceptable usage policy also educates and raises awareness among users about the potential risks and threats associated with instant messaging and other forms of online communication. Therefore, before implementing instant messaging within an organization using a public solution, an acceptable usage policy should be in place to mitigate data leakage risk. References = CRISC Review Manual1, page 237.






Post your Comments and Discuss ISACA CRISC exam dumps with other Community members:

Join the CRISC Discussion