ISACA CRISC Exam Questions
Certified in Risk and Information Systems Control (Page 13)

Updated On: 24-Feb-2026

Which of the following provides the MOST mitigation value for an organization implementing new Internet of Things (IoT) devices?

  1. Performing a vulnerability assessment on the IoT devices
  2. Designing IoT architecture with IT security controls from the start
  3. Implementing key risk indicators (KRIs) for IoT devices
  4. To ensure risk trend data is collected and reported

Answer(s): B



An organization recently experienced a cyber attack that resulted in the loss of confidential customer data.
Which of the following is the risk practitioner's BEST recommendation after recovery steps have been completed?

  1. Develop new key risk indicators (KRIs).
  2. Perform a root cause analysis.
  3. Recommend the purchase of cyber insurance.
  4. Review the incident response plan.

Answer(s): B

Explanation:

The risk practitioner's best recommendation after recovery steps have been completed is B, perform a root cause analysis. A root cause analysis is the process of identifying and assessing the underlying causes of a problem or incident. By performing one, the risk practitioner helps the organization understand how and why the cyber attack happened, which vulnerabilities and gaps were exploited, and which actions and controls can be implemented to prevent or mitigate similar incidents in the future. A root cause analysis also feeds improvement of the incident response plan, the set of instructions that helps IT staff detect, respond to, and recover from security incidents: it supplies the lessons learned from the attack that the organization uses to update and re-test the plan.
Developing new key risk indicators, recommending the purchase of cyber insurance, and reviewing the incident response plan are all possible actions after a cyber attack, but none is the best recommendation. New KRIs help the organization monitor and measure its risk exposure and performance, but they do not address the root causes of the attack. Cyber insurance hedges against the financial losses caused by cyber incidents, but it neither prevents nor resolves the underlying issues. Reviewing the incident response plan helps evaluate its effectiveness and identify areas for improvement, but it does not explain how and why the attack occurred; the root cause analysis is what gives that review its input. Therefore, the best recommendation is to perform a root cause analysis, as it helps the organization understand, resolve, and prevent the attack and its consequences.



An organization has used generic risk scenarios to populate its risk register.
Which of the following presents the GREATEST challenge to the assignment of the associated risk entries?

  1. The volume of risk scenarios is too large
  2. Risk aggregation has not been completed
  3. Risk scenarios are not applicable
  4. The risk analysis for each scenario is incomplete

Answer(s): C

Explanation:

The greatest challenge to the assignment of the associated risk entries when an organization has used generic risk scenarios to populate its risk register is that the risk scenarios are not applicable. Generic risk scenarios are based on common or typical situations that may affect many organizations or industries. They are useful as a general overview or reference for potential risks, but they may not be relevant, specific, or realistic for a particular organization or context. Using generic risk scenarios may therefore produce inaccurate, incomplete, or misleading risk entries that do not reflect the organization's actual risk profile or appetite, and an entry that does not describe a real exposure of the organization has no natural owner. The other options are less challenging than non-applicable scenarios, as they concern the quantity, quality, or aggregation of the risk scenarios rather than their suitability or validity. References = Risk and Information Systems Control Study Manual, Chapter 1: IT Risk Identification, Section 1.3: IT Risk Scenarios, page 23.



Which of the following is the MOST important objective of regularly presenting the project risk register to the project steering committee?

  1. To allocate budget for resolution of risk issues
  2. To determine if new risk scenarios have been identified
  3. To ensure the project timeline is on target
  4. To track the status of risk mitigation actions

Answer(s): D

Explanation:

Project risk register: A document that records the identified risks, their likelihood, impact, and mitigation strategies for a project.
Project steering committee: A group of senior stakeholders and experts who oversee and support a project from a higher level.
Risk mitigation actions: The measures taken to prevent, reduce, or transfer the risks that may affect a project.
The most important objective of regularly presenting the project risk register to the project steering committee is to track the status of risk mitigation actions. Tracking the status of risk mitigation actions can help the project steering committee to:
Monitor and measure the performance and effectiveness of the risk management process and controls
Evaluate the progress and outcomes of the risk mitigation actions against the project goals and objectives
Identify and resolve any issues, challenges, or gaps in the risk mitigation actions
Provide guidance, feedback, and support to the project manager and the project team
Adjust or revise the risk mitigation actions as needed to reflect changes in the project scope, schedule, budget, or environment
The other options are not the most important objective of regularly presenting the project risk register to the project steering committee, although they may be relevant or beneficial. Allocating budget for resolution of risk issues, which means assigning financial resources to address and resolve the risks that may affect a project, may be a part of the risk management process, but it is not the primary purpose of presenting the project risk register, which is more focused on tracking and reporting the risk status and actions. Determining if new risk scenarios have been identified, which means finding out if there are any additional or emerging risks that may impact a project, may be a useful outcome of presenting the project risk register, but it is not the main objective, which is more concerned with tracking and reporting the existing risk status and actions. Ensuring the project timeline is on target, which means verifying that the project is progressing according to the planned schedule and milestones, may be a benefit of presenting the project risk register, but it is not the key objective, which is more related to tracking and reporting the risk status and actions. References = Risk Register: A Project Manager's Guide with Examples [2023], Asana; Project Steering Committee: Roles, Best Practices, Challenges; Risk Mitigation: Definition, Strategies, and Examples.



In addition to the risk register, what should a risk practitioner review to develop an understanding of the organization's risk profile?

  1. The control catalog
  2. The asset profile
  3. Business objectives
  4. Key risk indicators (KRIs)

Answer(s): C

Explanation:

In addition to the risk register, which is a tool to document and monitor the risks that affect the organization, a risk practitioner should review the business objectives of the organization to develop an understanding of its risk profile. The risk profile is a description of the set of risks that the organization faces in relation to its goals and strategies. By reviewing the business objectives, the risk practitioner can identify the sources, drivers, and consequences of the risks, as well as their alignment, prioritization, and tolerance. The business objectives also provide the context and criteria for evaluating and managing the risks. The other options are not the best choices for developing an understanding of the organization's risk profile, as none of them captures the full scope and nature of the risks. The control catalog is a list of the existing controls implemented to mitigate the risks, but it does not reflect the effectiveness, efficiency, or sufficiency of those controls. The asset profile describes the resources and capabilities that the organization possesses or relies on, but it does not indicate the value, vulnerability, or interdependency of the assets. Key risk indicators (KRIs) are metrics that measure the level and trend of the risks, but they do not explain the causes, impacts, or responses to the risks. References = Risk and Information Systems Control Study Manual, 7th Edition, Chapter 2, Section 2.1.2, Page 49.




