Cisco
CompTIA
ISC
EC-Council
EXIN
Fortinet
ITIL
Juniper
Microsoft
VMware
Avaya
SAP
Google
NVIDIA
Salesforce
Amazon
Palo Alto Networks
ISC2
Splunk
ServiceNow
All Vendors
  2. Home
  3. Exams
  4. ISACA
  5. CRISC

ISACA CRISC Exam Questions
Certified in Risk and Information Systems Control (Page 14 )

Updated On: 24-Feb-2026
Page 14 of 380
PDF with 1895 Questions

Which of the following provides the BEST evidence that risk responses have been executed according to their risk action plans?

  1. Risk policy review
  2. Business impact analysis (B1A)
  3. Control catalog
  4. Risk register

Answer(s): D

Explanation:

A risk register is a document that is used as a risk management tool to identify and track risks that may affect a project or an organization1. A risk register also includes information about the risk responses,which are the actions taken or planned to mitigate or eliminate the risks2. Therefore, a risk register provides the best evidence that risk responses have been executed according to their risk action plans, as it shows the status and progress of the riskresponses, the results and outcomes of the risk responses, and the feedback and lessons learned from the risk responses3. A risk policy review is not the best evidence that risk responses have been executed according to their risk action plans, as it does not provide specific information on the risk responses. A risk policy review is a process that involves checking and verifying that the organization's risk management policies are up to date, relevant, and effective4. A risk policy review can help to identify and address any gaps or issues in the risk management policies, but it does not show the details and performance of the risk responses. A business impact analysis (BIA) is not the best evidence that risk responses have been executed according to their risk action plans, as it does not provide specific information on the riskresponses. A BIA is a process that identifies and evaluates the potential effects of a disruption on the critical functions and processes of an organization5. A BIA can help to forecast the impacts of a risk event, but it does not show the actions and outcomes of the risk responses. A control catalog is not the best evidence that risk responses have been executed according to their risk action plans, as it does not provide specific information on the risk responses. A control catalog is adocument that lists and describes the controls that are implemented or planned to manage the risks within an organization6. A control catalog can help to document and communicate the controls, but it does not show the status and results of the risk responses. References = 1: Risk Register: A Project Manager's Guide with Examples [2023] · Asana2: Risk Response Strategy and Contingency Plans - ProjectManagement.com3: Risk Register: Examples, Benefits, and Best Practices4: A brief guide to assessing risks and controls | ACCA Global5: Using Business Impact Analysis to Inform Risk Prioritization and Response6: [Control Catalogue - ISACA]



Which risk response strategy could management apply to both positive and negative risk that has been identified?

  1. Transfer
  2. Accept
  3. Exploit
  4. Mitigate

Answer(s): B

Explanation:

Accepting risk is the only risk response strategy that could be applied to both positive and negative risk that has been identified. Accepting risk means taking no action to change the likelihood or impact of the risk, but being prepared to deal with the consequences if the risk occurs. Accepting risk is usually chosen when the risk is low, unavoidable, or outweighed by the benefits. For positive risks, accepting risk means taking advantage of the opportunities if they arise. For negative risks, accepting risk means setting aside contingency reserves or plans to copewith the threats. The other risk response strategies are specific to either positive or negative risks. Transfer, exploit, and mitigate are strategies for negative risks, while share, enhance, and avoid are strategies for positive risks. References = Risk and Information Systems Control Study Manual, Chapter 4, Section 4.3.1, page 4-23.



Which of the following is necessary to enable an IT risk register to be consolidated with the rest of the organization's risk register?

  1. Risk taxonomy
  2. Risk response
  3. Risk appetite
  4. Risk ranking

Answer(s): A

Explanation:

According to the CRISC Review Manual, risk taxonomy is the system of classification and categorization of risks based on common characteristics and attributes. Risk taxonomy is necessary to enable an IT risk register to be consolidated with the rest of the organization's risk register, because it helps to ensure consistency, comparability, and alignment of the risks across the organization. Risk taxonomy also helps to facilitate the communication, reporting, and aggregation of the risks. The other options are not the correct answers, because they are not essential for consolidating the risk registers. Risk response is the action taken to address the risk, which may vary depending on the risk level and strategy. Risk appetite is the amount and type of risk that an organization is willing to accept, which may differ across the organization's units and functions. Risk ranking is the process of prioritizing the risks based on their impact and likelihood, which may change over time and context. References =

CRISC Review Manual, 7th Edition, Chapter 2, Section 2.1.2, page 69.



Which of the following would be of GREATEST assistance when justifying investment in risk response strategies?

  1. Total cost of ownership
  2. Resource dependency analysis
  3. Cost-benefit analysis
  4. Business impact analysis

Answer(s): C

Explanation:

A cost-benefit analysis is a technique that compares the costs and benefits of different risk response strategies, such as mitigating, transferring, avoiding, or accepting risks. A cost- benefit analysis can help justify investment in risk response strategies by showing the expected return on investment, the net present value, the break-even point, and the cost- effectiveness of each option.A cost-benefit analysis can also help prioritize the most optimal risk response strategies based on the available resources, the risk appetite, and the stakeholder expectations. References = Risk and Information Systems Control Study Manual, Chapter 3: Risk Response and Mitigation, Section 3.4: Risk Response Selection, p. 156-157.



Which of the following would MOST likely cause a risk practitioner to change the likelihood rating in the risk register?

  1. Risk appetite
  2. Control cost
  3. Control effectiveness
  4. Risk tolerance

Answer(s): C

Explanation:

The likelihood rating in the risk register is a measure of how probable it is that a risk event will occur, given the current conditions and controls. The risk practitioner should change the likelihood rating if there is a significant change in the effectiveness of the controls that are implemented to prevent or reduce the risk. For example, if a control becomes obsolete, ineffective, or bypassed, the likelihood rating should increase, as the risk event becomes more likely to happen. Conversely, if a control becomes more efficient, reliable, or robust, the likelihood rating should decrease, as the risk event becomes less likely to happen. The other options are not likely to cause a change in the likelihood rating, as they are not directly related to the probability of the risk event. Risk appetite is the amount of risk that an organization is willing to accept in pursuit of its objectives. Control cost is the amount of resources that are required to implement and maintain a control. Risk tolerance is the acceptable level of variation that an organization is willing to allow for a risk to deviate from its desired level or expected outcome. These factors may influence the risk response or the risk acceptance, but not the likelihood rating. References = Risk and Information Systems Control Study Manual, Chapter 1: IT Risk Identification, Section 1.4: Risk Register, p. 25- 26.






Post your Comments and Discuss ISACA CRISC exam dumps with other Community members:

Join the CRISC Discussion