ISACA CRISC Exam Questions
Certified in Risk and Information Systems Control (Page 18)

Updated On: 24-Feb-2026

Which of the following is the BEST indication of the effectiveness of a business continuity program?

  A. Business continuity tests are performed successfully and issues are addressed.
  B. Business impact analyses are reviewed and updated in a timely manner.
  C. Business continuity and disaster recovery plans are regularly updated.
  D. Business units are familiar with the business continuity plans and process.

Answer(s): A

Explanation:

According to Section 4: Quiz 40 - Business Continuity Plan Flashcards, the best indication of the effectiveness of a business continuity program is the successful performance of business continuity tests and the resolution of any issues that arise. Business continuity tests are exercises that simulate various disruption or disaster scenarios and evaluate the organization's ability to recover and resume its critical functions. Such tests help to validate the assumptions, objectives, and strategies of the business continuity program, and to identify and address any gaps, weaknesses, or errors in the business continuity and disaster recovery plans. By performing business continuity tests regularly and effectively, the organization can ensure that its business continuity program is aligned with its needs and expectations, and that it can cope with a potential crisis. References = Section 4: Quiz 40 - Business Continuity Plan Flashcards



Which of the following is the MAIN purpose of monitoring risk?

  A. Communication
  B. Risk analysis
  C. Decision support
  D. Benchmarking

Answer(s): C

Explanation:

The main purpose of monitoring risk is to provide decision support for the organization. Risk monitoring is the process of tracking and reviewing the risk management activities, the risk profile, and the risk performance of the organization. By monitoring risk, the organization can obtain timely and relevant information and feedback on the risk situation, and use it to make informed and effective decisions on risk management and business objectives. Communication, risk analysis, and benchmarking are other possible purposes of risk monitoring, but they are not as important as decision support. References = ISACA Certified in Risk and Information Systems Control (CRISC) Certification Exam Question and Answers, question 12; CRISC Review Manual, 6th Edition, page 215.



Which of the following is the BEST method of creating risk awareness in an organization?

  A. Making the risk register available to project stakeholders
  B. Ensuring senior management commitment to risk training
  C. Providing regular communication to risk managers
  D. Appointing the risk manager from the business units

Answer(s): B

Explanation:

The best method of creating risk awareness in an organization is to ensure senior management commitment to risk training. Senior management plays a vital role in setting the tone and direction of the risk culture and governance in the organization. By demonstrating their support for and participation in risk training, they can influence and motivate employees to follow the risk policies and procedures and to enhance their risk knowledge and skills. Making the risk register available to project stakeholders, providing regular communication to risk managers, and appointing the risk manager from the business units are other methods of creating risk awareness, but they are not as effective as ensuring senior management commitment to risk training. References = ISACA Certified in Risk and Information Systems Control (CRISC) Certification Exam Question and Answers, question 12; CRISC Review Manual, 6th Edition, page 215.



Which of the following proposed benefits is MOST likely to influence senior management approval to reallocate budget for a new security initiative?

  A. Reduction in the number of incidents
  B. Reduction in inherent risk
  C. Reduction in residual risk
  D. Reduction in the number of known vulnerabilities

Answer(s): C

Explanation:

The proposed benefit most likely to influence senior management approval to reallocate budget for a new security initiative is the reduction in residual risk, because it expresses the expected value and outcome of the initiative in terms of reducing risk exposure and impact to a level aligned with the organization's risk tolerance and appetite. The other options are not the most likely benefits: a reduction in the number of incidents or known vulnerabilities may not reflect the actual or optimal risk reduction, and inherent risk is the risk before controls, so a reduction in it is neither relevant nor readily measurable for senior management. References = CRISC Review Manual, 7th Edition, page 111.



Which of the following can be used to assign a monetary value to risk?

  A. Annual loss expectancy (ALE)
  B. Business impact analysis
  C. Cost-benefit analysis
  D. Inherent vulnerabilities

Answer(s): A

Explanation:

Annual loss expectancy (ALE) is a method to assign a monetary value to risk by multiplying the probability of a risk event by the potential loss associated with that event. ALE can be used to compare the costs and benefits of different risk mitigation options and to determine the optimal level of investment in risk management. Business impact analysis (BIA) is a process to identify and evaluate the potential effects of a disruption on the critical functions and processes of an organization. BIA can help to forecast the impacts of a risk event, but it does not assign a monetary value to the risk itself. Cost-benefit analysis (CBA) is a technique to compare the costs and benefits of a project, decision, or action. CBA can help to evaluate the feasibility and profitability of a risk mitigation option, but it does not assign a monetary value to the risk itself. Inherent vulnerabilities are the weaknesses or flaws in a system, process, or asset that expose it to potential threats. Inherent vulnerabilities can increase the likelihood or impact of a risk event, but they do not assign a monetary value to the risk itself. References = Risk and Information Systems Control Study Manual, Chapter 2: IT Risk Assessment, Section 2.2: Risk Analysis, pp. 77-81.
