ISACA CRISC Exam Questions
Certified in Risk and Information Systems Control (Page 23)

Updated On: 24-Feb-2026

An organization has experienced several incidents of extended network outages that have exceeded tolerance.
Which of the following should be the risk practitioner's FIRST step to address this situation?

  1. Recommend additional controls to address the risk.
  2. Update the risk tolerance level to acceptable thresholds.
  3. Update the incident-related risk trend in the risk register.
  4. Recommend a root cause analysis of the incidents.

Answer(s): D

Explanation:

The first step for the risk practitioner to address the situation of extended network outages that have exceeded tolerance is to recommend a root cause analysis of the incidents. A root cause analysis is a process of identifying and resolving the underlying causes of a problem or an event. By performing a root cause analysis, the risk practitioner can determine why the network outages occurred, what factors contributed to them, and how they can be prevented or reduced in the future. Recommending additional controls, updating the risk tolerance level, and updating the incident-related risk trend are possible steps that may follow the root cause analysis, but they are not the first step. References = ISACA Certified in Risk and Information Systems Control (CRISC) Certification Exam Question and Answers, question 4; CRISC Review Manual, 6th Edition, page 153.



Which of the following is a risk practitioner's BEST course of action if a risk assessment identifies a risk that is extremely unlikely but would have a severe impact should it occur?

  1. Rate the risk as high priority based on the severe impact.
  2. Obtain management's consent to accept the risk.
  3. Ignore the risk due to the extremely low likelihood.
  4. Address the risk by analyzing treatment options.

Answer(s): D



A risk practitioner has been asked to evaluate a new cloud-based service to enhance an organization's access management capabilities.
When is the BEST time for the risk practitioner to provide opinions on control strength?

  1. After the initial design
  2. Before production rollout
  3. After a few weeks in use
  4. Before end-user testing

Answer(s): A

Explanation:

Providing opinions on control strength after the initial design is the best time for the risk practitioner, because it is the point at which the controls can still be aligned with the requirements and objectives of the new cloud-based service before effort is spent building and deploying them. A cloud-based service is delivered over the internet: the service provider owns and manages the IT infrastructure, platforms, or applications, and the customer pays only for the resources or functions it uses. An access management capability enables the organization to control and monitor access to its IT systems or networks, for example through authentication, authorization, or auditing. Controls are the policies, procedures, or mechanisms that reduce or eliminate the risks that may affect the security, reliability, performance, or compliance of the cloud-based service. Reviewing the design specifications and requirements at this stage lets the risk practitioner give feedback on the adequacy and suitability of the controls while changes are still cheap. Before end-user testing, before production rollout, and after a few weeks in use are all possible review points, but each comes after the design has been implemented, so weaknesses found then are costlier to fix and the opinion has less influence on how the controls are built. References = Risk and Information Systems Control Study Manual, Chapter 5, Section 5.2.1, page 183



A risk practitioner is defining metrics for security threats that were not identified by antivirus software.
Which type of metric is being developed?

  1. Key control indicator (KCI)
  2. Key risk indicator (KRI)
  3. Operational level agreement (OLA)
  4. Service level agreement (SLA)

Answer(s): B

Explanation:

A key risk indicator (KRI) is a metric an organization uses to monitor the level of a particular risk and to give early warning when exposure is rising toward or beyond tolerance. Security threats that antivirus software failed to identify (and that were found instead by another control, a user report, or an incident) are evidence that the malware-infection risk is materializing and that the preventive control is missing threats, so a metric built on them tracks the risk itself rather than the operation of a control, a service commitment (SLA), or an internal support commitment (OLA) [1][2].

References:
[1] Standardized Scoring for Security and Risk Metrics - ISACA
[2] Key Performance Indicators for Security Governance, Part 1 - ISACA
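The following is an added worked example, not part of the original ISACA question set, showing how such a KRI might be computed from confirmed malware incidents and compared against tolerance thresholds. The incident records, the detection-source labels, and the green/amber/red thresholds are constructed assumptions for illustration; a real program would take its thresholds from the organization's stated risk appetite.

```python
"""Added example (hypothetical data): a KRI for malware threats that antivirus
did not detect, reported per month with tolerance thresholds and a trend."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class MalwareIncident:
    opened: date
    detected_by: str   # assumed labels: "antivirus", "edr", "user_report", "soc_hunt"
    severity: str      # assumed labels: "low", "medium", "high"


# Constructed sample incidents covering two reporting periods (not real data).
INCIDENTS = [
    MalwareIncident(date(2025, 1, 3), "antivirus", "low"),
    MalwareIncident(date(2025, 1, 7), "antivirus", "low"),
    MalwareIncident(date(2025, 1, 9), "antivirus", "medium"),
    MalwareIncident(date(2025, 1, 14), "antivirus", "low"),
    MalwareIncident(date(2025, 1, 16), "antivirus", "medium"),
    MalwareIncident(date(2025, 1, 21), "antivirus", "low"),
    MalwareIncident(date(2025, 1, 27), "antivirus", "high"),
    MalwareIncident(date(2025, 1, 30), "edr", "high"),
    MalwareIncident(date(2025, 2, 2), "antivirus", "low"),
    MalwareIncident(date(2025, 2, 6), "antivirus", "low"),
    MalwareIncident(date(2025, 2, 11), "antivirus", "medium"),
    MalwareIncident(date(2025, 2, 13), "edr", "high"),
    MalwareIncident(date(2025, 2, 19), "user_report", "medium"),
    MalwareIncident(date(2025, 2, 25), "soc_hunt", "high"),
]

# Assumed KRI thresholds on the share of confirmed incidents antivirus missed.
# Below "green" is within appetite; "amber" and above needs attention; at or
# above the amber bound the indicator is red and is escalated.
THRESHOLDS = {"green": 0.10, "amber": 0.25}


def av_miss_rate(incidents):
    """Fraction of confirmed malware incidents not first detected by antivirus."""
    if not incidents:
        return 0.0
    missed = sum(1 for i in incidents if i.detected_by != "antivirus")
    return missed / len(incidents)


def rate_status(rate, thresholds=THRESHOLDS):
    """Map a miss rate onto the green/amber/red scale."""
    if rate < thresholds["green"]:
        return "green"
    if rate < thresholds["amber"]:
        return "amber"
    return "red"


def kri_by_period(incidents):
    """Return {YYYY-MM: (miss_rate, status)} for each month with incidents."""
    periods = {}
    for inc in incidents:
        key = f"{inc.opened.year}-{inc.opened.month:02d}"
        periods.setdefault(key, []).append(inc)
    report = {}
    for key in sorted(periods):
        rate = round(av_miss_rate(periods[key]), 3)
        report[key] = (rate, rate_status(rate))
    return report


def trend(report, tolerance=0.05):
    """Direction of the KRI between the last two periods: rising/falling/stable."""
    rates = [rate for rate, _status in report.values()]
    if len(rates) < 2:
        return "stable"
    delta = rates[-1] - rates[-2]
    if delta > tolerance:
        return "rising"
    if delta < -tolerance:
        return "falling"
    return "stable"


def needs_escalation(report):
    """Escalate when the latest period is red, or amber with a rising trend."""
    latest_status = list(report.values())[-1][1]
    return latest_status == "red" or (latest_status == "amber" and trend(report) == "rising")


if __name__ == "__main__":
    summary = kri_by_period(INCIDENTS)
    for period, (rate, status) in summary.items():
        print(f"{period}: AV miss rate {rate:.1%} -> {status}")
    print("trend:", trend(summary), "| escalate:", needs_escalation(summary))
```

The metric deliberately counts only confirmed malware incidents, not antivirus alerts, so a quieter antivirus console cannot make the indicator look better; a rising miss rate is the early-warning signal the risk register trend should capture.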



Which of the following will BEST help to ensure new IT policies address the enterprise's requirements?

  1. Involve IT leadership in the policy development process
  2. Require business users to sign acknowledgment of the policies
  3. Involve business owners in the policy development process
  4. Provide policy owners with greater enforcement authority

Answer(s): C

Explanation:

To ensure that new IT policies address the enterprise's requirements, it is important to involve the business owners who are the primary stakeholders of the IT services and processes. Business owners can provide valuable input on the business objectives, risks, and expectations that the IT policies should align with and support. By involving business owners in the policy development process, the IT policies will be more relevant, realistic, and acceptable to the business units. References = Risk and Information Systems Control Study Manual, Chapter 1: IT Risk Identification, Section 1.3: IT Risk Scenarios, page 23.



