Cisco
CompTIA
ISC
EC-Council
EXIN
Fortinet
ITIL
Juniper
Microsoft
VMware
Avaya
SAP
Google
NVIDIA
Salesforce
Amazon
Palo Alto Networks
ISC2
Splunk
ServiceNow
All Vendors
  2. Home
  3. Exams
  4. ISACA
  5. CRISC

ISACA CRISC Exam Questions
Certified in Risk and Information Systems Control (Page 24 )

Updated On: 24-Feb-2026
Page 24 of 380
PDF with 1895 Questions

Winch of the following can be concluded by analyzing the latest vulnerability report for the it infrastructure?

  1. Likelihood of a threat
  2. Impact of technology risk
  3. Impact of operational risk
  4. Control weakness

Answer(s): D

Explanation:

A vulnerability report for the IT infrastructure is a document that identifies and evaluates the weaknesses or gaps in the IT systems, networks, or devices that could be exploited by threats or cause incidents. By analyzing the latest vulnerability report, one can conclude the existence and extent of control weaknesses in the IT infrastructure, because control weaknesses are the deficiencies or failures of the controls that are supposed to prevent, detect, or correct the vulnerabilities. The other options are not the correct answers, because they are not directly concluded by analyzing the latest vulnerability report. The likelihood of a threat, the impact of technology risk, and the impact of operational risk are examples of risk factors or consequencesthat depend on the vulnerability and the threat, but they are not determined by the vulnerability report alone. References = CRISC: Certified in Risk & Information Systems Control Sample Questions



During an IT risk scenario review session, business executives question why they have been assigned ownership of IT-related risk scenarios. They feel IT risk is technical in nature and therefore should be owned by IT.
Which of the following is the BEST way for the risk practitioner to address these concerns?

  1. Describe IT risk scenarios in terms of business risk.
  2. Recommend the formation of an executive risk council to oversee IT risk.
  3. Provide an estimate of IT system downtime if IT risk materializes.
  4. Educate business executives on IT risk concepts.

Answer(s): A

Explanation:

IT risk scenarios are hypothetical situations or occurrences that illustrate the potential impact of IT-related threats or opportunities on the organization's objectives, performance, or value creation12.
Business risk scenarios are hypothetical situations or occurrences that illustrate the potential impact of business-related threats or opportunities on the organization's objectives,

performance, or value creation34.
The best way for the risk practitioner to address the concerns of the business executives who question why they have been assigned ownership of IT-related risk scenarios is to describe IT risk scenarios in terms of business risk, which is a technique that involves translating and communicating the IT risk scenarios into the language and context of the business risk scenarios, and highlighting the linkages and dependencies between them56. Describing IT risk scenarios in terms of business risk is the best way because it helps the business executives to understand and appreciate the relevance and importance of IT risk scenarios, andhow they affect the achievement of the organization's goals and the delivery of value to the stakeholders56.

Describing IT risk scenarios in terms of business risk is also the best way because it helps the business executives to accept and fulfill their roles and responsibilities as the owners of IT risk scenarios, and to collaborate and coordinate with the IT team and other stakeholders in the risk management process56.
The other options are not the best ways, but rather possible alternatives or supplements that may support or enhance the description of IT risk scenarios in terms of business risk. For example:
Recommending the formation of an executive risk council to oversee IT risk is a way that involves establishing and empowering a group of senior leaders from different business units and functions to provide the strategic direction, guidance, and oversight for the IT risk managementprocess78. However, this way is not the best way because it does not directlyaddress the concerns of the business executives who question why they have been assigned ownership of IT risk scenarios, and it may not be feasible or effective without a clear and common understanding of IT risk scenarios among the council members78. Providing an estimate of IT system downtime if IT risk materializes is a way that involves quantifying and communicating the potential loss or disruption of the IT systems or services that support the organization's operations, if the IT risk scenarios occur9 . However, this way is not the best way because it does not fully capture or convey the impact of IT risk scenarios on the organization's objectives, performance, or valuecreation, and it may not be relevant or meaningful for some IT risk scenarios that are not related to IT system downtime9 . Educating business executives on IT risk concepts is a way that involves providing and delivering the knowledge and skills on the principles, frameworks, and techniques of IT risk management, and the roles and responsibilities of the IT risk owners and stakeholders . However, this way is not the best way because it does not specifically address the concerns of the business executives who question why they have been assigned ownership of IT risk scenarios, and it may not be sufficient or effective without a practical and contextual application of IT risk concepts to the organization's situation and goals . References =
1: IT Scenario Analysis in Enterprise Risk Management - ISACA2
2: New Toolkit and Course From ISACA Help Practitioners Develop Risk Scenarios - ISACA1
3: Business Risk - Investopedia3

4: Business Risk: Definition, Types, Examples & How to Manage4
5: Risk IT Framework, ISACA, 2009
6: IT Risk Management Framework, University of Toronto, 2017
7: Executive Risk Council - ISACA5
8: Executive Risk Council: A Guide to Success6
9: IT System Downtime - ISACA7
IT System Downtime: Causes, Costs, and How to Prevent It8 IT Risk Education - ISACA9
IT Risk Education: A Guide to Success



Which of the following key risk indicators (KRIs) is MOST effective for monitoring risk related to a bring your own device (BYOD) program?

  1. Number of users who have signed a BYOD acceptable use policy
  2. Number of incidents originating from BYOD devices
  3. Budget allocated to the BYOD program security controls
  4. Number of devices enrolled in the BYOD program

Answer(s): B

Explanation:

The most effective key risk indicator (KRI) for monitoring risk related to a bring your own device (BYOD) program is the number of incidents originating from BYOD devices, as it directly measures the impact and frequency of the potential threats and vulnerabilities associated with the use of personal devices for accessing company data and systems. A BYOD program can pose various risks to an organization, such as data loss or breach, malware infection, unauthorized access, compliance violation, or device theft or loss12. The number of incidents originating from BYOD devices can help to identify and quantify these risks, and to trigger appropriate risk response actions when the incidents exceed the acceptable thresholds. The other options are not the most effective KRIs, as they do not directly measure the risk level or impact of the BYOD program. The number of users who have signed a BYOD acceptable use policy may indicate the awareness and compliance of the users, but not the actual risk exposure or mitigation. The budget allocated to the BYOD program security controls may indicate the investment and efficiency of the risk management, but not the effectiveness or necessity. The number of devices enrolled in the BYOD program may indicate the scope and scale of the risk, but not the severity or likelihood. References = Key Risk Indicators: A Practical Guide; KRI Framework for Operational Risk Management



Which of the following is the MOST significant indicator of the need to perform a penetration test?

  1. An increase in the number of high-risk audit findings
  2. An increase in the number of security incidents
  3. An increase in the percentage of turnover in IT personnel
  4. An increase in the number of infrastructure changes

Answer(s): B

Explanation:

An increase in the number of security incidents is the most significant indicator of the need to perform a penetration test, because it suggests that the organization's IT systems or networks are vulnerable to attacks and may not have adequate security controls in place. A penetration test is a simulated attack on an IT system or network to identify and exploit its weaknesses and evaluate its security posture. A penetration test can help to discover and remediate the vulnerabilities that may have caused or contributed to the security incidents, and to prevent or reduce the likelihood and impact of future incidents. An increase in the number of high-risk audit findings, an increase in the percentage of turnover in IT personnel, and an increase in the number of infrastructure changes are all possible indicators of the need to perform a penetration test, but they are not the most significant indicator, as they do not directly reflect the actual or potential occurrence of security incidents. References = Risk and Information Systems Control Study Manual, Chapter 5, Section 5.3.2, page 200



It is MOST important that security controls for a new system be documented in:

  1. testing requirements
  2. the implementation plan.
  3. System requirements
  4. The security policy

Answer(s): C

Explanation:

It is most important that security controls for a new system be documented in the system requirements. The system requirements define the functional and non-functional specifications of the system, including the security controls that are needed to protect the system and its data. Documenting the security controls in the system requirements can help ensure that they are designed, developed, tested, and implemented as part of the system development life cycle. Testing requirements, the implementation plan, and the security policy are other documents that may include security controls, but they are not as important as the system requirements. References = ISACA Certified in Risk and Information Systems Control (CRISC) Certification Exam Question and Answers, question 5; CRISC Review Manual, 6th Edition, page 212.






Post your Comments and Discuss ISACA CRISC exam dumps with other Community members:

Join the CRISC Discussion