ISACA CRISC Exam Questions
Certified in Risk and Information Systems Control (Page 25)

Updated On: 24-Feb-2026

A company has located its computer center on a moderate earthquake fault.
Which of the following is the MOST important consideration when establishing a contingency plan and an alternate processing site?

  1. The contingency plan provides for backup media to be taken to the alternative site.
  2. The contingency plan for high priority applications does not involve a shared cold site.
  3. The alternative site is a hot site with equipment ready to resume processing immediately.
  4. The alternative site does not reside on the same fault no matter how far the distance apart.

Answer(s): D

Explanation:

When the primary computer center sits on a known earthquake fault, the single most important requirement for the alternate processing site is that it does not sit on the same fault, whatever the distance between the two sites. A rupture along that fault could disable both sites in the same event, which would defeat the purpose of the contingency plan and make the business continuity and recovery objectives unachievable. Options A, B and C address the transport of backup media, avoiding a shared cold site for high-priority applications, and the readiness of equipment at the alternate site. Those are legitimate design decisions, but each is secondary to the location question: a hot site with pre-staged equipment is of no use if it fails together with the primary site. References = CRISC Review Manual, 7th Edition, page 111.



What is the PRIMARY reason an organization should include background checks on roles with elevated access to production as part of its hiring process?

  1. Reduce internal threats
  2. Reduce exposure to vulnerabilities
  3. Eliminate risk associated with personnel
  4. Ensure new hires have the required skills

Answer(s): A

Explanation:

The primary reason an organization should include background checks on roles with elevated access to production as part of its hiring process is to reduce internal threats. Internal threats originate from within the organization: employees, contractors, or partners. Roles with elevated access to production can access, modify, or delete sensitive or critical data and systems. If such a role is given to an individual with malicious intent, a relevant criminal history, or an undisclosed conflict of interest, that person poses a significant threat to the organization's security, integrity, and availability. A background check lets the organization verify a candidate's identity, credentials, and history before access is granted, and so prevent or reduce the likelihood of placing an untrustworthy or unsuitable person in a privileged role. The other options do not state the reason for the check: option B describes a possible outcome rather than the purpose; option C is wrong because no control eliminates personnel risk, a background check only reduces it; and option D is a separate hiring objective met by skills assessment, not by a background check. References = Risk and Information Systems Control Study Manual, Chapter 3: IT Risk Response, Section 3.3: IT Risk Response Implementation, page 145.



Which of the following will BEST communicate the importance of risk mitigation initiatives to senior management?

  1. Business case
  2. Balanced scorecard
  3. Industry standards
  4. Heat map

Answer(s): A

Explanation:

A business case will BEST communicate the importance of risk mitigation initiatives to senior management, because it provides a clear and concise justification of the objectives, benefits, costs, and risks of the proposed initiatives. A business case helps to align the risk mitigation initiatives with the enterprise's strategy and goals, and to obtain the necessary approval and support from senior management. The other options are not as effective as a business case, because:
Option B: A balanced scorecard is a tool to measure and monitor the performance of the enterprise across four perspectives: financial, customer, internal process, and learning and growth. It does not communicate the importance of risk mitigation initiatives, but rather the outcomes and impacts of them.
Option C: Industry standards are benchmarks or best practices that define the minimum requirements or expectations for a certain domain or activity. They do not communicate the importance of risk mitigation initiatives, but rather the compliance or alignment of them with the external environment.
Option D: A heat map is a tool to visualize and prioritize the risks based on their likelihood and impact. It does not communicate the importance of risk mitigation initiatives, but rather the severity and distribution of the risks. References = Risk and Information Systems Control Study Manual, 7th Edition, ISACA, 2020, p. 118.



Which of the following is MOST important when developing risk scenarios?

  1. Reviewing business impact analysis (BIA)
  2. Collaborating with IT audit
  3. Conducting vulnerability assessments
  4. Obtaining input from key stakeholders

Answer(s): D

Explanation:

The most important factor when developing risk scenarios is obtaining input from key stakeholders. A risk scenario is a description of a possible event or situation that could affect the enterprise's objectives, processes, or resources. Input from key stakeholders, such as business owners, process owners, subject matter experts, or external parties, helps to ensure that the risk scenarios are realistic, relevant, and comprehensive. It also helps to identify the sources, drivers, indicators, likelihood, impact, and responses of each scenario, and to align the scenarios with the enterprise's risk appetite and tolerance. The other options feed the process but are narrower: a BIA (A) and vulnerability assessments (C) are inputs that stakeholders help interpret, and IT audit (B) is one stakeholder among several. Obtaining input from key stakeholders also fosters a collaborative and participatory approach to risk management, and enhances risk awareness and ownership among the stakeholders. References = Risk and Information Systems Control Study Manual, 7th Edition, Chapter 2, Section 2.1.3, page 621



After migrating a key financial system to a new provider, it was discovered that a developer could gain access to the production environment.
Which of the following is the BEST way to mitigate the risk in this situation?

  1. Escalate the issue to the service provider.
  2. Re-certify the application access controls.
  3. Remove the developer's access.
  4. Review the results of pre-migration testing.

Answer(s): C

Explanation:

After migrating a key financial system to a new provider, it was discovered that a developer could gain access to the production environment. This is a segregation-of-duties failure: the same person who writes or changes the application could also read, modify, or destroy production data such as financial records, transactions, and reports, and could introduce changes into production without the independent review and approval that the change process is supposed to enforce.
The best mitigation is to remove the developer's production access, because it removes the exposure immediately and restores the separation between development and production. The other options do not reduce the risk by themselves: escalating the issue to the service provider (A) may be necessary under the contract, but the access remains in place until someone acts; re-certifying the application access controls (B) is a periodic review that should follow, but it is slower and broader than the fix needed now; and reviewing the pre-migration test results (D) helps explain how the gap was missed, which is root-cause analysis rather than mitigation.
References = Risk IT Framework, page 14; Information Technology & Security, page 8; Risk Scenarios Starter Pack, page 6.
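The check behind this question, as an added example that is not part of the CRISC page or any ISACA material: given an access export from the migrated system, flag every principal who holds a development role and also has any grant in production (the segregation-of-duties conflict in the scenario), list the production grants to revoke now (option C), and separately list grants that fall outside the approved role-to-environment matrix, which is what a recertification (option B) would catch. The export format, the role and environment names, the approved matrix and the sample rows are all assumptions constructed for the example.

```python
"""Segregation-of-duties check for developer access to production.

Added example, not from the CRISC page or ISACA. The export format
(principal, role, environment, permission), the role and environment
names, and the approved matrix are assumptions for illustration.
"""
from collections import defaultdict

# Constructed sample access export, as an identity provider or the
# application itself might produce it after the migration.
SAMPLE_EXPORT = [
    ("alice", "developer", "dev", "write"),
    ("alice", "developer", "prod", "write"),        # developer with production write
    ("bob", "developer", "dev", "write"),
    ("bob", "app-support", "prod", "read"),         # developer who also holds a prod read grant
    ("carol", "operations", "prod", "write"),       # operations only: allowed
    ("dave", "developer", "test", "write"),         # no production access: allowed
    ("erin", "emergency-access", "prod", "write"),  # break-glass: allowed, but recertify each cycle
    ("grace", "operations", "dev", "write"),        # not a SoD conflict, but outside the approved matrix
]

# Assumed policy: which roles count as development, which environments are
# production, and which (role -> environments) pairs the application owner approved.
DEVELOPMENT_ROLES = {"developer"}
PRODUCTION_ENVS = {"prod"}
BREAK_GLASS_ROLES = {"emergency-access"}
APPROVED_ROLE_ENVS = {
    "developer": {"dev", "test"},
    "app-support": {"prod"},
    "operations": {"prod"},
    "emergency-access": {"prod"},
}


def grants_by_principal(export):
    """Group export rows as {principal: [(role, env, permission), ...]}."""
    grants = defaultdict(list)
    for principal, role, env, perm in export:
        grants[principal].append((role, env, perm))
    return dict(grants)


def find_sod_violations(export, dev_roles=DEVELOPMENT_ROLES, prod_envs=PRODUCTION_ENVS):
    """Principals that hold a development role anywhere AND any grant in
    production, regardless of which role carries the production grant.
    Returns {principal: [(role, env, permission), ...]} with the offending grants."""
    violations = {}
    for principal, rows in grants_by_principal(export).items():
        is_developer = any(role in dev_roles for role, _, _ in rows)
        prod_rows = [row for row in rows if row[1] in prod_envs]
        if is_developer and prod_rows:
            violations[principal] = prod_rows
    return violations


def find_unapproved_grants(export, approved=APPROVED_ROLE_ENVS):
    """Grants whose (role, environment) pair is not in the approved matrix:
    the condition a periodic access recertification is meant to catch."""
    return [row for row in export if row[2] not in approved.get(row[1], set())]


def find_break_glass_holders(export, prod_envs=PRODUCTION_ENVS, bg_roles=BREAK_GLASS_ROLES):
    """Principals with standing emergency access to production. Not violations
    under the assumed policy, but they belong on every recertification list."""
    return sorted({p for p, role, env, _ in export if role in bg_roles and env in prod_envs})


def revocation_plan(violations):
    """Immediate mitigation: revoke every production grant of each flagged
    principal. Returns a sorted list of (principal, role, env)."""
    return sorted({(p, role, env) for p, rows in violations.items() for role, env, _ in rows})


if __name__ == "__main__":
    sod = find_sod_violations(SAMPLE_EXPORT)
    print("SoD violations (development role + production grant):")
    for principal, rows in sod.items():
        for role, env, perm in rows:
            print(f"  {principal}: {role} -> {env} ({perm})")
    print("Revoke now:", revocation_plan(sod))
    print("Outside approved matrix:", find_unapproved_grants(SAMPLE_EXPORT))
    print("Break-glass holders to recertify:", find_break_glass_holders(SAMPLE_EXPORT))
```

The two checks deliberately differ: bob's production grant is within the approved matrix for the app-support role, so a recertification against the matrix alone would pass it, yet it is still a conflict because the same person also holds a developer role. That is why the question's answer is to remove the access rather than to rely on the recertification cycle.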
