Cisco
CompTIA
ISC
EC-Council
EXIN
Fortinet
ITIL
Juniper
Microsoft
VMware
Avaya
SAP
Google
NVIDIA
Salesforce
Amazon
Palo Alto Networks
ISC2
Splunk
ServiceNow
All Vendors
  2. Home
  3. Exams
  4. ISACA
  5. CRISC

ISACA CRISC Exam Questions
Certified in Risk and Information Systems Control (Page 26 )

Updated On: 24-Feb-2026
Page 26 of 380
PDF with 1895 Questions

Which of the following is the GREATEST impact of implementing a risk mitigation strategy?

  1. Improved alignment with business goals.
  2. Reduction of residual risk.
  3. Increased costs due to control implementation.
  4. Decreased overall risk appetite.

Answer(s): B

Explanation:

The primary goal of risk mitigation is to reduce residual risk to an acceptable level. This aligns with the principles ofRisk Treatment, ensuring that the implemented strategies effectively address identified risks without exceeding the organization's risk appetite.



Which of the following MUST be assessed before considering risk treatment options for a scenario with significant impact?

  1. Risk magnitude
  2. Incident probability
  3. Risk appetite
  4. Cost-benefit analysis

Answer(s): A

Explanation:

According to the Risk Assessment and Management: A Complete Guide, risk magnitude is the product of the likelihood and impact of a risk scenario. Risk magnitude is an important factor to consider before choosing risk treatment options, as it indicates the level of exposure andpotential harm that the organization faces from the risk scenario. Risk treatment options should be selected based on the risk magnitude, as well as the risk appetite and tolerance of the organization. For a scenario with significant impact, the risk magnitude is likely to be high, and therefore the risk treatment options should aim to reduce the likelihood and/or impact of the risk scenario as much as possible, or to transfer or avoid the risk altogether. References = Risk Assessment and Management: A Complete Guide, ISO 27001 Risk Assessment & Risk Treatment: The Complete Guide



Which of the following elements of a risk register is MOST likely to change as a result of change in management's risk appetite?

  1. Key risk indicator (KRI) thresholds
  2. Inherent risk
  3. Risk likelihood and impact
  4. Risk velocity

Answer(s): A

Explanation:

According to the CRISC Review Manual (Digital Version), key risk indicator (KRI) thresholds are the most likely elements of a risk register to change as a result of change in management's risk appetite, as they reflect the acceptable levels of risk exposure for the organization. KRIthresholds are the values or ranges that trigger an alert or a response when the actual KRI values deviate from the expected or desired values. KRI thresholds help to:
Monitor and measure the current risk levels and performance of the IT assets and processes Identify and report any risk issues or incidents that may require attention or action Evaluate the effectiveness and efficiency of the risk response actions and controls Align the risk management activities and decisions with the organization's risk appetite and risk tolerance
If the management's risk appetite changes, the KRI thresholds may need to be adjusted accordingly to ensure that the risk register reflects the current risk preferences and expectations of the organization.

References = CRISC Review Manual (Digital Version), Chapter 4: IT Risk Monitoring and Reporting, Section 4.1: IT Risk Monitoring, pp. 217-2181



Which of the following controls will BEST detect unauthorized modification of data by a database administrator?

  1. Reviewingdatabase access rights
  2. Reviewing database activity logs
  3. Comparing data to input records
  4. Reviewing changes to edit checks

Answer(s): B

Explanation:

Unauthorized modification of data by a database administrator is a security risk that involves altering, deleting, or inserting data on a database without proper authorization or approval, by a person who has privileged access to the database, such as a database administrator12. The best control to detect unauthorized modification of data by a database administrator is to review database activity logs, which are records that capture and store the details and history ofthe transactions or activities that are performed on the database, such as who, what, when, where, and how34.
Reviewing database activity logs is the best control because it provides evidence and visibility of the database operations, and enables the detection and reporting of any deviations, anomalies, or issues that may indicate unauthorized modification of data by a database administrator34.
Reviewing database activity logs is also the best control because it supports the accountability and auditability of the database operations, and facilitates the investigation and resolution of any unauthorized modification of data by a database administrator34. The other options are not the best controls, but rather possible measures or techniques that may supplement or enhance the review of database activity logs. For example:
Reviewing database access rights is a measure that involves verifying and validating the permissions and privileges that are granted or revoked to the users or roles who can access or modify the data on the database56. However, this measure is not the best control because it does not directly detect unauthorized modification of data by a database administrator, especially if the database administrator has legitimate access rights to the data56. Comparing data to input records is a technique that involves matching and reconciling the data on the database with the original or source data that are entered or imported into the database, and identifying and correcting any discrepancies or errors78. However, this technique is not the best control because it does not directly detect unauthorized modification of data by a database administrator, especially if the input records are also modified or compromised78.
Reviewing changes to edit checks is a technique that involves examining and evaluating the modifications or updates to the edit checks, which are rules or validations that are applied to the data on the database to ensure their accuracy, completeness, andconsistency9 . However, this technique is not the best control because it does not directly detect unauthorized modification of data by a database administrator, especially if the edit checks are bypassed or disabled9 . References =
1: Database Security: Attacks and Solutions | SpringerLink2
2: Unauthorised Modification of Data With Intent to Cause Impairment3
3: Database Activity Monitoring - Wikipedia4
4: Database Activity Monitoring (DAM) | Imperva5
5: Database Access Control - Wikipedia6
6: Database Access Control: Best Practices for Database Security7
7: Data Reconciliation - Wikipedia8
8: Data Reconciliation and Gross Error Detection9
9: Edit Check - Wikipedia
Edit Checks: A Data Quality Tool



Who should have the authority to approve an exception to a control?

  1. information security manager
  2. Control owner
  3. Risk owner
  4. Risk manager

Answer(s): B

Explanation:

The control owner is the person who has the authority to approve an exception to a control. A control is a policy, procedure, or technical measure that is implemented to prevent or mitigate a risk. A control owner is responsible for the design, implementation, operation, and maintenance of the control, as well as for monitoring and reporting its performance and effectiveness. A control owner is also accountable for the approval of any changes or exceptions to the control, based on the risk assessment and business justification. An information security manager, a risk owner, and a risk manager are not the best choices, as they do not have the same level of authority, responsibility, and knowledge as the control owner in relation to the control. References = CRISC Review Manual, 6th Edition, ISACA, 2015, page 35.






Post your Comments and Discuss ISACA CRISC exam dumps with other Community members:

Join the CRISC Discussion