ISACA CRISC Exam Questions
Certified in Risk and Information Systems Control (Page 27)

Updated On: 24-Feb-2026

The PRIMARY benefit of conducting a risk workshop using a top-down approach instead of a bottom-up approach is the ability to:

  1. identify specific project risk.
  2. obtain a holistic view of IT strategy risk.
  3. understand risk associated with complex processes.
  4. incorporate subject matter expertise.

Answer(s): B

Explanation:

Obtaining a holistic view of IT strategy risk is the primary benefit of conducting a risk workshop using a top-down approach instead of a bottom-up approach, because it helps to identify and assess the risks that may affect the alignment and integration of IT with the organization's objectives and strategy. A risk workshop is a collaborative and interactive method of conducting a risk assessment, where the risk practitioner facilitates a group discussion with the relevant stakeholders to identify, analyze, and evaluate the risks and their controls. A top-down approach is a method of conducting a risk workshop that starts from the high-level or strategic perspective, and then drills down to the lower-level or operational details. A bottom-up approach is a method of conducting a risk workshop that starts from the low-level or operational details, and then aggregates them to the higher-level or strategic perspective. A top-down approach can offer a holistic view of IT strategy risk, as it helps to understand the big picture and the interrelationships of the risks and their impacts across the organization. A bottom-up approach can offer a detailed view of specific project or process risk, as it helps to capture the granular and technical aspects of the risks and their controls. Therefore, obtaining a holistic view of IT strategy risk is the primary benefit of using a top-down approach, as it supports the strategic alignment and integration of IT with the organization. Identifying specific project risk, understanding risk associated with complex processes, and incorporating subject matter expertise are all possible benefits of conducting a risk workshop, but they are not the primary benefit of using a top-down approach, as they are more suitable for a bottom-up approach. References = Risk and Information Systems Control Study Manual, Chapter 3, Section 3.2.2, page 87



The PRIMARY reason for establishing various threshold levels for a set of key risk indicators (KRIs) is to:

  1. highlight trends of developing risk.
  2. ensure accurate and reliable monitoring.
  3. take appropriate actions in a timely manner.
  4. set different triggers for each stakeholder.

Answer(s): C

Explanation:

The primary reason for establishing various threshold levels for a set of key risk indicators (KRIs) is to take appropriate actions in a timely manner. KRIs are metrics that provide information on the level of exposure to a given risk or the effectiveness of the controls in place. Threshold levels are predefined values that indicate when the risk level is acceptable, tolerable, or unacceptable. By establishing various threshold levels for a set of KRIs, the enterprise can monitor the risk situation and trigger the necessary responses before the risk becomes too severe or costly to mitigate. The other options are not the primary reasons for establishing various threshold levels, although they may be secondary benefits or outcomes of doing so. References = Risk and Information Systems Control Study Manual, Chapter 5: Risk and Control Monitoring and Reporting, page 189.



When defining thresholds for control key performance indicators (KPIs), it is MOST helpful to align:

  1. information risk assessments with enterprise risk assessments.
  2. key risk indicators (KRIs) with risk appetite of the business.
  3. the control key performance indicators (KPIs) with audit findings.
  4. control performance with risk tolerance of business owners.

Answer(s): B

Explanation:

The most helpful factor to align when defining thresholds for control key performance indicators (KPIs) is the control performance with the risk tolerance of business owners. Control KPIs are metrics that measure the effectiveness and efficiency of the controls that are implemented to mitigate the risks. By aligning the control performance with the risk tolerance of business owners, the thresholds for control KPIs can reflect the acceptable level of risk and the desired level of control for the business processes and objectives. Information risk assessments with enterprise risk assessments, key risk indicators (KRIs) with risk appetite of the business, and control KPIs with audit findings are other possible factors to align, but they are not as helpful as control performance with risk tolerance of business owners. References = ISACA Certified in Risk and Information Systems Control (CRISC) Certification Exam Question and Answers, question 12; CRISC Review Manual, 6th Edition, page 215.



Warning banners on login screens for laptops provided by an organization to its employees are an example of which type of control?

  1. Corrective
  2. Preventive
  3. Detective
  4. Deterrent

Answer(s): D

Explanation:

Warning banners on login screens serve as deterrent controls. Deterrent controls are designed to discourage individuals from attempting unauthorized actions by warning them of potential consequences.

Purpose of Warning Banners

Warning banners provide clear notice to users, both authorized and unauthorized, that their activities may be monitored and that unauthorized access is prohibited. They serve as a legal disclaimer, which can be crucial in prosecuting unauthorized access attempts.

Effectiveness as a Deterrent Control

The primary function of a warning banner is to deter potential intruders by making them aware of the surveillance and legal implications of unauthorized access. For authorized users, it reinforces awareness of the organization's security policies and acceptable use agreements.

Comparison with Other Control Types

A. Corrective: These controls are used to correct or restore systems after an incident.
B. Preventive: These controls are designed to prevent security incidents from occurring.
C. Detective: These controls are used to detect and alert about security incidents.
D. Deterrent: These controls are intended to discourage individuals from performing unauthorized activities.

References

Sybex-CISSP-Official-Study-Guide-9-Edition.pdf, p. 829, detailing the role of warning banners as deterrent controls.



Which of the following would be considered a vulnerability?

  1. Delayed removal of employee access
  2. Authorized administrative access to HR files
  3. Corruption of files due to malware
  4. Server downtime due to a denial of service (DoS) attack

Answer(s): A

Explanation:

According to the CRISC Review Manual (Digital Version), a vulnerability is a flaw or weakness in an asset's design, implementation, or operation and management that could be exploited by a threat. A delayed removal of employee access is a vulnerability, as it allows former employees to retain access to the organization's IT assets and processes, which could lead to unauthorized disclosure, modification, or destruction of data or resources. A delayed removal of employee access could be caused by poor personnel management, lack of security awareness, or inadequate access control policies and procedures. References = CRISC Review Manual (Digital Version), Chapter 1: IT Risk Identification, Section 1.5: IT Risk Identification Methods and Techniques, pp. 32-331
