Cisco®
CompTIA
ISC
EC-Council
EXIN
Fortinet
ITIL®
Juniper
Microsoft
VMware
Avaya
SAP
Google
NVIDIA
Salesforce
Amazon
Palo Alto Networks
ISC2
Splunk®
ServiceNow®
All Vendors
  2. Home
  3. Exams
  4. ISACA
  5. CRISC

CRISC: Certified in Risk and Information Systems Control
Free Practice Exam Questions (page: 31)
Updated On: 2-Jan-2026

Page 31 of 238
PDF with 1895 Questions

Which of the following is the MOST effective way 10 identify an application backdoor prior to implementation'?

  1. User acceptance testing (UAT)
  2. Database activity monitoring
  3. Source code review
  4. Vulnerability analysis

Answer(s): C

Explanation:

A source code review is the process of examining and analyzing the source code of an application to identify any vulnerabilities, errors, or flaws that may compromise the security, functionality, or performance of the application. A source code review is the most effective way to identify an application backdoor prior to implementation, as it can detect any hidden or unauthorized code that may allow unauthorized access, bypass security controls, or execute malicious commands. A source code review can also help to improvethe quality and reliability of the application, and ensure compliance with the coding standards and best practices. References = CRISC Review Manual, 7th Edition, page 181.



Which of the following would be a weakness in procedures for controlling the migration of changes to production libraries?

  1. The programming project leader solely reviews test results before approving the transfer to production.
  2. Test and production programs are in distinct libraries.
  3. Only operations personnel are authorized to access production libraries.
  4. A synchronized migration of executable and source code from the test environment to the production environment is allowed.

Answer(s): A

Explanation:

The programming project leader solely reviewing test results before approving the transfer to production would be a weakness in procedures for controlling the migration of changes to production libraries, because it violates the principle of segregation of duties, and it exposes the production libraries to the risk of unauthorized or erroneous changes. The programming project leader is responsible for developing and testing the changes, but not for approving and deploying them. The approval and deployment of the changes should be done by an independent and authorized party, such as the change control board or the operations manager. The other options are not weaknesses, but rather good practices, because:
Option B: Test and production programs being in distinct libraries is a good practice, because it prevents the accidental or intentional overwriting or mixing of the test and production programs, and it ensures the integrity and security of the production libraries. Option C: Only operations personnel being authorized to access production libraries is a good practice, because it restricts the access and modification of the production libraries to the qualified and accountable staff, and it prevents the unauthorized or inappropriate access or modification of the production libraries by other parties. Option D: A synchronized migration of executable and source code from the test environment to the production environment being allowed is a good practice, because it ensures the consistency and completeness of the changes, and it avoids the potential errors or discrepancies that may arise from the manual or partial migration of the changes. References = Risk and Information Systems Control Study Manual, 7th Edition, ISACA, 2020, p. 215.



An organization has raised the risk appetite for technology risk. The MOST likely result would be:

  1. increased inherent risk.
  2. higher risk management cost
  3. decreased residual risk.
  4. lower risk management cost.

Answer(s): D

Explanation:

The risk appetite of an organization is the amount and type of risk that it is willing to accept in pursuit of its objectives1. Technology risk is the risk related to the use of information and technology in theorganization2. If an organization has raised its risk appetite for technology risk, it means that it is willing to accept more risk in exchange for more potential benefits from technology initiatives. This would likely result in lower risk management cost, as the organization would spend less on implementing and maintaining controls to mitigate technology risk. The other options are not the most likely results of raising the risk appetite for technology risk. Increased inherent risk is the risk before considering the effect of controls3, and it is not directly affected by the risk appetite. Higher risk management cost would be the opposite of the expected outcome, as the organization would reduce its risk management efforts. Decreased residual risk is the risk after considering the effect of controls3, and it would also be the opposite of the expected outcome, as the organization would accept more risk exposure. References = Organisations must define their IT risk appetite and tolerance; IT Risk Resources; CRISC | What Accurate CRISC Free Download Is



Which of the following changes would be reflected in an organization's risk profile after the failure of a critical patch implementation?

  1. Risk appetite is decreased.
  2. Inherent risk is increased.
  3. Risk tolerance is decreased.
  4. Residual risk is increased.

Answer(s): D

Explanation:

Residual risk is the level of risk that remains after applying controls or other risk treatments. A critical patch is a type of control that aims to reduce the risk of a known vulnerability being exploited by attackers. If the patch implementation fails, the control is ineffective and the risk is not reduced. Therefore, the residual risk is increased, as the organization is still exposed to the potential negative consequences of the vulnerability.


Reference:

·ISACA, Risk and Information Systems Control Review Manual, 7th Edition, 2020, p. 2111 ·ISACA, Practical Patch Management and Mitigation2



An organization is making significant changes to an application. At what point should the application risk profile be updated?

  1. After user acceptance testing (UAT)
  2. Upon release to production
  3. During backlog scheduling
  4. When reviewing functional requirements

Answer(s): D

Explanation:

The application risk profile should be updated when reviewing functional requirements. This will help to identify and assess the potential risks that may arise from the changes to the application, and to plan and implement appropriate risk responses. Updating the application risk profile at this stage will also help to ensure that the changes are aligned with the organization's objectives, policies, and standards, and that they meet the stakeholders' expectations and needs. Updating the application risk profile after user acceptance testing, upon release to production, or during backlog scheduling are not the best points to update the risk profile, as they may be too late or too early to capture the relevant risks and their impacts. References = Risk and Information Systems Control Study Manual, 7th Edition, Chapter 2, Section 2.1.1.1, page 511
1: ISACA Certified in Risk and Information Systems Control (CRISC®) Exam Guide, Answer to Question 655.



Which of the following should be the GREATEST concern to a risk practitioner when process documentation is incomplete?

  1. Inability to allocate resources efficiently
  2. Inability to identify the risk owner
  3. Inability to complete the risk register
  4. Inability to identify process experts

Answer(s): B

Explanation:

The greatest concern for a risk practitioner when process documentation is incomplete is the inability to identify the risk owner. The risk owner is the person or entity that has the authority and responsibility to manage a specific risk or a group of related risks. The risk owner helps to identify, assess, and respond to the risks, and to monitor and report on the risk performance and improvement. The risk owner also helps to communicate and coordinate the risk management activities with the relevant stakeholders, such as the board, management, business units, and IT functions. The risk owner is usually identified in the process documentation, which describes the roles, responsibilities, procedures, and resources for each process. The inability to identify the risk owner is a major concern for the risk practitioner, because it may affect the accountability, transparency, and effectiveness of the risk management process, and may lead to confusion, conflicts, or gaps in the risk management activities. The other options are not as concerning as the inability to identify the risk owner, although they may also pose some difficulties or limitations for the risk management process. Inability to allocate resources efficiently, inability to complete the risk register, and inability to identify process experts are all factors that could affect the quality and timeliness of the risk management process, but they do not necessarily affect the authority and responsibility of the risk management process. References = Risk and Information Systems Control Study Manual, Chapter 2, Section 2.2.1, page 2-11.



Which of the following is a risk practitioner's MOST important responsibility in managing risk acceptance that exceeds risk tolerance?

  1. Verify authorization by senior management.
  2. Increase the risk appetite to align with the current risk level
  3. Ensure the acceptance is set to expire over lime
  4. Update the risk response in the riskregister.

Answer(s): A

Explanation:

The risk practitioner's most important responsibility in managing risk acceptance that exceeds risk tolerance is to verify authorization by senior management. Risk acceptance is a risk response strategy that involves acknowledging and agreeing to bear the risk and its potential consequences. Risk tolerance is the acceptable or allowable level of variation or deviation from the expected or desired outcomes or objectives.
When the risk acceptance exceeds the risk tolerance, it means that the organization is taking on more risk than it can handle or afford. Therefore, the risk practitioner should verify that the risk acceptance is authorized by senior management, who have the authority and accountability for making risk management decisions and ensuring that they are aligned with the organizational strategy and objectives. The other options are not as important as verifying authorization by senior management, as they are related to the adjustments, conditions, or documentation of the risk acceptance, not the approval or validation of the risk acceptance. References = Risk and Information Systems Control Study Manual, Chapter 3: IT Risk Response, Section 3.2: IT Risk Response Options, page 133.



Which of the following would provide the MOST comprehensive information for updating an organization's risk register?

  1. Results of the latest risk assessment
  2. Results of a risk forecasting analysis
  3. A review of compliance regulations
  4. Findings of the most recent audit

Answer(s): A

Explanation:

A risk register is a document that is used as a risk management tool to identify and track risks that may affect a project or an organization1. A risk register should be updated regularly to reflect the current status and changes of the risks, as well as the actions taken to mitigate or resolve them2. The most comprehensive information for updating a risk register would come from the results of the latest risk assessment, which is a process that involves identifying, analyzing, and evaluating the risks and their potential impacts3. A risk assessment provides a detailed and systematic overview of the risks, theirsources, causes, likelihood, severity, and consequences, as well as the existing and planned controls andresponses4. A risk assessment also helps to prioritize the risks based on their level of exposure and urgency, and to align them with the organization's risk appetite and tolerance5. Therefore, the results of the latest risk assessment would provide the most relevant and complete information for updating a risk register and ensuring that it reflects the current risk profile and situation of the project or the organization. Results of a risk forecasting analysis are not the most comprehensive information for updating a risk register, as they do not provide a complete picture of the risks and their impacts. A risk forecasting analysis is a technique that uses historical data, trends, and scenarios to estimate the potential outcomes and impacts of future events that may affect the organization's objectives and performance6. A risk forecasting analysis can help to anticipate and prepare for the risks, but it does not provide specific information on the sources, causes, likelihood, severity, and consequences of the risks, nor the existing and planned controls and responses. A review ofcompliance regulations is not the most comprehensive information for updating a risk register, as it does not cover all the aspects and dimensions of risk management. A review of compliance regulations is a process that involves checking and verifying that the organization's activities, processes, and systems are in accordance with the applicable laws, rules, and standards7. A review of compliance regulations can help to identify and mitigate the risks related to legal or regulatory violations, but it does not provide specific information on the other types and sources of risks, such as operational, strategic, financial, or reputational risks, nor the existing and planned controls and responses. Findings of the most recent audit are not the most comprehensive information for updating a risk register, as they do not provide a current and holistic view of the risks and their impacts. An audit is an independent examination and evaluation of the organization's activities, processes, and systems, to provide assurance and advice on their adequacy and effectiveness. An audit can help to identify and report the issues or gaps in the organization's risk management, but it does not provide specific information on the current status and changes of the risks, nor the existing and planned controls and responses. References = Risk and Information Systems Control Study Manual, Chapter 4: Risk and Control Monitoring and Reporting, Section 4.2: Risk Monitoring, pp. 189-191.



Viewing page 31 of 238
Viewing questions 241 - 248 out of 1895 questions



Post your Comments and Discuss ISACA CRISC exam prep with other Community members:

CRISC Exam Discussions & Posts