ISACA CRISC Exam Questions
Certified in Risk and Information Systems Control (Page 34)

Updated On: 24-Feb-2026

Which of the following offers the SIMPLEST overview of changes in an organization's risk profile?

  A. A risk roadmap
  B. A balanced scorecard
  C. A heat map
  D. The risk register

Answer(s): C

Explanation:

A heat map is a graphical representation of the organization's risk profile that shows the relative level of risk for each risk category or event. A heat map uses colors, shapes, or symbols to indicate the magnitude and likelihood of each risk, as well as its trend and status. A heat map offers the simplest overview of changes in the organization's risk profile, as it allows the risk decision-makers to quickly identify the most significant risks, the areas of improvement or deterioration, and the gaps or overlaps in risk management. A heat map can also be used to communicate the risk profile to senior management and other stakeholders in a clear and concise manner. References = Risk and Information Systems Control Study Manual, Chapter 2: IT Risk Assessment, Section 2.3: IT Risk Assessment Methods and Techniques, Page 77; Future Risks: How organizations see changes in risk management - Aon.



Which of the following key performance indicators (KPIs) would BEST measure the risk of a service outage when using a Software as a Service (SaaS) vendor?

  A. Frequency of business continuity plan (BCP) testing
  B. Frequency and number of new software releases
  C. Frequency and duration of unplanned downtime
  D. Number of IT support staff available after business hours

Answer(s): C

Explanation:

Software as a Service (SaaS) is a cloud computing model that provides software applications over the internet, without requiring the users to install or maintain them on their own devices. SaaS vendors are responsible for hosting, managing, and updating the software applications, and providing technical support and security to the users. The key performance indicator (KPI) that would best measure the risk of a service outage when using a SaaS vendor is the frequency and duration of unplanned downtime, which is the amount and length of time that the software applications are unavailable or inaccessible due to unexpected events, such as network failures, server crashes, power outages, cyberattacks, etc. The frequency and duration of unplanned downtime indicate the reliability and availability of the SaaS vendor, and the potential impact of the service outage on the users' business operations and productivity. References = 3



Which of the following BEST reduces the likelihood of fraudulent activity that occurs through use of a digital wallet?

  A. Require multi-factor authentication (MFA) to access the digital wallet.
  B. Use a digital key to encrypt the contents of the wallet.
  C. Enable audit logging on the digital wallet's device.
  D. Require public key infrastructure (PKI) to authorize transactions.

Answer(s): A

Explanation:

Requiring MFA increases the security of digital wallets by adding an additional layer of authentication, making it harder for unauthorized users to gain access. This aligns with Access Control Standards and significantly reduces the likelihood of fraud.



Which of the following is the BEST approach to mitigate the risk associated with a control deficiency?

  A. Perform a business case analysis
  B. Implement compensating controls.
  C. Conduct a control self-assessment (CSA)
  D. Build a provision for risk

Answer(s): B

Explanation:

The best approach to mitigate the risk associated with a control deficiency is to implement compensating controls. A control deficiency is a situation where a control is missing, ineffective, or inefficient, and cannot provide reasonable assurance that the objectives or requirements are met. A compensating control is a control that provides an alternative or additional measure of protection when the primary or preferred control is not feasible or effective. A compensating control can help to reduce the likelihood and/or impact of the risk associated with the control deficiency, and maintain the compliance or performance level. The other options are not as effective as implementing compensating controls, as they are related to the analysis, assessment, or provision of the risk, not the mitigation of the risk. References = Risk and Information Systems Control Study Manual, Chapter 3: IT Risk Response, Section 3.3: IT Risk Response Implementation, page 145.



Who is accountable for risk treatment?

  A. Enterprise risk management team
  B. Risk mitigation manager
  C. Business process owner
  D. Risk owner

Answer(s): D

Explanation:

Risk treatment is the process of selecting and implementing the appropriate risk response strategy and actions to address the identified risks. Risk treatment can involve different strategies, such as avoiding, reducing, transferring, or accepting the risk. The risk owner is the person or group who has the authority and accountability to manage the risk and its response. The risk owner is accountable for risk treatment, as they are responsible for deciding, approving, and executing the risk treatment plan, and for monitoring and reporting the results and outcomes of the risk treatment. The other options are not accountable for risk treatment, as they have different roles or responsibilities in the risk management process:
The enterprise risk management team is the group of risk managers and practitioners who support the enterprise-wide risk management program and provide guidance and direction to the risk owners and stakeholders. The enterprise risk management team may advise or assist the risk owner in risk treatment, but it is not accountable for risk treatment. The risk mitigation manager is the person who designs, implements, and monitors the risk mitigation actions or measures that reduce the likelihood or impact of the risk to an acceptable level, such as controls, policies, or procedures. The risk mitigation manager may advise or assist the risk owner in risk treatment, but is not accountable for risk treatment.
The business process owner is the stakeholder who is responsible for the business process that is supported by the IT system or application, such as the CRM system. The business process owner may be affected by or contribute to the risk, and may be involved in the risk treatment, but is not accountable for risk treatment, unless they are also the risk owner. References = Risk and Information Systems Control Study Manual, 7th Edition, Chapter 3, Section 3.1.1.1, pp. 95-96.

