ISACA CRISC Exam Questions
Certified in Risk and Information Systems Control (Page 35)

Updated On: 24-Feb-2026

Which of the following is MOST useful input when developing risk scenarios?

  A. Common attacks in other industries.
  B. Identification of risk events.
  C. Impact on critical assets.
  D. Probability of disruptive risk events.

Answer(s): B

Explanation:

Identifying specific risk events provides the foundational input for creating relevant and actionable risk scenarios. These scenarios form the basis for assessing potential impacts and determining effective controls. This is a key step in the Risk Identification and Assessment process.



The MOST essential content to include in an IT risk awareness program is how to:

  A. populate risk register entries and build a risk profile for management reporting.
  B. prioritize IT-related actions by considering risk appetite and risk tolerance.
  C. define the IT risk framework for the organization.
  D. comply with the organization's IT risk and information security policies.

Answer(s): D

Explanation:

The most essential content to include in an IT risk awareness program is how to comply with the organization's IT risk and information security policies. This helps ensure that staff members are aware of their roles and responsibilities and that they follow the best practices and standards needed to protect the organization's information assets and systems. Compliance with the IT risk and information security policies also helps to reduce the likelihood and impact of IT-related incidents and breaches, and to align IT activities with the organization's objectives and strategies. Populating risk register entries, prioritizing IT-related actions, and defining the IT risk framework are important aspects of IT risk management, but they are not the most essential content to include in an IT risk awareness program.

References = Risk and Information Systems Control Study Manual, 7th Edition, Chapter 5, Section 5.1.1.2, page 229 [1]
[1] ISACA Certified in Risk and Information Systems Control (CRISC®) Exam Guide, Answer to Question 646.



Which of the following is the MOST important reason to restrict access to the risk register on a need-to-know basis?

  A. It contains vulnerabilities and threats.
  B. The risk methodology is intellectual property.
  C. Contents may be used as auditable findings.
  D. Risk scenarios may be misinterpreted.

Answer(s): A

Explanation:

Restricting access to the risk register on a need-to-know basis is important because it contains vulnerabilities and threats that could expose the organization to harm or loss if they are disclosed to or exploited by unauthorized parties. The risk register is a tool that captures and documents the risk identification, analysis, evaluation, and treatment processes. It contains sensitive information such as the sources and causes of risk, the potential impacts and consequences of risk, the likelihood and frequency of risk occurrence, and the risk response actions and plans. If this information is accessed by unauthorized parties, such as competitors, attackers, or malicious insiders, they could use it to launch attacks, sabotage operations, or gain an unfair advantage over the organization; in effect, the register is a prioritized list of the organization's known weaknesses and how well each one is currently defended. Therefore, access to the risk register should be limited to those who have a legitimate need and authorization to view, modify, or use the information, such as the risk owners, managers, or practitioners.



Which of the following resources is MOST helpful to a risk practitioner when updating the likelihood rating in the risk register?

  A. Risk control assessment
  B. Audit reports with risk ratings
  C. Penetration test results
  D. Business impact analysis (BIA)

Answer(s): C

Explanation:

Penetration test results are the most helpful resource to a risk practitioner when updating the likelihood rating in the risk register. Penetration testing simulates real-world attacks on an IT system or network to identify and exploit vulnerabilities and to measure the potential impact. Its results provide empirical evidence of the existence and severity of vulnerabilities, as well as the ease and probability of exploitation (for example, whether the tester actually achieved the impact, from where, and whether credentials were needed). These results help the risk practitioner update the likelihood rating of the risks associated with the vulnerabilities and prioritize the risk response actions. Risk control assessments, audit reports with risk ratings, and the business impact analysis (BIA) are also useful resources for risk management (the BIA in particular informs the impact rating rather than the likelihood rating), but they are not as directly related to likelihood as penetration test results. References = Risk and Information Systems Control Study Manual, Chapter 2, Section 2.3.3, page 2-28.
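The following is an added illustration of the update described above; it is not from ISACA, the exam guide, or any real register. It assumes a hypothetical 1..5 ordinal likelihood scale, a hypothetical mapping from pentest evidence (exploited or not, network exposure, credentials required) to that scale, and constructed sample register entries and findings. The point it shows beyond the text is that evidence-based updates should be asset-matched, should record the rationale and date for audit, and should not silently lower an existing rating when the tester merely failed to exploit something.

```python
from dataclasses import dataclass, field
from datetime import date

# Hypothetical ordinal likelihood scale used by this example register.
LIKELIHOOD_SCALE = {1: "rare", 2: "unlikely", 3: "possible", 4: "likely", 5: "almost certain"}


@dataclass
class RiskEntry:
    risk_id: str
    asset: str
    scenario: str
    likelihood: int          # 1..5 per LIKELIHOOD_SCALE
    impact: int              # 1..5, normally sourced from the BIA, not the pentest
    history: list = field(default_factory=list)  # (date, old, new, rationale) audit trail

    @property
    def rating(self) -> int:
        return self.likelihood * self.impact


@dataclass
class PentestFinding:
    asset: str
    title: str
    exploited: bool          # tester actually achieved the impact, not just a scanner hit
    auth_required: bool      # valid credentials were needed to exploit it
    network_exposure: str    # "internet" or "internal"


def likelihood_from_finding(f: PentestFinding) -> int:
    """Assumed mapping from pentest evidence to the 1..5 likelihood scale."""
    if not f.exploited:
        return 2  # identified but not demonstrated: "unlikely" unless the register already says more
    base = 4 if f.network_exposure == "internet" else 3
    if not f.auth_required:
        base += 1  # no credentials needed: anyone who can reach it can exploit it
    return min(base, 5)


def update_likelihood(register, findings, today: date):
    """Raise likelihood for entries whose asset has pentest evidence; never lower it silently.

    Returns the ids of entries whose likelihood changed. Every change, and every case where the
    evidence was weaker than the current rating, is appended to the entry's history for review.
    """
    by_asset = {}
    for f in findings:
        by_asset.setdefault(f.asset, []).append(f)

    changed = []
    for entry in register:
        relevant = by_asset.get(entry.asset, [])
        if not relevant:
            continue
        proposed = max(likelihood_from_finding(f) for f in relevant)
        titles = "; ".join(f.title for f in relevant)
        if proposed > entry.likelihood:
            old = entry.likelihood
            entry.likelihood = proposed
            entry.history.append((today, old, proposed, f"pentest evidence: {titles}"))
            changed.append(entry.risk_id)
        elif proposed < entry.likelihood:
            # A failed or shallow test is not proof of lower likelihood; flag for the risk owner.
            entry.history.append((today, entry.likelihood, entry.likelihood,
                                  f"pentest evidence below current rating, owner review: {titles}"))
    return changed


def build_sample_register():
    # Constructed sample entries (hypothetical assets and scenarios).
    return [
        RiskEntry("R-01", "customer-portal", "SQL injection discloses customer records", 2, 5),
        RiskEntry("R-02", "hr-fileshare", "Unauthorized access to HR records", 3, 4),
        RiskEntry("R-03", "build-server", "Compromise of CI pipeline", 3, 5),
    ]


def sample_findings():
    # Constructed pentest findings (hypothetical).
    return [
        PentestFinding("customer-portal", "SQL injection in search endpoint", True, False, "internet"),
        PentestFinding("hr-fileshare", "SMB share readable by all domain users", True, True, "internal"),
        PentestFinding("build-server", "Outdated CI server version (not exploited)", False, True, "internal"),
    ]


if __name__ == "__main__":
    register = build_sample_register()
    changed = update_likelihood(register, sample_findings(), date(2026, 2, 24))
    for e in register:
        print(e.risk_id, LIKELIHOOD_SCALE[e.likelihood], "rating", e.rating, e.history)
    print("changed:", changed)
```

Impact is deliberately left untouched: the pentest informs likelihood, while impact comes from the BIA, which is why option D is a distractor in the question above.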



Which of the following is the PRIMARY reason to use administrative controls in conjunction with technical controls?

  A. To gain stakeholder support for the implementation of controls
  B. To comply with industry best practices by balancing multiple types of controls
  C. To improve the effectiveness of controls that mitigate risk
  D. To address multiple risk scenarios mitigated by technical controls

Answer(s): C

Explanation:

Administrative controls, such as policies, procedures, and training, complement technical controls by addressing the human and organizational aspects of risk management. Using both types of controls together enhances the overall effectiveness of the risk mitigation strategy, ensuring that technical measures are supported by appropriate governance and user behavior (for example, a technical access control is only as effective as the access-provisioning procedure and the training that keep it correctly configured and used).


Reference:

ISACA CRISC Review Manual, 7th Edition, Chapter 4: Information Technology and Security, Section: Control Types and Implementation.





