ISACA CRISC Exam Questions
Certified in Risk and Information Systems Control (Page 36 )

Updated On: 24-Feb-2026

Which of the following would provide the BEST guidance when selecting an appropriate risk treatment plan?

  1. Risk mitigation budget
  2. Business Impact analysis
  3. Cost-benefit analysis
  4. Return on investment

Answer(s): C

Explanation:

A cost-benefit analysis provides the best guidance when selecting a risk treatment plan. A risk treatment plan describes the actions or measures taken or planned to modify a risk: reducing, avoiding, transferring, or accepting it. Selecting an appropriate plan means choosing the most suitable and effective option for addressing the risk, given the organization's objectives, strategies, and risk criteria. A cost-benefit analysis compares the benefits and costs of the alternative options and selects the one that maximizes net benefit or value. It is the best guidance because it helps to:

  - Evaluate the feasibility, effectiveness, and efficiency of the treatment options and compare them against the organization's risk appetite and tolerance
  - Balance the benefits and costs of the options, considering both quantitative and qualitative aspects of the risk and of the response
  - Optimize the use of the organization's resources and capabilities, and keep the chosen option aligned and integrated with the organization's goals and values
  - Support risk decision making and prioritization with a rational and transparent basis for selecting the best option

The other options are less comprehensive or less relevant than a cost-benefit analysis. A risk mitigation budget allocates the financial resources for implementing and maintaining risk mitigation measures. It helps ensure that funds for the chosen treatment are available and adequate and lets expenditure be monitored and controlled, but it says nothing about the benefits or value of the options, or about their suitability or effectiveness. A business impact analysis estimates the potential effects or consequences of a risk on the organization's objectives, operations, or performance. It helps assess the severity and priority of the risk and identifies the critical assets and resources involved or impacted, but it does not address the cost or feasibility of treatment options, nor the alternatives available. A return on investment is a metric of the profitability or efficiency of an investment, project, or activity, obtained by comparing its benefits and costs. It can evaluate the performance and effectiveness of a treatment option and compare it with other investments, projects, or activities, but it does not address the qualitative or intangible aspects of the risk and the response, or the organization's risk appetite and tolerance.

References = Risk and Information Systems Control Study Manual, 7th Edition, Chapter 2, Section 2.1.8, Page 61.
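As an added example (not from the CRISC manual or this page), the following Python script carries out the comparison the explanation describes: each treatment option is scored by its net benefit, the options are screened against the organization's risk tolerance, and the outcome is contrasted with a pure return-on-investment ranking. It assumes a quantitative loss model in which the benefit of an option is the reduction in annualized loss expectancy (ALE = single loss expectancy x annual rate of occurrence) and tolerance is expressed as a maximum acceptable residual ALE; the option names and all monetary figures are constructed for illustration.

```python
"""Cost-benefit comparison of risk treatment options (added example).

Assumptions (not from the page): the benefit of an option is the reduction
in annualized loss expectancy (ALE = SLE x ARO); costs are annualized; the
organization's tolerance is a maximum acceptable residual ALE.
All figures below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class TreatmentOption:
    name: str
    strategy: str        # mitigate, transfer, avoid or accept
    annual_cost: float   # annualized cost of implementing and running the option
    residual_sle: float  # loss per incident if the event still occurs
    residual_aro: float  # expected incidents per year after treatment

    @property
    def residual_ale(self) -> float:
        return self.residual_sle * self.residual_aro


def net_benefit(option: TreatmentOption, current_ale: float) -> float:
    """Annual risk reduction achieved minus what the option costs per year."""
    return (current_ale - option.residual_ale) - option.annual_cost


def roi(option: TreatmentOption, current_ale: float) -> Optional[float]:
    """Return on investment as a ratio; undefined (None) for a zero-cost option."""
    if option.annual_cost == 0:
        return None
    return net_benefit(option, current_ale) / option.annual_cost


def rank_by_roi(options: List[TreatmentOption], current_ale: float) -> List[TreatmentOption]:
    """Pure ROI ranking, best first. Note that it ignores tolerance entirely."""
    scored = [(o, roi(o, current_ale)) for o in options]
    scored = [(o, r) for o, r in scored if r is not None]
    scored.sort(key=lambda t: t[1], reverse=True)
    return [o for o, _ in scored]


def select_treatment(options: List[TreatmentOption], current_ale: float,
                     tolerance_ale: float) -> Optional[TreatmentOption]:
    """Cost-benefit selection: among the options that bring residual risk
    within tolerance, choose the one with the highest net benefit.
    None means no option fits; the decision must be escalated."""
    feasible = [o for o in options if o.residual_ale <= tolerance_ale]
    if not feasible:
        return None
    return max(feasible, key=lambda o: net_benefit(o, current_ale))


# Constructed scenario: a customer-facing web application exposed to data theft.
CURRENT_SLE = 200_000.0                  # loss per incident today
CURRENT_ARO = 0.5                        # one incident every two years
CURRENT_ALE = CURRENT_SLE * CURRENT_ARO  # 100_000 per year
TOLERANCE_ALE = 30_000.0                 # maximum residual ALE management accepts

OPTIONS = [
    TreatmentOption("accept as is", "accept", 0.0, CURRENT_SLE, CURRENT_ARO),
    TreatmentOption("WAF only", "mitigate", 4_000.0, CURRENT_SLE, 0.3),
    TreatmentOption("patching programme + monitoring", "mitigate", 25_000.0, CURRENT_SLE, 0.1),
    TreatmentOption("cyber insurance (50k deductible)", "transfer", 8_000.0, 50_000.0, CURRENT_ARO),
]


if __name__ == "__main__":
    for o in OPTIONS:
        r = roi(o, CURRENT_ALE)
        roi_text = "n/a" if r is None else f"{r:.2f}"
        print(f"{o.name:36} residual ALE {o.residual_ale:>9,.0f}  "
              f"net benefit {net_benefit(o, CURRENT_ALE):>9,.0f}  ROI {roi_text}")
    print("highest ROI:", rank_by_roi(OPTIONS, CURRENT_ALE)[0].name)
    chosen = select_treatment(OPTIONS, CURRENT_ALE, TOLERANCE_ALE)
    print("cost-benefit choice within tolerance:", chosen.name if chosen else "none")
```

With these constructed figures the pure ROI ranking prefers "WAF only" (9.0x), yet that option leaves a residual ALE of 60,000, twice the tolerance. The cost-benefit selection screens against tolerance first and then maximizes net benefit, which picks the transfer option (net benefit 67,000). That is the practical difference between the two approaches that the explanation alludes to.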



Which of the following is the BEST indicator of the effectiveness of IT risk management processes?

  1. Percentage of business users completing risk training
  2. Percentage of high-risk scenarios for which risk action plans have been developed
  3. Number of key risk indicators (KRIs) defined
  4. Time between when IT risk scenarios are identified and the enterprise's response

Answer(s): D

Explanation:

IT risk management is the process of identifying, assessing, and mitigating the risks arising from the organization's use of information technology. It aims to preserve the confidentiality, integrity, and availability of IT resources and information and to support the organization's IT governance and strategy. The best indicator of the effectiveness of IT risk management processes is the time between identification of an IT risk scenario and the enterprise's response, because it measures how quickly and efficiently the organization detects and responds to IT risk, and therefore how well it prevents or limits the resulting impact. That interval spans:

  - the time taken to identify and report the IT risk scenario, from sources such as risk assessments, audits, monitoring, alerts, or incidents
  - the time taken to analyze and evaluate it, using tools and techniques such as risk matrices, risk registers, risk indicators, or risk models
  - the time taken to select and implement the response, using strategies and controls such as avoidance, mitigation, transfer, or acceptance
  - the time taken to review and improve the risk management process itself, through lessons learned, best practices, or benchmarks

The other options are inputs to or outputs of the IT risk management process rather than measures of its effectiveness. The percentage of business users completing risk training indicates the awareness and competence of IT users and providers, which influences risk management performance but does not measure the process directly. The percentage of high-risk scenarios for which risk action plans have been developed indicates the completeness and coverage of risk management activities, which influences outcomes but again does not measure the process directly. The number of key risk indicators (KRIs) defined indicates the scope and complexity of the risk management objectives, which affects the resources and capabilities required, but not how well the process performs. References = IT Risk Management - ISACA
Risk Management Process - ISACA
Risk Response - ISACA
[CRISC Review Manual, 7th Edition]



Which of the following would be MOST useful to senior management when determining an appropriate risk response?

  1. A comparison of current risk levels with established tolerance
  2. A comparison of cost variance with defined response strategies
  3. A comparison of current risk levels with estimated inherent risk levels
  4. A comparison of accepted risk scenarios associated with regulatory compliance

Answer(s): A

Explanation:

A comparison of current risk levels with established tolerance is the most useful information for senior management when determining an appropriate risk response, as it shows the gap between the actual risk exposure and the desired risk exposure of the enterprise. This gap indicates the need and urgency for risk response actions, and helps senior management to prioritize and allocate resources for risk mitigation. A comparison of current risk levels with established tolerance also reflects the effectiveness of the existing risk management process and controls, and enables senior management to monitor and adjust the risk strategy and objectives accordingly. References = ISACA Certified in Risk and Information Systems Control (CRISC) Certification Exam Question and Answers, Question 234. CRISC by Isaca Actual Free Exam Q&As, Question 9. CRISC: Certified in Risk & Information Systems Control Sample Questions, Question 234. CRISC Sample Questions 2024, Question 234.



Which of the following is the MOST essential characteristic of a good IT risk scenario?

  1. The scenario is aligned to business control processes.
  2. The scenario is aligned to the organization's risk appetite and tolerance.
  3. The scenario is aligned to a business objective.
  4. The scenario is aligned to known vulnerabilities in information technology.

Answer(s): C

Explanation:

A good IT risk scenario must be aligned with a business objective. This alignment ensures that the risk scenario is relevant to the organization's goals and can be effectively integrated into its risk management processes.

Alignment to a business objective (Answer C):
Importance: Aligning risk scenarios with business objectives ensures that they are relevant and support the organization's overall strategy.
Impact: This alignment helps in prioritizing risk management efforts and resources toward areas that directly affect the organization's success.
Outcome: It leads to more effective risk management by focusing on risks that could impact key business outcomes.

Comparison with the other options:
A. The scenario is aligned to business control processes:
Purpose: Control processes are important but secondary to business objectives.
B. The scenario is aligned to the organization's risk appetite and tolerance:
Purpose: Important for overall risk management but not the primary characteristic of a good risk scenario.
D. The scenario is aligned to known vulnerabilities in information technology:
Purpose: While addressing vulnerabilities is important, the primary focus should be on how those vulnerabilities affect business objectives; a scenario that names only a technical weakness, with no link to the objective it threatens, gives management nothing to prioritize.


Reference:

ISACA CRISC Review Manual, Chapter 2, "IT Risk Assessment", which emphasizes the need for risk scenarios to be aligned with business objectives for effective risk management.



Which of the following would BEST help to address the risk associated with malicious outsiders modifying application data?

  1. Multi-factor authentication
  2. Role-based access controls
  3. Activation of control audits
  4. Acceptable use policies

Answer(s): B

Explanation:

Role-based access controls (RBAC) are a preventive control that limits the access and actions of users according to their roles and responsibilities within the organization. RBAC addresses the risk of malicious outsiders modifying application data by restricting who can reach the data and which functions they may perform on it: a subject that has obtained some foothold, but holds no role that grants modify rights, is refused. RBAC also enforces the principle of least privilege, under which users hold only the minimum access needed for their tasks, so a compromised low-privilege account yields correspondingly little. It is implemented through policies and procedures (role definitions, approval of role assignments, periodic access reviews) and technical mechanisms such as access control lists and permission checks enforced by the application. RBAC depends on authentication to establish who the user is, but authentication alone (including multi-factor authentication) only proves identity; it does not decide what that identity may change. Likewise, encryption protects the confidentiality of stored or transmitted data but does not by itself decide who may modify it. References = Risk and Information Systems Control Study Manual, Chapter 4, Section 4.2.1.1, p. 178-179
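To show the control in working form, here is an added Python example (not from the CRISC manual or any product) of RBAC guarding modifications to application records. The roles, permissions, user identifiers and the invoice records are constructed for illustration. The design points a practitioner looks for are all present: the decision is deny by default, unknown roles grant nothing, the "viewer" role illustrates least privilege by being unable to write, the check is enforced in the data-access layer rather than in the user interface, and every denied modification attempt is recorded for the audit trail.

```python
"""Role-based access control over application data (added example).

Roles, permissions, users and records below are constructed; nothing here
comes from the CRISC manual or from a real product.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, FrozenSet, List, Set, Tuple


class Action(Enum):
    READ = "read"
    UPDATE = "update"
    DELETE = "delete"


# Role -> set of (resource type, action) it grants. Anything not listed is denied.
ROLE_PERMISSIONS: Dict[str, Set[Tuple[str, Action]]] = {
    "viewer": {("invoice", Action.READ)},
    "ap_clerk": {("invoice", Action.READ), ("invoice", Action.UPDATE)},
    "finance_admin": {("invoice", a) for a in Action},
}


@dataclass(frozen=True)
class Subject:
    """An authenticated identity and the roles assigned to it."""
    user_id: str
    roles: FrozenSet[str]


class PermissionDenied(Exception):
    pass


def is_allowed(subject: Subject, resource_type: str, action: Action) -> bool:
    """Deny by default: allow only if at least one of the subject's roles
    grants (resource_type, action). Roles not in the table grant nothing."""
    return any((resource_type, action) in ROLE_PERMISSIONS.get(role, set())
               for role in subject.roles)


@dataclass
class InvoiceStore:
    """Data-access layer: every read or write passes through _authorize,
    so a caller cannot bypass the check by skipping the user interface."""
    invoices: Dict[str, Dict[str, object]] = field(default_factory=dict)
    audit_log: List[Tuple[str, str, str, str]] = field(default_factory=list)

    def _authorize(self, subject: Subject, action: Action, invoice_id: str) -> None:
        allowed = is_allowed(subject, "invoice", action)
        self.audit_log.append((subject.user_id, action.value, invoice_id,
                               "ALLOW" if allowed else "DENY"))
        if not allowed:
            raise PermissionDenied(
                f"{subject.user_id} may not {action.value} invoice {invoice_id}")

    def read(self, subject: Subject, invoice_id: str) -> Dict[str, object]:
        self._authorize(subject, Action.READ, invoice_id)
        return dict(self.invoices[invoice_id])

    def update_amount(self, subject: Subject, invoice_id: str, amount: float) -> float:
        self._authorize(subject, Action.UPDATE, invoice_id)
        self.invoices[invoice_id]["amount"] = amount
        return amount


def demo() -> InvoiceStore:
    """Constructed walk-through: a clerk changes an invoice; an outsider who
    has obtained a view-only account tries to change it and is refused."""
    store = InvoiceStore(invoices={"INV-1001": {"payee": "Acme Ltd", "amount": 1200.0}})
    clerk = Subject("clerk01", frozenset({"ap_clerk"}))
    outsider = Subject("guest77", frozenset({"viewer"}))

    store.update_amount(clerk, "INV-1001", 1250.0)       # allowed
    try:
        store.update_amount(outsider, "INV-1001", 999_999.0)  # denied, logged
    except PermissionDenied:
        pass
    return store


if __name__ == "__main__":
    s = demo()
    print(s.invoices["INV-1001"])
    for entry in s.audit_log:
        print(entry)
```

The audit log is what makes the control reviewable: a burst of DENY entries for update on a single account is the signal an analyst would hunt for after a credential compromise, and it is produced by the same code path that enforces the decision.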


