Cisco
CompTIA
ISC
EC-Council
EXIN
Fortinet
ITIL
Juniper
Microsoft
VMware
Avaya
SAP
Google
NVIDIA
Salesforce
Amazon
Palo Alto Networks
ISC2
Splunk
ServiceNow
All Vendors
  2. Home
  3. Exams
  4. ISACA
  5. CRISC

ISACA CRISC Exam Questions
Certified in Risk and Information Systems Control (Page 38 )

Updated On: 24-Feb-2026
Page 38 of 380
PDF with 1895 Questions

A bank recently incorporated Blockchain technology with the potential to impact known risk within the organization.
Which of the following is the risk practitioner's BEST course of action?

  1. Determine whether riskresponses are still adequate.
  2. Analyze and update control assessments with the new processes.
  3. Analyze the risk and update the risk register as needed.
  4. Conduct testing of the control that mitigate the existing risk.

Answer(s): C



Which of the following should be the PRIMARY input when designing IT controls?

  1. Benchmark of industry standards
  2. Internal and external risk reports
  3. Recommendations from IT risk experts
  4. Outcome of control self-assessments

Answer(s): B

Explanation:

The primary input when designing IT controls should be internal and external risk reports. IT controls are specific activities performed by persons or systems to ensure that business objectives are met, and thatthe confidentiality, integrity, and availability of data and the overall management of the IT function are ensured1. Designing IT controls means creating and implementing the appropriate measures or actions to reduce the likelihood or impact of the IT risks that may affect the organization2. Internal and external risk reports are documents that provide information and analysis on the current and potential IT risks that the organization faces, as well as their sources, drivers, consequences, and responses3. Internal risk reports are generated by the organization itself, such as by the IT risk management function, the internal audit function, or the business units. External risk reports are obtained from external sources, such as regulators, industry associations, or third-party service providers. Internal and external risk reports are the primary input when designing IT controls, because they help to:
Identify and prioritize the IT risks that need to be addressed by the IT controls; Evaluate the likelihood and impact of the IT risks, and compare them against the organization's risk appetite and tolerance;
Determine the most suitable and effective IT control objectives and activities to mitigate the IT risks;
Align the IT control design and implementation with the organization's objectives, strategies, and values;
Monitor and measure the performance and effectiveness of the IT controls in reducing the IT risks. The other options are not the primary input when designing IT controls, as they are either less relevant or less specific than internal and external risk reports. Benchmark of industry standards is a comparison of the organization's IT control practices and performance with those of other organizations in the same industry or sector4. Benchmark of industry standards can help to improve the quality and consistency of the IT control design and implementation, as well as to identify the best practices and gaps. However, benchmark of industry standards is not the primary input when designing IT controls, as it does not address the specific IT risks that the organization faces, or the IT control objectives and activities that are appropriate and effective for the organization. Recommendations from IT risk experts are the suggestions or advice from the professionals or specialists who have the knowledge and experience in IT risk management and IT control design and implementation5. Recommendations from IT risk experts can help to enhance the IT control design and implementation, as well as to provide guidance and support to the organization. However, recommendations from IT risk experts are not the primary inputwhen designing IT controls, as they are based on the opinions and perceptions of the experts, and may not reflect the actual or objective level and nature of the IT risks, or the IT control objectives and activities that are suitable and efficient for the organization. Outcome of control self-assessments is the result or conclusion of the evaluation and testing of the design and operation of the existingIT controls by the organization itself, such as by the IT control owners, the IT risk management function, or the business units6. Outcome of control self-assessments can help to improve the IT control design and implementation, as well as to detect and correct any issues or deficiencies. However, outcome of control self-assessments is not the primary input when designing IT controls, as it does not cover the new or emerging IT risks that the organization may face, or the IT control objectives and activities that are relevant and necessary for the organization. References = Risk and Information Systems Control Study Manual, 7th Edition, Chapter 4, Section 4.2.1, Page 189.



An organization has received notification that it is a potential victim of a cybercrime that may have compromised sensitive customer data.
What should be The FIRST course of action?

  1. Invoke the incident response plan.
  2. Determine the business impact.
  3. Conduct a forensic investigation.
  4. Invoke the business continuity plan (BCP).

Answer(s): A

Explanation:

The first course of action for an organization that has received notification that it is a potential victim of a cybercrime that may have compromised sensitive customer data is to invoke the incident response plan. An incident response plan is a set of procedures and guidelines that defines the roles and responsibilities of the incident response team, the communication and escalation channels, the incident identification and classification criteria, the incident containment and eradication strategies, the incident recovery and restoration activities, and the incident documentation and reporting requirements. Invoking the incident response plan as soon as possible is crucial to minimize the damage and disruption caused by the cybercrime, to preserve the evidence and facilitate the investigation, and to comply with the legal andregulatory obligations. The other options are not the first course of action, although they may be subsequent or concurrent steps in the incident response process. Determining the business impact is a part of the incident assessment and prioritization phase, which helps to evaluate the severity and scope of the incident and to allocate the appropriate resources and actions. Conducting a forensic investigation is a part of the incident analysis and evidence collection phase, which helps to identify the source and cause of the incident and to support the legal and disciplinary actions. Invoking the business continuity plan (BCP)

is a part of the incident recovery and restoration phase, which helps to resume the normal operations and services and to mitigate the adverse effects of the incident. References = The National Cyber Incident Response Plan (NCIRP), Cyber Incident Response Plan | Cyber.gov.au, [Cyber Incident Response: A Framework for Preparation and Success], [Cyber Incident Response Plan: How to Create One for Your Business]



As pan of business continuity planning, which of the following is MOST important to include m a business impact analysis (BlA)?

  1. An assessment of threats to the organization
  2. An assessment of recovery scenarios
  3. industry standard framework
  4. Documentation of testing procedures

Answer(s): C

Explanation:

As part of business continuity planning, the most important thing to include in a business impact analysis (BIA) is an industry standard framework. A BIA is a process of identifying and analyzing the potential effects of disruptions to the critical business functions and processes. An industry standard framework is a set of best practices, guidelines, and methodologies that provide a consistent and comprehensive approach to conducting a BIA. An industry standard framework can help to ensure that the BIA is complete, accurate, and reliable, and that it covers all the relevant aspects, such as the scope, objectives, criteria, methods, data sources, and reporting. An industry standard framework can also help to benchmark the BIA results against the industry norms and expectations, and to align the BIA with the business continuity strategy and plan. The other options are not as important as an industry standard framework, as they are related to the specific steps, activities, or outputs of the BIA, not the overall structure and quality of the BIA. References = Risk and Information Systems Control Study Manual, Chapter 4: Risk and Control Monitoring and Reporting, Section 4.4: Key Control Indicators, page 211.



A multinational company needs to implement a new centralized security system. The risk practitioner has identified a conflict between the organization's data-handling policy and local privacy regulations.
Which of the following would be the BEST recommendation?

  1. Request a policy exception from senior management.
  2. Comply with the organizational policy.
  3. Report the noncompliance to the local regulatory agency.
  4. Request an exception from the local regulatory agency.

Answer(s): D






Post your Comments and Discuss ISACA CRISC exam dumps with other Community members:

Join the CRISC Discussion