Cisco
CompTIA
ISC
EC-Council
EXIN
Fortinet
ITIL
Juniper
Microsoft
VMware
Avaya
SAP
Google
NVIDIA
Salesforce
Amazon
Palo Alto Networks
ISC2
Splunk
ServiceNow
All Vendors
  2. Home
  3. Exams
  4. ISACA
  5. CRISC

ISACA CRISC Exam Questions
Certified in Risk and Information Systems Control (Page 40 )

Updated On: 24-Feb-2026
Page 40 of 380
PDF with 1895 Questions

Which of the following is the MOST effective way to help ensure future risk levels do not exceed the organization's risk appetite?

  1. Establishing a series ofkey risk indicators (KRIs).
  2. Adding risk triggers to entries in the risk register.
  3. Implementing key performance indicators (KPIs).
  4. Developing contingency plans for key processes.

Answer(s): A

Explanation:

KRIs provide predictive metrics to monitor changes in risk levels, enabling timely interventions to maintain risks within the organization's appetite. This aligns with theRisk Monitoring and Reportingframework, which emphasizes proactive identification of risk thresholds.



An unauthorized individual has socially engineered entry into an organization's secured physical premises.
Which of the following is the BEST way to prevent future occurrences?

  1. Employ security guards.
  2. Conduct security awareness training.
  3. Install security cameras.
  4. Require security access badges.

Answer(s): B

Explanation:

Social engineering is a technique that involves manipulating or deceiving people into performing actions or divulging information that may compromise the security of an organization or its data12.
Entry into an organization's secured physical premises is a form of physical access that allows an unauthorized individual to access, steal, or damage the organization's assets, such as equipment, documents, or systems34.
The best way to prevent future occurrences of social engineering entry into an organization's secured physical premises is to conduct security awareness training, which is an educational program that aims to equip the organization's employees with the knowledge and skills they need to protect the organization's data and sensitive information from cyber threats, such as hacking, phishing, or other breaches56.
Security awareness training is the best way because it helps the employees to recognize and resist the common and emerging social engineering techniques, such as tailgating,impersonation, or pretexting, that may be used by the attackers to gain physical access to the organization's premises56.
Security awareness training is also the best way because it fosters a culture of security and responsibility among the employees, and encourages them to follow the best practices andpolicies for physical security, such as locking the doors, verifying the identity of visitors, or reporting any suspicious activities or incidents56. The other options are not the best way, but rather possible measures or controls that may supplement or enhance the security awareness training. For example:

Employing security guards is a measure that involves hiring or contracting professional personnel who are trained and authorized to monitor, patrol, and protect the organization's premises from unauthorized access or intrusion78. However, this measure is not the best way because it may not be sufficient or effective to prevent or deter all types of social engineering attacks, especially if the attackers are able to bypass, deceive, or coerce the security guards78.
Installing security cameras is a control that involves using electronic devices that capture and record the visual images of the organization's premises, and provide evidence or alerts of any unauthorized access or activity . However, this control is not the best way because it is reactive rather than proactive, and may not prevent or stop the social engineering attacks before they cause any harm or damage to the organization . Requiring security access badges is a control that involves using physical or electronic cards that identify and authenticate the employees or authorized visitors who are allowed to enter the organization's premises, and restrict or deny the access to anyone else . However, this control is not the best way because it may not be foolproof or reliable to prevent or detect the social engineering attacks, especially if the attackers are able to steal, forge, or clone the security access badges . References =
1: What is Social Engineering? | Types & Examples of Social Engineering Attacks1
2: Social Engineering: What It Is and How to Prevent It | Digital Guardian2
3: What is physical Social Engineering and why is it important? - Integrity3603
4: What Is Tailgating (Piggybacking) In Cyber Security? - Wlan Labs4
5: What Is Security Awareness Training and Why Is It Important? - Kaspersky5
6: Security Awareness Training - Cybersecurity Education Online | Proofpoint US6
7: Security Guard - Wikipedia7
8: Security Guard Services - Allied Universal8
Security Camera - Wikipedia
Security Camera Systems - The Home Depot
Access Badge - Wikipedia
Access Control Systems - HID Global



An organizations chief technology officer (CTO) has decided to accept the risk associated with the potential loss from a denial-of-service (DoS) attack. In this situation, the risk practitioner's BEST course of action is to:

  1. identify key risk indicators (KRls) for ongoing monitoring
  2. validate the CTO's decision with the business process owner
  3. update the risk register with the selected risk response
  4. recommend that the CTO revisit the risk acceptance decision.

Answer(s): A

Explanation:

A denial-of-service (DoS) attack is a type of cyberattack that aims to disrupt or disable the normal functioning of a system or network by overwhelming it with excessive traffic or requests.
The chief technology officer (CTO) has decided to accept the risk associated with the potential loss from a DoS attack. This means that the CTO has determined that the cost or effort of implementing or maintaining controls to prevent or reduce the impact of a DoS attack is not justified by the expected benefits or savings, and that the organization is willing to bear the consequences of a DoS attack if it occurs. The best course of action for the risk practitioner in this situation is to identify key risk indicators (KRIs) for ongoing monitoring. This means that the risk practitioner should define and measure the metrics that provide information about the level of exposure to the DoS attack risk, such as the frequency, duration, or severity of the attacks, the availability, performance, or security of the systems or networks, the customer satisfaction, reputation, or revenue of the organization, etc.
Identifying KRIs for ongoing monitoring helps to track and evaluate the actual results and outcomes of the risk acceptance decision, compare them with the risk appetite and tolerance ofthe organization, identify any deviations or breaches that may require attention or action, and report them to the appropriate parties for decision making or improvement actions.
The references for this answer are:
Risk IT Framework, page 15
Information Technology & Security, page 9
Risk Scenarios Starter Pack, page 7



Which of the following is MOST helpful to ensure effective security controls for a cloud service provider?

  1. A controlself-assessment
  2. A third-party security assessment report
  3. Internal audit reports from the vendor
  4. Service level agreement monitoring

Answer(s): B

Explanation:

A third-party security assessment report is the most helpful to ensure effective security controls for a cloud service provider, because it provides an independent and objective evaluation of the cloud provider's security posture, policies, and practices. A third-party security assessment report can help to verify and validate the cloud provider's compliance with the relevant standards, regulations, and best practices, such as ISO 27001, PCI DSS, NIST, or CSA. A third-party security assessment report can also help to identify and address any gaps, weaknesses, or vulnerabilities in the cloud provider's security controls, and to provide recommendations and guidance for improvement. A third-party security assessment report can also help to increase the trust and confidence of the cloud customers, and to facilitate the due diligence and risk management processes. The other options are less helpful to ensure effective security controls for a cloud service provider. A control self-assessment is a process that enables the cloud provider to assess its own security controls, using a predefined framework or questionnaire. However, a control self-assessment may not be as reliable or comprehensive as a third-party security assessment report, as it may be biased, incomplete, or inaccurate, and it may not cover all the aspects or dimensions of security. Internal audit reports from the vendor are documents that provide the results and findings of the internal audits conducted by the cloud provider's ownauditors, to verify and validate the effectiveness and efficiency of the securitycontrols. However, internal audit reports from the vendor may not be as credible or trustworthy as a third-party security assessment report, as they may be influenced by the cloud provider's interests, objectives, or agenda, and they may not follow the same standards or criteria as the external auditors. Service level agreement monitoring is a process that measures and evaluates the performance and availability of the cloud services, based on the predefined metrics and targets agreed between the cloud provider and the cloud customer. However, service level agreement monitoring may not be sufficient or relevant to ensure effective security controls for a cloud service provider, as it may not address the security aspects or requirements of the cloud services, such as confidentiality, integrity, or accountability, and it may not reflect the actual security risks or incidents that may occur in the cloud environment. References = Cloud Security Controls:
Key Elements and 4 Control Frameworks 1



Which of the following will BEST help to ensure that information system controls are effective?

  1. Responding promptly to control exceptions
  2. Implementing compensating controls
  3. Testing controls periodically
  4. Automating manual controls

Answer(s): C

Explanation:

The best way to ensure that information system controls are effective is to test them periodically. Testing controls periodically helps to verify that the controls are operating as intended, and that they are aligned with the enterprise's objectives, policies, and standards. Testing controls periodically also helps to identify any gaps, weaknesses, or deficiencies in the controls, and to implement corrective actions or improvements. Responding promptly to control exceptions, implementing compensating controls, and automating manual controls are good practices, but they are not the best way to ensure control effectiveness. References = Risk and Information Systems Control Study Manual, 7th Edition, Chapter 3, Section 3.1.1.2, page 1071
1: ISACA Certified in Risk and Information Systems Control (CRISC®) Exam

Guide, Answer to Question 641.






Post your Comments and Discuss ISACA CRISC exam dumps with other Community members:

Join the CRISC Discussion