ISACA CRISC Exam Questions
Certified in Risk and Information Systems Control (Page 41)

Updated On: 24-Feb-2026

What is the MOST important consideration when selecting key performance indicators (KPIs) for control monitoring?

  A. Source information is acquired at stable cost.
  B. Source information is tailored by removing outliers.
  C. Source information is readily quantifiable.
  D. Source information is consistently available.

Answer(s): D

Explanation:

The most important consideration when selecting KPIs for control monitoring is that the source information is consistently available, meaning that it can be obtained regularly, reliably, and in a timely manner from the same or equivalent data sources. This ensures that the KPIs can measure the performance of the controls over time and across different units or functions, and provide meaningful and comparable results. Source information that is acquired at stable cost, tailored by removing outliers, or readily quantifiable is also desirable, but not as essential as consistent availability.


Reference:

· ISACA, Risk IT Framework, 2nd Edition, 2019, p. 75
· ISACA, Performance Measurement Metrics for IT Governance



Which of the following should be the PRIMARY objective of a risk awareness training program?

  A. To enable risk-based decision making
  B. To promote awareness of the risk governance function
  C. To clarify fundamental risk management principles
  D. To ensure sufficient resources are available

Answer(s): A

Explanation:

The primary objective of a risk awareness training program is to enable risk-based decision making, which means making decisions that take into account the potential risks and opportunities associated with each option. A risk awareness training program should aim to develop a common understanding of risk across multiple functions and business units, achieve a better understanding of risk for competitive advantage, and build safeguards against earnings-related surprises. A risk awareness training program should also cover the basics of risk management, such as the risk management process, the roles and responsibilities of different stakeholders, the risk appetite and tolerance of the organization, and the tools and techniques for identifying, analyzing, evaluating, and treating risks. A risk awareness training program should also include practical examples and case studies to illustrate how risk management can be applied in different scenarios and contexts.

Reference:

· Risk and Information Systems Control Study Manual, Chapter 1: IT Risk Identification, Section 1.11: Risk Awareness, pp. 34-35



Which of the following is the PRIMARY reason to update a risk register with risk assessment results?

  A. To communicate the level and priority of assessed risk to management
  B. To provide a comprehensive inventory of risk across the organization
  C. To assign a risk owner to manage the risk
  D. To enable the creation of action plans to address risk

Answer(s): A

Explanation:

The primary reason to update a risk register with risk assessment results is to communicate the level and priority of assessed risk to management, as this enables them to make informed decisions about risk response and allocation of resources. The risk register is a tool for documenting and reporting the current status of risks, their causes, impacts, likelihood, and responses. Updating the risk register with risk assessment results ensures that the information is accurate, relevant, and timely. The risk register also helps to monitor and track the progress and effectiveness of risk management activities. The other options are not the primary reasons to update the risk register, although they may be secondary benefits or outcomes of doing so.

Reference:

· Risk and Information Systems Control Study Manual, Chapter 3: IT Risk Assessment, page 109



A technology company is developing a strategic artificial intelligence (AI)-driven application that has high potential business value. At what point should the enterprise risk profile be updated?

  A. After user acceptance testing (UAT)
  B. Upon approval of the business case
  C. When user stories are developed
  D. During post-implementation review

Answer(s): B



Which of the following would BEST facilitate the implementation of data classification requirements?

  A. Implementing a data loss prevention (DLP) solution
  B. Assigning a data owner
  C. Scheduling periodic audits
  D. Implementing technical controls over the assets

Answer(s): B

Explanation:

The best way to facilitate the implementation of data classification requirements is to assign a data owner. A data owner is a person who has the authority and responsibility for defining, classifying, and protecting the data. A data owner can help to facilitate the implementation of data classification requirements by providing the criteria, categories, roles, and procedures for classifying the data according to its sensitivity, value, and criticality. A data owner can also ensure that the data is handled and stored appropriately, and that the data classification policy is enforced and monitored. The other options are not as effective as assigning a data owner, as they are related to the prevention, audit, or control of the data, not the classification or protection of the data.

Reference:

· Risk and Information Systems Control Study Manual, Chapter 4: Risk and Control Monitoring and Reporting, Section 4.4: Key Control Indicators, page 211