ISACA CRISC Exam Questions
Certified in Risk and Information Systems Control (Page 43 )

Updated On: 24-Feb-2026

Which of the following provides the BEST measurement of an organization's risk management maturity level?

  1. Level of residual risk
  2. The results of a gap analysis
  3. IT alignment to business objectives
  4. Key risk indicators (KRIs)

Answer(s): D

Explanation:

Risk management maturity level is the degree to which an organization has developed and implemented a systematic and proactive approach to managing the risks that it faces across its various functions, processes, and activities. Risk management maturity level reflects the organization's risk culture and capability, and its alignment with its objectives and strategies [1].

The best measurement of an organization's risk management maturity level is the key risk indicators (KRIs), which are metrics or measures that provide information on the current or potential exposure and performance of the organization in relation to specific risks. KRIs can help to:

  - Monitor and track the changes or trends in the risk level and the risk response over time
  - Identify and alert on the risk issues or events that require attention or action
  - Evaluate and report the effectiveness and efficiency of the risk management processes and practices
  - Support and inform the risk decision making and improvement [2][3]

KRIs can be classified into different types, such as:

  - Leading KRIs, which are forward-looking and predictive, and indicate the likelihood or probability of a risk event occurring in the future
  - Lagging KRIs, which are backward-looking and descriptive, and indicate the impact or consequence of a risk event that has already occurred
  - Quantitative KRIs, which are numerical or measurable, and indicate the magnitude or severity of a risk event or outcome
  - Qualitative KRIs, which are descriptive or subjective, and indicate the nature or characteristics of a risk event or outcome [4]

The other options are not the best measurements of an organization's risk management maturity level, but rather some of the factors or outcomes of it. Level of residual risk is the level of risk that remains after the risk response has been implemented. Level of residual risk reflects the effectiveness and efficiency of the risk response, and the need for further action or monitoring. The results of a gap analysis are the differences between the current and the desired state of the risk management processes and practices. The results of a gap analysis reflect the completeness and coverage of the risk management activities, and the areas for improvement or enhancement. IT alignment to business objectives is the extent to which IT supports and enables the achievement of the organization's goals and strategies. IT alignment to business objectives reflects the integration and coordination of the IT and business functions, and the optimization of the IT value and performance.

References =
[1] Risk Maturity Assessment Explained | Risk Maturity Model
[2] Key Risk Indicators - ISACA
[3] Key Risk Indicators: What They Are and How to Use Them
[4] Key Risk Indicators: Types and Examples
CRISC Review Manual, 7th Edition



It was discovered that a service provider's administrator was accessing sensitive information without the approval of the customer in an Infrastructure as a Service (IaaS) model.
Which of the following would BEST protect against a future recurrence?

  1. Data encryption
  2. Intrusion prevention system (IPS)
  3. Two-factor authentication
  4. Contractual requirements

Answer(s): D

Explanation:

The best option to protect against a future recurrence of unauthorized access by a service provider's administrator is D. Contractual requirements. Data encryption, intrusion prevention system, and two-factor authentication are all technical measures that can enhance the security of the data stored in the Infrastructure as a Service (IaaS) model, but they do not prevent the service provider's administrator from accessing the data if they have the necessary credentials, keys, or permissions. Contractual requirements, on the other hand, are legal obligations that bind the service provider to respect the customer's privacy and confidentiality, and to limit the access to the data to only authorized and necessary personnel. Contractual requirements can also specify the penalties or remedies for any breach of contract, which can deter the service provider's administrator from violating the terms of the agreement. Therefore, contractual requirements are the most effective way to protect against a future recurrence of unauthorized access by a service provider's administrator [1][2].

References =
[1] What is Data Encryption? | Forcepoint
[2] The elements of a contract: understanding contract requirements - Juro



Which of the following should be the PRIMARY basis for prioritizing risk responses?

  1. The impact of the risk
  2. The replacement cost of the business asset
  3. The cost of risk mitigation controls
  4. The classification of the business asset

Answer(s): A

Explanation:

The primary basis for prioritizing risk responses is the impact of the risk. The impact of the risk is the consequence or effect of the risk on the organization's objectives or operations, such as financial loss, reputational damage, operational disruption, or legal liability. The impact of the risk is one of the key dimensions of risk analysis, along with the likelihood of the risk. The impact of the risk helps to determine the severity and priority of the risk, and to select the most appropriate and effective risk response. The impact of the risk also helps to evaluate the cost-benefit and trade-off of the risk response, and to measure the residual risk and the risk performance. The other options are not the primary basis for prioritizing risk responses, although they may be considered or influenced by the impact of the risk. The replacement cost of the business asset, the cost of risk mitigation controls, and the classification of the business asset are all factors that could affect the value or importance of the business asset, but they do not necessarily reflect the impact of the risk on the business asset or the organization. References = Risk and Information Systems Control Study Manual, Chapter 4, Section 4.3.1, page 4-25.



A risk practitioner is reviewing a vendor contract and finds there is no clause to control privileged access to the organization's systems by vendor employees.
Which of the following is the risk practitioner's BEST course of action?

  1. Contact the control owner to determine if a gap in controls exists.
  2. Add this concern to the risk register and highlight it for management review.
  3. Report this concern to the contracts department for further action.
  4. Document this concern as a threat and conduct an impact analysis.

Answer(s): C

Explanation:

According to the CRISC Review Manual, the contracts department is responsible for drafting, reviewing, and negotiating contracts with vendors and other third parties. The contracts department should ensure that the contracts include adequate clauses and terms to address the risks and controls related to the vendor services and activities. Therefore, the best course of action for the risk practitioner when finding a missing clause to control privileged access to the organization's systems by vendor employees is to report this concern to the contracts department for further action. The contracts department can then revise the contract to include the necessary clause, or seek alternative solutions to mitigate the risk of unauthorized or inappropriate access by vendor employees. References = CRISC Review Manual, page 229.



Which of the following presents the GREATEST concern associated with the use of artificial intelligence (AI) systems?

  1. AI systems need to be available continuously.
  2. AI systems can be affected by bias.
  3. AI systems are expensive to maintain.
  4. AI systems can provide false positives.

Answer(s): B
