ISACA CRISC Exam Questions
Certified in Risk and Information Systems Control (Page 46)

Updated On: 24-Feb-2026

Which of the following is the MOST important consideration when performing a risk assessment of a fire suppression system within a data center?

  A. Insurance coverage
  B. Onsite replacement availability
  C. Maintenance procedures
  D. Installation manuals

Answer(s): C

Explanation:

The MOST important consideration when performing a risk assessment of a fire suppression system within a data center is the maintenance procedures, because they are what keep the system functioning properly and reliably so that it can prevent or minimize the damage caused by a fire. Maintenance procedures should include regular testing, inspection, and servicing of the fire suppression components, such as sprinklers, detectors, alarms, and extinguishers. The other options are less important than the maintenance procedures:

Option A: Insurance coverage is a financial measure that can compensate for loss or damage caused by a fire, but it does not prevent or reduce the likelihood or impact of the fire itself. Insurance coverage also depends on the terms and conditions of the policy, which may not cover every scenario or cost of a fire incident.

Option B: Onsite replacement availability is a contingency measure that can speed up recovery or restoration of the fire suppression system after an incident, but it does not prevent or reduce the likelihood or impact of the incident. It also depends on the availability and compatibility of replacement parts, which may not match the original system's specifications or requirements.

Option D: Installation manuals are a reference that explains how to install or configure the fire suppression system, but they do not ensure that the system is functioning properly and reliably. They are also static documents that may not reflect current fire suppression standards or practices.

References = Risk and Information Systems Control Study Manual, 7th Edition, ISACA, 2020, p. 211.



Which of the following is the BEST way to validate the results of a vulnerability assessment?

  A. Perform a penetration test.
  B. Review security logs.
  C. Conduct a threat analysis.
  D. Perform a root cause analysis.

Answer(s): A

Explanation:

According to the CRISC Review Manual (Digital Version), the best way to validate the results of a vulnerability assessment is to perform a penetration test, which is a type of security testing that simulates an attack on the IT assets and processes to exploit the identified vulnerabilities and evaluate the potential impact and severity of the attack.

Performing a penetration test helps to:
- Confirm the existence and exploitability of the vulnerabilities detected by the vulnerability assessment
- Measure the effectiveness and efficiency of the existing security controls and countermeasures
- Identify and prioritize the risks and gaps in the security posture of the IT assets and processes
- Recommend and implement appropriate remediation and mitigation actions to address the vulnerabilities and risks
- Enhance the security awareness and resilience of the organization

References = CRISC Review Manual (Digital Version), Chapter 1: IT Risk Identification, Section 1.5: IT Risk Identification Methods and Techniques, pp. 36-37



Which of the following BEST helps to balance the costs and benefits of managing IT risk?

  A. Prioritizing risk responses
  B. Evaluating risk based on frequency and probability
  C. Considering risk factors that can be quantified
  D. Managing the risk by using controls

Answer(s): A

Explanation:

Prioritizing risk responses helps to balance the costs and benefits of managing IT risk by ensuring that the most significant risks are addressed first and that the resources allocated to risk management are used efficiently and effectively. Evaluating risk based on frequency and probability is a part of risk analysis, not risk response. Considering risk factors that can be quantified is also a part of risk analysis, and it does not necessarily capture all the relevant aspects of risk. Managing the risk by using controls is a possible risk response, but it does not guarantee that the costs and benefits of risk management are balanced, as some controls may be too expensive or ineffective for the level of risk they mitigate. References = Risk and Information Systems Control Study Manual, Chapter 4: Risk Response, page 145.



Which of the following will provide the BEST measure of compliance with IT policies?

  A. Evaluate past policy review reports.
  B. Conduct regular independent reviews.
  C. Perform penetration testing.
  D. Test staff on their compliance responsibilities.

Answer(s): B

Explanation:

Conducting regular independent reviews provides the best measure of compliance with IT policies, because it verifies that the policies are actually implemented and followed consistently and effectively across the organization. Independent reviews can also identify gaps, weaknesses, or violations in the compliance process and recommend corrective actions or improvements. They can be performed by internal or external auditors, regulators, or consultants, depending on the scope and purpose of the review.

Evaluating past policy review reports, performing penetration testing, and testing staff on their compliance responsibilities are not the best measures of compliance with IT policies, although they may be useful or complementary methods. Evaluating past policy review reports provides historical and comparative data, but it may not reflect the current compliance status. Performing penetration testing assesses the security and vulnerabilities of IT systems and networks, but it does not measure compliance with all IT policies, such as those related to governance, operations, or quality. Testing staff on their compliance responsibilities evaluates the awareness and knowledge of the staff, but it does not measure their actual behaviour or performance in complying with the IT policies.

References = Risk and Information Systems Control Study Manual, Chapter 5: Risk and Control Monitoring and Reporting, page 187.



The MAIN purpose of selecting a risk response is to:

  A. ensure compliance with local regulatory requirements.
  B. demonstrate the effectiveness of risk management practices.
  C. ensure organizational awareness of the risk level.
  D. mitigate the residual risk to be within tolerance.

Answer(s): D

Explanation:

The main purpose of selecting a risk response is to mitigate the residual risk to be within tolerance. Residual risk is the risk that remains after applying a risk response. Risk tolerance is the amount and type of risk that an organization is willing to accept in order to achieve its objectives. Risk response is the process of selecting and implementing actions to address risk. The goal of risk response is to reduce the residual risk to a level that is acceptable to the organization and its stakeholders. The other options are not the main purpose of selecting a risk response, although they may be secondary benefits or outcomes. References = Risk and Information Systems Control Study Manual, Chapter 4, Section 4.3.1, page 4-23.
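The two explanations above (prioritizing risk responses so that cost and benefit balance, and selecting responses so that residual risk falls within tolerance) describe a procedure that is easier to see with numbers. The following is an added worked example, not code or figures from the ISACA manual or from this page: it applies the standard quantitative model ALE = SLE x ARO (annualized loss expectancy = single loss expectancy x annual rate of occurrence), treats each candidate control as a multiplier on SLE or ARO, and greedily picks the control with the largest positive net benefit (annual loss avoided minus annual cost) until every risk's residual ALE is within a stated tolerance. The risk register, control effects, costs and the tolerance figure are all constructed sample data.

```python
"""Cost/benefit prioritisation of IT risk responses against a risk tolerance.

Added worked example, not from the ISACA study manual. It uses the textbook
quantitative model ALE = SLE x ARO (annualised loss expectancy = single loss
expectancy x annual rate of occurrence). Every risk, response, cost and the
tolerance figure below is constructed sample data for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    sle: float   # single loss expectancy: loss per event, in currency units
    aro: float   # annual rate of occurrence: expected events per year

    @property
    def ale(self) -> float:
        return self.sle * self.aro


@dataclass(frozen=True)
class Response:
    name: str
    risk: str                # name of the risk this response addresses
    annual_cost: float       # annualised cost of operating the control
    aro_factor: float = 1.0  # multiplier on ARO once applied (1.0 = no effect)
    sle_factor: float = 1.0  # multiplier on SLE once applied (1.0 = no effect)


def residual_ale(risk: Risk, applied: list) -> float:
    """ALE of `risk` after the responses in `applied`; factors compound."""
    sle, aro = risk.sle, risk.aro
    for resp in applied:
        if resp.risk == risk.name:
            sle *= resp.sle_factor
            aro *= resp.aro_factor
    return sle * aro


def net_benefit(risk: Risk, resp: Response, applied: list) -> float:
    """Annual loss avoided by adding `resp` on top of `applied`, minus its cost.
    Negative means the control costs more than the risk it removes."""
    before = residual_ale(risk, applied)
    after = residual_ale(risk, applied + [resp])
    return (before - after) - resp.annual_cost


def prioritise(risks, responses, tolerance):
    """Greedy selection: while some risk's residual ALE exceeds `tolerance`,
    pick the candidate response with the highest positive net benefit.
    Returns (selected responses in order, residual ALE per risk, unselected
    responses, names of risks still above tolerance). Risks still above
    tolerance need explicit owner acceptance or a different response type
    (transfer, avoidance) rather than a control that costs more than it saves."""
    by_name = {r.name: r for r in risks}
    selected, remaining = [], list(responses)
    while True:
        over = [n for n, r in by_name.items() if residual_ale(r, selected) > tolerance]
        if not over:
            break
        best, best_nb = None, 0.0
        for resp in remaining:
            if resp.risk in over:
                nb = net_benefit(by_name[resp.risk], resp, selected)
                if nb > best_nb:
                    best, best_nb = resp, nb
        if best is None:   # no remaining response pays for itself
            break
        selected.append(best)
        remaining.remove(best)
    residual = {n: residual_ale(r, selected) for n, r in by_name.items()}
    still_over = [n for n, v in residual.items() if v > tolerance]
    return selected, residual, remaining, still_over


# Constructed sample register (hypothetical figures, not real data).
TOLERANCE = 25_000.0   # maximum acceptable annualised loss per risk
RISKS = [
    Risk("Ransomware on file server", sle=400_000, aro=0.5),
    Risk("Data centre fire", sle=2_000_000, aro=0.01),
    Risk("Laptop theft", sle=5_000, aro=2.0),
]
RESPONSES = [
    Response("Offline, tested backups", "Ransomware on file server", 30_000, sle_factor=0.25),
    Response("Endpoint detection and response", "Ransomware on file server", 60_000, aro_factor=0.4),
    Response("Network segmentation", "Ransomware on file server", 10_000, aro_factor=0.6),
    Response("Laptop asset tracking", "Laptop theft", 4_000, aro_factor=0.5),
]


def plan():
    """Run the prioritisation over the constructed sample register."""
    return prioritise(RISKS, RESPONSES, TOLERANCE)


if __name__ == "__main__":
    selected, residual, unselected, still_over = plan()
    for r in RISKS:
        print(f"{r.name}: inherent ALE {r.ale:,.0f} -> residual {residual[r.name]:,.0f}")
    print("Selected:", [s.name for s in selected])
    print("Not cost-justified or not needed:", [u.name for u in unselected])
    print("Still above tolerance (accept, transfer or avoid):", still_over)
```

Run it directly to print the plan. Two things the numbers show that the explanations only state: the benefit of a second control on the same risk is computed on the already reduced ALE, so the endpoint detection control, which is worthwhile in isolation, no longer pays for itself once backups are in place; and a risk can remain above tolerance after every cost-justified control is applied, at which point the residual risk must be explicitly accepted by the risk owner or addressed with another response type (transfer, avoid) rather than hidden by buying a control that costs more than it saves. Responses for risks already within tolerance are left unselected, which is the resource-allocation point behind answer A of the cost/benefit question.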

