ISACA CRISC Exam Questions
Certified in Risk and Information Systems Control (Page 47)

Updated On: 24-Feb-2026

Which of the following is the PRIMARY benefit of implementing key control indicators (KCIs)?

  A. Confirming the adequacy of recovery plans.
  B. Improving compliance with control standards.
  C. Providing early detection of control degradation.
  D. Reducing the number of incidents.

Answer(s): C

Explanation:

Key Control Indicators (KCIs) are metrics used to monitor the performance of controls. Their primary benefit is the early detection of control degradation, allowing organizations to take corrective actions before issues escalate into significant problems.


Reference:

ISACA CRISC Review Manual, 7th Edition, Chapter 3: Risk Response and Reporting, Section: Control Monitoring and Reporting.



Which of the following is the PRIMARY objective for automating controls?

  A. Reducing the need for audit reviews
  B. Facilitating continuous control monitoring
  C. Improving control process efficiency
  D. Complying with functional requirements

Answer(s): B

Explanation:

The primary objective of automating controls is to facilitate continuous control monitoring. Automation enables real-time or near-real-time oversight of control activities, allowing for prompt detection and response to control failures or anomalies. This continuous monitoring enhances the organization's ability to maintain compliance and manage risks effectively.


Reference:

ISACA CRISC Review Manual, 7th Edition, Chapter 4: Information Technology and Security, Section: Control Monitoring and Automation.



Which of the following is MOST important to identify when developing top-down risk scenarios?

  A. Key procedure control gaps
  B. Business objectives
  C. Senior management's risk appetite
  D. Hypothetical scenarios

Answer(s): B

Explanation:

The most important factor to identify when developing top-down risk scenarios is B, Business objectives.

Top-down risk scenarios are based on the organization's strategic goals, objectives, and key performance indicators (KPIs), and they aim to identify the potential events or situations that could prevent or hinder the achievement of those goals and objectives. By identifying the business objectives, the risk practitioner can align the risk scenarios with the organization's mission, vision, and values, and ensure that the risk scenarios are relevant, realistic, and meaningful for senior management and other stakeholders. The other factors are not as important as the business objectives when developing top-down risk scenarios, because they are either more relevant for bottom-up risk scenarios (A and D) or are derived from the business objectives and the risk scenarios (C).



Which of the following is the MOST important consideration when determining the appropriate data retention period throughout the data management life cycle?

  A. Data storage and collection methods
  B. Data owner preferences
  C. Legal and regulatory requirements
  D. Choice of encryption algorithms

Answer(s): C

Explanation:

Legal and regulatory requirements are paramount when determining data retention periods. Compliance with laws such as GDPR, HIPAA, or industry-specific regulations ensures that data is retained appropriately and disposed of when no longer necessary, thereby mitigating legal risks.


Reference:

ISACA CRISC Review Manual, 7th Edition, Chapter 2: IT Risk Assessment, Section: Data Management and Privacy.



The PRIMARY objective of the board of directors periodically reviewing the risk profile is to help ensure:

  A. the risk strategy is appropriate
  B. KRIs and KPIs are aligned
  C. performance of controls is adequate
  D. the risk monitoring process has been established

Answer(s): A

Explanation:

The PRIMARY objective of the board of directors periodically reviewing the risk profile is to help ensure that the risk strategy is appropriate, because the risk strategy defines the enterprise's risk appetite, tolerance, and objectives, and guides the risk management process and activities. The board of directors should review the risk profile to ensure that it reflects the current internal and external environment, and that it aligns with the enterprise's strategy and goals. The other options are not the primary objective, because:

Option B: KRIs and KPIs are aligned is a desirable outcome of the risk strategy, but not the primary objective of the board of directors reviewing the risk profile. KRIs and KPIs are indicators that measure and monitor the risk exposure and performance of the enterprise, respectively, and they should be consistent with the risk strategy and objectives.

Option C: Performance of controls is adequate is a result of the risk response, but not the primary objective of the board of directors reviewing the risk profile. Performance of controls is the degree to which the controls are effective and efficient in mitigating the risks, and it should be evaluated and reported by the risk management function and the internal audit function.

Option D: The risk monitoring process has been established is a prerequisite for the risk profile, but not the primary objective of the board of directors reviewing the risk profile. The risk monitoring process is the process of tracking and reporting the risk status and performance, and it should be implemented and executed by the risk management function and the business process owners.


Reference:

Risk and Information Systems Control Study Manual, 7th Edition, ISACA, 2020, p. 119.
