ISACA CRISC Exam Questions
Certified in Risk and Information Systems Control (Page 48)

Updated On: 24-Feb-2026

Which of the following is a drawback in the use of quantitative risk analysis?

  A. It assigns numeric values to exposures of assets.
  B. It requires more resources than other methods.
  C. It produces the results in numeric form.
  D. It is based on impact analysis of information assets.

Answer(s): B

Explanation:

The drawback in the use of quantitative risk analysis is that it requires more resources than other methods. Quantitative risk analysis is a method of risk analysis that assigns numeric values to the exposures of assets, the impact and likelihood of risk events, and the cost and benefit of risk responses. Quantitative risk analysis can provide more precise and objective results, and support the risk-based decision-making process. However, quantitative risk analysis also requires more resources than other methods, such as data, time, expertise, and tools, to collect, validate, and analyze the quantitative information, and to perform the complex calculations and simulations. Quantitative risk analysis may also be limited by the availability, reliability, and accuracy of the data, and by the assumptions and models used. Assigning numeric values to exposures of assets, producing the results in numeric form, and being based on impact analysis of information assets are not drawbacks, but characteristics of quantitative risk analysis. References = CRISC Review Manual, 6th Edition, ISACA, 2015, page 49.



An organization has made a decision to purchase a new IT system. During which phase of the system development life cycle (SDLC) will identified risk MOST likely lead to architecture and design trade-offs?

  A. Acquisition
  B. Implementation
  C. Initiation
  D. Operation and maintenance

Answer(s): A

Explanation:

The acquisition phase of the system development life cycle (SDLC) is the phase where the organization decides to purchase a new IT system from an external vendor or develop it internally. During this phase, the identified risks will most likely lead to architecture and design trade-offs, as the organization will have to balance the cost, quality, functionality, security, and performance of the new IT system. The organization will have to evaluate the different options and alternatives available, and select the one that best meets the business needs and the risk appetite. The other phases of the SDLC are not as likely to involve architecture and design trade-offs, as they are more focused on implementing, testing, deploying, and maintaining the new IT system. References = Risk and Information Systems Control Study Manual, Chapter 3: IT Risk Response, Section 3.2: IT Risk Response Options, page 133.



Which of the following is the MOST effective way to identify an application backdoor prior to implementation?

  A. User acceptance testing (UAT)
  B. Database activity monitoring
  C. Source code review
  D. Vulnerability analysis

Answer(s): C

Explanation:

A source code review is the process of examining and analyzing the source code of an application to identify any vulnerabilities, errors, or flaws that may compromise the security, functionality, or performance of the application. A source code review is the most effective way to identify an application backdoor prior to implementation, as it can detect any hidden or unauthorized code that may allow unauthorized access, bypass security controls, or execute malicious commands. A source code review can also help to improve the quality and reliability of the application, and ensure compliance with the coding standards and best practices. References = CRISC Review Manual, 7th Edition, page 181.



Which of the following would be a weakness in procedures for controlling the migration of changes to production libraries?

  A. The programming project leader solely reviews test results before approving the transfer to production.
  B. Test and production programs are in distinct libraries.
  C. Only operations personnel are authorized to access production libraries.
  D. A synchronized migration of executable and source code from the test environment to the production environment is allowed.

Answer(s): A

Explanation:

The programming project leader solely reviewing test results before approving the transfer to production would be a weakness in procedures for controlling the migration of changes to production libraries, because it violates the principle of segregation of duties, and it exposes the production libraries to the risk of unauthorized or erroneous changes. The programming project leader is responsible for developing and testing the changes, but not for approving and deploying them. The approval and deployment of the changes should be done by an independent and authorized party, such as the change control board or the operations manager. The other options are not weaknesses, but rather good practices, because:

Option B: Test and production programs being in distinct libraries is a good practice, because it prevents the accidental or intentional overwriting or mixing of the test and production programs, and it ensures the integrity and security of the production libraries.

Option C: Only operations personnel being authorized to access production libraries is a good practice, because it restricts the access and modification of the production libraries to the qualified and accountable staff, and it prevents the unauthorized or inappropriate access or modification of the production libraries by other parties.

Option D: A synchronized migration of executable and source code from the test environment to the production environment being allowed is a good practice, because it ensures the consistency and completeness of the changes, and it avoids the potential errors or discrepancies that may arise from the manual or partial migration of the changes.

References = Risk and Information Systems Control Study Manual, 7th Edition, ISACA, 2020, p. 215.



An organization has raised the risk appetite for technology risk. The MOST likely result would be:

  A. increased inherent risk.
  B. higher risk management cost.
  C. decreased residual risk.
  D. lower risk management cost.

Answer(s): D

Explanation:

The risk appetite of an organization is the amount and type of risk that it is willing to accept in pursuit of its objectives. Technology risk is the risk related to the use of information and technology in the organization. If an organization has raised its risk appetite for technology risk, it means that it is willing to accept more risk in exchange for more potential benefits from technology initiatives. This would likely result in lower risk management cost, as the organization would spend less on implementing and maintaining controls to mitigate technology risk. The other options are not the most likely results of raising the risk appetite for technology risk. Inherent risk is the risk before considering the effect of controls, and it is not directly affected by the risk appetite. Higher risk management cost would be the opposite of the expected outcome, as the organization would reduce its risk management efforts. Residual risk is the risk after considering the effect of controls, and a decrease in it would also be the opposite of the expected outcome, as the organization would accept more risk exposure. References = Organisations must define their IT risk appetite and tolerance; IT Risk Resources; CRISC | What Accurate CRISC Free Download Is
