ISACA CRISC Exam Questions
Certified in Risk and Information Systems Control (Page 5)

Updated On: 21-Feb-2026

Which of the following would present the MOST significant risk to an organization when updating the incident response plan?

  1. Obsolete response documentation
  2. Increased stakeholder turnover
  3. Failure to audit third-party providers
  4. Undefined assignment of responsibility

Answer(s): D

Explanation:

The most significant risk to an organization when updating the incident response plan is the undefined assignment of responsibility. An incident response plan is a document that defines the roles, responsibilities, procedures, and resources for responding to an incident that could disrupt the normal operations of the organization, or compromise its assets, reputation, or compliance. An incident response plan should clearly assign the responsibility for each task and activity involved in the incident response process, such as detection, containment, analysis, eradication, recovery, and reporting. Undefined assignment of responsibility could lead to confusion, duplication, conflict, or omission among the stakeholders, and impair the effectiveness and efficiency of the incident response process. Undefined assignment of responsibility could also increase the risk of escalation, recurrence, or impact of the incident, and affect the accountability and performance of the organization. Obsolete response documentation, increased stakeholder turnover, and failure to audit third-party providers are also risks, but they are not as significant as undefined assignment of responsibility, as they do not directly affect the execution and outcome of the incident response process. References = CRISC Review Manual, 6th Edition, ISACA, 2015, page 130.



Which of the following would present the GREATEST challenge for a risk practitioner during a merger of two organizations?

  1. Variances between organizational risk appetites
  2. Different taxonomies to categorize risk scenarios
  3. Disparate platforms for governance, risk, and compliance (GRC) systems
  4. Dissimilar organizational risk acceptance protocols

Answer(s): A

Explanation:

The greatest challenge for a risk practitioner during a merger of two organizations is the variances between organizational risk appetites, as they may indicate a significant difference in the risk culture, strategy, and objectives of the two organizations, and may require a complex and lengthy process of alignment and integration. Different taxonomies to categorize risk scenarios, disparate platforms for governance, risk, and compliance (GRC) systems, and dissimilar organizational risk acceptance protocols are not the greatest challenges, as they are more related to the technical, operational, or procedural aspects of risk management, rather than the strategic or cultural aspects of risk management. References = CRISC Review Manual, 7th Edition, page 109.



Which of the following is the MOST important for an organization to have in place to ensure IT asset protection?

  1. Procedures for risk assessments on IT assets
  2. An IT asset management checklist
  3. An IT asset inventory populated by an automated scanning tool
  4. A plan that includes processes for the recovery of IT assets

Answer(s): A

Explanation:

To ensure IT asset protection, having procedures for risk assessments on IT assets is the most important. These procedures enable an organization to systematically identify, evaluate, and mitigate risks associated with its IT assets. This process is crucial for understanding the vulnerabilities and threats that could potentially harm the assets and for implementing the necessary controls to protect them.

Procedures for Risk Assessments on IT Assets (Answer A):
Importance: Regular risk assessments help in identifying vulnerabilities and threats to IT assets, allowing the organization to prioritize and implement appropriate risk mitigation strategies.
Implementation: These procedures should be well-documented and regularly updated to reflect the changing threat landscape and the organization's evolving IT infrastructure.
Outcome: Effective risk assessments ensure that IT assets are protected from potential risks, thereby safeguarding the organization's data, systems, and overall IT environment.

Comparison with Other Options:

B. An IT asset management checklist:
Purpose: This helps in tracking and managing IT assets.
Limitation: It does not address risk assessment and mitigation directly.

C. An IT asset inventory populated by an automated scanning tool:
Purpose: Provides a detailed list of IT assets.
Limitation: While it helps in knowing what assets exist, it does not assess the risks associated with those assets.

D. A plan that includes processes for the recovery of IT assets:
Purpose: Focuses on recovery after an incident.
Limitation: It is reactive rather than proactive in protecting assets.


Reference:

ISACA CRISC Review Manual, Chapter 2, "IT Risk Assessment", which emphasizes the need for systematic risk assessments to manage and protect IT assets effectively.



Which of the following is the MOST reliable validation of a new control?

  1. Approval of the control by senior management
  2. Complete and accurate documentation of control objectives
  3. Control owner attestation of control effectiveness
  4. Internal audit review of control design

Answer(s): D

Explanation:

Internal Audit Review:
An internal audit review of control design involves a thorough examination of the control's structure, implementation, and effectiveness.
Auditors use a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

Steps in Audit Review:
Understand Control Objectives: Auditors ensure that the control is designed to meet specific risk management objectives.
Evaluate Implementation: Check whether the control has been implemented as designed.
Test Effectiveness: Perform tests to verify that the control operates effectively and consistently over time.

Importance of Audit Review:
Provides independent and objective assurance that the control is appropriately designed and functioning as intended.
Identifies any deficiencies or areas for improvement in the control design.

Comparing Other Validation Methods:
Senior Management Approval: Indicates support but does not validate effectiveness.
Documentation of Control Objectives: Important for understanding intent but not validation.
Control Owner Attestation: Provides insight but lacks the independence of an audit.


Reference:

The CRISC Review Manual highlights the role of internal audits in validating control design and ensuring effective risk management (CRISC Review Manual, Chapter 3: Risk Response and Mitigation, Section 3.9 Control Testing and Effectiveness Evaluation).



After conducting a risk assessment for regulatory compliance, an organization has identified only one possible mitigating control. The cost of the control has been determined to be higher than the penalty of noncompliance.
Which of the following would be the risk practitioner's BEST recommendation?

  1. Accept the risk with management sign-off.
  2. Ignore the risk until the regulatory body conducts a compliance check.
  3. Mitigate the risk with the identified control.
  4. Transfer the risk by buying insurance.

Answer(s): A

Explanation:

· Risk acceptance is a status quo risk response, where the risk owner acknowledges the risk exists but accepts it with minimal response [1]. Risk acceptance may be appropriate when the cost of other risk responses exceeds the value that would be gained, or when the risk is below the risk acceptance criteria [2].
· Risk acceptance criteria are the criteria used as a basis for decisions about acceptable risk [2]. They should be established before conducting a risk assessment, and they may be influenced by factors such as utility, equality, technology, and risk perception [2]. Different organizations and countries may have different risk acceptance criteria, depending on their context and values [3].
· In this scenario, the organization has conducted a risk assessment for regulatory compliance and has identified only one possible mitigating control. However, the cost of the control is higher than the penalty of noncompliance, which implies that the risk is below the risk acceptance criteria. Therefore, the best recommendation is to accept the risk with management sign-off, which means that management agrees to take the risk and is accountable for the consequences.
· Ignoring the risk until the regulatory body conducts a compliance check (option B) is not a good recommendation, as it may expose the organization to legal, financial, or reputational damage. Moreover, ignoring the risk may violate the principle of risk reduction, which states that risks should be reduced wherever practicable [2].
· Mitigating the risk with the identified control (option C) is not a good recommendation, as it may not be cost-effective or efficient for the organization. The cost of the control is higher than the penalty of noncompliance, which means that the organization would spend more resources than necessary to reduce the risk. Moreover, mitigating the risk may not be aligned with the principle of utility, which states that resources should be used as efficiently as possible for society as a whole [2].
· Transferring the risk by buying insurance (option D) is not a good recommendation, as it may not be feasible or beneficial for the organization. Transferring the risk means that the organization shifts the responsibility or burden of the risk to another party, such as an insurer, a contractor, or a partner [1]. However, transferring the risk does not eliminate the risk, and it may incur additional costs or complications for the organization. Moreover, transferring the risk may not be possible or acceptable for some types of regulatory compliance risks, such as those related to health, safety, or environmental standards [3].


Reference:

· Compliance risk assessments - Deloitte United States
· Compliance Risk Assessment [5 Key Steps] | Hyperproof
· Compliance Risk Assessments | Deloitte US
· Risk Acceptance Criteria: Overview of ALARP and Similar Methodologies as Practiced Worldwide
· Risk Assessment 4. Risk acceptance criteria - Norwegian University of Science and Technology
· Risk Acceptance - Institute of Internal Auditors

