ISACA CRISC Exam Questions
Certified in Risk and Information Systems Control (Page 52)

Updated On: 24-Feb-2026

After the review of a risk record, internal audit questioned why the risk was lowered from medium to low.
Which of the following is the BEST course of action in responding to this inquiry?

  A. Obtain industry benchmarks related to the specific risk.
  B. Provide justification for the lower risk rating.
  C. Notify the business at the next risk briefing.
  D. Reopen the risk issue and complete a full assessment.

Answer(s): B

Explanation:

The best course of action in responding to the internal audit inquiry is to provide justification for the lower risk rating. This would demonstrate that the risk record was updated based on a valid and documented rationale, such as changes in the risk environment, risk drivers, risk indicators, or risk responses. Providing justification would also help to maintain the transparency and accountability of the risk management process, and ensure that the internal audit is satisfied with the risk assessment outcome. References: Risk and Information Systems Control Study Manual, 7th Edition, Chapter 4, Section 4.2.3, page 184.



An organization's control environment is MOST effective when:

  A. Control designs are reviewed periodically.
  B. Controls perform as intended.
  C. Controls are implemented consistently.
  D. Controls operate efficiently.

Answer(s): B

Explanation:

An organization's control environment is most effective when the controls perform as intended. Controls are the mechanisms or measures that are designed and implemented to prevent, detect, or correct the risks that may affect the achievement of the objectives. Controls perform as intended when they provide reasonable assurance that the risks are mitigated or managed to an acceptable level, and that the objectives are met or exceeded. The performance of the controls can be measured and evaluated by using key performance indicators (KPIs) and key risk indicators (KRIs). The other options are not as indicative of the effectiveness of the control environment, as they relate to the review, implementation, or efficiency of the controls, not to the performance or assurance of the controls. References: Risk and Information Systems Control Study Manual, Chapter 2: IT Risk Assessment, Section 2.3: IT Control Assessment, page 69.



Which of the following BEST enables risk-based decision making in support of a business continuity plan (BCP)?

  A. Impact analysis
  B. Control analysis
  C. Root cause analysis
  D. Threat analysis

Answer(s): A

Explanation:

The best tool to enable risk-based decision making in support of a business continuity plan (BCP) is an impact analysis. An impact analysis is a process of identifying and evaluating the potential effects of an interruption or disruption of business operations on the organization's critical functions, processes, and resources. An impact analysis can help to determine the recovery priorities, objectives, and strategies for the BCP. Control analysis, root cause analysis, and threat analysis are other possible tools, but they are not as effective as an impact analysis. References: ISACA Certified in Risk and Information Systems Control (CRISC) Certification Exam Question and Answers, question 12; CRISC Review Manual, 6th Edition, page 215.



Which of the following poses the GREATEST risk to an organization's operations during a major IT transformation?

  A. Lack of robust awareness programs
  B. Infrequent risk assessments of key controls
  C. Rapid changes in IT procedures
  D. Unavailability of critical IT systems

Answer(s): D

Explanation:

Unavailability of critical IT systems poses the greatest risk to an organization's operations during a major IT transformation, because it can disrupt the business continuity, productivity, and performance of the organization. Unavailability of critical IT systems can also cause financial, reputational, or legal damage to the organization, and affect the quality and delivery of products or services to customers. The other options are not the greatest risks, although they may also pose some challenges or threats to the organization during a major IT transformation. Lack of robust awareness programs, infrequent risk assessments of key controls, and rapid changes in IT procedures are examples of management or process risks that can affect the planning, execution, or monitoring of the IT transformation, but they do not have the same impact or severity as the unavailability of critical IT systems. References: CRISC: Certified in Risk & Information Systems Control Sample Questions



Which of the following is the MOST important success factor when introducing risk management in an organization?

  A. Implementing a risk register
  B. Defining a risk mitigation strategy and plan
  C. Assigning risk ownership
  D. Establishing executive management support

Answer(s): D

Explanation:

Establishing executive management support is the most important success factor when introducing risk management in an organization. This is because executive management support can help ensure that risk management is aligned with the organization's vision, mission, and strategy, as well as provide the necessary resources, authority, and accountability for risk management activities. Executive management support can also help foster a risk-aware culture, promote stakeholder engagement, and facilitate risk communication and reporting. According to the CRISC Review Manual 2022, one of the key elements of IT governance is to obtain executive management support and commitment for risk management. Executive management support is also widely cited as a critical success factor for risk management across contexts and industries.
