Cisco
CompTIA
ISC
EC-Council
EXIN
Fortinet
ITIL
Juniper
Microsoft
VMware
Avaya
SAP
Google
NVIDIA
Salesforce
Amazon
Palo Alto Networks
ISC2
Splunk
ServiceNow
All Vendors
  2. Home
  3. Exams
  4. ISACA
  5. CRISC

ISACA CRISC Exam Questions
Certified in Risk and Information Systems Control (Page 53 )

Updated On: 24-Feb-2026
Page 53 of 380
PDF with 1895 Questions

Which of the following provides the MOST helpful information in identifying risk in an organization?

  1. Risk registers
  2. Risk analysis
  3. Risk scenarios
  4. Risk responses

Answer(s): C

Explanation:

Risk scenarios provide the MOST helpful information in identifying risk in an organization, because they describe the possible events, causes, effects, and impacts of a risk on the organization's objectives and processes. Risk scenarios help to identify the sources, drivers, and indicators of risk, as well as the potential consequences and likelihood of occurrence. The other options are not as helpful as risk scenarios, because:

Option A: Risk registers are tools to document and track the identified risks, their characteristics, and their status, but they do not provide information on how to identify risks in the first place.
Option B: Risk analysis is a process to assess the likelihood and impact of the identified risks, and to prioritize them based on their severity, but it does not provide information on how to identify risks in the first place.
Option D: Risk responses are actions to address the identified risks, either by reducing, transferring, avoiding, or accepting them, but they do not provide information on how to identify risks in the first place. References = Risk and Information Systems Control Study Manual, 7th Edition, ISACA, 2020, p. 105.



An organization has decided to commit to a business activity with the knowledge that the risk exposure is higher than the risk appetite.
Which of the following is the risk practitioner's MOST important action related to this decision?

  1. Recommend risk remediation
  2. Change the level of risk appetite
  3. Document formal acceptance of the risk
  4. Reject the business initiative

Answer(s): C

Explanation:

The risk practitioner's most important action related to the decision to commit to a business activity with the knowledge that the risk exposure is higher than the risk appetite is to document formal acceptance of the risk. Formal acceptance of the risk means that the organization acknowledges and agrees to bear the risk and its potential consequences. Formal acceptance of the risk should be documented and approved by the appropriate authority level, such as senior management or the board of directors. Formal acceptance of the risk should also include the rationale, assumptions, and conditions for accepting the risk, as well as the monitoring and reporting mechanisms for the risk. Formal acceptance of the risk provides evidence and accountability for the risk management decision and helps to avoid disputes or misunderstandings in the future. The other options are not as important as documenting formalacceptance of the risk, as they are related to the alternatives, adjustments, or rejections of the risk, not the actual acceptance of the risk. References = Risk and Information Systems Control Study Manual, Chapter 3: IT Risk Response, Section 3.2: IT Risk Response Options, page 133.



After several security incidents resulting in significant financial losses, IT management has decided to outsource the security function to a third party that provides 24/7 security operation services.
Which risk response option has management implemented?

  1. Risk mitigation
  2. Risk avoidance
  3. Risk acceptance
  4. Risk transfer

Answer(s): D

Explanation:

Risk transferinvolves shifting the responsibility for managing specific risks to a third party. By outsourcing the security function, the organization transfers the associated risk to a vendor specializing in security management.



A risk practitioner has observed that risk owners have approved a high number of exceptions to the information security policy.
Which of the following should be the risk practitioner's GREATEST concern?

  1. Security policies are being reviewed infrequently.
  2. Controls are notoperating efficiently.
  3. Vulnerabilities are not being mitigated
  4. Aggregate risk is approaching the tolerance threshold

Answer(s): D

Explanation:

An exception to the information security policy is a permission to continue operating a system, service, or product that cannot comply with the established information security standards and requirements1. A risk owner is a person or entity that has the authority and accountability for a risk and its management2. A risk practitioner is a person or entity that has the knowledge and skills to perform risk management activities3. A high number of exceptions to the information security policy indicates that there are many systems, services, or products that do not meet the expected level of security and pose potential risks to the organization. The risk practitioner's greatest concern should be that the aggregate risk, which is the total amount of risk that the organization faces from all sources, is approaching the tolerance threshold, which is the limit beyond which the organization does not want to tolerate the risk4. If the aggregate risk isapproaching the tolerance threshold, it means that the organization is exposed to a high level of risk that may exceed its risk appetite, which is the amount of risk that the organization is willing to accept to achieve its objectives5. This may result in negative consequences for the organization, such as breaches, losses, damages, or reputational harm. Therefore, the risk practitioner should monitor and report the aggregate risk level and the tolerance threshold, and advise the risk owners and the management on the appropriate risk responses and actions to reduce the aggregate risk to an acceptable level. Security policies are being reviewed infrequently, controls are not operating efficiently, and vulnerabilities are not being mitigated are not the risk practitioner's greatest concern, as they are not directly related to the aggregate risk level and the tolerance threshold. Security policies are being reviewed infrequently is a condition that indicates that the organization's security policies are not updated or revised regularly to reflect the changes and updates in the security environment and the security requirements6. This may affect the relevance and effectiveness of the security policies, but it does not necessarilyincrease the aggregate risk level or the tolerance threshold. Controls are not operating efficiently is a condition thatindicates that the organization's controls, which are the measures or actions taken to manage or mitigate the risks, are not performing well or optimally7. This may affect the quality and performance of the controls, but it does not necessarily increase the aggregate risk level or the tolerance threshold. Vulnerabilities are not being mitigated is a condition that indicates that the organization's vulnerabilities, which are the weaknesses or gaps that may be exploited by the threats, are not being addressed or reduced8. This may increase the likelihood or impact of the risks, but it does not necessarily increase the aggregate risk level or the tolerance threshold. References = 1: IT/Information Security Exception Request Process2: [Risk Ownership - Risk Management] 3: [Risk Practitioner - ISACA] 4: Risk Threshold: Definition, Meaning & Example - PM Study Circle5: Risk Appetite vs Risk Tolerance vs Risk Threshold - projectcubicle6: [Security Policy Review and Update - SANS Institute] 7: [Control Effectiveness and Efficiency - ISACA] 8: [Vulnerability Management - ISACA] : [Risk andInformation Systems Control Study Manual, Chapter 1: IT Risk Identification, Section 1.1: IT Risk Concepts, pp. 17-19.] : [Risk and Information Systems Control Study Manual, Chapter 2: IT Risk Assessment, Section 2.1: Risk Identification, pp. 57-59.] : [Risk and Information Systems Control Study Manual, Chapter 4: Risk and Control Monitoring and Reporting, Section 4.2: Risk Monitoring, pp. 189-191.] : [Risk and Information Systems Control Study Manual, Chapter 5: Information Systems Control Design and Implementation, Section 5.1: Control Design, pp. 233-235.] : [Risk and Information Systems Control Study Manual, Chapter 5: Information Systems Control Design and Implementation, Section 5.2: Control Implementation, pp. 243-245.] : [Risk and Information Systems Control Study Manual, Chapter 5: Information Systems Control Design and Implementation, Section 5.3: Control Monitoring and Maintenance, pp. 251-253.]



Which of the following is the MOST important key performance indicator (KPI) to monitor the effectiveness of disaster recovery processes?

  1. Percentage of IT systems recovered within the mean time to restore (MTTR) during the disaster recovery test
  2. Percentage of issues arising from the disaster recovery test resolved on time
  3. Percentage of IT systems included in the disaster recovery test scope
  4. Percentage of IT systems meeting the recovery time objective (RTO) during the disaster recovery test

Answer(s): D

Explanation:

The most important key performance indicator (KPI) to monitor the effectiveness of disaster recovery processes is the percentage of IT systems meeting the recovery time objective (RTO) during the disaster recovery test. The RTO is the maximum acceptable time that a system orprocess can be unavailable after a disruption. The disaster recovery test is a simulation of a disaster scenario to evaluate the readiness and capability of the organization to restore its critical functions and systems. By measuring the percentage ofIT systems meeting the RTO during the test, the organization can assess how well the disaster recovery processes meet the predefined objectives and standards. Percentage of IT systems recovered within the mean time to restore (MTTR), percentage of issues arising from the disaster recovery test resolved on time, and percentage of IT systems included in the disaster recovery test scope are other possible KPIs, but they are not as important as the percentage of IT systems meeting the RTO. References = ISACA Certified in Risk and Information Systems Control (CRISC) Certification Exam Question and Answers, question 12; CRISC Review Manual, 6th Edition, page 215.






Post your Comments and Discuss ISACA CRISC exam dumps with other Community members:

Join the CRISC Discussion