ISACA CRISC Exam Questions
Certified in Risk and Information Systems Control (Page 55)

Updated On: 24-Feb-2026

Which of the following represents a vulnerability?

  A. An identity thief seeking to acquire personal financial data from an organization
  B. Media recognition of an organization's market leadership in its industry
  C. A standard procedure for applying software patches two weeks after release
  D. An employee recently fired for insubordination

Answer(s): C

Explanation:

A vulnerability is a weakness or gap in a system, application, network, or process that a threat can exploit to cause harm or gain unauthorized access. Vulnerabilities arise from design flaws, coding errors, configuration errors, outdated software, or weak operating procedures.
Of the four options, only C describes a vulnerability. A standard procedure that waits two weeks after a patch is released leaves the organization running software with publicly known, already-fixed flaws for that entire window. Once a vendor publishes a fix, attackers can read the advisory or diff the patch and exploit the flaw on systems that have not yet applied it, so the delay is itself a weakness in the organization's controls; the exposure is especially serious for internet-facing or business-critical systems. A patching procedure should therefore prioritize by severity and exploitation status rather than apply one fixed delay to every patch. Option A is a threat (a threat actor seeking to obtain data), not a weakness in the organization; option B concerns reputation and is not a security weakness at all; option D is at most a potential threat source (a disgruntled former employee), not a gap in the organization's controls. References = What is a Vulnerability?, Vulnerability Definition & Meaning - Merriam-Webster, Vulnerability Patching: A Resource Guide - Rezilion, Why is Software Vulnerability Patching Crucial for Your Software and ...



Which of the following analyses is MOST useful for prioritizing risk scenarios associated with loss of IT assets?

  A. SWOT analysis
  B. Business impact analysis (BIA)
  C. Cost-benefit analysis
  D. Root cause analysis

Answer(s): B

Explanation:

Business impact analysis (BIA) is the most useful analysis for prioritizing risk scenarios associated with loss of IT assets, because it evaluates the consequences of disrupting critical business functions and processes, including the financial, operational, and regulatory impact as the outage lengthens, and so ranks which assets and recovery needs matter most. SWOT analysis assesses strategic strengths, weaknesses, opportunities, and threats; cost-benefit analysis compares the cost of a control with the benefit it delivers; and root cause analysis explains why an incident occurred. Each is useful for its own purpose, but none directly measures the business impact of losing an IT asset, which is the basis on which such scenarios are prioritized. References = Risk and Information Systems Control Study Manual, Chapter 4, Section 4.2.1, page 143



Which of the following BEST reduces the risk associated with the theft of a laptop containing sensitive information?

  A. Cable lock
  B. Data encryption
  C. Periodic backup
  D. Biometric access control

Answer(s): B

Explanation:

The best way to reduce the risk associated with the theft of a laptop containing sensitive information is data encryption. Encryption transforms the data into an unreadable form using a secret key, so that even if the laptop is stolen, the thief cannot read or use the data without that key. Encryption also supports compliance with laws, regulations, standards, and contracts that require sensitive data to be protected. Two caveats apply in practice: the protection holds only if the key cannot be recovered from the stolen device (full-disk encryption with pre-boot authentication, the key not stored unprotected on the same disk, and the laptop powered off or locked so the key is no longer in memory), and a weak passphrase protecting the key undermines the whole control. The other options provide some protection but do not address disclosure once the laptop is gone. A cable lock only deters the theft itself; a periodic backup preserves availability of the data but does nothing for its confidentiality; and biometric access control protects the login, but an unencrypted disk can simply be removed and read in another machine.
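The explanation above says the thief "cannot access or use the data without the proper key". The following Go program, added here as an illustration and not part of the ISACA material, shows what that property looks like in code: a record is sealed with AES-256-GCM (an authenticated cipher, so a wrong key or a tampered ciphertext is rejected outright rather than yielding garbage), and a simulated thief holding the ciphertext but a different key is refused. The function names, the sample record, and the choice of AES-256-GCM are assumptions for this example; a real laptop would rely on the operating system's full-disk encryption rather than application code like this.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// sealRecord encrypts plaintext under a 32-byte key with AES-256-GCM.
// Output layout: 12-byte random nonce || ciphertext || 16-byte GCM tag.
// A fresh random nonce per call is mandatory: reusing a nonce under the
// same key breaks both confidentiality and integrity of GCM.
func sealRecord(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext+tag to the nonce so the blob is self-describing.
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// openRecord reverses sealRecord. It fails closed: a wrong key, a truncated
// blob, or a single flipped bit produces an error, never a wrong plaintext.
func openRecord(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, nil)
}

// newKey returns a random 256-bit key. On a real laptop this key would be
// derived from the user's passphrase or unsealed by a TPM, never stored in
// the clear next to the data it protects.
func newKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}

// stolenLaptopDemo models the exam scenario: the owner can read the record,
// the thief (holding the ciphertext but a different key) is refused, and a
// thief who edits the ciphertext is detected. All three results are returned
// so they can be checked rather than only printed.
func stolenLaptopDemo() (ownerOK, thiefRefused, tamperDetected bool, err error) {
	record := []byte("name=J. Doe;account=XXXX;balance=12345.67") // constructed sample
	ownerKey, err := newKey()
	if err != nil {
		return
	}
	blob, err := sealRecord(ownerKey, record)
	if err != nil {
		return
	}
	got, err := openRecord(ownerKey, blob)
	if err != nil {
		return
	}
	ownerOK = bytes.Equal(got, record)

	thiefKey, err := newKey()
	if err != nil {
		return
	}
	_, openErr := openRecord(thiefKey, blob)
	thiefRefused = openErr != nil

	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)/2] ^= 0x01 // flip one bit in the ciphertext body
	_, tamperErr := openRecord(ownerKey, tampered)
	tamperDetected = tamperErr != nil
	return
}

func main() {
	ownerOK, thiefRefused, tamperDetected, err := stolenLaptopDemo()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("owner can read: %v, thief refused: %v, tamper detected: %v\n",
		ownerOK, thiefRefused, tamperDetected)
}
```

The point for the exam question is the contrast with the other options: the cable lock, backup, and biometric login all leave the bytes on the disk readable by anyone who removes the drive, whereas here the bytes are useless without the key, and the authenticated mode also stops an attacker from silently modifying them.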



A failed IT system upgrade project has resulted in the corruption of an organization's asset inventory database.
Which of the following controls BEST mitigates the impact of this incident?

  A. Encryption
  B. Authentication
  C. Configuration
  D. Backups

Answer(s): D

Explanation:

Backups are the best control to mitigate the impact of a failed IT system upgrade project that has corrupted the organization's asset inventory database, because they allow the organization to restore the data to a known-good state and resume normal operations. The control only works if the backup predates the corruption and has been verified as restorable, so taking and test-restoring a backup immediately before an upgrade is the practical form of this control. Encryption, authentication, and configuration are not the best controls here, because they address data confidentiality, access control, and system settings respectively, none of which repairs corrupted data. References = CRISC Review Manual, 7th Edition, page 153.



A risk assessment has been completed on an application and reported to the application owner. The report includes validated vulnerability findings that require mitigation.
Which of the following should be the NEXT step?

  A. Report the findings to executive management to enable treatment decisions.
  B. Reassess each vulnerability to evaluate the risk profile of the application.
  C. Conduct a penetration test to determine how to mitigate the vulnerabilities.
  D. Prepare a risk response that is aligned to the organization's risk tolerance.

Answer(s): D

Explanation:

Once validated findings that require mitigation have been reported to the application owner, the next step is to prepare a risk response: for each finding, decide whether to mitigate, transfer, avoid, or accept the risk, and to what level, with the chosen response aligned to the organization's risk tolerance, that is, the acceptable level of variation from its objectives and risk appetite. Findings that require mitigation call for controls or countermeasures that reduce the likelihood or impact of the weakness being exploited. Reporting the findings to executive management (A) comes later, once there is a proposed response for management to approve; reassessing each vulnerability (B) repeats work the completed assessment has already validated; and a penetration test (C) confirms whether a weakness is exploitable but does not by itself determine how the risk should be treated. References = Risk and Information Systems Control Study Manual, Chapter 3, Section 3.4.2, page 103





