ISACA CRISC Exam Questions
Certified in Risk and Information Systems Control (Page 56)

Updated On: 24-Feb-2026

Of the following, who is responsible for approval when a change in an application system is ready for release to production?

  A. Information security officer
  B. IT risk manager
  C. Business owner
  D. Chief risk officer (CRO)

Answer(s): C

Explanation:

The business owner is responsible for approving the release of an application system change to production. The business owner has the authority over, and accountability for, the business process or function that the application system supports, and therefore approves the change to confirm that it meets the business requirements, objectives, and expectations, and that it does not introduce adverse impacts or unacceptable risk to business operations. The information security officer, the IT risk manager, and the chief risk officer (CRO) do not own the release approval, although they may provide input, feedback, or oversight (for example, a security review or an assessment of residual risk) that the business owner considers before approving. References = Risk and Information Systems Control Study Manual, Chapter 3, Section 3.4.1, page 3-32.



The PRIMARY benefit of using a maturity model is that it helps to evaluate the:

  A. capability to implement new processes
  B. evolution of process improvements
  C. degree of compliance with policies and procedures
  D. control requirements.

Answer(s): B

Explanation:

A maturity model is a framework that describes the stages or levels of development and improvement of a certain domain, such as a process, a function, or an organization. A maturity model can help to evaluate the current state, identify strengths and weaknesses, set goals and objectives, and measure performance and improvement over time. The primary benefit of using a maturity model is that it helps to evaluate the evolution of process improvements: it tracks the progress and changes of the processes against defined levels, and identifies the best practices and standards associated with each level. A maturity model can also help to compare the processes with industry benchmarks and competitors, and to align the processes with the business strategy and vision. Compliance with policies or the capability to implement new processes may be inputs to a maturity assessment, but they are not what the model is primarily used to evaluate. References = Risk and Information Systems Control Study Manual, Chapter 3, Section 3.3.2.1, p. 118-119



Which of the following is the PRIMARY reason to use key control indicators (KCIs) to evaluate control operating effectiveness?

  A. To measure business exposure to risk
  B. To identify control vulnerabilities
  C. To monitor the achievement of set objectives
  D. To raise awareness of operational issues

Answer(s): C

Explanation:

Key control indicators (KCIs) are metrics that measure how well a specific control is performing in reducing the causes, consequences, or likelihood of a risk. KCIs are used to evaluate control operating effectiveness, which is the degree to which a control achieves its intended objectives and mitigates the risk.

The primary reason to use KCIs to evaluate control operating effectiveness is to monitor the achievement of set objectives. This means that KCIs help to:

  - Track and report the progress and performance of the control against predefined targets, standards, or benchmarks
  - Identify and address any gaps, deviations, or issues in the control operation or outcome
  - Provide feedback and assurance to stakeholders and regulators on the adequacy and reliability of the control
  - Support the continuous improvement and optimization of the control

References = Key Control Indicator (KCI) - CIO Wiki, Evaluating and Improving Internal Control in Organizations - IFAC, A Methodical Approach to Key Control Indicators



Which of the following would be of MOST concern to a risk practitioner reviewing risk action plans for documented IT risk scenarios?

  A. Individuals outside IT are managing action plans for the risk scenarios.
  B. Target dates for completion are missing from some action plans.
  C. Senior management approved multiple changes to several action plans.
  D. Many action plans were discontinued after senior management accepted the risk.

Answer(s): D

Explanation:

The most concerning finding for a risk practitioner reviewing risk action plans for documented IT risk scenarios is that many action plans were discontinued after senior management accepted the risk. Risk action plans define the roles, responsibilities, procedures, and resources for implementing the risk responses (reduce, transfer, avoid, or accept) chosen for the IT risk scenarios, and they support monitoring and reporting on IT risk performance and improvement.

Discontinuing risk action plans after senior management accepted the risk is a major concern because it may indicate that the risk acceptance decision was not based on a proper risk analysis or evaluation, or that the decision was not communicated to or coordinated with the relevant stakeholders, such as the board, management, business units, and IT functions. It may also expose the organization to compliance, legal, reputational, or operational risk, or create conflicts or inconsistencies with the organization's risk appetite, risk objectives, or risk policies. In practice, a pattern of acceptance followed by abandoned action plans is a sign that acceptance is being used to avoid the cost of treatment rather than as a justified response to residual risk within appetite.

The other options are less concerning, although they may also present difficulties for the risk management process. Individuals outside IT managing action plans, target dates missing from some action plans, and senior management approving multiple changes to several action plans could all affect the quality and timeliness of risk management, but they do not by themselves indicate a lack of risk management accountability or oversight. References = Risk and Information Systems Control Study Manual, Chapter 4, Section 4.4.1, page 4-32.



Which of the following is the MOST important requirement when implementing a data loss prevention (DLP) system?

  A. Identifying users who have access
  B. Selecting an encryption solution
  C. Defining the data retention period
  D. Determining the value of data

Answer(s): D

Explanation:

Determining the value of data is the most important requirement when implementing a DLP system. A DLP system can only enforce policy on data it can recognize and rank, so the organization must first know which data is valuable (through classification) before it can decide what to monitor, block, or alert on. Understanding data value helps prioritize protection efforts, allocate resources effectively, and ensure that critical information assets are adequately safeguarded against loss or unauthorized disclosure. Identifying users with access, selecting encryption, and defining retention periods are useful supporting activities, but each depends on first knowing the value and sensitivity of the data being protected.


Reference:

ISACA CRISC Review Manual, 7th Edition, Chapter 2: IT Risk Assessment, Section: Data Classification and Protection.


