ISACA CRISC Exam Questions
Certified in Risk and Information Systems Control (Page 60)

Updated On: 24-Feb-2026

A risk practitioner learns that a risk owner has been accepting gifts from a supplier of IT products. Some of these IT products are used to implement controls and to mitigate risk to acceptable levels.
Which of the following should the risk practitioner do FIRST?

  1. Initiate disciplinary action against the risk owner.
  2. Reassess the risk and review the underlying controls.
  3. Review organizational ethics policies.
  4. Report the activity to the supervisor.

Answer(s): D

Explanation:

Reporting the activity to the supervisor is the first thing the risk practitioner should do on learning that a risk owner has been accepting gifts from a supplier of IT products. Accepting gifts from a supplier of IT products can create a conflict of interest, compromise the integrity and objectivity of the risk owner, and violate the organization's ethics policies. Reporting the activity to the supervisor helps ensure that the issue is escalated to the appropriate authority, investigated, and resolved in a timely and transparent manner. According to the CRISC Review Manual 2022, one of the key risk response techniques is to report the risk to the relevant stakeholders, such as the supervisor.

According to the web search results, reporting the activity to the supervisor is a common and recommended action when encountering a potential ethical violation in the workplace.



Which of the following is the MOST important information to cover in a business continuity awareness training program for all employees of the organization?

  1. Recovery time objectives (RTOs)
  2. Segregation of duties
  3. Communication plan
  4. Critical asset inventory

Answer(s): C

Explanation:

The most important information to cover in a business continuity awareness training program for all employees of the organization is the communication plan. A communication plan is a document that defines the roles, responsibilities, procedures, and resources for communicating with internal and external stakeholders before, during, and after a business continuity event. It helps ensure that relevant and accurate information is delivered to the appropriate parties in a timely and consistent manner, and that feedback and responses are received and addressed. A communication plan also helps maintain the trust, confidence, and reputation of the organization, and supports compliance with legal or regulatory requirements. It is the most important information to cover in a business continuity awareness training program because it prepares and educates employees on how to communicate effectively and efficiently during a business continuity event, and how to avoid or minimize the communication errors, gaps, or conflicts that could affect business continuity performance and recovery. The other options are not as important as the communication plan, although they may also be covered in a business continuity awareness training program.

Recovery time objectives (RTOs), segregation of duties, and critical asset inventory are all factors that could affect business continuity planning and implementation, but they are not the most important information to cover in a business continuity awareness training program. References = 6



Participants in a risk workshop have become focused on the financial cost to mitigate risk rather than choosing the most appropriate response.
Which of the following is the BEST way to address this type of issue in the long term?

  1. Perform a return on investment analysis.
  2. Review the risk register and risk scenarios.
  3. Calculate annualized loss expectancy of risk scenarios.
  4. Raise the maturity of organizational risk management.

Answer(s): D

Explanation:

The maturity of organizational risk management refers to the degree to which risk management is embedded and integrated into the organization's culture, processes, and decision-making. A higher level of maturity implies that the organization has a clear and consistent understanding of its risk appetite and tolerance, and that it can effectively identify, assess, respond to, monitor, and communicate risks.
The best way to address the issue of participants focusing on the financial cost to mitigate risk rather than choosing the most appropriate response is to raise the maturity of organizational risk management. This can help to:
Ensure that risk management is aligned with the organization's strategic objectives and values, and that risk responses are based on the potential impact and likelihood of risks, not just on the cost of mitigation.
Foster a risk-aware culture that encourages proactive and collaborative risk management, and that recognizes and rewards good risk management practices.
Provide adequate training and guidance for risk management roles and responsibilities, and ensure that risk management skills and competencies are developed and maintained.
Implement a robust and consistent risk management framework, methodology, and tools that support the risk management process and enable continuous improvement and learning.
Enhance the quality and reliability of risk information and reporting, and ensure that risk management performance and outcomes are measured and evaluated.
References = Risk Maturity Model - Wikipedia, Risk Maturity Model - ISACA, Risk Maturity Model - IRM



Which of the following management actions will MOST likely change the likelihood rating of a risk scenario related to remote network access?

  1. Updating the organizational policy for remote access
  2. Creating metrics to track remote connections
  3. Implementing multi-factor authentication
  4. Updating remote desktop software

Answer(s): C

Explanation:

The management action that will most likely change the likelihood rating of a risk scenario related to remote network access is implementing multi-factor authentication. Multi-factor authentication requires the user to provide two or more pieces of evidence to verify their identity, such as a password, a token, or a biometric factor. It reduces the likelihood of unauthorized or malicious access to the remote network, because it adds an extra layer of security and makes it harder for attackers to succeed with compromised user credentials alone. The other options are less likely to change the likelihood rating of the risk scenario, as they concern updating, measuring, or maintaining remote network access rather than verifying or protecting it. References = Risk and Information Systems Control Study Manual, Chapter 3: IT Risk Response, Section 3.3: IT Risk Response Implementation, page 145.



Which of the following would be of GREATEST concern regarding an organization's asset management?

  1. Lack of a mature records management program
  2. Lack of a dedicated asset management team
  3. Decentralized asset lists
  4. Incomplete asset inventory

Answer(s): D

Explanation:

Asset management is the process of identifying, tracking, and maintaining the physical and information assets of an organization. Asset management helps to optimize the value, performance, and security of the assets, and support the business objectives and strategies.

The factor that would be of greatest concern regarding an organization's asset management is an incomplete asset inventory. The asset inventory is the list of all assets the organization owns or uses; if it is incomplete, the organization does not have a clear and accurate understanding of its assets, their location, ownership, value, and dependencies. This may lead to various risks, such as asset loss, theft, misuse, damage, underutilization, or overutilization. An incomplete asset inventory may also undermine the asset classification, protection, recovery, and disposal processes. References = 6

