ISACA CRISC Exam Questions
Certified in Risk and Information Systems Control (Page 65)

Updated On: 28-Feb-2026

An organization with a large number of applications wants to establish a security risk assessment program.
Which of the following would provide the MOST useful information when determining the frequency of risk assessments?

  1. Feedback from end users
  2. Results of a benchmark analysis
  3. Recommendations from internal audit
  4. Prioritization from business owners

Answer(s): B

Explanation:

A benchmark analysis is a process of comparing the organization's performance, practices, and processes with those of other organizations in the same industry or sector. A benchmark analysis can provide the most useful information when determining the frequency of risk assessments, because it can help the organization to identify the best practices, standards, and expectations for security risk management in its industry. A benchmark analysis can also help the organization to assess its current level of maturity, capability, and compliance in relation to security risk management, and to determine the gaps and areas for improvement. By conducting a benchmark analysis, the organization can establish a realistic and appropriate frequency of risk assessments that aligns with its industry norms and its own risk profile. The other options are not as useful as a benchmark analysis, because they do not provide a comprehensive and relevant view of the security risk management landscape, but rather focus on specific or partial aspects of the organization's situation. References = Risk and Information Systems Control Study Manual, Chapter 1, Section 1.3.2, page 18.



Which of the following stakeholders are typically included as part of a line of defense within the three lines of defense model?

  1. Board of directors
  2. Vendors
  3. Regulators
  4. Legal team

Answer(s): D

Explanation:

The three lines of defense model is a framework that describes the roles and responsibilities of different stakeholders in the risk management and internal control processes of an organization. The three lines of defense are:
The first line of defense: the operational management and staff who are responsible for identifying, assessing, and responding to the risks, as well as implementing and maintaining the controls within their areas of activity.
The second line of defense: the risk management, compliance, and security functions who are responsible for establishing the risk policies and standards, providing guidance and support, monitoring and reporting on the risk performance and compliance, and facilitating the risk management and internal control processes across the organization.
The third line of defense: the internal audit function, which is responsible for providing independent and objective assurance on the effectiveness and efficiency of the risk management and internal control processes, as well as recommending improvements and best practices.
The stakeholders who are typically included as part of a line of defense within the three lines of defense model are the legal team, who belong to the second line of defense. The legal team is responsible for ensuring that the organization complies with the relevant laws and regulations, as well as for advising and assisting the organization on the legal aspects and implications of the risk management and internal control processes. References = Risk and Information Systems Control Study Manual, Chapter 1, Section 1.4.1, pp. 32-33



Which of the following approaches to bring your own device (BYOD) service delivery provides the BEST protection from data loss?

  1. Enable data wipe capabilities
  2. Penetration testing and session timeouts
  3. Implement remote monitoring
  4. Enforce strong passwords and data encryption

Answer(s): D

Explanation:

The best approach to bring your own device (BYOD) service delivery that provides the best protection from data loss is to enforce strong passwords and data encryption. BYOD is a service delivery model that allows the users to use their own personal devices, such as smartphones, tablets, or laptops, to access the enterprise's network, applications, or data. BYOD can provide various benefits, such as increased productivity, flexibility, and satisfaction of the users, as well as reduced costs and maintenance of the enterprise. However, BYOD also poses various risks, such as data loss, data breach, malware infection, or unauthorized access, as the personal devices may not have the same level of security and control as the enterprise-owned devices. Enforcing strong passwords and data encryption is the best approach to protect the data on the personal devices, as it helps to prevent or limit the unauthorized access, disclosure, or theft of the data, especially if the devices are lost, stolen, or compromised. Enforcing strong passwords and data encryption also helps to comply with the legal and regulatory requirements for data protection and privacy. Enabling data wipe capabilities, penetration testing and session timeouts, and implementing remote monitoring are also useful approaches, but they are not as effective as enforcing strong passwords and data encryption, as they are either reactive or detective measures, rather than proactive or preventive measures. References = CRISC Review Manual, 6th Edition, ISACA, 2015, page 217.



Which of the following is the MAIN reason to continuously monitor IT-related risk?

  1. To redefine the risk appetite and risk tolerance levels based on changes in risk factors
  2. To update the risk register to reflect changes in levels of identified and new IT-related risk
  3. To ensure risk levels are within acceptable limits of the organization's risk appetite and risk tolerance
  4. To help identify root causes of incidents and recommend suitable long-term solutions

Answer(s): C

Explanation:

According to the CRISC Review Manual (Digital Version), the main reason to continuously monitor IT-related risk is to ensure risk levels are within acceptable limits of the organization's risk appetite and risk tolerance. The risk appetite is the amount and type of risk that an organization is willing to accept in pursuit of its objectives, while the risk tolerance is the acceptable variation in outcomes related to specific performance measures linked to objectives. Continuous monitoring is a process that tracks the security state of an information system on an ongoing basis and maintains the security authorization for the system over time.
Continuous monitoring helps to:
Provide ongoing assurance that the implemented security controls are operating effectively and efficiently
Detect changes in the risk profile of the information system and the environment of operation
Identify new or emerging threats and vulnerabilities that may affect the information system
Support risk-based decisions by providing timely and relevant risk information to stakeholders
Facilitate the implementation of corrective actions and risk mitigation strategies
Promote accountability and transparency in the risk management process
Enhance the security awareness and culture within the organization
References = CRISC Review Manual (Digital Version), Chapter 4: IT Risk Monitoring and Reporting, Section 4.1: IT Risk Monitoring, pp. 213-214



A risk practitioner is developing a set of bottom-up IT risk scenarios. The MOST important time to involve business stakeholders is when:

  1. updating the risk register.
  2. validating the risk scenarios.
  3. documenting the risk scenarios.
  4. identifying risk mitigation controls.

Answer(s): B

Explanation:

According to the CRISC Review Manual, the most important time to involve business stakeholders in the development of bottom-up IT risk scenarios is when validating the risk scenarios, as they can provide valuable input on the relevance, completeness, and accuracy of the scenarios and their impact on the business objectives and processes [2].
References = [1] CRISC Review Questions, Answers & Explanations Database, Question ID: 100001; [2] CRISC Review Manual, 7th Edition, page 97


