ISACA CRISC Exam Questions
Certified in Risk and Information Systems Control (Page 67)

Updated On: 28-Feb-2026

The BEST use of key risk indicators (KRIs) is to provide:

  A. Early indication of increasing exposure to a specific risk.
  B. Lagging indication of major information security incidents.
  C. Early indication of changes to required risk response.
  D. Insight into the performance of a monitored process.

Answer(s): A

Explanation:

Key risk indicators are designed to provide early warnings about increasing risk exposure, enabling timely risk mitigation efforts. This supports proactive risk management, as outlined in the Risk Monitoring and Reporting domain of CRISC.



Deviation from a mitigation action plan's completion date should be determined by which of the following?

  A. Change management as determined by a change control board
  B. Benchmarking analysis with similar completed projects
  C. Project governance criteria as determined by the project office
  D. The risk owner as determined by risk management processes

Answer(s): D

Explanation:

Deviation from a mitigation action plan's completion date should be determined by the risk owner as determined by risk management processes, because the risk owner is the person or entity who has the accountability and authority to manage the risk and its associated mitigation actions. The risk owner should monitor and report the progress and status of the mitigation action plan, and determine if there is any deviation from the expected completion date, based on the risk management processes and criteria. The other options are not the ones who should determine the deviation, because:

Option A: Change management as determined by a change control board is a process that ensures that any changes to the project scope, schedule, cost, or quality are controlled and approved, but it does not determine the deviation from the mitigation action plan's completion date, which is a risk management activity.

Option B: Benchmarking analysis with similar completed projects is a technique that compares the performance and practices of the current project with those of similar or successful projects, but it does not determine the deviation from the mitigation action plan's completion date, which is a risk management activity.

Option C: Project governance criteria as determined by the project office is a set of rules and standards that define the roles, responsibilities, and authority of the project stakeholders, but it does not determine the deviation from the mitigation action plan's completion date, which is a risk management activity.

References = Risk and Information Systems Control Study Manual, 7th Edition, ISACA, 2020, p. 122.



Which of the following will BEST ensure that information security risk factors are mitigated when developing in-house applications?

  A. Identify information security controls in the requirements analysis.
  B. Identify key risk indicators (KRIs) as process output.
  C. Design key performance indicators (KPIs) for security in system specifications.
  D. Include information security control specifications in business cases.

Answer(s): A

Explanation:

Information security risk factors are the sources of uncertainty that may affect the confidentiality, integrity, or availability of information assets within an organization. Information security risk factors can include threats, vulnerabilities, or impacts that may compromise the security of information assets. Information security risk factors should be mitigated when developing in-house applications, which are software applications that are designed, developed, and maintained by the organization itself, rather than by external vendors or providers. Mitigating information security risk factors when developing in-house applications can help prevent or reduce the occurrence or consequences of security incidents, such as data breaches, cyberattacks, unauthorized access, or data loss. The best way to ensure that information security risk factors are mitigated when developing in-house applications is to identify information security controls in the requirements analysis. The requirements analysis is the stage of the system development life cycle (SDLC) where the business needs and expectations of the application are defined and documented. The requirements analysis should include the functional and non-functional requirements of the application, such as the features, functions, performance, quality, reliability, and security of the application. Identifying information security controls in the requirements analysis can help ensure that the security requirements of the application are clearly specified and agreed upon by the stakeholders, and that they are aligned with the organization's security policies, standards, and regulations. Identifying information security controls in the requirements analysis can also help ensure that the security requirements are integrated into the design, development, testing, and deployment of the application, and that they are verified and validated throughout the SDLC. Identifying information security controls in the requirements analysis can also help ensure that the security requirements are traceable, measurable, and manageable, and that they can be monitored and reviewed for effectiveness and efficiency.

References = THE SYSTEM DEVELOPMENT LIFE CYCLE (SDLC), p. 2-3; System Development Life Cycle - GeeksforGeeks; 7.3: Systems Development Life Cycle - Engineering LibreTexts; What Is SDLC? 7 Phases of System Development Life Cycle - Intetics.



Which of the following actions should a risk practitioner do NEXT when an increased industry trend of external cyber attacks is identified?

  A. Conduct a threat and vulnerability analysis.
  B. Notify senior management of the new risk scenario.
  C. Update the risk impact rating in the risk register.
  D. Update the key risk indicator (KRI) in the risk register.

Answer(s): A

Explanation:

The action that a risk practitioner should do next when an increased industry trend of external cyber attacks is identified is A. Conduct a threat and vulnerability analysis. A threat and vulnerability analysis is a process of identifying and assessing the potential sources and methods of cyber attacks, as well as the weaknesses and gaps in the organization's information systems and security controls. By conducting a threat and vulnerability analysis, a risk practitioner can determine the level of exposure and risk that the organization faces from external cyber attacks, and prioritize the actions and resources needed to mitigate or prevent them. A threat and vulnerability analysis can also help to update the risk impact rating and the key risk indicator in the risk register, as well as to notify senior management of the new risk scenario, but these are subsequent steps that follow after the analysis is completed. Therefore, the first action that a risk practitioner should do next is to conduct a threat and vulnerability analysis.



Which of the following practices would be MOST effective in protecting personally identifiable information (PII) from unauthorized access in a cloud environment?

  A. Apply data classification policy
  B. Utilize encryption with logical access controls
  C. Require logical separation of company data
  D. Obtain the right to audit

Answer(s): B

Explanation:

The most effective practice in protecting personally identifiable information (PII) from unauthorized access in a cloud environment is to utilize encryption with logical access controls. Encryption is a technique that transforms the data into an unreadable or unintelligible form, making it inaccessible or unusable by unauthorized parties. Logical access controls are the mechanisms or rules that regulate who can access, view, modify, or delete the data, based on their identity, role, or privilege. By utilizing encryption with logical access controls, the PII can be protected from unauthorized access, disclosure, or theft, both in transit and at rest, in a cloud environment. The other options are not as effective as utilizing encryption with logical access controls, as they are related to the classification, separation, or audit of the data, not the protection or security of the data.

References = Risk and Information Systems Control Study Manual, Chapter 3: IT Risk Response, Section 3.3: IT Risk Response Implementation, page 145.


