Cisco
CompTIA
ISC
EC-Council
EXIN
Fortinet
ITIL
Juniper
Microsoft
VMware
Avaya
SAP
Google
NVIDIA
Salesforce
Amazon
Palo Alto Networks
ISC2
Splunk
ServiceNow
All Vendors
  2. Home
  3. Exams
  4. ISACA
  5. CRISC

ISACA CRISC Exam Questions
Certified in Risk and Information Systems Control (Page 68 )

Updated On: 28-Feb-2026
Page 68 of 380
PDF with 1895 Questions

Which of the following would be the GREATEST challenge when implementing a corporate risk framework for a global organization?

  1. Privacy risk controls
  2. Business continuity
  3. Risk taxonomy
  4. Management support

Answer(s): D

Explanation:

The greatest challenge when implementing a corporate risk framework for a global organization is the management support. A corporate risk framework is a set of principles,

policies, standards, and processes that guide and govern the risk management activities across the organization. Acorporate risk framework helps to establish a consistent and integrated approach to risk management, and to align the risk management objectives and strategies with the business goals and values. Implementing a corporate risk framework for a global organization requires the management support, which is the commitment, involvement, and endorsement of the senior management and the board. Management support is essential for providing the vision, direction, and resources for the risk management initiatives, and for ensuring the accountability, responsibility, and ownership of the risk management roles and functions. Management support is also critical for creating and sustaining a risk-aware culture, and for promoting the risk management awareness and communication among the stakeholders. Management support can be challenging to obtain and maintain, especially for a global organization, as it may face various barriers, such as different expectations, priorities, preferences, or perspectives of the management, lack of trust or confidence in the risk management value or performance, resistance to change or innovation, or competing interests or agendas. Privacy risk controls, business continuity, and risk taxonomy are not as challenging as management support, as they are thecomponents or outcomes of the corporate risk framework, andthey can be addressed or improved by applying the appropriate methods, techniques, or tools. References = CRISC Review Manual, 6th Edition, ISACA, 2015, page 35.



In an organization dependent on data analytics to drive decision-making, which of the following would BEST help to minimize the risk associated with inaccurate data?

  1. Establishing anintellectual property agreement
  2. Evaluating each of the data sources for vulnerabilities
  3. Periodically reviewing big data strategies
  4. Benchmarking to industry best practice

Answer(s): C

Explanation:

Periodically reviewing big data strategies is the best option to minimize the risk of inaccurate data, because it allows the organization to assess the quality, validity, and reliability of the data sources and the analytics methods. It also enables the organization to identify and address any gaps, errors, or inconsistencies in the data and the results. By reviewing the big data strategies, the organization can ensure that the data analytics are aligned with the business objectives and the risk appetite.
Establishing an intellectual property agreement is not relevant to the risk of inaccurate data, as it is a legal measure to protect the ownership and use of the data, not its quality or accuracy.
Evaluating each of the data sources for vulnerabilities is a good practice, but it is not sufficient to minimize the risk of inaccurate data, as it only focuses on the security aspect of the data, not the validity or reliability of the data itself. Benchmarking to industry best practice is a useful way to compare the performance and results of the data analytics, but it does not directly address the risk of inaccurate data, as it assumes that the data and the methods are already valid and reliable. References = Risk IT Framework, 2nd Edition, ISACA, 2019, page 62-63.



Which of the following would BEST help minimize the risk associated with social engineering threats?

  1. Enforcing employees' sanctions
  2. Conducting phishing exercises
  3. Enforcing segregation of dunes
  4. Reviewing the organization's risk appetite

Answer(s): B

Explanation:

Conducting phishing exercises would best help minimize the risk associated with social engineering threats, because they can help to raise awareness and educate employees about the common techniques and tactics used by social engineers, such as sending deceptive emails or text messages that ask for sensitive information or direct users to malicious websites. Phishing exercises are simulated attacks that test the employees' ability to recognize and respond to social engineering attempts, and provide feedback and guidance on how to improve their security behavior. By conducting phishing exercises, the organization can measure and improve the employees' level of security awareness and resilience, and reduce the likelihood and impact of falling victim to social engineering attacks. The other options are less effective ways to minimize the risk associated with social engineering threats. Enforcing employees' sanctions can help to deter and punish employees who violate the security policies or procedures, but it may not prevent or reduce the occurrence of social engineering attacks, as they may target employees who are unaware, careless, or coerced by the attackers. Enforcing segregation of duties can help to prevent or limit the damage caused by social engineering attacks, by restricting the access and authority of employees to perform certain tasks or functions, but it may not address the root cause or source of the attacks, which is the human factor. Reviewing the organization's risk appetite can help to define and communicate the amount and type of risk that the organization is willing to accept in pursuit of its objectives, but it may not directly affect or influence the employees' behavior or attitude toward social engineering threats, which may depend on their individual or situational factors. References = How to Prevent and Mitigate Social Engineering Attacks 1



An organization has adopted an emerging technology without following proper processes.
Which of the following is the risk practitioner's BEST course of action to address this risk?

  1. Accept the risk because the technology has already been adopted.
  2. Propose a transfer of risk to a third party with subsequent monitoring.
  3. Conduct a risk assessmentto determine risk exposure.
  4. Recommend to senior management to decommission the technology.

Answer(s): C

Explanation:

Conducting a risk assessment allows the organization to evaluate the exposure created by adopting the technology. This step ensures informed decision-making and aligns with the principles ofRisk Identification and Assessmentfor managing emerging risks effectively.



Which of the following is MOST effective in continuous risk management process improvement?

  1. Periodic assessments
  2. Change management
  3. Awareness training
  4. Policy updates

Answer(s): A

Explanation:

Continuous risk management process improvement is the practice of evaluating and enhancing the risk management process on a regular basis, to ensure that it is effective, efficient, and aligned with the business objectives and strategy. Continuous risk management processimprovement can help identify and address the gaps, weaknesses, or opportunities for improvement in the risk management process, and ensure that the process is responsive and adaptable to the changing risk environment. The most effective method for continuous risk management process improvement is periodic assessments, which are systematic and objective evaluations of the risk management process, performed at predefined intervals or after significant events. Periodic assessments can help measure and monitor the performance and maturity of the risk management process, using criteria such as the risk management framework, standards, policies, procedures, methods, tools, roles, responsibilities, and results. Periodic assessments can also help identify and analyze the strengths, weaknesses, threats, and opportunities of the risk management process, and provide feedback and recommendations for improvement. Periodic assessments can also help communicate and report the status and progress of the risk management process to the stakeholders, and obtain their input and support for improvement actions. References = Continuous Risk Management

Guidebook, p. 7-8, ISO 31000: riskmanagement and its continuous improvement, How Continuous Monitoring Drives Risk Management.



Viewing page 68 of 380
Viewing questions 336 - 340 out of 1895 questions



Post your Comments and Discuss ISACA CRISC exam dumps with other Community members:

CRISC Exam Discussions & Posts

AI Tutor