ISACA CRISC Exam Questions
Certified in Risk and Information Systems Control (Page 69)

Updated On: 28-Feb-2026

Which of the following is the MOST important component of effective security incident response?

  1. Network time protocol synchronization
  2. Identification of attack sources
  3. Early detection of breaches
  4. A documented communications plan

Answer(s): D

Explanation:

The most important component of effective security incident response is a documented communications plan. A communications plan defines the roles and responsibilities, channels and methods, frequency and timing, and content and format of the communications that take place during and after a security incident. A communications plan helps to ensure that the relevant stakeholders are informed and updated about the incident status and outcome, and that the incident response activities are coordinated and consistent. A communications plan also helps to manage the expectations and perceptions of the stakeholders, and to maintain the trust and reputation of the enterprise. Network time protocol synchronization, identification of attack sources, and early detection of breaches are also important components of effective security incident response, but they are not as important as a documented communications plan. References = Risk and Information Systems Control Study Manual, 7th Edition, Chapter 4, Section 4.2.1.2, page 193 [1]
1: ISACA Certified in Risk and Information Systems Control (CRISC®) Exam Guide, Answer to Question 660.



An organization's financial analysis department uses an in-house forecasting application for business projections.
Who is responsible for defining access roles to protect the sensitive data within this application?

  1. IT risk manager
  2. IT system owner
  3. Information security manager
  4. Business owner

Answer(s): D

Explanation:

According to the Data Roles and Responsibilities article, the business owner is the person who has authority over the business process that is supported by the data. The business owner is responsible for defining the access roles to protect the sensitive data within the application, as well as approving the access requests and ensuring compliance with the data policies and standards. The business owner may delegate this responsibility to a data steward, who is a person who acts on behalf of the business owner to manage the data quality, security, and usage. Therefore, the answer is D. Business owner. References = Data Roles and Responsibilities



A segregation of duties control was found to be ineffective because it did not account for all applicable functions when evaluating access.
Who is responsible for ensuring the control is designed to effectively address risk?

  1. Risk manager
  2. Control owner
  3. Control tester
  4. Risk owner

Answer(s): B

Explanation:

The control owner is the person who is responsible for ensuring that the control is designed to effectively address risk. The control owner is also responsible for implementing, operating, monitoring, and maintaining the control. The control owner should ensure that the control is aligned with the risk owner's risk appetite and tolerance, and that the control is periodically reviewed and updated to reflect changes in the risk environment. The risk manager, the control tester, and the risk owner are not directly responsible for the design of the control, although they may provide input, feedback, or approval. References = Risk and Information Systems Control Study Manual, Chapter 1, Section 1.3.2, page 1-15.



Which of the following should be the PRIMARY consideration when assessing the automation of control monitoring?

  1. impact due to failure of control
  2. Frequency of failure of control
  3. Contingency plan for residual risk
  4. Cost-benefit analysis of automation

Answer(s): D

Explanation:

Automation of control monitoring is the application of technology to allow continuous or high-frequency, automated monitoring of controls to validate the effectiveness of controls designed to mitigate risk [1].
Automation of control monitoring can provide benefits such as increased test coverage, improved timeliness, reduced risk velocity, greater visibility, improved consistency, and the ability to identify trends [2][3].
However, automation of control monitoring also involves costs such as the acquisition, implementation, maintenance, and updating of the technology, as well as the training and support of the staff who use it [4][5].
Therefore, the primary consideration when assessing the automation of control monitoring is the cost-benefit analysis of automation, which compares the expected benefits and costs of automation and determines whether the benefits outweigh the costs or vice versa [4][5]. The other options are not the primary consideration, but rather secondary or tertiary factors that may influence the decision to automate or not. For example, the impact due to failure of control and the frequency of failure of control are aspects of the risk assessment that may indicate the need for automation, but they do not provide the basis for evaluating the feasibility and desirability of automation [4][5]. Similarly, the contingency plan for residual risk is a component of the risk response that may include automation as a risk mitigation strategy, but it does not measure the effectiveness and efficiency of automation [4][5]. References =
1: Making Continuous Controls Monitoring Work for Everyone, ISACA Now Blog, June 13,
2: A Practical Approach to Continuous Control Monitoring, ISACA Journal, Volume 2, 2015
3: Continuous Controls Monitoring: The Next Generation Of Controls Testing, Forbes Technology Council, June 2, 2022
4: Controls Automation - Monitoring vs. Operation - Part 3, Turnkey Consulting, July 29,
5: What's Continuous Control Monitoring and Why Is It Important?, MetricStream Blog, October 15, 2019



Which group has PRIMARY ownership of reputational risk stemming from unethical behavior within the organization?

  1. Board of directors
  2. Human resources (HR)
  3. Risk management committee
  4. Audit committee

Answer(s): A

Explanation:

The group that has primary ownership of reputational risk stemming from unethical behavior within the organization is A. Board of directors. According to the CFA Institute, the board of directors is responsible for setting the tone at the top and ensuring that the company adheres to high ethical standards and values. The board of directors also oversees the company's culture, governance, and risk management practices, and holds management accountable for any misconduct or breach of trust [1]. The board of directors may delegate some of its oversight functions to other committees, such as the human resources, risk management, or audit committee, but it ultimately bears responsibility for the company's reputation and integrity.


