ISACA CRISC Exam Questions
Certified in Risk and Information Systems Control (Page 7 )

Updated On: 21-Feb-2026

A threat intelligence team has identified an indicator of compromise related to an advanced persistent threat (APT) actor.
Which of the following is the risk practitioner's BEST course of action?

  A. Review the most recent vulnerability scanning report.
  B. Determine the business criticality of the asset.
  C. Determine the adequacy of existing security controls.
  D. Review prior security incidents related to the asset.

Answer(s): B



A risk practitioner has been asked to assess the risk associated with a new critical application used by a financial process team that the risk practitioner was a member of two years ago.
Which of the following is the GREATEST concern with this request?

  A. The risk assessment team may be overly confident of its ability to identify issues.
  B. The risk practitioner may be unfamiliar with recent application and process changes.
  C. The risk practitioner may still have access rights to the financial system.
  D. Participation in the risk assessment may constitute a conflict of interest.

Answer(s): D

Explanation:

Participation in the risk assessment may constitute a conflict of interest, because it may create a situation where the risk practitioner's personal or professional interests or relationships interfere with their objectivity, independence, or impartiality in conducting the risk assessment. A conflict of interest is a type of risk that may compromise the integrity, quality, or validity of the risk assessment process and outcomes, and may damage the reputation or trust of the risk practitioner or the organization. A conflict of interest may arise when the risk practitioner has a direct or indirect connection or involvement with the subject or stakeholder of the risk assessment, such as a previous or current role, responsibility, or relationship, that may influence or bias their judgment or decision. In this case the risk practitioner may have a prior or residual interest in, or loyalty to, the financial process team or the new critical application, and may not be able to assess the risk in a fair and unbiased manner.
The risk assessment team being overly confident of its ability to identify issues, the risk practitioner being unfamiliar with recent application and process changes, and the risk practitioner still having access rights to the financial system are all possible concerns with the request, but they are not the greatest concern, as they do not necessarily imply a conflict of interest, and they may be mitigated or resolved by other means, such as training, documentation, or review.



Which of the following would MOST likely result in updates to an IT risk appetite statement?

  A. External audit findings
  B. Feedback from focus groups
  C. Self-assessment reports
  D. Changes in senior management

Answer(s): D

Explanation:

An IT risk appetite statement is a document that expresses the amount and type of IT risk that an organization is willing to accept or pursue in order to achieve its objectives. An IT risk appetite statement can help guide the IT risk management process by setting the boundaries, criteria, and targets for IT risk identification, assessment, response, and reporting. An IT risk appetite statement should be aligned with the organization's overall risk appetite and strategy, and should be reviewed and updated periodically to reflect changes in the internal and external environment. One of the factors that would most likely result in updates to an IT risk appetite statement is changes in senior management. Senior management is the group of executives who have the authority and responsibility for the strategic direction and performance of the organization. Changes in senior management can affect the IT risk appetite statement, as they may introduce new perspectives, priorities, expectations, or preferences for IT risk taking or avoidance. Changes in senior management can also require new or revised IT objectives, goals, or initiatives, which may entail different levels or types of IT risk. Therefore, changes in senior management should trigger a review and update of the IT risk appetite statement, to ensure that it is consistent and compatible with the new leadership and direction of the organization. References = Organisations must define their IT risk appetite and tolerance; Risk Appetite Statements - Institute of Risk Management; Develop Your Technology Risk Appetite - Gartner.



Which of the following is the BEST indicator of executive management's support for IT risk mitigation efforts?

  A. The number of stakeholders involved in IT risk identification workshops
  B. The percentage of corporate budget allocated to IT risk activities
  C. The percentage of incidents presented to the board
  D. The number of executives attending IT security awareness training

Answer(s): D

Explanation:

The best indicator of executive management's support for IT risk mitigation efforts is the number of executives attending IT security awareness training. This shows that the executives are committed to enhancing their knowledge and skills on IT security issues, and that they are setting a positive example for the rest of the organization. The number of stakeholders involved in IT risk identification workshops, the percentage of corporate budget allocated to IT risk activities, and the percentage of incidents presented to the board are other possible indicators, but they are not as strong as the number of executives attending IT security awareness training. References = ISACA Certified in Risk and Information Systems Control (CRISC) Certification Exam Question and Answers, question 7; CRISC Review Manual, 6th Edition, page 202.



While reviewing a contract of a cloud services vendor, it was discovered that the vendor refuses to accept liability for a sensitive data breach.
Which of the following controls will BEST reduce the risk associated with such a data breach?

  A. Ensuring the vendor does not know the encryption key
  B. Engaging a third party to validate operational controls
  C. Using the same cloud vendor as a competitor
  D. Using field-level encryption with a vendor-supplied key

Answer(s): A

Explanation:

Encryption is a technique that transforms data into an unreadable format using a secret key, so that only parties holding the key can access and decrypt the data. Encryption can help to protect sensitive data from unauthorized access or disclosure, especially when the data is stored or transmitted in the cloud.
Ensuring the vendor does not know the encryption key is the control that will best reduce the risk associated with a data breach, because it can help to:

  - Prevent the vendor from accessing or disclosing the sensitive data, intentionally or unintentionally
  - Limit the exposure or impact of a data breach, even if the vendor's systems or networks are compromised by external attackers or malicious insiders
  - Maintain the confidentiality and integrity of the sensitive data, regardless of the vendor's liability or responsibility
  - Enhance the trust and confidence of customers and stakeholders, who may be concerned about the vendor's refusal to accept liability for a data breach

The other options are not as effective as ensuring the vendor does not know the encryption key. Engaging a third party to validate operational controls can help to verify and improve the vendor's security practices and processes, but it does not guarantee that the vendor will prevent or respond to a data breach adequately or in a timely manner. Using the same cloud vendor as a competitor is not a control but a business decision that may increase the risk associated with a data breach, as the vendor may have access to, or disclose, the sensitive data of both parties, or may favor one party over the other. Using field-level encryption with a vendor-supplied key can help to encrypt specific fields or columns of data, such as names, addresses, or credit card numbers, but it does not prevent the vendor from accessing or disclosing the data, because the vendor holds the encryption key. References = Encryption - ISACA; Cloud Encryption: Using Data Encryption in The Cloud; Cloud Encryption: Why You Need It and How to Do It Right; Field-Level Encryption - ISACA; CRISC Review Manual, 7th Edition.





