ISACA CRISC Exam Questions
Certified in Risk and Information Systems Control (Page 71)

Updated On: 28-Feb-2026

Which of the following statements describes the relationship between key risk indicators (KRIs) and key control indicators (KCIs)?

  A. KRI design must precede definition of KCIs.
  B. KCIs and KRIs are independent indicators and do not impact each other.
  C. A decreasing trend of KRI readings will lead to changes to KCIs.
  D. Both KRIs and KCIs provide insight to potential changes in the level of risk.

Answer(s): D

Explanation:

KRIs and KCIs are both metrics that measure and monitor the risk and control environment of an enterprise. KRIs are indicators that reflect the level and trend of risk exposure, and help to identify potential risk events or issues. KCIs are indicators that reflect the performance and effectiveness of the risk controls, and help to ensure that the controls are operating as intended and mitigating the risk. Both KRIs and KCIs provide insight to potential changes in the level of risk, as they can signal the need for risk response actions, such as enhancing, modifying, or implementing new controls, or adjusting the risk strategy and objectives. References = Most Asked CRISC Exam Questions and Answers. CRISC: Certified in Risk & Information Systems Control Sample Questions, Question 240.



An organization has just implemented changes to close an identified vulnerability that impacted a critical business process.
What should be the NEXT course of action?

  A. Redesign the heat map.
  B. Review the risk tolerance.
  C. Perform a business impact analysis (BIA).
  D. Update the risk register.

Answer(s): D

Explanation:

According to the CRISC Review Manual, the risk register is a tool that records the results of risk identification, analysis, evaluation, and treatment. It should be updated whenever there is a change in the risk profile, such as when a vulnerability is closed or a new threat is identified. Updating the risk register allows the organization to monitor the current status of risks and the effectiveness of risk responses. Therefore, the next course of action after implementing changes to close an identified vulnerability is to update the risk register with the new information. References = CRISC Review Manual, page 191.



Which of the following is MOST important to include in a risk assessment of an emerging technology?

  A. Risk response plans
  B. Risk and control ownership
  C. Key controls
  D. Impact and likelihood ratings

Answer(s): D

Explanation:

The most important thing to include in a risk assessment of an emerging technology is the impact and likelihood ratings of the risks associated with the technology. Impact and likelihood ratings are the measures of the potential consequences and probabilities of the risk events that could affect the achievement of the enterprise's objectives. Impact and likelihood ratings help to evaluate the level and nature of the risk exposure, and to prioritize the risks for further analysis and response. They also help to communicate the risk profile and appetite of the enterprise, and to support risk-based decision making. Risk response plans, risk and control ownership, and key controls are not as important as impact and likelihood ratings, as they are the outputs or outcomes of the risk assessment process, not the inputs or components of the risk assessment process. References = CRISC Review Manual, 6th Edition, ISACA, 2015, page 49.



Prudent business practice requires that risk appetite not exceed:

  A. inherent risk.
  B. risk tolerance.
  C. risk capacity.
  D. residual risk.

Answer(s): C

Explanation:

Risk appetite is the amount and type of risk that an organization is willing to accept in order to achieve its objectives. Risk appetite reflects the organization's risk attitude and its willingness to take on risk in specific scenarios. Risk appetite is usually expressed in a qualitative statement approved by the board of directors. Risk capacity is the maximum amount of risk that an organization can responsibly take on without jeopardizing its financial stability or other key objectives. Risk capacity is determined by objective factors like income, assets, liabilities, debts, insurance coverage, dependents, and time horizon. Risk capacity is usually expressed as a quantitative measure that sets the limit of how much risk the organization can handle. Prudent business practice requires that risk appetite not exceed risk capacity, because exceeding it would mean that the organization is taking on more risk than it can afford or sustain. If the risk appetite is higher than the risk capacity, the organization may face serious consequences such as insolvency, bankruptcy, reputational damage, legal liability, or regulatory sanctions. Therefore, the organization should align its risk appetite with its risk capacity, and ensure that its risk exposure is within its risk tolerance. The other options are not correct. Inherent risk is the level of risk that exists in the absence of controls or mitigations; it is the natural level of risk inherent in a process or activity. Residual risk is the level of risk that remains after the controls or mitigations have been applied; it is the remaining risk after the risk response has been implemented. Risk tolerance is the acceptable variation in the outcomes related to specific objectives or risks; it is the range of risk exposure that the organization is prepared to accept. None of these concepts are directly comparable to risk appetite, and none of them represent the limit of how much risk the organization can take on. References =
Risk Appetite vs. Risk Tolerance: What is the Difference? - ISACA; What Is the Difference Between Risk Tolerance and Risk Capacity? - Investopedia; Risk Management: Understanding Risk Capacity, Appetite, and Tolerance - Consulting Edge

[CRISC Review Manual, 7th Edition]



Which of the following would BEST mitigate the ongoing risk associated with operating system (OS) vulnerabilities?

  A. Temporarily mitigate the OS vulnerabilities
  B. Document and implement a patching process
  C. Evaluate permanent fixes such as patches and upgrades
  D. Identify the vulnerabilities and applicable OS patches

Answer(s): B

Explanation:

The best way to mitigate the ongoing risk associated with operating system (OS) vulnerabilities is to document and implement a patching process. A patching process is a set of procedures and guidelines that define how to identify, evaluate, test, apply, and monitor patches for the OS. Patches are updates or fixes that address known vulnerabilities or bugs in the OS. By documenting and implementing a patching process, the organization can ensure that the OS is regularly updated and protected from attacks that target those vulnerabilities. The other options are not as effective as documenting and implementing a patching process, as they are temporary, partial, or reactive measures to deal with OS vulnerabilities, not the proactive and continuous measures needed to prevent or reduce them on an ongoing basis. References = Risk and Information Systems Control Study Manual, Chapter 3: IT Risk Response, Section 3.3: IT Risk Response Implementation, page 145.


