Cisco
CompTIA
ISC
EC-Council
EXIN
Fortinet
ITIL
Juniper
Microsoft
VMware
Avaya
SAP
Google
NVIDIA
Salesforce
Amazon
Palo Alto Networks
ISC2
Splunk
ServiceNow
All Vendors
  2. Home
  3. Exams
  4. ISACA
  5. CRISC

ISACA CRISC Exam Questions
Certified in Risk and Information Systems Control (Page 74 )

Updated On: 28-Feb-2026
Page 74 of 380
PDF with 1895 Questions

Which of the following is the BEST course of action to reduce risk impact?

  1. Create an IT security policy.
  2. Implement corrective measures.
  3. Implement detective controls.
  4. Leverage existing technology

Answer(s): B

Explanation:

To reduce risk impact, the best course of action is to implement corrective measures, which are actions taken to eliminate or minimize the negative effects of a risk event after it has occurred12.
Corrective measures can include restoring normal operations, repairing or replacing damaged assets, recovering lost data, compensating affected stakeholders, and implementing lessons learned12.
Corrective measures can reduce risk impact by minimizing the duration, severity, and scope of the consequences of a risk event, as well as preventing recurrence or escalation of similar risks in the future12.
The other options are not the best course of action to reduce risk impact, but rather different types of risk responses that may have different objectives and effects. For example:
Creating an IT security policy is an example of a preventive measure, which is an action taken to avoid or reduce the likelihood of a risk event before it occurs12. A preventive measure can reduce risk exposure, but not risk impact. Implementing detective controls is an example of a monitoring measure, which is an action taken to identify and measure the occurrence or status of a risk event during or after it occurs12. A monitoring measure can provide timely information and feedback, but not reduce risk impact.
Leveraging existing technology is an example of a mitigation measure, which is an action taken to reduce the likelihood or impact of a risk event before it occurs12. A mitigation measure can reduce risk exposure, but not necessarily risk impact. References =
1: Risk Management Guide for Information Technology Systems, NIST Special Publication 800-30, July 2002
2: Project Risk Management Handbook, California Department of Transportation, June 2011



Which of the following data would be used when performing a business impact analysis (BIA)?

  1. Cost-benefit analysis ofrunning the current business
  2. Cost of regulatory compliance
  3. Projected impact of current business on future business
  4. Expected costs for recovering the business

Answer(s): D

Explanation:

A business impact analysis (BIA) is a process that identifies and assesses the effects that accidents, emergencies, disasters, and other unplanned, negative events could have on a business. The BIA (sometimes also called business impact assessment) predicts how a business will be affected by everything from a hurricane to a labor strike1. One of the data that would be used when performing a BIA is the expected costs for recovering the business. This data can help to estimate the amount of resources and funds that would be needed to restore the normal operations and functions of the business after a disruption. The expected costs for recovering the business can include:
The costs of repairing or replacing damaged or lost assets, such as equipment, inventory, or facilities
The costs of hiring or training additional staff, or outsourcing some tasks or services The costs of implementing alternative or backup systems or processes, such as cloud computing or manual procedures

The costs of communicating and coordinating with customers, suppliers, partners, regulators, and other stakeholders
The costs of complying with legal or contractual obligations, or paying fines or penalties The costs of mitigating or preventing further losses or damages, such as insurance premiums or security measures23
The expected costs for recovering the business can help to determine the priority and urgency of the recovery activities, and to allocate the available resources and funds accordingly. The expected costs for recovering the business can also help to evaluate the cost-effectiveness and feasibility of the recovery strategies and options, and to justify the investment in the business continuity planning and management4.

The other options are not the data that would be used when performing a BIA, but rather the data that would be used for other purposes or processes. A cost-benefit analysis of running the current business is a data that would be used to compare the advantages and disadvantages of different business decisions or alternatives, such as launching a new product or service, or expanding to a new market. A cost-benefit analysis can help to assess the profitability and viability of the current business, but it does not measure the impact of a disruption on the business5. A cost of regulatory compliance is a data that would be used toestimate the amount of resources and funds that would be required to meet the rules and standards set by the authorities or agencies that govern the business, such as laws, regulations, or policies. A cost of regulatory compliance can help to ensure the legality and accountability of the business, but it does not measure the impactof a disruption on the business. A projected impact of current business on future business is a data that would be used to forecast the potential outcomes and consequences of the current business activities or strategies on the future business performance and growth, such as sales, revenue, market share, or customer satisfaction. A projected impact of current business on future business can help to plan and optimize the future business, but it does not measure the impact of a disruption on the current business. References =
Business Impact Analysis | Ready.gov
Business Impact Analysis Toolkit | Smartsheet
Business Impact Analysis (BIA): Prepare for Anything [2023] · Asana How To Conduct Business Impact Analysis in 8 Easy Steps - G2 Cost Benefit Analysis - ISACA
[Regulatory Compliance - ISACA]
[Impact Analysis - ISACA]
[CRISC Review Manual, 7th Edition]



An employee lost a personal mobile device that may contain sensitive corporate information.
What should be the risk practitioner's recommendation?

  1. Conduct a risk analysis.
  2. Initiate a remote data wipe.
  3. Invoke the incident response plan
  4. Disable the user account.

Answer(s): B

Explanation:

The best recommendation for a risk practitioner when an employee lost a personal mobile device that may contain sensitive corporate information is to initiate a remote data wipe. A remote data wipe is a process of erasing the data stored on a device remotely, using a command sent over anetwork or a wireless connection. A remote data wipe can help to prevent the unauthorized access, use, disclosure, or theft of the sensitive corporate information, and to minimize the potential impact of the loss on the enterprise's reputation, operations, and compliance. A remote data wipe can also help to comply with the data breach notification laws and regulations, and to reduce the legal liability and penalties. Conducting a risk analysis, invoking the incident response plan, and disabling the user account are not as immediate and effective as initiating a remote data wipe, as they do not address the primary risk of data exposure and loss. References = CRISC Review Manual, 6th Edition, ISACA, 2015, page 217.



Which of the following conditions presents the GREATEST risk to an application?

  1. Application controls are manual.
  2. Application development is outsourced.
  3. Source code is escrowed.
  4. Developers have accessto production environment.

Answer(s): D

Explanation:

The production environment is the environment where the application is deployed and used by the end users. The production environment should be protected from unauthorized or unintended changes that could compromise the availability, integrity, or confidentiality of the application and its data. Developers have access to the production environment presents the greatest risk to an application, as it could allow them tobypass the change management process, introduce errors or vulnerabilities, or manipulate the application or its data for malicious purposes. The other options are not as risky as developers having access to the production environment, as they involve different aspects of the application lifecycle:
Application controls are manual means that the application relies on human intervention to perform some functions or validations, such as data entry, reconciliation, or authorization. This could increase the risk of human error, fraud, or inefficiency, but it does not directly affect the production environment.
Application development is outsourced means that the application is developed by a third party, such as a vendor or a contractor. This could increase the risk of quality issues, contractual disputes, or intellectual property rights, but it does not directly affect the production environment.
Source code is escrowed means that the source code of the application is deposited with a trusted third party, such as a lawyer or a bank. This could provide assurance and continuity in case the original developer is unable or unwilling to maintain or support the application, but it does not directly affect the production environment. References = Risk and Information Systems Control Study Manual, 7th Edition, Chapter 4, Section 4.1.1.1, pp. 144-145.



Read" rights to application files in a controlled server environment should be approved by the:

  1. business process owner.
  2. database administrator.
  3. chiefinformation officer.
  4. systems administrator.

Answer(s): A

Explanation:

Read rights: The permission to view or access the content of a file or a folder1. Application files: The files that contain the code, data, or resources of an application or a program2.
Controlled server environment: A server environment that is managed and secured by a set of policies, procedures, and tools3.
Business process owner: The person who is responsible for the design, execution, and performance of a business process.
Read rights to application files in a controlled server environment should be approved by the business process owner. The business process owner is the person who has the authority and accountability for the business process that uses or depends on the application files. The businessprocess owner should approve the read rights to application files in a controlled server environment to:
Ensure that the read rights are aligned with the business needs and objectives

Prevent unauthorized or unnecessary access to the application files Protect the confidentiality, integrity, and availability of the application files Comply with the relevant laws and regulations that govern the access to the application files The other options are not the best choices for approving the read rights to application files in a controlled server environment, because they do not have the same level of authority, responsibility, or knowledge as the business process owner. The database administrator, who is the person who manages and maintains the database systems and data, may have the technical skills and access to grant the read rights to application files, but they may not have the business insight or approval to do so. The chief information officer, who is the person who oversees the IT strategy and operations of the organization, may have the executive power and oversight to approve the read rights to application files, but they may not have the specific or detailed knowledge of the business process or the application files. The systems administrator, who is the person who configures and maintains the server systems and networks, may have the administrative privileges and tools to grant the read rights to application files, but they may not have the business understanding or authorization to do so. References = Read Permission - an overview | ScienceDirect Topics, What is an Application File? - Definition from Techopedia, What is a Server Environment? - Definition from Techopedia, [Business Process Owner: Definition, Roles, and Responsibilities]



Viewing page 74 of 380
Viewing questions 366 - 370 out of 1895 questions



Post your Comments and Discuss ISACA CRISC exam dumps with other Community members:

CRISC Exam Discussions & Posts

AI Tutor