ISACA CRISC Exam Questions
Certified in Risk and Information Systems Control (Page 75)

Updated On: 28-Feb-2026

A risk practitioner has received an updated enterprise risk management (ERM) report showing that residual risk is now within the organization's defined appetite and tolerance levels.
Which of the following is the risk practitioner's BEST course of action?

  1. Identify new risk entries to include in ERM.
  2. Remove the risk entries from the ERM register.
  3. Re-perform the risk assessment to confirm results.
  4. Verify the adequacy of risk monitoring plans.

Answer(s): D

Explanation:

The risk practitioner's best course of action when the residual risk is now within the organization's defined appetite and tolerance levels is to verify the adequacy of risk monitoring plans. Risk monitoring is the process of tracking and reviewing the risk status and performance, and ensuring that the risk responses are effective and efficient [1]. Risk monitoring plans are the documents that specify the objectives, scope, methods, roles, and responsibilities for the risk monitoring activities [2]. By verifying the adequacy of risk monitoring plans, the risk practitioner can:

Ensure that the risk monitoring plans are aligned with the organization's risk strategy, objectives, and policies, and that they comply with the relevant standards and regulations [3].
Evaluate whether the risk monitoring plans are comprehensive and consistent, and that they cover all the key aspects and indicators of the risks and the risk responses [4].
Identify and address any gaps, issues, or challenges that may affect the implementation or outcome of the risk monitoring plans, and recommend and implement appropriate improvement actions [5].
The other options are not the best course of action, because:

Identifying new risk entries to include in ERM is not a relevant or necessary course of action, as it is not directly related to the residual risk or the risk responses. ERM is the process of identifying, analyzing, evaluating, and managing the risks that may affect the organization's strategic, operational, financial, or reputational objectives [6]. Identifying new risk entries is a part of the risk identification process, which is the first step in ERM. It should be performed periodically or when there are significant changes in the internal or external environment, not when the residual risk is within the appetite and tolerance levels [7].

Removing the risk entries from the ERM register is not a valid or advisable course of action, as it may create a false sense of security or complacency. The ERM register is a tool that records and summarizes the key information and data about the identified risks and the risk responses [8][9]. Removing the risk entries from the ERM register may imply that the risks no longer exist or matter, which is not true. The risks may still occur or change, and the risk responses may still fail or become obsolete. Therefore, the risk entries should be kept and updated in the ERM register, unless the risks are completely eliminated or transferred.

Re-performing the risk assessment to confirm results is not an efficient or effective course of action, as it may be redundant or unnecessary. Risk assessment is the process of estimating the probability and impact of the risks, and prioritizing the risks based on their significance and urgency [10][11]. Re-performing the risk assessment may not provide any new or useful information or insights, and may waste time and resources. Instead, the risk practitioner should verify and validate the existing risk assessment results, and ensure that they are accurate and reliable.
References:

[1] Risk Monitoring - CIO Wiki
[2] Risk Monitoring Plan - CIO Wiki
[3] Risk Monitoring and Reporting - ISACA
[4] Risk Monitoring and Control - Project Management Institute
[5] Risk Monitoring and Review - The National Academies Press
[6] Enterprise Risk Management - CIO Wiki
[7] Risk Identification - CIO Wiki
[8] Risk Register - CIO Wiki
[9] Risk Register: How to Use It in Project Management - ProjectManager.com
[10] Risk Assessment - CIO Wiki
[11] Risk Assessment Process - ISACA



An organization automatically approves exceptions to security policies on a recurring basis.
This practice is MOST likely the result of:

  1. a lack of mitigating actions for identified risk
  2. decreased threat levels
  3. ineffective service delivery
  4. ineffective IT governance

Answer(s): D

Explanation:

IT governance is the process of ensuring that IT supports the organization's objectives and strategies, and that IT risks are managed appropriately. IT governance involves defining the roles, responsibilities, and accountabilities of the IT stakeholders, establishing the IT policies, standards, and procedures, and monitoring and evaluating the IT performance and outcomes [1].

An organization that automatically approves exceptions to security policies on a recurring basis is most likely the result of ineffective IT governance, because it indicates that the organization:

Lacks a clear and consistent IT strategy and direction, and does not align IT with the business goals and needs.
Fails to implement and enforce the IT policies, standards, and procedures, and does not ensure the compliance and accountability of the IT users and providers.
Neglects to identify and assess the IT risks, and does not implement the appropriate risk responses and controls.
Does not monitor and measure the IT performance and outcomes, and does not review and improve the IT processes and practices [2][3].

The other options are not the most likely results of ineffective IT governance, but rather some of the possible causes or consequences of it.

A lack of mitigating actions for identified risk is a possible consequence of ineffective IT governance, as it implies that the organization does not have a systematic and proactive approach to IT risk management, and does not address the IT risks in a timely and effective manner.

Decreased threat levels is a possible cause of ineffective IT governance, as it may create a false sense of security and complacency, and reduce the motivation and urgency to implement and follow the IT policies, standards, and procedures.

Ineffective service delivery is a possible consequence of ineffective IT governance, as it means that the organization does not deliver the IT services that meet the expectations and requirements of the customers and stakeholders, and does not ensure the quality and reliability of the IT services.

References:

[1] IT Governance - ISACA
[2] IT Governance: What It Is and Why You Need It
[3] IT Governance: The Benefits of an Effective Enterprise IT Governance Framework
[4] CRISC Review Manual, 7th Edition



Who is PRIMARILY accountable for identifying risk on a daily basis and ensuring adherence to the organization's policies?

  1. Third line of defense
  2. Line of defense subject matter experts
  3. Second line of defense
  4. First line of defense

Answer(s): D



Which of the following describes the relationship between risk appetite and risk tolerance?

  1. Risk appetite is completely independent of risk tolerance.
  2. Risk tolerance is used to determine risk appetite.
  3. Risk appetite and risk tolerance are synonymous.
  4. Risk tolerance may exceed risk appetite.

Answer(s): D

Explanation:

Relationship between Risk Appetite and Risk Tolerance:

Risk Appetite: Defined as the amount of risk an organization is willing to accept in pursuit of its objectives. It is a broad measure that reflects the organization's strategy and goals.
Risk Tolerance: Refers to the acceptable level of variation in performance relative to achieving objectives. It is narrower and can sometimes exceed the risk appetite in specific situations where deviations are permissible.

Contextual Understanding:

Controlled Exceedance: Risk tolerance allows for occasional and controlled exceedance of the risk appetite, typically under specific conditions and for compelling business reasons.
Management Decisions: Decisions to exceed risk appetite should be carefully considered and documented, ensuring they do not threaten the overall risk capacity of the organization.

Comparison with Other Options:

Independent of Each Other: Incorrect, as risk tolerance is related to risk appetite.
Risk Tolerance Determines Risk Appetite: Incorrect, as risk appetite is generally broader and is set before determining risk tolerance.
Synonymous: Incorrect, as they are distinct concepts, with risk tolerance providing operational flexibility within the boundaries set by risk appetite.

Best Practices:

Clear Definitions: Clearly define and communicate the organization's risk appetite and risk tolerance.
Regular Reviews: Regularly review and adjust risk appetite and tolerance to align with changes in business strategy and the external environment.


Reference:

CRISC Review Manual: Provides detailed definitions and examples illustrating the relationship between risk appetite and risk tolerance.
ISACA Guidelines: Emphasize the importance of understanding and managing the interplay between risk appetite and tolerance for effective risk management.



Which of the following is the BEST way to ensure data is properly sanitized while in cloud storage?

  1. Deleting the data from the file system
  2. Cryptographically scrambling the data
  3. Formatting the cloud storage at the block level
  4. Degaussing the cloud storage media

Answer(s): B

Explanation:

The best way to ensure data is properly sanitized while in cloud storage is to cryptographically scramble the data. Cryptographic scrambling is the process of transforming data into an unreadable form using a secret key or algorithm. Cryptographic scrambling protects the data from unauthorized access, modification, or deletion, even if the cloud storage provider or a third party gains access to the data. Cryptographic scrambling also ensures that the data can be restored to its original form using the same key or algorithm, if needed. The other options are not as effective as cryptographic scrambling, because they either do not completely remove the data, or they make it impossible to recover the data. References: Risk and Information Systems Control Study Manual, Chapter 3, Section 3.3.1, page 3-21.


