ISACA CRISC Exam Questions
Certified in Risk and Information Systems Control (Page 8)

Updated On: 21-Feb-2026

While evaluating control costs, management discovers that the annual cost exceeds the annual loss expectancy (ALE) of the risk. This indicates the:

  1. control is ineffective and should be strengthened.
  2. risk is inefficiently controlled.
  3. risk is efficiently controlled.
  4. control is weak and should be removed.

Answer(s): B

Explanation:

Risk is inefficiently controlled when the annual cost of the control exceeds the annual loss expectancy (ALE) of the risk, as this means that the organization is spending more on the control than the potential loss that the control is supposed to prevent or reduce. This indicates that the control is not cost-effective or optimal, and that the organization should consider alternative or complementary controls that can lower the cost or increase the benefit of the risk management. Control is ineffective and should be strengthened when the control does not reduce the likelihood or impact of the risk to an acceptable level, regardless of the cost. Risk is efficiently controlled when the annual cost of the control is equal to or less than the annual loss expectancy (ALE) of the risk, as this means that the organization is spending less on or equal to the control than the potential loss that the control is supposed to prevent or reduce. Control is weak and should be removed when the control does not provide any benefit or value to the risk management, regardless of the cost. References = CRISC Certified in Risk and Information Systems Control, Question 205; ISACA Certified in Risk and Information Systems Control (CRISC) Certification Exam Question and Answers, question 205.



Which of the following should be the PRIMARY objective of promoting a risk-aware culture within an organization?

  1. Better understanding of the risk appetite
  2. Improving audit results
  3. Enabling risk-based decision making
  4. Increasing process control efficiencies

Answer(s): C

Explanation:

The primary objective of promoting a risk-aware culture within an organization is enabling risk-based decision making, because this helps the organization to achieve its goals and objectives while managing its risks effectively and efficiently. A risk-aware culture is one where everyone understands the organization's approach to risk, takes personal responsibility to manage risk in everything they do, and encourages others to follow their example. A risk-aware culture also fosters communication, collaboration, and learning about risk across the organization. By promoting a risk-aware culture, the organization can empower its employees to make informed and balanced decisions that consider both the potential benefits and the potential risks of their actions. This can enhance the organization's performance, resilience, and competitiveness in a dynamic and uncertain environment. References = Risk IT Framework, ISACA, 2022, p. 17



Which of the following is MOST important to ensure when continuously monitoring the performance of a client-facing application?

  1. Objectives are confirmed with the business owner.
  2. Control owners approve control changes.
  3. End-user acceptance testing has been conducted.
  4. Performance information in the log is encrypted.

Answer(s): A

Explanation:

The performance of a client-facing application is the measure of how well the application meets the expectations and requirements of the clients who use it. The performance of a client-facing application can be affected by various factors, such as functionality, usability, reliability, availability, security, and scalability. Continuously monitoring the performance of a client-facing application is the process of collecting, analyzing, and reporting on the performance data and metrics of the application over time. Continuously monitoring the performance of a client-facing application can help identify and resolve issues, improve quality, optimize resources, and enhance client satisfaction. The most important thing to ensure when continuously monitoring the performance of a client-facing application is that the objectives are confirmed with the business owner. The business owner is the person or entity who has the authority and responsibility for the business value and outcomes of the application. The business owner defines the objectives, goals, and requirements of the application, and sets the performance criteria and targets. Confirming the objectives with the business owner can help ensure that the performance monitoring is aligned with the business needs and expectations, and that the performance data and metrics are relevant, accurate, and meaningful. References = Risk and Information Systems Control Study Manual, Chapter 4: Risk and Control Monitoring and Reporting, Section 4.3: Continuous Monitoring, pp. 203-205.



An organization that has been the subject of multiple social engineering attacks is developing a risk awareness program. The PRIMARY goal of this program should be to:

  1. reduce the risk to an acceptable level.
  2. communicate the consequences for violations.
  3. implement industry best practices.
  4. reduce the organization's risk appetite.

Answer(s): A

Explanation:

According to the CRISC Review Manual (Digital Version), the primary goal of a risk awareness program is to reduce the risk to an acceptable level by increasing the knowledge and understanding of the risk among the stakeholders. A risk awareness program should:

  - Educate the stakeholders about the sources, types and impacts of IT-related risks
  - Explain the roles and responsibilities of the stakeholders in the risk management process
  - Promote a risk-aware culture that supports the risk appetite and risk tolerance of the organization
  - Provide guidance and tools for identifying, assessing, responding and monitoring IT-related risks
  - Encourage the reporting and escalation of risk issues and incidents
  - Reinforce the benefits and value of effective risk management

References = CRISC Review Manual (Digital Version), Chapter 4: IT Risk Monitoring and Reporting, Section 4.2: IT Risk Reporting, pp. 224-225



Which of the following is the PRIMARY risk management responsibility of the second line of defense?

  1. Monitoring risk responses
  2. Applying risk treatments
  3. Providing assurance of control effectiveness
  4. Implementing internal controls

Answer(s): A

Explanation:

The primary risk management responsibility of the second line of defense is to monitor the risk responses. The second line of defense is the function that oversees and supports the risk management activities of the first line of defense, which is the function that owns and manages the risks. The second line of defense includes the risk management, compliance, and quality assurance functions, among others. The second line of defense is responsible for monitoring the risk responses, which are the actions taken to address the risks, such as avoiding, transferring, mitigating, or accepting the risks. The second line of defense monitors the risk responses to ensure that they are implemented effectively and efficiently, that they achieve the desired outcomes, and that they are aligned with the risk appetite and tolerance of the organization. The second line of defense also provides guidance, advice, and feedback to the first line of defense on the risk responses, and reports the results and issues to the senior management and the board. Applying risk treatments, providing assurance of control effectiveness, and implementing internal controls are not the primary risk management responsibilities of the second line of defense, as they are either the responsibilities of the first line of defense or the third line of defense, which is the function that provides independent assurance of the risk management activities, such as the internal audit function. References = CRISC Review Manual, 6th Edition, ISACA, 2015, page 36.
