Examforsure takes your career prospects as seriously as you do. If, for any valid reason, the Isaca CRISC exam dumps we provide have not been helpful to you in the way we promise, you are free to claim a refund.
Examforsure verifies that the Isaca CRISC question and answer PDFs it provides consist of 100% real questions from a recent version of the exam you are about to sit. We stand behind our wide library of exam study materials, including this Isaca exam and more.
Free Isaca CRISC demos are available for you to download so that you can verify what you would be getting from Examforsure. Millions of visitors have simply followed this process and bought the Isaca CRISC exam dumps after checking out our free demos.
Examforsure is fully committed to providing you with Isaca CRISC practice exam questions and answers that build your confidence for the exam. To get our question material you need to sign up with Examforsure. Many of our customers around the world are achieving high grades using our Isaca CRISC exam dumps, so you can also achieve the 100% passing grade you desire, and our terms and conditions include a money-back guarantee.
Examforsure has been known for the quality of its services, providing Isaca CRISC exam question and answer PDFs that are kept up to date with accurate exam assessments, reviewed and updated punctually by our production team experts. The study materials Examforsure provides are verified by experienced administrators and qualified individuals who have focused on the Isaca CRISC question and answer sections so that you benefit, grasp the concepts, and pass the certification exam with the grades your career requires. Isaca CRISC braindumps are the best way to prepare for your exam in less time.
There are many user-friendly platforms providing Isaca exam braindumps. Examforsure aims to provide the latest, accurate material without useless scrolling; we value your time and want to give you the most up-to-date and helpful study material so that you can study effectively and pass the Isaca CRISC exams. You get access to our questions and answers, available in PDF format for download right after purchase. Examforsure is also mobile friendly, so you can study anywhere as long as you have internet access; our team does its best to provide a user-friendly interface on every device.
The Isaca CRISC questions and answers we provide are reviewed by highly qualified Isaca professionals who have been in the field for a long time; most are lecturers, and programmers are also part of this platform. So you can forget about the stress of failing your exam: use our Isaca CRISC (Certified in Risk and Information Systems Control) question and answer PDF and start practicing, because passing Isaca CRISC is not easy, and Examforsure is here to relieve that stress and make you confident for your coming exam, with success guaranteed on the first attempt. Free downloadable demos are provided for you to check before purchasing this investment in your own success; our Isaca CRISC exam questions with detailed answer explanations will then be delivered to you.
A poster has been displayed in a data center that reads: "Anyone caught taking photographs in the data center may be subject to disciplinary action." Which of the following control types has been implemented?
A. Corrective
B. Detective
C. Deterrent
D. Preventative
Which of the following would be the BEST way for a risk practitioner to validate the effectiveness of a patching program?
A. Conduct penetration testing.
B. Interview IT operations personnel.
C. Conduct vulnerability scans.
D. Review change control board documentation.
The effectiveness of a control has decreased. What is the MOST likely effect on the associated risk?
A. The risk impact changes.
B. The risk classification changes.
C. The inherent risk changes.
D. The residual risk changes.
A risk practitioner has been notified of a social engineering attack using artificial intelligence (AI) technology to impersonate senior management personnel. Which of the following would BEST mitigate the impact of such attacks?
A. Training and awareness of employees for increased vigilance
B. Increased monitoring of executive accounts
C. Subscription to data breach monitoring sites
D. Suspension and takedown of malicious domains or accounts
Which of the following BEST supports an accurate asset inventory system?
A. Asset management metrics are aligned to industry benchmarks
B. Organizational information risk controls are continuously monitored
C. There are defined processes in place for onboarding assets
D. The asset management team is involved in the budgetary planning process
A vulnerability assessment of a vendor-supplied solution has revealed that the software is susceptible to cross-site scripting and SQL injection attacks. Which of the following will BEST mitigate this issue?
A. Monitor the databases for abnormal activity
B. Approve exception to allow the software to continue operating
C. Require the software vendor to remediate the vulnerabilities
D. Accept the risk and let the vendor run the software as is
A risk practitioner has been notified that an employee sent an email in error containing customers' personally identifiable information (PII). Which of the following is the risk practitioner's BEST course of action?
A. Report it to the chief risk officer.
B. Advise the employee to forward the email to the phishing team.
C. Follow incident reporting procedures.
D. Advise the employee to permanently delete the email.
After entering a large number of low-risk scenarios into the risk register, it is MOST important for the risk practitioner to:
A. prepare a follow-up risk assessment.
B. recommend acceptance of the risk scenarios.
C. reconfirm risk tolerance levels.
D. analyze changes to aggregate risk.
When performing a risk assessment of a new service to support a new business process, which of the following should be done FIRST to ensure continuity of operations?
A. Identify conditions that may cause disruptions
B. Review incident response procedures
C. Evaluate the probability of risk events
D. Define metrics for restoring availability
Which of the following is a risk practitioner's BEST course of action when a control is not meeting agreed-upon performance criteria?
A. Implement additional controls to further mitigate risk
B. Review performance results with the control owner
C. Redefine performance criteria based on control monitoring results
D. Recommend a tool to meet the performance requirements
A global organization is planning to collect customer behavior data through social media advertising. Which of the following is the MOST important business risk to be considered?
A. Regulatory requirements may differ in each country.
B. Data sampling may be impacted by various industry restrictions.
C. Business advertising will need to be tailored by country.
D. The data analysis may be ineffective in achieving objectives.
To enable effective integration of IT risk scenarios and enterprise risk management (ERM), it is MOST important to have a consistent approach to reporting:
A. Key risk indicators (KRIs).
B. Risk velocity.
C. Risk response plans and owners.
D. Risk impact and likelihood.
Which of the following should be the PRIMARY driver for the prioritization of risk responses?
A. Residual risk
B. Risk appetite
C. Mitigation cost
D. Inherent risk
Which of the following is the MOST important consideration when implementing ethical remote work monitoring?
A. Monitoring is only conducted between official hours of business
B. Employees are informed of how they are being monitored
C. Reporting on nonproductive employees is sent to management on a scheduled basis
D. Multiple data monitoring sources are integrated into security incident response procedures
Risk acceptance of an exception to a security control would MOST likely be justified when:
A. automation cannot be applied to the control
B. business benefits exceed the loss exposure.
C. the end-user license agreement has expired.
D. the control is difficult to enforce in practice.
Which of the following is the MOST useful input when developing risk scenarios?
A. Common attacks in other industries
B. Identification of risk events
C. Impact on critical assets
D. Probability of disruptive risk events
An organization is using a cloud service provider located in another country. Management becomes concerned about potential legal and regulatory risks due to differences in foreign legislation. What should the organization do FIRST?
A. Ensure compliance with local legislation because it has a higher priority.
B. Conduct a risk assessment and develop mitigation options.
C. Terminate the current cloud contract and migrate to a local cloud provider.
D. Accept the risk because foreign legislation does not apply to the organization.
Which of the following is the MOST appropriate key control indicator (KCI) to help an organization prevent successful cyber risk events on the external-facing infrastructure?
A. Increasing number of threat actors
B. Increasing number of intrusion detection system (IDS) false positive alerts
C. Increasing percentage of unpatched demilitarized zone (DMZ) servers
D. Increasing trend of perimeter attacks
A business delegates its application data management to the internal IT team. Which of the following is the role of the internal IT team in this situation?
A. Data controllers
B. Data custodians
C. Data analysts
D. Data owners
Which of the following is the MOST effective way to help ensure future risk levels do not exceed the organization's risk appetite?
A. Developing contingency plans for key processes
B. Implementing key performance indicators (KPIs)
C. Adding risk triggers to entries in the risk register
D. Establishing a series of key risk indicators (KRIs)
Which of the following would provide the MOST useful information for communicating an organization’s risk level to senior management?
A. A list of organizational threats
B. A high-level risk map
C. Specialized risk publications
D. A list of organizational vulnerabilities
An organization is measuring the effectiveness of its change management program to reduce the number of unplanned production changes. Which of the following would be the BEST metric to determine if the program is performing as expected?
A. Decrease in the time to move changes to production
B. Ratio of emergency fixes to total changes
C. Ratio of system changes to total changes
D. Decrease in number of changes without a fallback plan
A multinational organization is considering implementing standard background checks for all new employees. A KEY concern regarding this approach is that the checks may:
A. fail to identify all relevant issues.
B. be too costly.
C. violate laws in other countries.
D. be too time consuming.
A business is conducting a proof of concept on a vendor’s AI technology. Which of the following is the MOST important consideration for managing risk?
A. Use of a non-production environment
B. Regular security updates
C. Third-party management plan
D. Adequate vendor support
A business unit is updating a risk register with assessment results for a key project. Which of the following is MOST important to capture in the register?
A. The methodology used to perform the risk assessment
B. Action plans to address risk scenarios requiring treatment
C. Date and status of the last project milestone
D. The individuals assigned ownership of controls
How should an organization approach the retention of data that is no longer needed for business operations?
A. Data should be retained for a reasonable period of time in case of system rollback.
B. Data should be destroyed or retained on the basis of a cost-benefit analysis.
C. Data should be retained based on regulatory requirements.
D. Data should be destroyed to avoid any risk exposure.
Senior management has requested more information regarding the risk associated with introducing a new application into the environment. Which of the following should be done FIRST?
A. Perform an audit.
B. Conduct a risk analysis.
C. Develop risk scenarios.
D. Perform a cost-benefit analysis.
Which of the following BEST balances the costs and benefits of managing IT risk?
A. Prioritizing and addressing risk in line with risk appetite
B. Eliminating risk through preventive and detective controls
C. Considering risk that can be shared with a third party
D. Evaluating the probability and impact of risk scenarios
A failed IT system upgrade project has resulted in the corruption of an organization's asset inventory database. Which of the following controls BEST mitigates the impact of this incident?
A. Encryption
B. Authentication
C. Configuration
D. Backups
Of the following, who is BEST suited to assist a risk practitioner in developing a relevant set of risk scenarios?
A. Internal auditor
B. Asset owner
C. Finance manager
D. Control owner
When assessing the maturity level of an organization's risk management framework, which of the following deficiencies should be of GREATEST concern to a risk practitioner?
A. Unclear organizational risk appetite
B. Lack of senior management participation
C. Use of highly customized control frameworks
D. Reliance on qualitative analysis methods
In a public company, which group is PRIMARILY accountable for ensuring sufficient attention and resources are applied to the risk management process?
A. Board of directors
B. Risk officers
C. Line management
D. Senior management
Which of the following should be the PRIMARY concern when changes to firewall rules do not follow change management requirements?
A. Potential audit findings
B. Insufficient risk governance
C. Potential business impact
D. Inaccurate documentation
An IT organization is replacing the customer relationship management (CRM) system. Who should own the risk associated with customer data leakage caused by insufficient IT security controls for the new system?
A. Chief information security officer
B. Business process owner
C. Chief risk officer
D. IT controls manager
Which of the following is MOST important for managing ethical risk?
A. Involving senior management in resolving ethical disputes
B. Developing metrics to trend reported ethics violations
C. Identifying the ethical concerns of each stakeholder
D. Establishing a code of conduct for employee behavior
Which of the following is the PRIMARY reason to perform periodic vendor risk assessments?
A. To provide input to the organization's risk appetite
B. To monitor the vendor's control effectiveness
C. To verify the vendor's ongoing financial viability
D. To assess the vendor's risk mitigation plans
Which of the following is the MAIN benefit to an organization using key risk indicators (KRIs)?
A. KRIs provide an early warning that a risk threshold is about to be reached.
B. KRIs signal that a change in the control environment has occurred.
C. KRIs provide a basis to set the risk appetite for an organization.
D. KRIs assist in the preparation of the organization's risk profile.
Which of the following is the MOST important information to be communicated during security awareness training?
A. Management's expectations
B. Corporate risk profile
C. Recent security incidents
D. The current risk management capability
Which of the following is the BEST metric to measure employee adherence to organizational security policies?
A. Total number of security policy audit findings
B. Total number of regulatory violations
C. Total number of security policy exceptions
D. Total number of opened phishing emails
Which of the following should be an element of the risk appetite of an organization?
A. The effectiveness of compensating controls
B. The enterprise's capacity to absorb loss
C. The residual risk affected by preventive controls
D. The amount of inherent risk considered appropriate
Which of the following is MOST important to consider when determining risk appetite?
A. Service level agreements (SLAs)
B. Risk heat map
C. IT capacity
D. Risk culture
Which of the following is the PRIMARY benefit when senior management periodically reviews and updates risk appetite and tolerance levels?
A. It ensures compliance with the risk management framework.
B. It ensures an effective risk aggregation process.
C. It ensures decisions are risk-informed.
D. It ensures a consistent approach for risk assessments.
Which of the following should be done FIRST when developing a data protection management plan?
A. Perform a cost-benefit analysis.
B. Identify critical data.
C. Establish a data inventory.
D. Conduct a risk analysis.
When is the BEST time to identify risk associated with a major project in order to determine a mitigation plan?
A. Project execution phase
B. Project initiation phase
C. Project closing phase
D. Project planning phase
Which of the following is the BEST way for a risk practitioner to help management prioritize risk response?
A. Align business objectives to the risk profile.
B. Assess risk against business objectives.
C. Implement an organization-specific risk taxonomy.
D. Explain risk details to management.
During a review of an organization’s risk management practices, an auditor notices that the identified risk scenarios do not reflect recent changes in the business environment, such as new technologies and emerging threats. Which of the following is the MOST likely cause of this issue?
A. Some risk remediation activities from the last assessment are still in progress.
B. The risk scenarios have never been updated.
C. The risk scenario development process was led by an external consultant.
D. The number of risk scenarios is very high.
A data processing center operates in a jurisdiction where new regulations have significantly increased penalties for data breaches. Which of the following elements of the risk register is MOST important to update to reflect this change?
A. Risk impact
B. Risk trend
C. Risk appetite
D. Risk likelihood
Which of the following is the MOST effective way to mitigate identified risk scenarios?
A. Assign ownership of the risk response plan
B. Provide awareness in early detection of risk.
C. Perform periodic audits on identified risk areas.
D. Document the risk tolerance of the organization.
IT risk assessments can BEST be used by management:
A. for compliance with laws and regulations
B. as a basis for cost-benefit analysis.
C. as input for decision-making
D. to measure organizational success.
An organizational policy requires critical security patches to be deployed in production within three weeks of patch availability. Which of the following is the BEST metric to verify adherence to the policy?
A. Maximum time gap between patch availability and deployment
B. Percentage of critical patches deployed within three weeks
C. Minimum time gap between patch availability and deployment
D. Number of critical patches deployed within three weeks
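The patching metric question above is one of the few on this page where the difference between the answer options can be shown concretely rather than argued. The following is an added example, not part of the original page or of any ISACA material, that computes all four candidate metrics over a constructed set of patch records, including the edge case of patches that are still undeployed on the reporting date. The PatchRecord fields, the patch identifiers and the dates are made up for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Policy from the question: critical patches must reach production within
# three weeks of patch availability.
POLICY_WINDOW = timedelta(weeks=3)


@dataclass(frozen=True)
class PatchRecord:
    patch_id: str              # hypothetical identifier, not a real advisory ID
    available: date            # date the vendor made the critical patch available
    deployed: Optional[date]   # date deployed to production; None if still open


# Constructed sample data for the example (no real environment behind it).
SAMPLE_PATCHES = [
    PatchRecord("CP-001", date(2024, 1, 5), date(2024, 1, 15)),   # 10 days: compliant
    PatchRecord("CP-002", date(2024, 1, 10), date(2024, 2, 20)),  # 41 days: late
    PatchRecord("CP-003", date(2024, 2, 1), date(2024, 2, 5)),    # 4 days: compliant
    PatchRecord("CP-004", date(2024, 2, 14), None),               # open, window expired: late
    PatchRecord("CP-005", date(2024, 3, 20), None),               # open, window still running: pending
]
AS_OF = date(2024, 3, 31)  # reporting date for the constructed sample


def gap_days(rec: PatchRecord, as_of: date) -> int:
    """Days from availability to deployment, or to the reporting date if still open."""
    end = rec.deployed if rec.deployed is not None else as_of
    return (end - rec.available).days


def patch_metrics(patches, as_of: date, window: timedelta = POLICY_WINDOW) -> dict:
    """Compute the four candidate metrics from the question over one patch population.

    A patch counts as compliant only if it was actually deployed within the window.
    An undeployed patch whose window has already expired is late, not ignored;
    an undeployed patch still inside its window is pending and is excluded from
    the percentage denominator because the policy cannot yet have been breached.
    """
    limit = window.days
    compliant = late = pending = 0
    gaps = []
    overdue_open = []
    for rec in patches:
        g = gap_days(rec, as_of)
        gaps.append(g)
        if rec.deployed is not None and g <= limit:
            compliant += 1
        elif g > limit:
            late += 1
            if rec.deployed is None:
                overdue_open.append(rec.patch_id)
        else:
            pending += 1
    evaluated = compliant + late
    return {
        # Option B: normalised, so it reads the same regardless of patch volume.
        "percent_within_window": round(100.0 * compliant / evaluated, 1) if evaluated else None,
        # Option D: raw count, grows with volume even when compliance is unchanged.
        "count_within_window": compliant,
        # Option A: a single outlier drives this; it says nothing about the rest.
        "max_gap_days": max(gaps) if gaps else None,
        # Option C: the best case, which is irrelevant to policy adherence.
        "min_gap_days": min(gaps) if gaps else None,
        "pending": pending,
        "overdue_open": overdue_open,
    }


def demo_metrics() -> dict:
    """Metrics for the constructed sample as of the reporting date."""
    return patch_metrics(SAMPLE_PATCHES, AS_OF)


if __name__ == "__main__":
    for name, value in demo_metrics().items():
        print(f"{name}: {value}")
    # Doubling the population leaves the percentage unchanged but doubles the
    # count, which is why a raw count cannot verify adherence to the policy.
    print(patch_metrics(SAMPLE_PATCHES * 2, AS_OF)["count_within_window"])
```

On the sample, two of the four patches whose window has closed were deployed in time (50%), the maximum gap is driven entirely by the one patch still open since February, and the minimum gap of four days would look identical in a fully compliant and a badly failing program. Feeding the same records in twice doubles the count while the percentage stays at 50%, which is the property that makes the percentage the metric to report against a time-bound policy.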
Which of the following is the GREATEST benefit of involving business owners in risk scenario development?
A. Business owners have the ability to effectively manage risk.
B. Business owners have authority to approve control implementation.
C. Business owners understand the residual risk of competitors.
D. Business owners are able to assess the impact.
An organization with a large number of applications wants to establish a security risk assessment program. Which of the following would provide the MOST useful information when determining the frequency of risk assessments?
A. Feedback from end users
B. Results of a benchmark analysis
C. Recommendations from internal audit
D. Prioritization from business owners
The PRIMARY advantage of implementing an IT risk management framework is the:
A. establishment of a reliable basis for risk-aware decision making.
B. compliance with relevant legal and regulatory requirements.
C. improvement of controls within the organization and minimized losses.
D. alignment of business goals with IT objectives.
Which of the following should be included in a risk scenario to be used for risk analysis?
A. Risk appetite
B. Threat type
C. Risk tolerance
D. Residual risk
During a data loss incident, which role in the RACI chart would be aligned to the risk practitioner?
A. Responsible
B. Accountable
C. Informed
D. Consulted
Which of the following will BEST help in communicating strategic risk priorities?
A. Heat map
B. Business impact analysis (BIA)
C. Balanced Scorecard
D. Risk register
Which of the following risk activities is BEST facilitated by enterprise architecture (EA)?
A. Aligning business unit risk responses to organizational priorities
B. Determining attack likelihood per business unit
C. Adjusting business unit risk tolerances
D. Customizing incident response plans for each business unit
Numerous media reports indicate a recently discovered technical vulnerability is being actively exploited. Which of the following would be the BEST response to this scenario?
A. Assess the vulnerability management process.
B. Conduct a control self-assessment.
C. Conduct a vulnerability assessment.
D. Reassess the inherent risk of the target.
Which of the following is the BEST way to prevent the loss of highly sensitive data when disposing of storage media?
A. Physical destruction
B. Degaussing
C. Data anonymization
D. Data deletion
Which of the following is MOST likely to introduce risk for financial institutions that use blockchain?
A. Cost of implementation
B. Implementation of unproven applications
C. Disruption to business processes
D. Increase in attack surface area
Which of the following is the BEST approach when a risk practitioner has been asked by a business unit manager for special consideration during a risk assessment of a system?
A. Conduct an abbreviated version of the assessment.
B. Report the business unit manager for a possible ethics violation.
C. Perform the assessment as it would normally be done.
D. Recommend an internal auditor perform the review.
Which of the following should be management's PRIMARY consideration when approving risk response action plans?
A. Ability of the action plans to address multiple risk scenarios
B. Ease of implementing the risk treatment solution
C. Changes in residual risk after implementing the plans
D. Prioritization for implementing the action plans
An organization has implemented a cloud-based backup solution to help prevent loss of transactional data from offices in an earthquake zone. This strategy demonstrates risk:
A. Avoidance
B. Mitigation
C. Transfer
D. Acceptance
Which of the following is the BEST indication of an improved risk-aware culture following the implementation of a security awareness training program for all employees?
A. A reduction in the number of help desk calls
B. An increase in the number of identified system flaws
C. A reduction in the number of user access resets
D. An increase in the number of incidents reported
When defining thresholds for control key performance indicators (KPIs), it is MOST helpful to align:
A. information risk assessments with enterprise risk assessments.
B. key risk indicators (KRIs) with risk appetite of the business.
C. the control key performance indicators (KPIs) with audit findings.
D. control performance with risk tolerance of business owners.
The PRIMARY reason a risk practitioner would be interested in an internal audit report is to:
A. plan awareness programs for business managers.
B. evaluate maturity of the risk management process.
C. assist in the development of a risk profile.
D. maintain a risk register based on noncompliance.
An information security audit identified a risk resulting from the failure of an automated control. Who is responsible for ensuring the risk register is updated accordingly?
A. The risk practitioner
B. The risk owner
C. The control owner
D. The audit manager
Which of the following is the BEST indication that key risk indicators (KRIs) should be revised?
A. A decrease in the number of critical assets covered by risk thresholds
B. An increase in the number of risk threshold exceptions
C. An increase in the number of change events pending management review
D. A decrease in the number of key performance indicators (KPIs)
Which of the following provides the BEST level of assurance to an organization that its vendors' controls are effective?
A. Control matrix documentation
B. Vendor security reports
C. Service Level Agreement (SLA)
D. An independent third-party audit
The MOST essential content to include in an IT risk awareness program is how to:
A. define the IT risk framework for the organization
B. populate risk register entries and build a risk profile for management reporting
C. comply with the organization's IT risk and information security policies
D. prioritize IT-related actions by considering risk appetite and risk tolerance
An organization has decided to use an external auditor to review the control environment of an outsourced service provider. The BEST control criteria to evaluate the provider would be based on:
A. a recognized industry control framework
B. guidance provided by the external auditor
C. the service provider's existing controls
D. The organization's specific control requirements
A control owner identifies that the organization's shared drive contains personally identifiable information (PII) that can be accessed by all personnel. Which of the following is the MOST effective risk response?
A. Protect sensitive information with access controls.
B. Implement a data loss prevention (DLP) solution.
C. Re-communicate the data protection policy.
D. Implement a data encryption solution.
A PRIMARY function of the risk register is to provide supporting information for the development of an organization's risk:
A. strategy.
B. profile.
C. process.
D. map.
Which of the following BEST enables effective risk reporting to the board of directors?
A. Presenting case studies of breaches from other similar organizations
B. Mapping risk scenarios to findings identified by internal audit
C. Communicating in terms that correlate to corporate objectives and business value
D. Reporting key metrics that indicate the efficiency and effectiveness of risk governance
Which of the following offers the SIMPLEST overview of changes in an organization's risk profile?
A. A risk roadmap
B. A balanced scorecard
C. A heat map
D. The risk register
An organization delegates its data processing to the internal IT team to manage information through its applications. Which of the following is the role of the internal IT team in this situation?
A. Data controllers
B. Data processors
C. Data custodians
D. Data owners
Which of the following is MOST helpful in verifying that the implementation of a risk mitigation control has been completed as intended?
A. An updated risk register
B. Risk assessment results
C. Technical control validation
D. Control testing results
A business unit has implemented robotic process automation (RPA) for its repetitive back-office tasks. Which of the following should be the risk practitioner's GREATEST concern?
A. The security team is unaware of the implementation.
B. The organization may lose institutional knowledge.
C. The robots may fail to work effectively.
D. Virtual clients are used for implementation.
To minimize the risk of a potential acquisition being exposed externally, an organization has selected a few key employees to be engaged in the due diligence process. A member of the due diligence team realizes a close acquaintance is a high-ranking IT professional at a subsidiary of the company about to be acquired. What is the BEST course of action for this team member?
A. Enforce segregation of duties.
B. Disclose potential conflicts of interest.
C. Delegate responsibilities involving the acquaintance.
D. Notify the subsidiary's legal team.
Which of the following is the BEST way to ensure data is properly sanitized while in cloud storage?
A. Deleting the data from the file system
B. Cryptographically scrambling the data
C. Formatting the cloud storage at the block level
D. Degaussing the cloud storage media
Which of the following is the BEST way for a risk practitioner to present an annual risk management update to the board?
A. A summary of risk response plans with validation results
B. A report with control environment assessment results
C. A dashboard summarizing key risk indicators (KRIs)
D. A summary of IT risk scenarios with business cases
An organization uses one centralized single sign-on (SSO) control to cover many applications. Which of the following is the BEST course of action when a new application is added to the environment after testing of the SSO control has been completed?
A. Initiate a retest of the full control
B. Retest the control using the new application as the only sample.
C. Review the corresponding change control documentation
D. Re-evaluate the control during the next assessment
When assessing the maturity level of an organization's risk management framework, which of the following should be of GREATEST concern to a risk practitioner?
A. Reliance on qualitative analysis methods
B. Lack of a governance, risk, and compliance (GRC) tool
C. Lack of senior management involvement
D. Use of multiple risk registers
The BEST key performance indicator (KPI) to measure the effectiveness of a backup process would be the number of:
A. resources to monitor backups
B. restoration monitoring reports
C. backup recovery requests
D. recurring restore failures
Which of the following scenarios represents a threat?
A. Connecting a laptop to a free, open, wireless access point (hotspot)
B. Visitors not signing in as per policy
C. Storing corporate data in unencrypted form on a laptop
D. A virus transmitted on a USB thumb drive
In an organization with a mature risk management program, which of the following would provide the BEST evidence that the IT risk profile is up to date?
A. Risk questionnaire
B. Risk register
C. Management assertion
D. Compliance manual
An organization has implemented a preventive control to lock user accounts after three unsuccessful login attempts. This practice has been proven to be unproductive, and a change in the control threshold value has been recommended. Who should authorize changing this threshold?
A. Risk owner
B. IT security manager
C. IT system owner
D. Control owner
Which of the following is MOST important to update following a change in organizational risk appetite and tolerance?
A. Business impact assessment (BIA)
B. Key performance indicators (KPIs)
C. Risk profile
D. Industry benchmark analysis
A risk practitioner is reviewing the status of an action plan to mitigate an emerging IT risk and finds the risk level has increased. The BEST course of action would be to:
A. implement the planned controls and accept the remaining risk.
B. suspend the current action plan in order to reassess the risk.
C. revise the action plan to include additional mitigating controls.
D. evaluate whether selected controls are still appropriate.
Which of the following is the MOST comprehensive input to the risk assessment process specific to the effects of system downtime?
A. Business continuity plan (BCP) testing results
B. Recovery time objective (RTO)
C. Business impact analysis (BIA) results
D. Recovery point objective (RPO)
An organization is concerned that its employees may be unintentionally disclosing data through the use of social media sites. Which of the following will MOST effectively mitigate this risk?
A. Requiring the use of virtual private networks (VPNs)
B. Establishing a data classification policy
C. Conducting user awareness training
D. Requiring employee agreement of the acceptable use policy
Which of the following will BEST ensure that controls adequately support business goals and objectives?
A. Using the risk management process
B. Enforcing strict disciplinary procedures in case of noncompliance
C. Reviewing results of the annual company external audit
D. Adopting internationally accepted controls
A failure in an organization’s IT system build process has resulted in several computers on the network missing the corporate endpoint detection and response (EDR) software. Which of the following should be the risk practitioner's IMMEDIATE concern?
A. Threats are not being detected.
B. Multiple corporate build images exist.
C. The IT build process was not followed.
D. The process documentation was not updated.
A recent risk workshop has identified risk owners and responses for newly identified risk scenarios. Which of the following should be the risk practitioner's NEXT step?
A. Develop a mechanism for monitoring residual risk.
B. Update the risk register with the results.
C. Prepare a business case for the response options.
D. Identify resources for implementing responses.
Management has required information security awareness training to reduce the risk associated with credential compromise. What is the BEST way to assess the effectiveness of the training?
A. Conduct social engineering testing.
B. Audit security awareness training materials.
C. Administer an end-of-training quiz.
D. Perform a vulnerability assessment.
Which of the following is the BEST indicator of the effectiveness of IT risk management processes?
A. Percentage of business users completing risk training
B. Percentage of high-risk scenarios for which risk action plans have been developed
C. Number of key risk indicators (KRIs) defined
D. Time between when IT risk scenarios are identified and the enterprise's response
Which of the following would be MOST important for a risk practitioner to provide to the internal audit department during the audit planning process?
A. Closed management action plans from the previous audit
B. Annual risk assessment results
C. An updated vulnerability management report
D. A list of identified generic risk scenarios
The PRIMARY goal of a risk management program is to:
A. facilitate resource availability.
B. help ensure objectives are met.
C. safeguard corporate assets.
D. help prevent operational losses.