CRISC Premium Bundle

Certified in Risk and Information Systems Control Certification Exam

Rating: 4.5 (52965 ratings)
Last update: May 3, 2024

Isaca CRISC Free Practice Questions

We provide downloadable Isaca CRISC sample questions, which are the best for clearing the CRISC test and getting certified by Isaca as Certified in Risk and Information Systems Control. The CRISC Questions & Answers cover all the knowledge points of the real CRISC exam. Crack your Isaca CRISC exam with the latest dumps, guaranteed!

Check CRISC free dumps before getting the full version:

NEW QUESTION 1

Quantifying the value of a single asset helps the organization to understand the:

  • A. overall effectiveness of risk management
  • B. consequences of risk materializing
  • C. necessity of developing a risk strategy.
  • D. organization's risk threshold.

Answer: B

NEW QUESTION 2

A new policy has been published to forbid copying of data onto removable media. Which type of control has been implemented?

  • A. Preventive
  • B. Detective
  • C. Directive
  • D. Deterrent

Answer: C

NEW QUESTION 3

An organization has opened a subsidiary in a foreign country. Which of the following would be the BEST way to measure the effectiveness of the subsidiary's IT systems controls?

  • A. Implement IT systems in alignment with business objectives.
  • B. Review metrics and key performance indicators (KPIs).
  • C. Review design documentation of IT systems.
  • D. Evaluate compliance with legal and regulatory requirements.

Answer: B

NEW QUESTION 4

Which of the following is the BEST way to support communication of emerging risk?

  • A. Update residual risk levels to reflect the expected risk impact.
  • B. Adjust inherent risk levels upward.
  • C. Include it on the next enterprise risk committee agenda.
  • D. Include it in the risk register for ongoing monitoring.

Answer: D

NEW QUESTION 5

Which of the following is MOST important to review when determining whether a potential IT service provider's control environment is effective?

  • A. Independent audit report
  • B. Control self-assessment
  • C. Key performance indicators (KPIs)
  • D. Service level agreements (SLAs)

Answer: A

NEW QUESTION 6

An organization that has been the subject of multiple social engineering attacks is developing a risk awareness program. The PRIMARY goal of this program should be to:

  • A. reduce the risk to an acceptable level.
  • B. communicate the consequences for violations.
  • C. implement industry best practices.
  • D. reduce the organization's risk appetite.

Answer: B

NEW QUESTION 7

An internal audit report reveals that not all IT application databases have encryption in place. Which of the following information would be MOST important for assessing the risk impact?

  • A. The number of users who can access sensitive data
  • B. A list of unencrypted databases which contain sensitive data
  • C. The reason some databases have not been encrypted
  • D. The cost required to enforce encryption

Answer: B

NEW QUESTION 8

The PRIMARY benefit associated with key risk indicators (KRIs) is that they:

  • A. help an organization identify emerging threats.
  • B. benchmark the organization's risk profile.
  • C. identify trends in the organization's vulnerabilities.
  • D. enable ongoing monitoring of emerging risk.

Answer: A

NEW QUESTION 9

Which of the following should be the PRIMARY objective of promoting a risk-aware culture within an organization?

  • A. Better understanding of the risk appetite
  • B. Improving audit results
  • C. Enabling risk-based decision making
  • D. Increasing process control efficiencies

Answer: C

NEW QUESTION 10

A risk practitioner's PRIMARY focus when validating a risk response action plan should be that the risk response:

  • A. reduces risk to an acceptable level.
  • B. quantifies risk impact.
  • C. aligns with business strategy.
  • D. advances business objectives.

Answer: A

NEW QUESTION 11

Numerous media reports indicate a recently discovered technical vulnerability is being actively exploited. Which of the following would be the BEST response to this scenario?

  • A. Assess the vulnerability management process.
  • B. Conduct a control self-assessment.
  • C. Conduct a vulnerability assessment.
  • D. Reassess the inherent risk of the target.

Answer: C

NEW QUESTION 12

Which of the following would BEST help to ensure that identified risk is efficiently managed?

  • A. Reviewing the maturity of the control environment
  • B. Regularly monitoring the project plan
  • C. Maintaining a key risk indicator for each asset in the risk register
  • D. Periodically reviewing controls per the risk treatment plan

Answer: D

NEW QUESTION 13

Management has noticed storage costs have increased exponentially over the last 10 years because most users do not delete their emails. Which of the following can BEST alleviate this issue while not sacrificing security?

  • A. Implementing record retention tools and techniques
  • B. Establishing e-discovery and data loss prevention (DLP)
  • C. Sending notifications when near storage quota
  • D. Implementing a bring your own device (BYOD) policy

Answer: A

NEW QUESTION 14

Which of the following tools is MOST effective in identifying trends in the IT risk profile?

  • A. Risk self-assessment
  • B. Risk register
  • C. Risk dashboard
  • D. Risk map

Answer: C

NEW QUESTION 15

After a high-profile systems breach at an organization's key vendor, the vendor has implemented additional mitigating controls. The vendor has voluntarily shared the following set of assessments:
Which of the assessments provides the MOST reliable input to evaluate residual risk in the vendor's control environment?
[Exhibit: image of the shared assessments not included in this extract]

  • A. External audit
  • B. Internal audit
  • C. Vendor performance scorecard
  • D. Regulatory examination

Answer: B

NEW QUESTION 16

Reviewing results from which of the following is the BEST way to identify information systems control deficiencies?

  • A. Vulnerability and threat analysis
  • B. Control remediation planning
  • C. User acceptance testing (UAT)
  • D. Control self-assessment (CSA)

Answer: D

NEW QUESTION 17

Which of the following is the BEST way to identify changes to the risk landscape?

  • A. Internal audit reports
  • B. Access reviews
  • C. Threat modeling
  • D. Root cause analysis

Answer: C

NEW QUESTION 18

Which of the following is the GREATEST concern associated with redundant data in an organization's inventory system?

  • A. Poor access control
  • B. Unnecessary data storage usage
  • C. Data inconsistency
  • D. Unnecessary costs of program changes

Answer: C

NEW QUESTION 19

A business manager wants to leverage an existing approved vendor solution from another area within the organization. Which of the following is the risk practitioner's BEST course of action?

  • A. Recommend allowing the new usage based on prior approval.
  • B. Request a new third-party review.
  • C. Request revalidation of the original use case.
  • D. Assess the risk associated with the new use case.

Answer: D

NEW QUESTION 20

Which of the following is the BEST key performance indicator (KPI) for determining how well an IT policy is aligned to business requirements?

  • A. Total cost to support the policy
  • B. Number of exceptions to the policy
  • C. Total cost of policy breaches
  • D. Number of inquiries regarding the policy

Answer: C

NEW QUESTION 21

Several network user accounts were recently created without the required management approvals. Which of the following would be the risk practitioner's BEST recommendation to address this situation?

  • A. Conduct a comprehensive compliance review.
  • B. Develop incident response procedures for noncompliance.
  • C. Investigate the root cause of noncompliance.
  • D. Declare a security breach and inform management.

Answer: C

NEW QUESTION 22

What is the BEST information to present to business control owners when justifying costs related to controls?

  • A. Loss event frequency and magnitude
  • B. The previous year's budget and actuals
  • C. Industry benchmarks and standards
  • D. Return on IT security-related investments

Answer: D

NEW QUESTION 23

An IT risk practitioner has determined that mitigation activities differ from an approved risk action plan. Which of the following is the risk practitioner's BEST course of action?

  • A. Report the observation to the chief risk officer (CRO).
  • B. Validate the adequacy of the implemented risk mitigation measures.
  • C. Update the risk register with the implemented risk mitigation actions.
  • D. Revert the implemented mitigation measures until approval is obtained.

Answer: A

NEW QUESTION 24
......

P.S. Downloadfreepdf.net is now offering CRISC dumps with a 100% pass guarantee! All CRISC exam questions have been updated with correct answers: https://www.downloadfreepdf.net/CRISC-pdf-download.html (285 New Questions)
