CRISC Premium Bundle

Certified in Risk and Information Systems Control Certification Exam

Last update: November 15, 2024

Isaca CRISC Free Practice Questions

Exact CRISC exam prep materials and test engine for the Isaca certification for IT professionals. Real success guaranteed with updated CRISC PDF and VCE dump materials. 100% pass the Certified in Risk and Information Systems Control exam today!

Online Isaca CRISC free dumps demo below:

NEW QUESTION 1

Which of the following BEST indicates whether security awareness training is effective?

  • A. User self-assessment
  • B. User behavior after training
  • C. Course evaluation
  • D. Quality of training materials

Answer: B

NEW QUESTION 2

Which of the following is the MOST effective way to integrate risk and compliance management?

  • A. Embedding risk management into compliance decision-making
  • B. Designing corrective actions to improve risk response capabilities
  • C. Embedding risk management into processes that are aligned with business drivers
  • D. Conducting regular self-assessments to verify compliance

Answer: C

NEW QUESTION 3

A risk manager has determined there is excessive risk with a particular technology. Who is the BEST person to own the unmitigated risk of the technology?

  • A. IT system owner
  • B. Chief financial officer
  • C. Chief risk officer
  • D. Business process owner

Answer: D

NEW QUESTION 4

Which of the following is the MOST critical element to maximize the potential for a successful security implementation?

  • A. The organization's knowledge
  • B. Ease of implementation
  • C. The organization's culture
  • D. Industry-leading security tools

Answer: C

NEW QUESTION 5

An external security audit has reported multiple findings related to control noncompliance. Which of the following would be MOST important for the risk practitioner to communicate to senior management?

  • A. A recommendation for internal audit validation
  • B. Plans for mitigating the associated risk
  • C. Suggestions for improving risk awareness training
  • D. The impact to the organization’s risk profile

Answer: B

NEW QUESTION 6

Which of the following is the BEST way to promote adherence to the risk tolerance level set by management?

  • A. Defining expectations in the enterprise risk policy
  • B. Increasing organizational resources to mitigate risks
  • C. Communicating external audit results
  • D. Avoiding risks that could materialize into substantial losses

Answer: D

NEW QUESTION 7

An organization has decided to outsource a web application, and customer data will be stored in the vendor's public cloud. To protect customer data, it is MOST important to ensure which of the following?

  • A. The organization's incident response procedures have been updated.
  • B. The vendor stores the data in the same jurisdiction.
  • C. Administrative access is only held by the vendor.
  • D. The vendor's responsibilities are defined in the contract.

Answer: D

NEW QUESTION 8

A newly enacted information privacy law significantly increases financial penalties for breaches of personally identifiable information (PII). Which of the following is the MOST likely outcome for an organization affected by the new law?

  • A. Increase in compliance breaches
  • B. Increase in loss event impact
  • C. Increase in residual risk
  • D. Increase in customer complaints

Answer: B

NEW QUESTION 9

During the risk assessment of an organization that processes credit cards, a number of existing controls have been found to be ineffective and do not meet industry standards. The overall control environment may still be effective if:

  • A. compensating controls are in place.
  • B. a control mitigation plan is in place.
  • C. risk management is effective.
  • D. residual risk is accepted.

Answer: A

NEW QUESTION 10

The MAIN purpose of conducting a control self-assessment (CSA) is to:

  • A. gain a better understanding of the control effectiveness in the organization
  • B. gain a better understanding of the risk in the organization
  • C. adjust the controls prior to an external audit
  • D. reduce the dependency on external audits

Answer: A

NEW QUESTION 11

Which of the following IT controls is MOST useful in mitigating the risk associated with inaccurate data?

  • A. Encrypted storage of data
  • B. Links to source data
  • C. Audit trails for updates and deletions
  • D. Check totals on data records and data fields

Answer: C

NEW QUESTION 12

An organization has identified that terminated employee accounts are not disabled or deleted within the time required by corporate policy. Unsure of the reason, the organization has decided to monitor the situation for three months to obtain more information. As a result of this decision, the risk has been:

  • A. avoided.
  • B. accepted.
  • C. mitigated.
  • D. transferred.

Answer: B

NEW QUESTION 13

Mapping open risk issues to an enterprise risk heat map BEST facilitates:

  • A. risk response.
  • B. control monitoring.
  • C. risk identification.
  • D. risk ownership.

Answer: D

NEW QUESTION 14

Which of the following is the MAIN reason to continuously monitor IT-related risk?

  • A. To redefine the risk appetite and risk tolerance levels based on changes in risk factors
  • B. To update the risk register to reflect changes in levels of identified and new IT-related risk
  • C. To ensure risk levels are within acceptable limits of the organization's risk appetite and risk tolerance
  • D. To help identify root causes of incidents and recommend suitable long-term solutions

Answer: C

NEW QUESTION 15

Which of the following elements of a risk register is MOST likely to change as a result of change in management's risk appetite?

  • A. Key risk indicator (KRI) thresholds
  • B. Inherent risk
  • C. Risk likelihood and impact
  • D. Risk velocity

Answer: A

NEW QUESTION 16

Which of the following will BEST help an organization select a recovery strategy for critical systems?

  • A. Review the business impact analysis.
  • B. Create a business continuity plan.
  • C. Analyze previous disaster recovery reports.
  • D. Conduct a root cause analysis.

Answer: A

NEW QUESTION 17

Which of the following is the BEST indication of an effective risk management program?

  • A. Risk action plans are approved by senior management.
  • B. Residual risk is within the organizational risk appetite.
  • C. Mitigating controls are designed and implemented.
  • D. Risk is recorded and tracked in the risk register.

Answer: B

NEW QUESTION 18

Which of the following provides the BEST evidence of the effectiveness of an organization's account provisioning process?

  • A. User provisioning
  • B. Role-based access controls
  • C. Security log monitoring
  • D. Entitlement reviews

Answer: B

NEW QUESTION 19

Which of the following is the GREATEST concern when using a generic set of IT risk scenarios for risk analysis?

  • A. Quantitative analysis might not be possible.
  • B. Risk factors might not be relevant to the organization.
  • C. Implementation costs might increase.
  • D. Inherent risk might not be considered.

Answer: B

NEW QUESTION 20

The number of tickets to rework application code has significantly exceeded the established threshold. Which of the following would be the risk practitioner's BEST recommendation?

  • A. Perform a root cause analysis.
  • B. Perform a code review.
  • C. Implement version control software.
  • D. Implement training on coding best practices.

Answer: A

NEW QUESTION 21

Which of the following would BEST enable mitigation of newly identified risk factors related to the Internet of Things (IoT)?

  • A. Introducing control procedures early in the life cycle
  • B. Implementing IoT device software monitoring
  • C. Performing periodic risk assessments of IoT
  • D. Performing secure code reviews

Answer: A

NEW QUESTION 22

During an IT risk scenario review session, business executives question why they have been assigned ownership of IT-related risk scenarios. They feel IT risk is technical in nature and therefore should be owned by IT. Which of the following is the BEST way for the risk practitioner to address these concerns?

  • A. Describe IT risk scenarios in terms of business risk.
  • B. Recommend the formation of an executive risk council to oversee IT risk.
  • C. Provide an estimate of IT system downtime if IT risk materializes.
  • D. Educate business executives on IT risk concepts.

Answer: A

NEW QUESTION 23

A data processing center operates in a jurisdiction where new regulations have significantly increased penalties for data breaches. Which of the following elements of the risk register is MOST important to update to reflect this change?

  • A. Risk impact
  • B. Risk trend
  • C. Risk appetite
  • D. Risk likelihood

Answer: A

NEW QUESTION 24
......

100% valid and newest version CRISC Questions & Answers shared by Allfreedumps.com. Get the full dumps here: https://www.allfreedumps.com/CRISC-dumps.html (New 285 Q&As)
