ISACA CRISC Practice Test

Certified in Risk and Information Systems Control

Last exam update: Nov 24 ,2023
Page 1 out of 72
Viewing questions 1-15 out of 1089

Question 1 Topic 4

The PRIMARY reason for prioritizing risk scenarios is to:

  • A. facilitate risk response decisions.
  • B. support risk response tracking.
  • C. assign risk ownership.
  • D. provide an enterprise-wide view of risk.

Answer: A

Question 2 Topic 4

A third-party vendor has offered to perform user access provisioning and termination. Which of the following control
accountabilities is BEST retained within the organization?

  • A. Reviewing access control lists
  • B. Performing user access recertification
  • C. Authorizing user access requests
  • D. Terminating inactive user access

Answer: C

Question 3 Topic 4

In order to determine if a risk is under-controlled, the risk practitioner will need to:

  • A. determine the sufficiency of the IT risk budget.
  • B. monitor and evaluate IT performance.
  • C. identify risk management best practices.
  • D. understand the risk tolerance.

Answer: D

Question 4 Topic 4

Which of the following is the BEST way to quantify the likelihood of risk materialization?

  • A. Balanced scorecard
  • B. Business impact analysis (BIA)
  • C. Threat and vulnerability assessment
  • D. Compliance assessments

Answer: C

Question 5 Topic 4

Which of the following is the PRIMARY responsibility of the first line of defense related to computer-enabled fraud?

  • A. Ensuring that risk and control assessments consider fraud
  • B. Implementing processes to detect and deter fraud
  • C. Providing oversight of risk management processes
  • D. Monitoring the results of actions taken to mitigate fraud

Answer: B

Question 6 Topic 4

Which of the following is MOST important for an organization to update following a change in legislation requiring notification
to individuals impacted by data breaches?

  • A. Security awareness training
  • B. Policies and standards
  • C. Risk appetite and tolerance
  • D. Insurance coverage

Answer: B

Question 7 Topic 4

An organization striving to be on the leading edge in regard to risk monitoring would MOST likely implement:

  • A. a tool for monitoring critical activities and controls.
  • B. procedures to monitor the operation of controls.
  • C. real-time monitoring of risk events and control exceptions.
  • D. monitoring activities for all critical assets.

Answer: C

Question 8 Topic 4

Which of the following is MOST helpful to understand the consequences of an IT risk event?

  • A. Fault tree analysis
  • B. Root cause analysis
  • C. Business impact analysis (BIA)
  • D. Historical trend analysis

Answer: C

Question 9 Topic 4

What information related to a system vulnerability would be MOST useful to management in making an effective risk-based
decision?

  • A. Consequences if the vulnerability is exploited
  • B. Availability of patches to mitigate the vulnerability
  • C. Vulnerability scanning tools currently in place
  • D. Risk mitigation plans for the vulnerability

Answer: A

Question 10 Topic 4

Which of the following risk-related information is MOST valuable to senior management when formulating an IT strategic
plan?

  • A. Risk mitigation plans
  • B. IT risk appetite statement
  • C. Emerging IT risk scenarios
  • D. Key risk indicators (KRIs)

Answer: D

Question 11 Topic 4

Before assigning sensitivity levels to information, it is MOST important to:

  • A. define the information classification policy.
  • B. conduct a sensitivity analysis.
  • C. identify information custodians.
  • D. define recovery time objectives (RTOs).

Answer: A

Question 12 Topic 4

Within the three lines of defense model, the accountability for the system of internal controls resides with:

  • A. enterprise risk management.
  • B. the risk practitioner.
  • C. the chief information officer (CIO).
  • D. the board of directors.

Answer: A

Question 13 Topic 4

The PRIMARY purpose of using a framework for risk analysis is to:

  • A. help define risk tolerance.
  • B. help develop risk scenarios.
  • C. improve consistency.
  • D. improve accountability.

Answer: C

Question 14 Topic 4

Which of the following will BEST help to ensure the continued effectiveness of the IT risk management function within an
organization experiencing high employee turnover?

  • A. Change and release management
  • B. Well-documented policies and procedures
  • C. Risk and issue tracking
  • D. An IT strategy committee

Answer: B

Question 15 Topic 4

Which of the following is MOST important to review when determining whether a potential IT service provider's control
environment is effective?

  • A. Control self-assessment (CSA)
  • B. Service level agreements (SLAs)
  • C. Key performance indicators (KPIs)
  • D. Independent audit report

Answer: D