2024 Updated CRISC Exam Questions & Practice Tests, Certified in Risk and Information Systems Control | SPOTO

Prepare effectively for the 2024 CRISC exam with SPOTO's updated exam questions and practice tests tailored for the Certified in Risk and Information Systems Control certification. Our comprehensive study materials cover all essential topics, ensuring you're fully prepared to become a risk management expert. Access free test samples and exam dumps to familiarize yourself with the exam format and content. Utilize our mock exams and sample questions to simulate the testing environment and refine your exam-taking skills. With SPOTO's exam simulator and online exam questions, you can confidently practice and prepare for success. Start your exam preparation journey today with SPOTO and maximize your chances of passing the CRISC certification exam with flying colors.
Question #1
Adrian is a project manager for a new project using a technology that has only recently been released, so relatively little information about it is available. Initial testing makes the technology look promising, but there is still uncertainty about its longevity and reliability. Adrian wants to treat the technology as a risk for her project. Where should she document the risks associated with this technology so that she can track the risk status and responses?
A. Project scope statement
B. Project charter
C. Risk low-level watch list
D. Risk register
View answer
Correct Answer: B
Question #2
A control for mitigating risk in a key business area cannot be implemented immediately. Which of the following is the risk practitioner's BEST course of action when a compensating control needs to be applied?
A. Obtain the risk owner's approval
B. Record the risk as accepted in the risk register
C. Inform senior management
D. Update the risk response plan
View answer
Correct Answer: A
Question #3
A global organization is planning to collect customer behavior data through social media advertising. Which of the following is the MOST important business risk to be considered?
A. Regulatory requirements may differ in each country
B. Data sampling may be impacted by various industry restrictions
C. Business advertising will need to be tailored by country
D. The data analysis may be ineffective in achieving objectives
View answer
Correct Answer: D
Question #4
A project team member has just identified a new project risk. The risk event is determined to have significant impact but a low probability in the project. Should the risk event happen it'll cause the project to be delayed by three weeks, which will cause new risk in the project. What should the project manager do with the risk event?
A. Add the identified risk to a quality control management chart
C. Add the identified risk to the risk register
D. Add the identified risk to the low-level risk watch-list
View answer
Correct Answer: B
Question #5
The BEST key performance indicator (KPI) to measure the effectiveness of a vulnerability remediation program is the number of:
A. vulnerability scans
B. recurring vulnerabilities
C. vulnerabilities remediated
D. new vulnerabilities identified
View answer
Correct Answer: B
Question #6
Which of the following risks is associated with not receiving the right information to the right people at the right time to allow the right action to be taken?
A. Relevance risk
B. Integrity risk
C. Availability risk
D.
View answer
Correct Answer: C
Question #7
You work as the project manager for Company Inc. The project on which you are working has several risks that will affect several stakeholder requirements. Which project management plan will define who will be available to share information on the project risks?
A. Resource Management Plan
B. Communications Management Plan
C. Risk Management Plan
D. Stakeholder management strategy
View answer
Correct Answer: ABD
Question #8
How are the potential choices of risk-based decisions represented in decision tree analysis?
A. End node
B.
C. Event node
D. Decision node
View answer
Correct Answer: C
Question #9
In which of the following risk management capability maturity levels does the enterprise take major business decisions considering the probability of loss and the probability of reward? Each correct answer represents a complete solution. Choose two.
A. Level 0
B. Level 2
C. Level 5
D. Level 4
View answer
Correct Answer: B
Question #10
What are the functions of audit and accountability control? Each correct answer represents a complete solution. Choose all that apply.
A. Provides details on how to protect the audit logs
B. Implement effective access control
C. Implement an effective audit program
D. Provides details on how to determine what to audit
View answer
Correct Answer: D
Question #11
Which of the following techniques would be used during a risk assessment to demonstrate to stakeholders that all known alternatives were evaluated?
A. Control chart
B. Sensitivity analysis
C. Trend analysis
D. Decision tree
View answer
Correct Answer: C
Question #12
Tom works as a project manager for BlueWell Inc. He is determining which risks can affect the project. Which of the following inputs of the identify risks process is useful in identifying risks, and provides a quantitative assessment of the likely cost to complete the scheduled activities?
A. Activity duration estimates
B. Risk management plan
C. Cost management plan
D. Activity cost estimates
View answer
Correct Answer: C
Question #13
You are preparing to complete the quantitative risk analysis process with your project team and several subject matter experts. You gather the necessary inputs including the project's cost management plan. Why is it necessary to include the project's cost management plan in the preparation for the quantitative risk analysis process?
A. The project's cost management plan provides control that may help determine the structure for quantitative analysis of the budget
B. The project's cost management plan can help you to determine what the total cost of the project is allowed to be
C. The project's cost management plan provides direction on how costs may be changed due to identified risks
D. The project's cost management plan is not an input to the quantitative risk analysis process
View answer
Correct Answer: D
Question #14
You are the project manager of the GHT project. You have identified a risk of noncompliance with regulations because a number of relatively simple procedures are missing. The response requires creating the missing procedures and implementing them. Under which of the following risk response prioritization categories should this case be classified?
A. Business case to be made
B. Quick win
C. Risk avoidance
D. Deferrals
View answer
Correct Answer: B
Question #15
What are the responsibilities of the CRO? Each correct answer represents a complete solution. Choose three.
A. Managing the supporting risk management function
B. Managing the risk assessment process
C.
D. Implement corrective actions
View answer
Correct Answer: ABCD
Question #16
Which of the following would prompt changes in key risk indicator (KRI) thresholds?
A. Changes to the risk register
B. Changes in risk appetite or tolerance
C. Modification to risk categories
D. Knowledge of new and emerging threats
View answer
Correct Answer: D
Question #17
You have been assigned as the project manager for a new project that involves building a new roadway between the city airport and a designated point within the city. However, you notice that the transportation permit issuing authority is taking longer than planned to issue the permit to begin construction. How would you classify this?
A. Project Risk
B. Status Update
C. Risk Update
D. Project Issue
View answer
Correct Answer: D
Question #18
An organization has opened a subsidiary in a foreign country. Which of the following would be the BEST way to measure the effectiveness of the subsidiary's IT systems controls?
A. Implement IT systems in alignment with business objectives
B. Review metrics and key performance indicators (KPIs)
C. Review design documentation of IT systems
D. Evaluate compliance with legal and regulatory requirements
View answer
Correct Answer: D
Question #19
Which of the following laws applies to organizations handling health care information?
A. GLBA
B.
C. SOX
D. FISMA
View answer
Correct Answer: ACD
Question #20
Your project is an agricultural-based project that deals with plant irrigation systems. You have discovered a byproduct in your project that your organization could use to make a profit. If your organization seizes this opportunity it would be an example of what risk response?
A. Enhancing
B. Positive
C. Opportunistic
D. Exploiting
View answer
Correct Answer: A
Question #21
You are the project manager of the GHY project for your company. This project has a budget of $543,000 and is expected to last 18 months. In this project, you have identified several risk events and created risk response plans. In what project management process group will you implement risk response plans?
A. Monitoring and Controlling
B. In any process group where the risk event resides
C. Planning
D. Executing
View answer
Correct Answer: C
Question #22
You are the project manager of the GHT project. A stakeholder has submitted a change request for this project. What are your responsibilities as the project manager in order to approve this change request? Each correct answer represents a complete solution. Choose two.
A. Archive copies of all change requests in the project file
B. Evaluate the change request on behalf of the sponsor
C. Judge the impact of each change request on project activities, schedule and budget
D. Formally accept the updated project plan
View answer
Correct Answer: C
Question #23
You are the risk professional of your enterprise. You have performed a cost-benefit analysis of the controls you have adopted. What are the benefits of performing a cost-benefit analysis of controls? Each correct answer represents a complete solution. Choose three.
A. It helps in determination of the cost of protecting what is important
B. It helps in taking risk response decisions
C. It helps in providing a monetary impact view of risk
D. It helps making smart choices based on potential risk mitigation costs and losses
View answer
Correct Answer: D
Question #24
Which of the following would be a weakness in procedures for controlling the migration of changes to production libraries?
A. The programming project leader solely reviews test results before approving the transfer to production
B. Test and production programs are in distinct libraries
C. Only operations personnel are authorized to access production libraries
D. A synchronized migration of executable and source code from the test environment to the production environment is allowed
View answer
Correct Answer: B
Question #25
Qualitative risk assessment uses which of the following terms for evaluating risk level? Each correct answer represents a part of the solution. Choose two.
A. Impact
B. Annual rate of occurrence
C. Probability
D. Single loss expectancy
View answer
Correct Answer: C
Question #26
A peer review of a risk assessment finds that a relevant threat community was not included. Mitigation of the risk will require substantial changes to a software application. Which of the following is the BEST course of action?
A. Ask the business to make a budget request to remediate the problem
B. Build a business case to remediate the fix
C. Research the types of attacks the threat can present
D. Determine the impact of the missing threat
View answer
Correct Answer: D
Question #27
Which of the following is the MOST important characteristic of an effective risk management program?
A. Risk response plans are documented
B. Controls are mapped to key risk scenarios
C. Key risk indicators are defined
D. Risk ownership is assigned
View answer
Correct Answer: B
Question #28
You work as a project manager for BlueWell Inc. You have declined a proposed change request because of the risk associated with the proposed change request. Where should the declined change request be documented and stored?
A. Change request log
B. Project archives
C. Lessons learned
D. Project document updates
View answer
Correct Answer: B
Question #29
What is the FIRST phase of the IS monitoring and maintenance process?
A. Report result
B. Prioritizing risks
C. Implement monitoring
D. Identifying controls
View answer
Correct Answer: A
Question #30
Which of the following is MOST important to review when determining whether a potential IT service provider's control environment is effective?
A. Independent audit report
B. Control self-assessment
C. Key performance indicators (KPIs)
D. Service level agreements (SLAs)
View answer
Correct Answer: D
Question #31
Which of the following is the MOST effective way to mitigate identified risk scenarios?
A. Assign ownership of the risk response plan
B. Provide awareness in early detection of risk
C. Perform periodic audits on identified risk areas
D. Document the risk tolerance of the organization
View answer
Correct Answer: B
Question #32
You are the project manager of your enterprise. While performing risk management, you are tasked with identifying where your enterprise stands in a certain practice and with suggesting priorities for improvement. Which of the following models would you use to accomplish this task?
A. Capability maturity model
B. Decision tree model
C. Fishbone model
D. Simulation tree model
View answer
Correct Answer: ACD
Question #33
You are elected as the project manager of the GHT project. You are in the project initiation phase and are defining the requirements for your project. While defining requirements, you are describing how users will interact with a system. Which of the following requirements are you defining here?
A. Technical requirement
B. Project requirement
C. Functional requirement
D. Business requirement
View answer
Correct Answer: ACD
Question #34
What are the key control activities to be done to ensure business alignment? Each correct answer represents a part of the solution. Choose two.
A. Define the business requirements for the management of data by IT
B. Conduct IT continuity tests on a regular basis or when there are major changes in the IT infrastructure
C. Periodically identify critical data that affect business operations
D. Establish an independent test task force that keeps track of all events
View answer
Correct Answer: B
Question #35
Which of the following is NOT used for measuring the critical success factors of a project?
A. Productivity
B. Quality
C. Quantity
D. Customer service
View answer
Correct Answer: A
Question #36
You are the risk official at Bluewell Inc. Several risks pose a threat to your enterprise. You are measuring the exposure from the risk factors with the highest potential by examining the extent to which the uncertainty of each element affects the object under consideration while all other uncertain elements are held at their baseline values. Which type of analysis are you performing?
A. Sensitivity analysis
B. Fault tree analysis
C. Cause-and-effect analysis
D. Scenario analysis
View answer
Correct Answer: AC
Question #37
Which of the following assets are the examples of intangible assets of an enterprise? Each correct answer represents a complete solution. Choose two.
A. Customer trust
B. Information
C. People
D. Infrastructure
View answer
Correct Answer: CD
Question #38
What activity should be done for effective post-implementation reviews during the project?
A. Establish the business measurements up front
B. Allow a sufficient number of business cycles to be executed in the new system
C. Identify the information collected during each stage of the project
D. Identify the information to be reviewed
View answer
Correct Answer: B
Question #39
You are the project manager of the GHT project. This project will last for 18 months and has a project budget of $567,000. Robert, one of your stakeholders, has introduced a scope change request that will likely have an impact on the project costs and schedule. Robert assures you that he will pay for the extra time and costs associated with the risk event. You have identified that change request may also affect other areas of the project other than just time and cost. What project management component is re
A. Configuration management
B. Integrated change control
C.
D. Project change control system
View answer
Correct Answer: D
Question #40
Which of the following is a KEY outcome of risk ownership?
A. Risk responsibilities are addressed
B. Risk-related information is communicated
C. Risk-oriented tasks are defined
D. Business process risk is analyzed
View answer
Correct Answer: D
Question #41
You are the project manager of the HJT project. Important confidential files of your project are stored on a computer. To guard against unauthorized access to this computer, you have placed a hidden CCTV camera in the room in addition to password protection. What kind of control is the CCTV camera?
A. Technical control
B. Physical control
C. Administrative control
D. Management control
View answer
Correct Answer: D
Question #42
Which of the following is the priority of data owners when establishing a risk mitigation method?
A. User entitlement changes
B. Platform security
C. Intrusion detection
D. Antivirus controls
View answer
Correct Answer: A
Question #43
You are the project manager for GHT project. You need to perform the Qualitative risk analysis process. When you have completed this process, you will produce all of the following as part of the risk register update output except which one?
A. Probability of achieving time and cost estimates
B. Priority list of risks
C. Watch list of low-priority risks
D. Risks grouped by categories
View answer
Correct Answer: ABC
Question #44
Which of the following is the MOST cost-effective way to test a business continuity plan?
A. Conduct interviews with key stakeholders
B. Conduct a tabletop exercise
C. Conduct a disaster recovery exercise
D. Conduct a full functional exercise
View answer
Correct Answer: B
Question #45
You work as a project manager for BlueWell Inc. You are about to complete the quantitative risk analysis process for your project. You can use three available tools and techniques to complete this process. Which one of the following is NOT a tool or technique that is appropriate for the quantitative risk analysis process?
A. Data gathering and representation techniques
B. Expert judgment
C. Quantitative risk analysis and modeling techniques
D. Organizational process assets
View answer
Correct Answer: D
Question #46
You are the project manager of the GHY project for your organization. You are working with your project team to begin identifying risks for the project. As part of your preparation for identifying the risks within the project you will need eleven inputs for the process. Which one of the following is NOT an input to the risk identification process?
A. Quality management plan
B. Stakeholder register
C.
D. Procurement management plan
View answer
Correct Answer: CD
Question #47
Controls should be defined during the design phase of system development because:
A. it is more cost-effective to determine controls in the early design phase
B. structured analysis techniques exclude identification of controls
C. structured programming techniques require that controls be designed before coding begins
D. technical specifications are defined during this phase
View answer
Correct Answer: A
Question #48
Which of the following is the FIRST step in managing the security risk associated with wearable technology in the workplace?
A. Identify the potential risk
B. Monitor employee usage
C. Assess the potential risk
D. Develop risk awareness training
View answer
Correct Answer: C
Question #49
You are the project manager of the GHT project. You and your team have developed risk responses for those risks with the highest threat to, or best opportunity for, the project objectives. What are the immediate steps you should follow after the Plan Risk Responses process? Each correct answer represents a complete solution. Choose three.
A. Updating the project management plan and project documents
B.
C. Updating Risk register
D. Prepare Risk-related contracts
View answer
Correct Answer: C
Question #50
Which of the following is a key component of strong internal control environment?
A. RMIS
B. Segregation of duties
C. Manual control
D. Automated tools
View answer
Correct Answer: B
Question #51
A risk practitioner's PRIMARY focus when validating a risk response action plan should be that the risk response:
A. reduces risk to an acceptable level
B. quantifies risk impact
C. aligns with business strategy
D. advances business objectives
View answer
Correct Answer: B
Question #52
Which of the following is MOST helpful in verifying that the implementation of a risk mitigation control has been completed as intended?
A. An updated risk register
B. Risk assessment results
C. Technical control validation
D. Control testing results
View answer
Correct Answer: D
Question #53
You are elected as the project manager of the GHT project. You have to initiate the project. Your project request document has been approved, and now you have to start working on the project. What is the FIRST step you should take to initiate the project?
A. Conduct a feasibility study
B.
C. Define requirements of project
D. Plan project management
View answer
Correct Answer: D
Question #54
As part of an overall IT risk management plan, an IT risk register BEST helps management:
A. align IT processes with business objectives
B. communicate the enterprise risk management policy
C. stay current with existing control status
D. understand the organizational risk profile
View answer
Correct Answer: B
Question #55
Which of the following events refer to a loss of integrity? Each correct answer represents a complete solution. Choose three.
A. Someone sees the company's secret formula
B.
C. An e-mail message is modified in transit
D. A virus infects a file
View answer
Correct Answer: A
Question #56
Which of the following is the PRIMARY consideration when establishing an organization's risk management methodology?
A. Business context
B. Risk tolerance level
C. Resource requirements
D. Benchmarking information
View answer
Correct Answer: C
Question #57
Which of the following would be the BEST way to help ensure the effectiveness of a data loss prevention (DLP) control that has been implemented to prevent the loss of credit card data?
A. Testing the transmission of credit card numbers
B. Reviewing logs for unauthorized data transfers
C. Configuring the DLP control to block credit card numbers
D. Testing the DLP rule change control process
View answer
Correct Answer: C
Question #58
Which of the following processes is described in the statement below? "It is the process of implementing risk response plans, tracking identified risks, monitoring residual risk, identifying new risks, and evaluating risk process effectiveness throughout the project."
A. Perform Quantitative Risk Analysis
B. Monitor and Control Risks
C. Identify Risks
D. Perform Qualitative Risk Analysis
View answer
Correct Answer: A
Question #59
Which of the following is the MOST critical security consideration when an enterprise outsources a major part of its IT department to a third party whose servers are in a foreign country?
A. A security breach notification may get delayed due to time difference
B. The enterprise could not be able to monitor the compliance with its internal security and privacy guidelines
C. Laws and regulations of the country of origin may not be enforceable in foreign country
D. Additional network intrusion detection sensors should be installed, resulting in additional cost
View answer
Correct Answer: C
Question #60
During the control evaluation phase of a risk assessment, it is noted that multiple controls are ineffective. Which of the following should be the risk practitioner's FIRST course of action?
A. Recommend risk remediation of the ineffective controls
B. Compare the residual risk to the current risk appetite
C. Determine the root cause of the control failures
D. Escalate the control failures to senior management
View answer
Correct Answer: D
Question #61
Who is BEST suited to determine whether a new control properly mitigates data loss risk within a system?
A. Data owner
B. Control owner
C. Risk owner
D. System owner
View answer
Correct Answer: A
Question #62
You are the project manager for the TTP project. You are in the Identify Risks process. You have to create the risk register. Which of the following are included in the risk register? Each correct answer represents a complete solution. Choose two.
A. List of potential responses
B. List of key stakeholders
C. List of mitigation techniques
D. List of identified risks
View answer
Correct Answer: ABC
Question #63
Which of the following role carriers is accountable for analyzing risks, maintaining the risk profile, and making risk-aware decisions?
A. Business management
B.
C. Chief information officer (CIO)
D. Chief risk officer (CRO)
View answer
Correct Answer: C