CRISC Exam Prep: Study Materials & Mock Tests, Certified in Risk and Information Systems Control | SPOTO

Prepare thoroughly for the CRISC® exam with SPOTO's comprehensive study materials and mock tests. Access a wide range of practice tests and mock exams to gauge your readiness and familiarize yourself with the exam format. Our exam materials include sample questions and exam dumps to reinforce your understanding of key concepts in risk management and information systems control. Utilize our exam simulator for effective exam practice, allowing you to simulate the exam environment and improve your time management skills. With SPOTO, you'll have all the resources you need to succeed in your CRISC® certification journey. Start your exam preparation today and become a certified risk management professional capable of optimizing risk management across your organization.
Question #1
Malicious code protection is which type of control?
A. Configuration management control
B. System and information integrity control
C. Media protection control
D. Personnel security control
Correct Answer: B
Question #2
You are the project manager of the GHT project. You have identified a risk event on your project that could save $100,000 in project costs if it occurs. Which of the following statements BEST describes this risk event?
A. This risk event should be mitigated to take advantage of the savings
B. This is a risk event that should be accepted because the rewards outweigh the threat to the project
C. This risk event should be avoided to take full advantage of the potential savings
D. This risk event is an opportunity to the project and should be exploited
Correct Answer: C
Question #3
Which of the following are principles of access controls? Each correct answer represents a complete solution. Choose three.
A. Confidentiality
B. Availability
C. Reliability
D. Integrity
Correct Answer: D
Question #4
Which of the following examples includes ALL required components of a risk calculation?
A. Over the next quarter, it is estimated that there is a 30 percent chance of two projects failing to meet a contract deadline, resulting in a US $500,000 fine related to breach of service level agreements
B. Security experts believe that if a system is compromised, it will result in the loss of US $15 million in lost contracts
C. The likelihood of disk corruption resulting from a single event of uncontrolled system power failure is estimated by engineers to be 15 percent
D. The impact to security of a business line of a malware-related workstation event is estimated to be low
Correct Answer: A
Question #5
You are the project manager of the GHT project. You have selected appropriate Key Risk Indicators for your project. Now, you need to maintain those Key Risk Indicators. What is the MOST important reason to maintain Key Risk Indicators?
A. Risk reports need to be timely
B. Complex metrics require fine-tuning
C. Threats and vulnerabilities change over time
D. They help to avoid risk
Correct Answer: B
Question #6
Which of the following statements BEST describes a policy?
A. A minimum threshold of information security controls that must be implemented
B. A checklist of steps that must be completed to ensure information security
C. An overall statement of information security scope and direction
D. A technology-dependent statement of best practices
Correct Answer: AB
Question #7
You are working in an enterprise that owns various risks. Which of the following is MOST likely to own the risk to an information system that supports a critical business process?
A. System users
B. Senior management
C. IT director
D. Risk management department
Correct Answer: AD
Question #8
Which of the following processes ensures that extracted data are ready for analysis?
A. Data analysis
B. Data validation
C. Data gathering
D. Data access
Correct Answer: D
Question #9
Which of the following would be a risk practitioner's BEST recommendation for preventing cyber intrusion?
A. Establish a cyber response plan
B. Implement data loss prevention (DLP) tools
C. Implement network segregation
D. Strengthen vulnerability remediation efforts
Correct Answer: D
Question #10
When a risk cannot be sufficiently mitigated through manual or automatic controls, which of the following options will BEST protect the enterprise from the potential financial impact of the risk?
A. Updating the IT risk registry
B. Insuring against the risk
C. Outsourcing the related business process to a third party
D. Improving staff training in the risk area
Correct Answer: C
Question #11
Which of the following vulnerability assessment software can check for weak passwords on the network?
A. Password cracker
B. Antivirus software
C. Anti-spyware software
D. Wireshark
Correct Answer: AC
Question #12
You are the project manager of the NNN Project. Stakeholders in the two-year project have requested that status reports be sent to them via email every week. You have agreed and send reports every Thursday. After six months of the project, the stakeholders are pleased with the project's progress and would like you to reduce the status reports to every two weeks. What process will examine the change to this project process and implement it in the project?
A. Configuration management
B.
C. Perform integrated change control process
D. Project change control process
Correct Answer: D
Question #13
An enterprise has identified risk events in a project. While responding to these identified risk events, which of the following stakeholders is MOST important for reviewing risk response options to an IT risk?
A. Information security managers
B. Internal auditors
C. Incident response team members
D. Business managers
Correct Answer: D
Question #14
Which of the following parameters would affect the prioritization of the risk responses and the development of the risk response plan? Each correct answer represents a complete solution. Choose three.
A. Importance of the risk
B. Time required to mitigate risk
C. Effectiveness of the response
D. Cost of the response to reduce risk within tolerance levels
Correct Answer: D
Question #15
What is the MOST important benefit of classifying information assets?
A. Linking security requirements to business objectives
B. Allotting risk ownership
C. Defining access rights
D. Identifying controls that should be applied
Correct Answer: C
Question #16
Which of the following are external risk factors? Each correct answer represents a complete solution. Choose three.
A. Geopolitical situation
B. Complexity of the enterprise
C. Market
D.
Correct Answer: A
Question #17
Which of the following are true for quantitative analysis? Each correct answer represents a complete solution. Choose three.
A. Determines risk factors in terms of high/medium/low
B. Produces statistically reliable results
C. Allows discovery of which phenomena are likely to be genuine and which are merely chance occurrences
D. Allows data to be classified and counted
Correct Answer: A
Question #18
You work as a Project Manager for Company Inc. You are assigning a risk response owner to take responsibility for each agreed-to and funded risk response. On which of the following processes are you working?
A. Quantitative Risk Analysis
B. Identify Risks
C. Plan risk response
D. Qualitative Risk Analysis
Correct Answer: D
Question #19
You work as the project manager for Bluewell Inc. Your project has several risks that will affect several stakeholder requirements. Which project management plan will define who will be available to share information on the project risks?
A. Resource Management Plan
B. Risk Management Plan
C. Stakeholder management strategy
D. Communications Management Plan
Correct Answer: C
Question #20
You are working at Bluewell Inc., which makes advertising websites. Someone has made unauthorized changes to your website. Which of the following terms refers to this type of loss?
A. Loss of confidentiality
B.
C. Loss of availability
D. Loss of revenue
Correct Answer: D
Question #21
You work as a project manager for TechSoft Inc. You are working with the project stakeholders on the qualitative risk analysis process in your project. You have used all the tools of the qualitative risk analysis process in your project. Which of the following techniques is NOT used as a tool in the qualitative risk analysis process?
A. Risk Urgency Assessment
B. Risk Reassessment
C. Risk Data Quality Assessment
D. Risk Categorization
Correct Answer: B
Question #22
In response to the threat of ransomware, an organization has implemented cybersecurity awareness activities. The risk practitioner's BEST recommendation to further reduce the impact of ransomware attacks would be to implement:
A. two-factor authentication
B. continuous data backup controls
C. encryption for data at rest
D. encryption for data in motion
Correct Answer: A
Question #23
When does the Identify Risks process take place in a project?
A. At the Planning stage
B. At the Executing stage
C. At the Initiating stage
D. Throughout the project life cycle
Correct Answer: C
Question #24
David is the project manager of the HRC Project. He has identified a risk in the project that could cause a delay in the project. David does not want this risk event to happen, so he takes a few actions to ensure that the risk event will not happen. These extra steps, however, cost the project an additional $10,000. What type of risk response has David adopted?
A. Avoidance
B. Mitigation
C. Acceptance
D. Transfer
Correct Answer: ABD
Question #25
Which of the following BEST describes the utility of a risk?
A. The financial incentive behind the risk
B. The potential opportunity of the risk
C. The mechanics of how a risk works
D. The usefulness of the risk to individuals or groups
Correct Answer: AD
Question #26
Which of the following role carriers are responsible for setting up the risk governance process, establishing and maintaining a common risk view, making risk-aware business decisions, and setting the enterprise's risk culture? Each correct answer represents a complete solution. Choose two.
A. Senior management
B. Chief financial officer (CFO)
C. Human resources (HR)
D. Board of directors
Correct Answer: CD
Question #27
Which of the following methods involves the use of predictive or diagnostic analytical tools for exposing risk factors?
A. Scenario analysis
B. Sensitivity analysis
C. Fault tree analysis
D. Cause and effect analysis
Correct Answer: ACD
Question #28
Which of the following are true for risk management frameworks, standards and practices? Each correct answer represents a part of the solution. Choose three.
A. They act as a guide to focus the efforts of various teams
B. They result in an increase in the cost of training, operation and performance improvement
C. They provide a systematic view of "things to be considered" that could harm clients or an enterprise
D. They assist in achieving business objectives quickly and easily
Correct Answer: C
Question #29
Which of the following business requirements MOST relates to the need for resilient business and information systems processes?
A. Confidentiality
B. Effectiveness
C. Integrity
D. Availability
Correct Answer: D
Question #30
Which of the following risk responses includes feedback and guidance from well-qualified risk officials and those internal to the project?
A. Contingent response strategy
B. Risk Acceptance
C. Expert judgment
D. Risk transfer
Correct Answer: B
Question #31
Which of the following factors will have the GREATEST impact on the type of information security governance model that an enterprise adopts?
A. The number of employees
B. The enterprise's budget
C. The organizational structure
D. The type of technology that the enterprise uses
Correct Answer: C
Question #32
Which of the following is BEST described by the definition below? "They are heavy influencers of the likelihood and impact of risk scenarios and should be taken into account during every risk analysis, when likelihood and impact are assessed."
A. Obscure risk
B. Risk factors
C. Risk analysis
D. Risk event
Correct Answer: ACD
Question #33
Which of the following is MOST useful in developing a series of recovery time objectives?
A. Regression analysis
B. Risk analysis
C. Gap analysis
D. Business impact analysis
Correct Answer: D
Question #34
John works as a project manager for BlueWell Inc. He is determining which risks can affect the project. Which of the following inputs of the Identify Risks process is useful in identifying risks associated with the time allowances for the activities or the project as a whole, with the width of the range indicating the degree of risk?
A. Activity duration estimates
B. Activity cost estimates
C. Risk management plan
D. Schedule management plan
Correct Answer: C
Question #35
In the project initiation phase of the System Development Life Cycle, the project is initiated by which of the following role carriers?
A. CRO
B. Sponsor
C. Business management
D. CIO
Correct Answer: A
Question #36
You are the project manager of the GHT project. Your project uses a machine for the production of goods. This machine has a specification that if its temperature rises above 450 degrees Fahrenheit, its windings may burn. So there is an alarm that sounds when the machine's temperature reaches 430 degrees Fahrenheit, and the machine is shut off for 1 hour. What role does the alarm play here?
A. Of risk indicator
B.
C. Of risk trigger
D. Of risk response
Correct Answer: D
Question #37
You are the project manager for your organization's project to install new workstations, servers, and cabling throughout a new building into which your company will be moving. The vendor for the project informs you that the cost of the cabling has increased for some reason. This new cost will cause the cost of your project to increase by nearly eight percent. Which change control system should the costs be entered into for review?
A. Cost change control system
B. Contract change control system
C. Scope change control system
D. Only changes to the project scope should pass through a change control system
Correct Answer: C
Question #38
Which of the following is the way to verify control effectiveness?
A. The capability of providing notification of failure
B. Whether it is preventive or detective
C. Its reliability
D. The test results of intended objectives
Correct Answer: C
Question #39
Part of a project deals with hardware work. As the project manager, you have decided to hire a company to deal with all hardware work on the project. Which type of risk response is this?
A. Transference
B. Mitigation
C. Avoidance
D. Exploit
Correct Answer: ACD
Question #40
What is the process for selecting and implementing measures to impact risk called?
A. Risk Treatment
B. Control
C. Risk Assessment
D. Risk Management
Correct Answer: AD
Question #41
Which of the following events refer to a loss of integrity? Each correct answer represents a complete solution. Choose three.
A. Someone sees the company's secret formula
B. Someone makes unauthorized changes to a Web site
C. An e-mail message is modified in transit
D. A virus infects a file
Correct Answer: B
Question #42
You are the risk professional of your enterprise. You need to calculate the potential revenue loss if a certain risk occurs. Your enterprise has an electronic commerce (e-commerce) website that produces US $1 million of revenue each day. If a denial of service (DoS) attack occurs that lasts half a day, how much loss does it create?
A. US $250,000 loss
B. US $500,000 loss
C.
D. US $100,000 loss
Correct Answer: D
Question #43
Which of the following is the BEST way to ensure that contract programmers comply with organizational security policies?
A. Have the contractors acknowledge the security policies in writing
B. Explicitly refer to contractors in the security standards
C. Perform periodic security reviews of the contractors
D. Create penalties for noncompliance in the contracting agreement
Correct Answer: C
Question #44
You are the project manager of the GHT project. You are accessing data for further analysis. You have chosen a data extraction method in which management monitors its own controls. Which of the following data extraction methods are you using here?
A. Extracting data directly from the source systems after system owner approval
B. Extracting data from the system custodian (IT) after system owner approval
C. Extracting data from the risk register
D. Extracting data from the lessons learned register
Correct Answer: C
Question #45
You work as a project manager for BlueWell Inc. You are preparing for the risk identification process. You will need to involve several of the project's key stakeholders to help you identify and communicate the identified risk events. You will also need several documents to help you and the stakeholders identify the risk events. Which one of the following is NOT a document that will help you identify and communicate risks within the project?
A. Stakeholder registers
B. Activity duration estimates
C. Activity cost estimates
D. Risk register
Correct Answer: A
Question #46
You are the project manager of the GHT project. You have analyzed the risk and applied appropriate controls. In turn, you got residual risk as a result of this. Residual risk can be used to determine which of the following?
A. Status of the enterprise's risk
B. Appropriate controls to be applied next
C. The area that requires more control
D. Whether the benefits of such controls outweigh the costs
Correct Answer: D
Question #47
What are the requirements for creating risk scenarios? Each correct answer represents a part of the solution. Choose three.
A. Determination of cause and effect
B. Determination of the value of the business process at risk
C. Potential threats and vulnerabilities that could cause loss
D. Determination of the value of an asset
Correct Answer: B
Question #48
A global financial institution has decided not to take any further action on a denial-of-service vulnerability found by the risk assessment team. The MOST likely reason for making this decision is that:
A. The needed countermeasure is too complicated to deploy
B. There are sufficient safeguards in place to prevent this risk from happening
C. The likelihood of the risk occurring is unknown
D. The cost of the countermeasure outweighs the value of the asset and potential loss
Correct Answer: D
Question #49
Which of the following is an acceptable method for handling positive project risk?
A. Exploit
B. Avoid
C. Mitigate
D. Transfer
Correct Answer: A