Latest ISACA CRISC Exam Questions for Effective Exam Preparation

Achieving the Certified in Risk and Information Systems Control (CRISC) certification is a valuable asset for risk management professionals. However, preparing for the CRISC exam can be a challenging task. That's where SPOTO's CRISC exam questions and resources come in handy. SPOTO offers a comprehensive collection of CRISC exam questions and answers, test questions, mock exams, and study materials tailored to the CRISC exam objectives. These exam preparation resources are designed to simulate the real exam environment, providing you with a realistic experience and boosting your confidence. With SPOTO's CRISC exam questions, you can identify areas where you need further study and practice, ensuring you have the knowledge and skills necessary to enhance your company's business resilience, deliver stakeholder value, and optimize risk management across the enterprise. By leveraging these exam resources and practicing with mock exams, you can effectively prepare and increase your chances of passing the CRISC certification exam successfully.

Question #1
An assessment of information security controls has identified ineffective controls. Which of the following should be the risk practitioner’s FIRST course of action?
A. Deploy a compensating control to address the identified deficiencies
B. Report the ineffective control for inclusion in the next audit report
C. Determine if the impact is outside the risk appetite
D. Request a formal acceptance of risk from senior management
Correct Answer: A


Question #2
Which of the following will BEST quantify the risk associated with malicious users in an organization?
A. Business impact analysis
B. Threat risk assessment
C. Vulnerability assessment
D. Risk analysis
Correct Answer: B
Question #3
Which of the following should be the PRIMARY consideration when assessing the automation of control monitoring?
A. Frequency of failure of control
B. Contingency plan for residual risk
C. Cost-benefit analysis of automation
D. Impact due to failure of control
Correct Answer: D
Question #4
For which of the following risk management capability maturity levels is the statement given below true? "Real-time monitoring of risk events and control exceptions exists, as does automation of policy management"
A. Level 3
B. Level 0
C. Level 5
D. Level 2
Correct Answer: C
Question #5
Which of the following is the BEST indicator of the effectiveness of a control action plan’s implementation?
A. Increased risk appetite
B. Increased number of controls
C. Reduced risk level
D. Stakeholder commitment
Correct Answer: C
Question #6
You are the project manager of a large construction project. This project will last for 18 months and will cost $750,000 to complete. You are working with your project team, experts, and stakeholders to identify risks within the project before the project work begins. Management wants to know why you have scheduled so many risk identification meetings throughout the project rather than just initially during the project planning. What is the best reason for the duplicate risk identification sessions?
A. The iterative meetings allow all stakeholders to participate in the risk identification processes throughout the project phases
B. The iterative meetings allow the project manager to discuss the risk events which have passed the project and which did not happen
C. The iterative meetings allow the project manager and the risk identification participants to identify newly discovered risk events throughout the project
D. The iterative meetings allow the project manager to communicate pending risk events during project execution
Correct Answer: C
Question #7
An organization operates in a jurisdiction where heavy fines are imposed for leakage of customer data. Which of the following provides the BEST input to assess the inherent risk impact?
A. Number of customer records held
B. Number of databases that host customer data
C. Number of encrypted customer databases
D. Number of staff members having access to customer data
Correct Answer: D
Question #8
Which of the following are the MOST important risk components that must be communicated among all the stakeholders? Each correct answer represents a part of the solution. Choose three.
A. IRGC models aim at building robust, integrative inter-disciplinary governance models for emerging and existing risks
B. IRGC is both a concept and a tool
C. IRGC addresses the development of resilience and the capacity of organizations and people to face unavoidable risks
D. IRGC addresses understanding of the secondary impacts of a risk
Correct Answer: BCD
Question #9
You are the project manager of the QPS project. You and your project team have identified a pure risk. You along with the key stakeholders, decided to remove the pure risk from the project by changing the project plan altogether. What is a pure risk?
A.
B.
C.
D.
Correct Answer: A
Question #10
Which of the following would BEST help to ensure that identified risk is efficiently managed?
A. Reviewing the maturity of the control environment
B. Maintaining a key risk indicator for each asset in the risk register
C. Regularly monitoring the project plan
D. Periodically reviewing controls per the risk treatment plan
Correct Answer: A
Question #11
Which of the following risk register updates is MOST important for senior management to review?
A. Avoiding a risk that was previously accepted
B. Extending the date of a future action plan by two months
C. Retiring a risk scenario no longer used
D. Changing a risk owner
Correct Answer: B
Question #12
You are the project manager of the GHY Project for your company. You need to complete a project management process that will be on the lookout for new risks, changing risks, and risks that are now outdated. Which project management process is responsible for these actions?
A. Risk planning
B. Risk monitoring and controlling
C. Risk identification
D. Risk analysis
Correct Answer: B
Question #13
An application owner has specified that the acceptable downtime in the event of an incident is much lower than the actual time required for the response team to recover the application. Which of the following should be the NEXT course of action?
A. Invoke the disaster recovery plan during an incident
B. Reduce the recovery time by strengthening the response team
C. Prepare a cost-benefit analysis of alternatives available
D. Implement redundant infrastructure for the application
Correct Answer: C
Question #14
Numerous media reports indicate a recently discovered technical vulnerability is being actively exploited. Which of the following would be the BEST response to this scenario?
A. Assess the vulnerability management process
B. Conduct a control self-assessment
C. Reassess the inherent risk of the target
D. Conduct a vulnerability assessment
Correct Answer: D
Question #15
Which of the following aspects of an IT risk and control self-assessment would be MOST important to include in a report to senior management?
A. A decrease in the number of key controls
B. Changes in control design
C. An increase in residual risk
D. Changes in control ownership
Correct Answer: D
Question #16
The annualized loss expectancy (ALE) method of risk analysis:
A. Uses qualitative risk rankings such as low, medium, and high
B. Can be used to determine the indirect business impact
C. Helps in calculating the expected cost of controls
D. Can be used in a cost-benefit analysis
Correct Answer: D
Question #17
Which of the following would be the BEST key performance indicator (KPI) for monitoring the effectiveness of the IT asset management process?
A. Percentage of unpatched IT assets
B. The number of IT assets procured during the previous month
C. The number of IT assets securely disposed of during the past year
D. Percentage of IT assets without ownership
Correct Answer: C
Question #18
Which of the following is the BEST key performance indicator (KPI) to measure the effectiveness of a vulnerability management process?
A. Percentage of vulnerabilities remediated within the agreed service level
B. Number of vulnerabilities identified during the period
C. Number of vulnerabilities re-opened during the period
D. Percentage of vulnerabilities escalated to senior management
Correct Answer: A
Question #19
What are the requirements for creating risk scenarios? Each correct answer represents a part of the solution. (Choose three.)
A. Determination of cause and effect
B. Determination of the value of the business process at risk
C. Potential threats and vulnerabilities that could cause loss
D. Determination of the value of an asset
Correct Answer: BCD
Question #20
To help ensure the success of a major IT project, it is MOST important to:
A. Obtain approval from business process owners
B. Obtain the appropriate stakeholders' commitment
C. Update the risk register on a regular basis
D. Align it with the organization's strategic plan
Correct Answer: B
Question #21
Which of the following is the BEST way of managing the risk inherent in a wireless network?
A. Enabling auditing on every host that connects to the wireless network
B. Require private, key-based encryption to connect to the wireless network
C. Require that every host that connects to this network have a well-tested recovery plan
D. Enable auditing on every connection to the wireless network
Correct Answer: B
Question #22
It is MOST appropriate for changes to be promoted to production after they are:
A. Approved by the business owner
B. Tested by business owners
C. Communicated to business management
D. Initiated by business users
Correct Answer: B
Question #23
Which of the following is the MOST important outcome of reviewing the risk management process?
A. Improving the competencies of employees who performed the review
B. Assuring the risk profile supports the IT objectives
C. Determining what changes should be made to IS policies to reduce risk
D. Determining that procedures used in risk assessment are appropriate
Correct Answer: B
Question #24
Which of the following is the BEST way to determine the ongoing efficiency of control processes?
A. Interview process owners
B. Review the risk register
C. Perform annual risk assessments
D. Analyze key performance indicators (KPIs)
Correct Answer: D
Question #25
Which of the following is considered an objective of the three-dimensional model within the COSO ERM framework?
A. Risk assessment
B. Financial reporting
C. Control environment
D. Monitoring
Correct Answer: B
Question #26
Reviewing results from which of the following is the BEST way to identify information systems control deficiencies?
A. Control self-assessment (CSA)
B. Vulnerability and threat analysis
C. User acceptance testing (UAT)
D. Control remediation planning
Correct Answer: B
Question #27
The BEST key performance indicator (KPI) to measure the effectiveness of a backup process would be the number of:
A. Backup recovery requests
B. Resources to monitor backups
C. Restoration monitoring reports
D. Recurring restore failures
Correct Answer: C
Question #28
Which of the following considerations should be taken into account when selecting risk indicators, in order to ensure greater buy-in and ownership?
A. Lag indicator
B. Lead indicator
C. Root cause
D. Stakeholder
Correct Answer: D
Question #29
Which of the following is the BEST control to detect an advanced persistent threat (APT)?
A. Monitoring social media activities
B. Conducting regular penetration tests
C. Utilizing antivirus systems and firewalls
D. Implementing automated log monitoring
Correct Answer: B
Question #30
Which of the following is the process of numerically analyzing the effects of identified risks on the overall enterprise's objectives?
A. Identifying Risks
B. Quantitative Risk Assessment
C. Qualitative Risk Assessment
D. Monitoring and Controlling Risks
Correct Answer: B
Question #31
For the first time, the procurement department has requested that IT grant remote access to third-party suppliers. Which of the following is the BEST course of action for IT in responding to the request?
A. Propose a solution after analyzing IT risk
B. Design and implement key authentication controls
C. Design and implement a secure remote access process
D. Adequate internal standards to fit the new business case
Correct Answer: A
Question #32
To help ensure all applicable risk scenarios are incorporated into the risk register, it is MOST important to review the:
A. Risk assessment results
B. Cost-benefit analysis
C. Vulnerability assessment results
D. Risk mitigation approach
Correct Answer: A
Question #33
Which of the following can be used to produce a comprehensive result when performing qualitative risk analysis?
A. Scenarios with threats and impacts
B. Cost-benefit analysis
C. Value of information assets
D. Vulnerability assessment
Correct Answer: A
Question #34
A risk practitioner is assisting with the preparation of a report on the organization’s disaster recovery (DR) capabilities. Which information would have the MOST impact on the overall recovery profile?
A. The percentage of systems meeting recovery target times has increased
B. The number of systems requiring a recovery plan has increased
C. The number of systems tested in the last year has increased
D. The percentage of systems with long recovery target times has decreased
Correct Answer: B
Question #35
Which of the following business requirements MOST relates to the need for resilient business and information systems processes?
A. Confidentiality
B. Effectiveness
C. Integrity
D. Availability
Correct Answer: D
Question #36
The PRIMARY benefit of maintaining an up-to-date risk register is that it helps to:
A. Ensure business unit risk is uniformly distributed
B. Build a risk profile for management review
C. Quantify the organization's risk appetite
D. Implement uniform controls for common risk scenarios
Correct Answer: B
Question #37
What type of policy would an organization use to forbid its employees from using organizational e-mail for personal use?
A. Anti-harassment policy
B. Acceptable use policy
C. Intellectual property policy
D. Privacy policy
Correct Answer: B
Question #38
When reviewing management’s IT control self-assessments, a risk practitioner noted an ineffective control that links to several low residual risk scenarios. What should be the NEXT course of action?
A. Propose mitigating controls
B. Assess management's risk tolerance
C. Recommend management accept the low risk scenarios
D. Re-evaluate the risk scenarios associated with the control
Correct Answer: A
Question #39
You are the project manager of the GHT project. You have applied a certain control to prevent unauthorized changes in your project. Which of the following controls would you have applied for this purpose?
A. Personnel security control
B. Access control
C. Configuration management control
D. Physical and environment protection control
Correct Answer: C
Question #40
Which of the following is the PRIMARY purpose of analyzing log data collected from systems?
A. To identify risk that may materialize
B. To facilitate incident investigation
C. To detect changes in risk ownership
D. To prevent incidents caused by materialized risk
Correct Answer: A
Question #41
Which of the following is the MOST important key performance indicator (KPI) to establish in the service level agreement (SLA) for an outsourced data center?
A. Number of key systems hosted
B. Percentage of system availability
C. Average response time to resolve system incidents
D. Percentage of systems included in recovery processes
Correct Answer: B
Question #42
The MOST effective approach to prioritize risk scenarios is by:
A. Assessing impact to the strategic plan
B. Soliciting input from risk management experts
C. Aligning with industry best practices
D. Evaluating the cost of risk response
Correct Answer: A
Question #43
Which of the following is the MOST effective way to mitigate identified risk scenarios?
A. Document the risk tolerance of the organization
B. Assign ownership of the risk response plan
C. Provide awareness in early detection of risk
D. Perform periodic audits on identified risk areas
Correct Answer: D
Question #44
Suppose you are working at Techmart Inc., which sells various products through its website. Due to some recent losses, you are trying to identify the most important risks to the website. Based on feedback from several experts, you have come up with a list and now want to prioritize these risks. In which category would you put the risk concerning modification of the website by unauthorized parties?
A. Ping Flooding Attack
B. Web defacing
C. Denial of service attack
D. FTP Bounce Attack
Correct Answer: B
Question #45
You are the project manager of GHT project. You have analyzed the risk and applied appropriate controls. In turn, you got residual risk as a result of this. Residual risk can be used to determine which of the following?
A. Issue
B. Contingency response
C. Trigger
D. Threshold
Correct Answer: CD
Question #46
You are working at Bluewell Inc., which makes advertising websites. Someone has made unauthorized changes to your website. Which of the following terms refers to this type of loss?
A. Loss of confidentiality
B. Loss of integrity
C. Loss of availability
D. Loss of revenue
Correct Answer: B
Question #47
For a large software development project, risk assessments are MOST effective when performed:
A. During the development of the business case
B. At each stage of the SDLC
C. At system development
D. Before system development begins
Correct Answer: B
Question #48
You are the project manager of the HGT project. You are in the first phase of the risk response process and are performing the following tasks:
- Communicating risk analysis results
- Reporting risk management activities and the state of compliance
- Interpreting independent risk assessment findings
- Identifying business opportunities
Which of the following processes are you performing?
A. Articulating risk
B. Mitigating risk
C. Tracking risk
D. Reporting risk
Correct Answer: A
Question #49
You are working in an enterprise. Assume that your enterprise periodically compares finished goods inventory levels to the perpetual inventories in its ERP system. What kind of information is provided by the lack of any significant differences between perpetual levels and actual levels?
A. Direct information
B. Indirect information
C. Risk management plan
D. Risk audit information
Correct Answer: B
Question #50
How are the potential choices of risk-based decisions represented in decision tree analysis?
A. Stakeholder management strategy
B. Lessons learned documentation
C. Risk register
D. Risk management plan
Correct Answer: D
Question #51
Which of the following is the MOST effective way to incorporate stakeholder concerns when developing risk scenarios?
A. Evaluating risk impact
B. Creating quarterly risk reports
C. Establishing key performance indicators
D. Conducting internal audits
Correct Answer: C
Question #52
From a business perspective, which of the following is the MOST important objective of a disaster recovery test?
A. All business critical systems are successfully tested
B. Errors are discovered in the disaster recovery process
C. All critical data is recovered within recovery time objectives (RTOs)
D. The organization gains assurance it can recover from a disaster
Correct Answer: C
Question #53
A risk practitioner has observed that risk owners have approved a high number of exceptions to the information security policy. Which of the following should be the risk practitioner’s GREATEST concern?
A. Aggregate risk approaching the tolerance threshold
B. Vulnerabilities are not being mitigated
C. Security policies are not being reviewed periodically
D. Risk owners are focusing more on efficiency
Correct Answer: A
Question #54
Which of the following is the priority of data owners when establishing a risk mitigation method?
A. User entitlement changes
B. Platform security
C. Intrusion detection
D. Antivirus controls
Correct Answer: A
Question #55
Which of the following would BEST help secure online financial transactions from improper users?
A. Multi-factor authentication
B. Periodic review of audit trails
C. Multi-level authorization
D. Review of log-in attempts
Correct Answer: A
Question #56
A risk practitioner has determined that a key control does not meet design expectations. Which of the following should be done NEXT?
A. Invoke the incident response plan
B. Modify the design of the control
C. Document the finding in the risk register
D. Re-evaluate key risk indicators
Correct Answer: C
Question #57
Which of the following is an example of the second line in the three lines of defense model?
A. External auditors
B. Internal auditors
C. Risk management committee
D. Risk owners
Correct Answer: C
Question #58
The GREATEST concern when maintaining a risk register is that:
A. Executive management does not perform periodic reviews
B. Significant changes in risk factors are excluded
C. IT risk is not linked with IT assets
D. Impacts are recorded in qualitative terms
Correct Answer: B
Question #59
Which of the following aspects of a monitoring tool ensures that the tool has the ability to keep up with the growth of an enterprise?
A. Scalability
B. Customizability
C. Sustainability
D. Impact on performance
Correct Answer: A
Question #60
Which of the following documents is described in the statement below? "It is developed along with all processes of the risk management. It contains the results of the qualitative risk analysis, quantitative risk analysis, and risk response planning."
A. Reduction in the frequency of a threat
B. Minimization of inherent risk
C. Reduction in the impact of a threat
D. Minimization of residual risk
Correct Answer: C
Question #61
Which of the following terms is described in the statement below? "They are the prime monitoring indicators of the enterprise, and are highly relevant and possess a high probability of predicting or indicating important risk."
A. Key risk indicators
B. Lag indicators
C. Lead indicators
D. Risk indicators
Correct Answer: A
Question #62
To implement the MOST effective monitoring of key risk indicators (KRIs), which of the following needs to be in place?
A. Automated data feed
B. Controls monitoring
C. Escalation procedures
D. Threshold definition
Correct Answer: B
Question #63
Which among the following acts as a trigger for risk response process?
A.
B. Infinity
C. 0
D.
Correct Answer: B
Question #64
You are the IT manager in Bluewell Inc. You identify a new regulation for safeguarding the information processed by a specific type of transaction. What would be the FIRST action you will take?
A. Assess whether existing controls meet the regulation
B. Update the existing security privacy policy
C. Meet with stakeholders to decide how to comply
D. Analyze the key risk in the compliance process
Correct Answer: A
Question #65
Which of the following role carriers is accountable for collecting data on risk and articulating risk?
A. Enterprise risk committee
B. Business process owner
C. Chief information officer (CIO)
D. Chief risk officer (CRO)
Correct Answer: D
Question #66
Which of the following interpersonal skills has been identified as one of the biggest reasons for project success or failure?
A. Motivation
B. Influencing
C. Communication
D. Political and cultural awareness
Correct Answer: C
Question #67
Which of the following would BEST help identify the owner for each risk scenario in a risk register?
A. Allocating responsibility for risk factors equally to asset owners
B. Determining resource dependency of assets
C. Mapping identified risk factors to specific business processes
D. Determining which departments contribute most to risk
Correct Answer: C
Question #68
Wendy has identified a risk event in her project that has an impact of $75,000 and a 60 percent chance of happening. Through research, her project team learns that the risk impact can actually be reduced to just $15,000 with only a ten percent chance of occurring. The proposed solution will cost $25,000. Wendy agrees to the $25,000 solution. What type of risk response is this?
A. Mitigation
B. Avoidance
C. Transference
D. Enhancing
Correct Answer: A
Question #69
Which of the following processes is described in the statement below? "It is the process of exchanging information and views about risks among stakeholders, such as groups, individuals, and institutions."
A. Risk governance
B. Risk identification
C. Risk response planning
D. Risk communication
Correct Answer: D
Question #70
You are the risk professional at Bluewell Inc. You have identified a risk and want to implement a specific risk mitigation activity. What should you PRIMARILY utilize?
A. Vulnerability assessment report
B. Business case
C. Technical evaluation report
D. Budgetary requirements
Correct Answer: B
Question #71
Which of the following is the MAIN reason to continuously monitor IT-related risk?
A. To ensure risk levels are within acceptable limits of the organization's risk appetite and risk tolerance
B. To redefine the risk appetite and risk tolerance levels based on changes in risk factors
C. To help identify root causes of incidents and recommend suitable long-term solutions
D. To update the risk register to reflect changes in levels of identified and new IT-related risk
Correct Answer: A
Question #72
An organization has just started accepting credit card payments from customers via the corporate website. Which of the following is MOST likely to increase as a result of this new initiative?
A. Risk appetite
B. Residual risk
C. Risk tolerance
D. Inherent risk
Correct Answer: D
Question #73
A risk owner should be the person accountable for:
A. Implementing actions
B. Managing controls
C. The risk management process
D. The business process
Correct Answer: A
Question #74
An effective control environment is BEST indicated by controls that:
A. Minimize senior management's risk tolerance
B. Manage risk within the organization's risk appetite
C. Are cost-effective to implement
D. Reduce the thresholds of key risk indicators (KRIs)
Correct Answer: D
Question #75
Which of the following BEST provides an early warning that network access of terminated employees is not being revoked in accordance with the service level agreement (SLA)?
A. Monitoring key access control performance indicators
B. Updating multi-factor authentication
C. Analyzing access control logs for suspicious activity
D. Revising the service level agreement (SLA)
Correct Answer: A
Question #76
Accountability for a particular risk is BEST represented in a:
A. Risk register
B. RACI matrix
C. Risk catalog
D. Risk scenario
Correct Answer: B
Question #77
You are the project manager of the RFT project. You have identified a risk that the enterprise's IT system and application landscape is so complex that, within a few years, extending capacity will become difficult and maintaining software will become very expensive. To overcome this risk, the response adopted is re-architecture of the existing system and purchase of a new integrated system. In which of the following risk prioritization options would this case be categorized?
A. Deferrals
B. Quick win
C. Business case to be made
D. Contagious risk
Correct Answer: C
Question #78
The MOST important characteristic of an organization’s policies is to reflect the organization’s:
A. Risk appetite
B. Capabilities
C. Asset value
D. Risk assessment methodology
Correct Answer: A
Question #79
Which of the following BEST measures the operational effectiveness of risk management capabilities?
A. Capability maturity models (CMMs)
B. Metric thresholds
C. Key risk indicators (KRIs)
D. Key performance indicators (KPIs)
Correct Answer: D
Question #80
The PRIMARY reason a risk practitioner would be interested in an internal audit report is to:
A. Maintain a risk register based on noncompliances
B. Plan awareness programs for business managers
C. Assist in the development of a risk profile
D. Evaluate maturity of the risk management process
Correct Answer: D
Question #81
An organization has procured a managed hosting service and just discovered the location is likely to be flooded every 20 years. Of the following, who should be notified of this new information FIRST?
A. The risk owner who also owns the business service enabled by this infrastructure
B. The site manager who is required to provide annual risk assessments under the contract
C. The data center manager who is also employed under the managed hosting services contract
D. The chief information officer (CIO) who is responsible for the hosted services
Correct Answer: A
Question #82
You are the project manager for your company and a new change request has been approved for your project. This change request, however, has introduced several new risks to the project. You have communicated these risk events and the project stakeholders understand the possible effects these risks could have on your project. You elect to create a mitigation response for the identified risk events. Where will you record the mitigation response?
A. Risk register
B. Risk log
C. Project management plan
D. Risk management plan
Correct Answer: A
Question #83
You are the project manager of the GHT project. You are accessing data for further analysis. You have chosen a data extraction method in which management monitors its own controls. Which of the following data extraction methods are you using here?
A. Extracting data directly from the source systems after system owner approval
B. Extracting data from the system custodian (IT) after system owner approval
C. Extracting data from the risk register
D. Extracting data from the lessons learned register
Correct Answer: A
Question #84
Which of the following should be the PRIMARY objective of a risk awareness training program?
A. To promote awareness of the risk governance function
B. To clarify fundamental risk management principles
C. To enable risk-based decision making
D. To ensure sufficient resources are available
Correct Answer: A
Question #85
The BEST method to align an organization's business continuity plan (BCP) and disaster recovery plan (DRP) with core business needs is to:
A. Outsource the maintenance of the BCP and DRP to a third party
B. Include BCP and DRP responsibilities as part of the new employee training
C. Execute periodic walk-throughs of the BCP and DRP
D. Update the business impact analysis (BIA) for significant business changes
Correct Answer: C
Question #86
A data processing center operates in a jurisdiction where new regulations have significantly increased penalties for data breaches. Which of the following elements of the risk register is MOST important to update to reflect this change?
A. Risk impact
B. Risk trend
C. Risk appetite
D. Risk likelihood
Correct Answer: C
Question #87
During an IT department reorganization, the manager of a risk mitigation action plan was replaced. The new manager has begun implementing a new control after identifying a more effective option. Which of the following is the risk practitioner’s BEST course of action?
A. Communicate the decision to the risk owner for approval
B. Identify an owner for the new control
C. Modify the action plan in the risk register
D. Seek approval from the previous action plan manager
View answer
Correct Answer: B
Question #88
Jeff works as a Project Manager for www.company.com Inc. He and his team members are involved in the identify risk process. Which of the following tools & techniques will Jeff use in the identify risk process? Each correct answer represents a complete solution. (Choose three.)
A. Mary will schedule when the identified risks are likely to happen and affect the project schedule
B. Mary will utilize the schedule controls and the nature of the schedule for the quantitative analysis of the schedule
C. Mary will use the schedule management plan to schedule the risk identification meetings throughout the remaining project
D. Mary will utilize the schedule controls to determine how risks may be allowed to change the project schedule
View answer
Correct Answer: ABC
Question #89
The FIRST task when developing a business continuity plan should be to:
A. Identify critical business functions and resources
B. Determine data backup and recovery availability at an alternate site
C. Define roles and responsibilities for implementation
D. Identify recovery time objectives (RTOs) for critical business applications
View answer
Correct Answer: A
Question #90
In addition to the risk register, what should a risk practitioner review to develop an understanding of the organization’s risk profile?
A. The asset profile
B. Business objectives
C. The control catalog
D. Key risk indicators (KRIs)
View answer
Correct Answer: D
Question #91
Your project change control board has approved several scope changes that will drastically alter your project plan. You and the project team set about updating the project scope, the WBS, the WBS dictionary, the activity list, and the project network diagram. There are also some changes caused to the project risks, communication, and vendors. What also should the project manager update based on these scope changes?
A. Transaction data
B. Process integrity
C. Configuration settings
D. System changes
View answer
Correct Answer: C
Question #92
Which of the following laws applies to organizations handling health care information?
A. GLBA
B. HIPAA
C. SOX
D. FISMA
View answer
Correct Answer: B
Question #93
You are the project manager of your enterprise. You have introduced an intrusion detection system as a control. It has raised a warning of a violation of your enterprise’s security policies. What type of control is an intrusion detection system (IDS)?
A. Detective
B. Corrective
C. Preventative
D. Recovery
View answer
Correct Answer: A
Question #94
What can be determined from the risk scenario chart?
A. The multiple risk factors addressed by a chosen response
B. Relative positions on the risk map
C. Capability of enterprise to implement
D. Risk treatment options
View answer
Correct Answer: A
Question #95
Which of the following parameters are considered for the selection of risk indicators? Each correct answer represents a part of the solution. Choose three.
A. Management approval
B. Continued awareness activities
C. Communication to employees
D. Maintenance and review
View answer
Correct Answer: ABD
Question #96
Quantifying the value of a single asset helps the organization to understand the:
A. Necessity of developing a risk strategy
B. Consequences of risk materializing
C. Organization’s risk threshold
D. Overall effectiveness of risk management
View answer
Correct Answer: A
Question #97
Which of the following are true for threats? Each correct answer represents a complete solution. Choose three.
A. A minimum threshold of information security controls that must be implemented
B. A checklist of steps that must be completed to ensure information security
C. An overall statement of information security scope and direction
D. A technology-dependent statement of best practices
View answer
Correct Answer: ABD
Question #98
Which of the following is the PRIMARY requirement before choosing Key performance indicators of an enterprise?
A. Determine size and complexity of the enterprise
B. Prioritize various enterprise processes
C. Determine type of market in which the enterprise operates
D. Enterprise must establish its strategic and operational goals
View answer
Correct Answer: D
Question #99
You are the project manager of your enterprise. You have identified several risks. Which of the following responses to risk is considered the MOST appropriate?
A. Any of the above
B. Insuring
C. Avoiding
D. Accepting
View answer
Correct Answer: A
Question #100
You work as a project manager for BlueWell Inc. You have declined a proposed change request because of the risk associated with the proposed change request. Where should the declined change request be documented and stored?
A. Change request log
B. Project archives
C. Lessons learned
D. Project document updates
View answer
Correct Answer: A
Question #101
Which of the following is the MOST important requirement for monitoring key risk indicators (KRIs) using log analysis?
A. Collecting logs from the entire set of IT systems
B. Providing accurate logs in a timely manner
C. Implementing an automated log analysis tool
D. Obtaining logs in an easily readable format
View answer
Correct Answer: A
Question #102
Which of the following BEST indicates the effectiveness of an organization’s data loss prevention (DLP) program?
A. Reduction in financial impact associated with data loss incidents
B. Reduction in the number of false positives and false negatives
C. Reduction in the number of approved exceptions to the DLP policy
D. Reduction in the severity of detected data loss events
View answer
Correct Answer: D
Question #103
When developing risk scenarios, it is MOST important to ensure they are:
A. Structured and reportable
B. Flexible and scalable
C. Relevant and realistic
D. Comprehensive and detailed
View answer
Correct Answer: C
Question #104
A risk practitioner is organizing a training session to communicate risk assessment methodologies to ensure a consistent risk view within the organization. Which of the following is the MOST important topic to cover in this training?
A. Applying risk factors
B. Applying risk appetite
C. Understanding risk culture
D. Referencing risk event data
View answer
Correct Answer: C
Question #105
An organization has raised the risk appetite for technology risk. The MOST likely result would be:
A. Lower risk management cost
B. Decreased residual risk
C. Higher risk management cost
D. Increased inherent risk
View answer
Correct Answer: B
Question #106
Which among the following is the MOST crucial part of the risk management process?
A. Risk communication
B. Auditing
C. Risk monitoring
D. Risk mitigation
View answer
Correct Answer: A
Question #107
Which of the following is the BEST indication of an improved risk-aware culture following the implementation of a security awareness training program for all employees?
A. An increase in the number of identified system flaws
B. A reduction in the number of help desk calls
C. An increase in the number of incidents reported
D. A reduction in the number of user access resets
View answer
Correct Answer: C
Question #108
Which of the following would provide the BEST guidance when selecting an appropriate risk treatment plan?
A. Return on investment
B. Risk mitigation budget
C. Cost-benefit analysis
D. Business impact analysis
View answer
Correct Answer: C
Question #109
Which of the following is true for risk evaluation?
A. Risk evaluation is done only when there is significant change
B. Risk evaluation is done once a year for every business process
C. Risk evaluation is done annually or when there is significant change
D. Risk evaluation is done every four to six months for critical business processes
View answer
Correct Answer: C
Question #110
An organization is planning to acquire a new financial system. Which of the following stakeholders would provide the MOST relevant information for analyzing the risk associated with the new IT solution?
A. Process owner
B. Internal auditor
C. Risk manager
D. Project sponsor
View answer
Correct Answer: C
Question #111
What are the PRIMARY requirements for developing risk scenarios? Each correct answer represents a part of the solution. Choose two.
A. Contract change control system
B. Scope change control system
C. Cost change control system
D. Schedule change control system
View answer
Correct Answer: AB
Question #112
Which of the following should an organization perform to forecast the effects of a disaster?
A. Analyze capability maturity model gaps
B. Define recovery time objectives (RTO)
C. Develop a business impact analysis (BIA)
D. Simulate a disaster recovery
View answer
Correct Answer: D
Question #113
Which of the following data would be used when performing a business impact analysis (BIA)?
A. Cost of regulatory compliance
B. Expected costs for recovering the business
C. Cost-benefit analysis of running the current business
D. Projected impact of current business on future business
View answer
Correct Answer: B
Question #114
Which of the following provides the BEST evidence of the effectiveness of an organization’s account provisioning process?
A. User provisioning
B. Security log monitoring
C. Entitlement reviews
D. Role-based access controls
View answer
Correct Answer: A
Question #115
You are the project manager of the HJT project. Important confidential files of your project are stored on a computer. To guard against unauthorized access to this computer, you have placed a hidden CCTV camera in the room, even though the computer is already password protected. Which kind of control is the CCTV camera?
A. Technical control
B. Physical control
C. Administrative control
D. Management control
View answer
Correct Answer: B
Question #116
The BEST way to justify the risk mitigation actions recommended in a risk assessment would be to:
A. Focus on the business drivers
B. Reference best practice
C. Benchmark with competitor’s actions
D. Align with audit results
View answer
Correct Answer: A
Question #117
What is the BEST information to present to business control owners when justifying costs related to controls?
A. Return on IT security-related investments
B. The previous year’s budget and actuals
C. Industry benchmarks and standards
D. Loss event frequency and magnitude
View answer
Correct Answer: D
Question #118
What is the value of exposure factor if the asset is lost completely?
A. Enhancing
B. Positive
C. Opportunistic
D. Exploiting
View answer
Correct Answer: A
Question #119
Which of the following should be the PRIMARY input when designing IT controls?
A. Internal and external risk reports
B. Outcome of control self-assessments
C. Benchmark of industry standards
D. Recommendations from IT risk experts
View answer
Correct Answer: A
Question #120
Which of the following should be the risk practitioner’s PRIMARY focus when determining whether controls are adequate to mitigate risk?
A. Cost-benefit analysis
B. Sensitivity analysis
C. Level of residual risk
D. Risk appetite
View answer
Correct Answer: D
Question #121
As part of an overall IT risk management plan, an IT risk register BEST helps management:
A. Stay current with existing control status
B. Align IT processes with business objectives
C. Understand the organizational risk profile
D. Communicate the enterprise risk management policy
View answer
Correct Answer: A
Question #122
When reviewing a business continuity plan (BCP), which of the following would be the MOST significant deficiency?
A. BCP is often tested using the walkthrough method
B. BCP testing is not in conjunction with the disaster recovery plan (DRP)
C. Each business location has separate, inconsistent BCPs
D. Recovery time objectives (RTOs) do not meet business requirements
View answer
Correct Answer: B
Question #123
Which of the following activities would BEST facilitate effective risk management throughout the organization?
A. Performing a business impact analysis
B. Performing frequent audits
C. Reviewing risk-related process documentation
D. Conducting periodic risk assessments
View answer
Correct Answer: A
Question #124
Which of the following is the BEST key performance indicator (KPI) to measure the effectiveness of a disaster recovery plan (DRP)?
A. Percentage of issues related as a result of DRP testing
B. Number of users that participated in the DRP testing
C. Number of issues identified during DRP testing
D. Percentage of applications that met the RTO during DRP testing
View answer
Correct Answer: D
Question #125
Which of the following is prepared by the business and serves as a starting point for producing the IT Service Continuity Strategy?
A. Business Continuity Strategy
B. Index of Disaster-Relevant Information
C. Disaster Invocation Guideline
D. Availability/ ITSCM/ Security Testing Schedule
View answer
Correct Answer: A
Question #126
Which of the following risk responses includes feedback and guidance from well-qualified risk officials and those internal to the project?
A. Contingent response strategy
B. Risk Acceptance
C. Expert judgment
D. Risk transfer
View answer
Correct Answer: C
Question #127
Your company is covered under a liability insurance policy, which provides various liability coverage for information security risks, including any physical damage of assets, hacking attacks, etc. Which of the following risk management techniques is your company using?
A. Involve subject matter experts in the risk analysis activities
B. Involve the stakeholders for risk identification only in the phases where the project directly affects them
C. Use qualitative risk analysis to quickly assess the probability and impact of risk events
D. Focus on the high-priority risks through qualitative risk analysis
View answer
Correct Answer: A
Question #128
You work as a project manager for BlueWell Inc. You have declined a proposed change request because of the risk associated with the proposed change request. Where should the declined change request be documented and stored?
A. Change request log
B. Project archives
C. Lessons learned
D. Project document updates
View answer
Correct Answer: A
Question #129
An organization is planning to engage a cloud-based service provider for some of its data-intensive business processes. Which of the following is MOST important to help define the IT risk associated with this outsourcing activity?
A. Service level agreement
B. Right to audit the provider
C. Customer service reviews
D. Scope of services provided
View answer
Correct Answer: A
Question #130
Which of the following should be the MOST important consideration when determining controls necessary for a highly critical information system?
A. The number of vulnerabilities to the system
B. The level of acceptable risk to the organization
C. The organization’s available budget
D. The number of threats to the system
View answer
Correct Answer: A
Question #131
A risk assessment has identified that an organization may not be in compliance with industry regulations. The BEST course of action would be to:
A. Collaborate with management to meet compliance requirements
B. Conduct a gap analysis against compliance criteria
C. Identify necessary controls to ensure compliance
D. Modify internal assurance activities to include control validation
View answer
Correct Answer: A
Question #132
If a particular control or monitoring tool is said to be sustainable, to what ability does this refer?
A. The ability to adapt as new elements are added to the environment
B. The ability to ensure the control remains in place when it fails
C. The ability to protect itself from exploitation or attack
D. The ability to be applied in the same manner throughout the organization
View answer
Correct Answer: A
Question #133
Which of the following should be a risk practitioner's NEXT action after identifying a high probability of data loss in a system?
A. Conduct a control assessment
B. Purchase cyber insurance from a third party
C. Increase the frequency of incident reporting
D. Enhance the security awareness program
View answer
Correct Answer: A
Question #134
Which of the following statements are true for an enterprise’s risk management capability maturity level 3?
A. Business management
B. Business process owner
C. Chief information officer (CIO)
D. Chief risk officer (CRO)
View answer
Correct Answer: ABD
Question #135
John is the project manager of the NHQ Project for his company. His project has 75 stakeholders, some of which are external to the organization. John needs to make certain that he communicates about risk in the most appropriate method for the external stakeholders. Which project management plan will be the best guide for John to communicate to the external stakeholders?
A. Risk Response Plan
B. Communications Management Plan
C. Project Management Plan
D. Risk Management Plan
View answer
Correct Answer: B
Question #136
An organization has outsourced its lease payment process to a service provider who lacks evidence of compliance with a necessary regulatory standard. Which risk treatment was adopted by the organization?
A. Acceptance
B. Transfer
C. Mitigation
D. Avoidance
View answer
Correct Answer: A
Question #137
Employees are repeatedly seen holding the door open for others, so that trailing employees do not have to stop and swipe their own ID badges. This behavior BEST represents:
A. A vulnerability
B. A control
C. An impact
D. A threat
View answer
Correct Answer: A
Question #138
Which of the following is MOST important when developing key risk indicators (KRIs)?
A. Availability of qualitative data
B. Alignment with regulatory requirements
C. Properly set thresholds
D. Alignment with industry benchmarks
View answer
Correct Answer: B
Question #139
Which of the following issues regarding an organization's IT incident response plan would be the GREATEST concern?
A. The incident response capability is outsourced
B. Teams are not operational until an incident occurs
C. Not all employees have attended incident response training
D. Roles and responsibilities are not clearly defined
View answer
Correct Answer: D
Question #140
What is the most important benefit of classifying information assets?
A. Linking security requirements to business objectives
B. Allotting risk ownership
C. Defining access rights
D. Identifying controls that should be applied
View answer
Correct Answer: D
Question #141
When reviewing a risk response strategy, senior management’s PRIMARY focus should be placed on the:
A. Investment portfolio
B. Alignment with risk appetite
C. Key performance indicators (KPIs)
D. Cost-benefit analysis
View answer
Correct Answer: D
Question #142
What is the PRIMARY need for effectively assessing controls?
A. Control's alignment with operating environment
B. Control's design effectiveness
C. Control's objective achievement
D. Control's operating effectiveness
View answer
Correct Answer: C
Question #143
You are the project manager of the GHY project for your company. This project has a budget of $543,000 and is expected to last 18 months. In this project, you have identified several risk events and created risk response plans. In what project management process group will you implement risk response plans?
A. Risk response
B. Monitoring and Control Risk
C. Quantitative risk assessment
D. Qualitative risk assessment
View answer
Correct Answer: A
Question #144
Which of the following is the BEST key performance indicator (KPI) to measure the effectiveness of an anti-virus program?
A. Frequency of anti-virus software updates
B. Number of alerts generated by the anti-virus software
C. Percentage of IT assets with current malware definitions
D. Number of false positives detected over a period of time
View answer
Correct Answer: C
Question #145
Which of the following is MOST effective in continuous risk management process improvement?
A. Policy updates
B. Periodic assessments
C. Awareness training
D. Change management
View answer
Correct Answer: B
Question #146
An organization's chief technology officer (CTO) has decided to accept the risk associated with the potential loss from a denial-of-service (DoS) attack. In this situation, the risk practitioner's BEST course of action is to:
A. Validate the CTO's decision with the business process owner
B. Recommend that the CTO revisit the risk acceptance decision
C. Identify key risk indicators (KRIs) for ongoing monitoring
D. Update the risk register with the selected risk response
View answer
Correct Answer: A
Question #147
Which of the following is true for Single loss expectancy (SLE), Annual rate of occurrence (ARO), and Annual loss expectancy (ALE)?
A. ALE = ARO / SLE
B. ARO = SLE / ALE
C. ARO = ALE * SLE
D. ALE = ARO * SLE
View answer
Correct Answer: D
Question #148
The BEST criteria when selecting a risk response is the:
A. Effectiveness of risk response options
B. Alignment of response to industry standards
C. Importance of IT risk within the enterprise
D. Capability to implement the response
View answer
Correct Answer: A
Question #149
Which of the following is the BEST method to identify unnecessary controls?
A. Evaluating existing controls against audit requirements
B. Reviewing system functionalities associated with business processes
C. Monitoring existing key risk indicators (KRIs)
D. Evaluating the impact of removing existing controls
View answer
Correct Answer: B
Question #150
The best way to test the operational effectiveness of a data backup procedure is to:
A. Inspect a selection of audit trails and backup logs
B. Conduct an audit of files stored offsite
C. Demonstrate a successful recovery from backup files
D. Interview employees to compare actual with expected procedures
View answer
Correct Answer: C
Question #151
Which of the following MUST be assessed before considering risk treatment options for a scenario with significant impact?
A. Cost-benefit analysis
B. Incident probability
C. Risk magnitude
D. Risk appetite
View answer
Correct Answer: C
Question #152
Fred is the project manager of a large project in his organization. Fred needs to begin planning the risk management plan with the project team and key stakeholders. Which plan risk management process tool and technique should Fred use to plan risk management?
A. Information gathering techniques
B. Data gathering and representation techniques
C. Planning meetings and analysis
D. Variance and trend analysis
View answer
Correct Answer: C
Question #153
Implementing which of the following will BEST help ensure that systems comply with an established baseline before deployment?
A. Continuous monitoring and alerting
B. Access controls and active logging
C. Configuration management
D. Vulnerability scanning
View answer
Correct Answer: A
Question #154
Which of the following is the way to verify control effectiveness?
A. The capability of providing notification of failure
B. Whether it is preventive or detective
C. Its reliability
D. The test results of intended objectives
View answer
Correct Answer: D
Question #155
An organization moved its payroll system to a Software as a Service (SaaS) application. A new data privacy regulation stipulates that data can only be processed within the country where it is collected. Which of the following should be done FIRST when addressing this situation?
A. Analyze data protection methods
B. Understand data flows
C. Include a right-to-audit clause
D. Implement strong access controls
View answer
Correct Answer: B
Question #156
You work as the project manager for Bluewell Inc. Your project has several risks that will affect several stakeholder requirements. Which project management plan will define who will be available to share information on the project risks?
A. Risk Management Plan
B. Stakeholder management strategy
C. Communications Management Plan
D. Resource Management Plan
View answer
Correct Answer: C
Question #157
You are the project manager of the GHT project. You have identified a risk event on your project that could save $100,000 in project costs if it occurs. Which of the following statements BEST describes this risk event?
A. This risk event should be mitigated to take advantage of the savings
B. This is a risk event that should be accepted because the rewards outweigh the threat to the project
C. This risk event should be avoided to take full advantage of the potential savings
D. This risk event is an opportunity for the project and should be exploited
View answer
Correct Answer: D
Question #158
An organization uses a vendor to destroy hard drives. Which of the following would BEST reduce the risk of data leakage?
A. Implement an encryption policy for the hard drives
B. Require the vendor to degauss the hard drives
C. Use an accredited vendor to dispose of the hard drives
D. Require confirmation of destruction from the IT manager
View answer
Correct Answer: D
Question #159
Which of the following would be MOST important for a risk practitioner to provide to the internal audit department during the audit planning process?
A. Closed management action plans from the previous audit
B. Annual risk assessment results
C. An updated vulnerability management report
D. A list of identified generic risk scenarios
View answer
Correct Answer: B
Question #160
Mary is the project manager for the BLB project. She has instructed the project team to assemble to review the risks. She has included the schedule management plan as an input for the quantitative risk analysis process. Why is the schedule management plan needed for quantitative risk analysis?
A. Deterrent control
B. Detective control
C. Compensating control
D. Preventative control
View answer
Correct Answer: B
Question #161
The MAIN reason for creating and maintaining a risk register is to:
A. Account for identified key risk factors
B. Ensure assets have low residual risk
C. Define the risk assessment methodology
D. Assess effectiveness of different projects
View answer
Correct Answer: A
Question #162
Which of the following role carriers are responsible for setting up the risk governance process, establishing and maintaining a common risk view, making risk-aware business decisions, and setting the enterprise's risk culture? Each correct answer represents a complete solution. Choose two.
A. Risk avoidance
B. Risk transference
C. Risk acceptance
D. Risk mitigation
View answer
Correct Answer: AD
Question #163
Which of the following is the FOREMOST root cause of project risk? Each correct answer represents a complete solution. Choose two.
A. Project management plan updates
B. Organizational process asset updates
C. Change requests
D. Project document updates
View answer
Correct Answer: CD
Question #164
Which of the following attributes of a key risk indicator (KRI) is MOST important?
A. Repeatable
B. Qualitative
C. Automated
D. Quantitative
View answer
Correct Answer: D
Question #165
There are four inputs to the Monitoring and Controlling Project Risks process. Which one of the following will NOT help you, the project manager, to prepare for risk monitoring and controlling?
A. Risk register
B. Work Performance Information
C. Project management plan
D. Change requests
View answer
Correct Answer: D
Question #166
Which of the following is the MOST important consideration when selecting key risk indicators (KRIs) to monitor risk trends over time?
A. Ability to predict trends
B. Ongoing availability of data
C. Availability of automated reporting systems
D. Ability to aggregate data
View answer
Correct Answer: D
Question #167
Which of the following is MOST important to include in regulatory and risk updates when a new legal requirement affects the organization?
A. Recommended key risk indicator (KRI) thresholds
B. Cost of changes to critical business processes
C. Risk associated with noncompliance
D. Time frame to remediate noncompliance risk
View answer
Correct Answer: C
Question #168
The acceptance of control costs that exceed risk exposure is MOST likely an example of:
A. Corporate culture alignment
B. Corporate culture misalignment
C. Low risk tolerance
D. High risk tolerance
View answer
Correct Answer: C
Question #169
Which of the following statements BEST describes risk appetite?
A. Acceptable variation between risk thresholds and business objectives
B. The amount of risk an organization is willing to accept
C. The effective management of risk and internal control environments
D. The acceptable variation relative to the achievement of objectives
View answer
Correct Answer: B
Question #170
Which of the following is the MOST relevant input to an organization’s risk profile?
A. External audit’s risk assessment
B. Management’s risk self-assessment
C. Internal audit’s risk assessment
D. Information security’s vulnerability assessment
View answer
Correct Answer: A
Question #171
Which of the following tools is MOST helpful when mapping IT risk management outcomes to organizational objectives?
A. Risk dashboard
B. RACI chart
C. Information security risk map
D. Strategic business plan
View answer
Correct Answer: D
Question #172
Which of the following would BEST provide early warning of a high-risk condition?
A. Risk assessment
B. Key risk indicator (KRI)
C. Risk register
D. Key performance indicator (KPI)
View answer
Correct Answer: B
Question #173
Which of the following provides the BEST measurement of an organization’s risk management maturity level?
A. IT alignment to business objectives
B. Level of residual risk
C. Key risk indicators (KRIs)
D. The results of a gap analysis
View answer
Correct Answer: A
Question #174
You work as a project manager for BlueWell Inc. You are preparing for the risk identification process. You will need to involve several of the project's key stakeholders to help you identify and communicate the identified risk events. You will also need several documents to help you and the stakeholders identify the risk events. Which one of the following is NOT a document that will help you identify and communicate risks within the project?
A. Stakeholder registers
B. Activity duration estimates
C. Activity cost estimates
D. Risk register
View answer
Correct Answer: D
Question #175
You and your project team are identifying the risks that may exist within your project. Some of the risks are small risks that won't affect your project much if they happen. What should you do with these identified risk events?
A. These risks can be dismissed
B. These risks can be accepted
C. These risks can be added to a low priority risk watch list
D. All risks must have a valid, documented risk response
View answer
Correct Answer: C
Question #176
You are the project manager of the HGT project in Bluewell Inc. The project has an asset valued at $125,000 and is subjected to an exposure factor of 25 percent. What will be the Single Loss Expectancy of this project?
A. $125,025
B. $31,250
C. $5,000
D. $3,125,000
View answer
Correct Answer: B
Question #177
In an organization with a mature risk management program, which of the following would provide the BEST evidence that the IT risk profile is up to date?
A. Risk questionnaire
B. Risk register
C. Compliance manual
D. Management assertion
View answer
Correct Answer: B
Question #178
You are the project manager of the GHY project for your organization. You are working with your project team to begin identifying risks for the project. As part of your preparation for identifying the risks within the project you will need eleven inputs for the process. Which one of the following is NOT an input to the risk identification process?
A. Quality management plan
B. Stakeholder register
C. Cost management plan
D. Procurement management plan
View answer
Correct Answer: D
Question #179
Ben is the project manager of the CMH Project for his organization. He has identified a risk that has a low probability of happening, but the impact of the risk event could save the project and the organization with a significant amount of capital. Ben assigns Laura to the risk event and instructs her to research the time, cost, and method to improve the probability of the positive risk event. Ben then communicates the risk event and response to management. What risk response has been used here?
A. Transference
B. Enhance
C. Exploit
D. Sharing
View answer
Correct Answer: B
Question #180
Which of the following is the MOST important first step in the risk assessment process?
A. Identification of assets
B. Identification of threats
C. Identification of threat sources
D. Identification of vulnerabilities
View answer
Correct Answer: A
Question #181
The PRIMARY benefit associated with key risk indicators (KRIs) is that they:
A. Identify trends in the organization’s vulnerabilities
B. Provide ongoing monitoring of emerging risk
C. Help an organization identify emerging threats
D. Benchmark the organization’s risk profile
View answer
Correct Answer: C
Question #182
You are the project manager of the HFD project. You have identified several project risks. You have adopted alternatives to deal with these risks which do not attempt to reduce the probability of a risk event or its impacts. Which of the following responses have you implemented?
A. Acceptance
B. Mitigation
C. Avoidance
D. Contingent response
View answer
Correct Answer: D
Question #183
Your project has several risks that may cause serious financial impact if they occur. You have studied the risk events and drafted some potential risk responses for them, but management wants you to do more. They would like you to create a chart that identifies the risk probability and impact with a financial amount for each risk event. What is the likely outcome of creating this type of chart?
A. Risk response plan
B. Contingency reserve
C. Risk response
D. Quantitative analysis
View answer
Correct Answer: B
Question #184
Which of the following is the MOST important consideration when developing an organization’s risk taxonomy?
A. IT strategy
B. Leading industry frameworks
C. Business context
D. Regulatory requirements
View answer
Correct Answer: C
Question #185
The BEST way to determine the likelihood of a system availability risk scenario is by assessing the:
A. Availability of fault tolerant software
B. Strategic plan for business growth
C. Vulnerability scan results of critical systems
D. Redundancy of technical infrastructure
View answer
Correct Answer: D
Question #186
Which of the following would MOST likely result in updates to an IT risk appetite statement?
A. Changes in senior management
B. External audit findings
C. Feedback from focus groups
D. Self-assessment reports
View answer
Correct Answer: A
Question #187
Which of the following decision tree nodes have probability attached to their branches?
A. Root node
B. Event node
C. End node
D. Decision node
View answer
Correct Answer: B
Question #188
A risk practitioner has identified that the organization’s secondary data center does not provide redundancy for a critical application. Who should have the authority to accept the associated risk?
A. Business continuity director
B. Business application owner
C. Disaster recovery manager
D. Data center manager
View answer
Correct Answer: B
Question #189
What should a risk practitioner do NEXT if an ineffective key control is identified on a critical system?
A. Revalidate the risk assessment
B. Escalate to senior management
C. Propose acceptance of the risk
D. Conduct a gap analysis
View answer
Correct Answer: D
Question #190
Which of the following are examples of intangible assets of an enterprise? Each correct answer represents a complete solution. Choose two.
A. Monitoring and Controlling
B. In any process group where the risk event resides
C. Planning
D. Executing
View answer
Correct Answer: AB
Question #191
Which of the following is MOST important to include when identifying risk scenarios for inclusion in a risk review of a third-party service provider?
A. Open vendor issues
B. Purchasing agreements
C. Supplier questionnaires
D. Process mapping
View answer
Correct Answer: D
Question #192
Which of the following will BEST ensure that information security risk factors are mitigated when developing in-house applications?
A. Include information security control specifications in business cases
B. Identify key risk indicators (KRIs) as process output
C. Identify information security controls in the requirements analysis
D. Design key performance indicators (KPIs) for security in system specifications
View answer
Correct Answer: C
Question #193
Calculation of the recovery time objective (RTO) is necessary to determine the:
A. Annual loss expectancy (ALE)
B. Priority of restoration
C. Point of synchronization
D. Time required to restore files
View answer
Correct Answer: B
Question #194
Mapping open risk issues to an enterprise risk heat map BEST facilitates:
A. Risk ownership
B. Risk identification
C. Risk response
D. Control monitoring
View answer
Correct Answer: C
Question #195
Which of the following controls does NOT fall under the technical class of controls?
A. Program management control
B. System and Communications Protection control
C. Identification and Authentication control
D. Access Control
View answer
Correct Answer: A
Question #196
When reporting risk assessment results to senior management, which of the following is MOST important to include to enable risk-based decision making?
A. A list of assets exposed to the highest risk
B. Potential losses compared to treatment cost
C. Recent audit and self-assessment results
D. Risk action plans and associated owners
View answer
Correct Answer: B
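The arithmetic behind Question #176 (single loss expectancy), Question #183 (probability and impact carried as a money amount per risk event, which is how a contingency reserve is sized from expected monetary value) and Question #196 (potential losses compared to treatment cost) can be carried through in a few lines. The following is an added example, not code from the page or from ISACA. The asset value and exposure factor are those of Question #176; the annualized rate of occurrence, the control cost and effect, and the project threat list are constructed assumptions.

```python
"""Quantitative risk arithmetic: SLE, ALE, EMV-based contingency reserve and
the loss-versus-treatment-cost comparison reported to management.

Added worked example. Apart from the $125,000 asset and 25 % exposure factor,
every number below (ARO, control cost, project threats) is a constructed
assumption for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskEvent:
    name: str
    asset_value: float      # AV, in currency units
    exposure_factor: float  # EF, fraction of AV lost in one occurrence (0..1)
    aro: float              # annualized rate of occurrence (events per year)

    def sle(self) -> float:
        """Single loss expectancy: the loss from one occurrence (AV x EF)."""
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure factor must be a fraction between 0 and 1")
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy: expected loss per year (SLE x ARO)."""
        return self.sle() * self.aro


def expected_monetary_value(probability: float, impact: float) -> float:
    """EMV of one risk event: probability times monetary impact."""
    if not 0.0 <= probability <= 1.0:
        raise ValueError("probability must be between 0 and 1")
    return probability * impact


def contingency_reserve(threats: list) -> float:
    """Sum the EMV of each (probability, loss) pair.

    This is what a probability-impact chart with money amounts feeds: the
    reserve set aside for risks that are accepted with a contingent response.
    """
    return sum(expected_monetary_value(p, loss) for p, loss in threats)


def control_benefit(ale_before: float, ale_after: float, annual_control_cost: float) -> float:
    """Net annual benefit of a control: ALE reduction minus the control's cost.

    A negative value means the treatment costs more than the loss it avoids,
    which is the comparison senior management needs for a risk-based decision.
    """
    return (ale_before - ale_after) - annual_control_cost


# The CRISC worked case: $125,000 asset, 25 % exposure factor -> SLE $31,250.
# ARO of 0.5 (one event every two years) is an assumption.
HGT = RiskEvent("HGT project asset", asset_value=125_000.0, exposure_factor=0.25, aro=0.5)

# Constructed project threats as (probability, loss) pairs for the reserve.
PROJECT_THREATS = [(0.10, 60_000.0), (0.25, 20_000.0), (0.05, 200_000.0)]


def hgt_summary() -> dict:
    """Return the figures a practitioner would put in front of management."""
    # Assumed control: cuts the exposure factor from 25 % to 5 % for $4,000/year.
    mitigated = RiskEvent(HGT.name, HGT.asset_value, exposure_factor=0.05, aro=HGT.aro)
    return {
        "sle": HGT.sle(),
        "ale": HGT.ale(),
        "reserve": contingency_reserve(PROJECT_THREATS),
        "net_benefit": control_benefit(HGT.ale(), mitigated.ale(), 4_000.0),
    }


if __name__ == "__main__":
    for key, value in hgt_summary().items():
        print(f"{key:>12}: {value:,.2f}")
```

Running it prints the SLE of $31,250 that Question #176 asks for, then the ALE, the reserve and the net benefit of the assumed control, so the same numbers can be traced from the exam formula to the figure management would see.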
Question #197
After identifying new risk events during a project, the project manager’s NEXT step should be to:
A. Continue with a quantitative risk analysis
B. Determine if the scenarios need to be accepted or responded to
C. Continue with a qualitative risk analysis
D. Record the scenarios into the risk register
View answer
Correct Answer: D
Question #198
Which of the following is a technique that provides a systematic description of the combination of unwanted occurrences in a system?
A. Sensitivity analysis
B. Scenario analysis
C. Fault tree analysis
D. Cause and effect analysis
View answer
Correct Answer: C
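Fault tree analysis, the answer to Question #198, works top-down: an unwanted top event is decomposed through AND/OR gates into basic events, and the tree then yields both the top event's probability and the minimal combinations of failures (cut sets) that produce it. The following is an added example, not from the page or from ISACA. The tree models a critical application becoming unavailable, in the spirit of Questions #185 and #188; its basic events and probabilities are constructed, and basic events are assumed to be statistically independent.

```python
"""Fault tree analysis (FTA): a top-level unwanted event decomposed through
AND/OR gates into basic events with known probabilities.

Added worked example. The tree, the event names and the per-year probabilities
are constructed for illustration; basic events are assumed independent, the
usual simplifying assumption in FTA.
"""
from dataclasses import dataclass
from itertools import product
from typing import Union


@dataclass(frozen=True)
class Basic:
    """A basic (leaf) event with a known probability over the analysis period."""
    name: str
    p: float


@dataclass(frozen=True)
class Gate:
    """An AND gate fires only if every input fires; an OR gate if any input fires."""
    kind: str      # "AND" or "OR"
    name: str
    inputs: tuple  # of Basic or Gate


Node = Union[Basic, Gate]


def probability(node: Node) -> float:
    """Probability of the event at `node`, assuming independent basic events."""
    if isinstance(node, Basic):
        if not 0.0 <= node.p <= 1.0:
            raise ValueError(f"{node.name}: probability must be between 0 and 1")
        return node.p
    child_ps = [probability(child) for child in node.inputs]
    if node.kind == "AND":
        result = 1.0
        for p in child_ps:
            result *= p
        return result
    if node.kind == "OR":
        # P(any input fires) = 1 - P(no input fires)
        none_fire = 1.0
        for p in child_ps:
            none_fire *= 1.0 - p
        return 1.0 - none_fire
    raise ValueError(f"unknown gate kind {node.kind!r}")


def minimal_cut_sets(node: Node) -> list:
    """Minimal combinations of basic events that each suffice to cause `node`."""
    if isinstance(node, Basic):
        return [frozenset([node.name])]
    child_sets = [minimal_cut_sets(child) for child in node.inputs]
    if node.kind == "OR":
        candidates = [s for sets in child_sets for s in sets]
    else:  # AND: one cut set from each input must occur together
        candidates = [frozenset().union(*combo) for combo in product(*child_sets)]
    # Keep only sets that have no proper subset among the candidates
    minimal = {s for s in candidates if not any(other < s for other in candidates)}
    return sorted(minimal, key=lambda s: (len(s), sorted(s)))


def build_tree(failover_fails_p: float) -> Gate:
    """Top event: critical application unavailable. The parameter is the assumed
    probability that failover to the secondary data center fails, which is what
    adding redundancy there would reduce."""
    return Gate("OR", "Critical application unavailable", (
        Gate("AND", "Primary site lost and not recovered", (
            Basic("Primary data center outage", 0.10),
            Basic("Failover to secondary fails", failover_fails_p),
        )),
        Basic("Database corruption", 0.02),
        Gate("AND", "Ransomware with no recovery path", (
            Basic("Ransomware detonates", 0.05),
            Basic("Backups unusable", 0.20),
        )),
    ))


def top_event_probability(failover_fails_p: float = 0.50) -> float:
    return probability(build_tree(failover_fails_p))


def top_event_cut_sets(failover_fails_p: float = 0.50) -> list:
    return minimal_cut_sets(build_tree(failover_fails_p))


if __name__ == "__main__":
    for label, p_fail in (("no redundancy", 0.50), ("redundant secondary", 0.05)):
        print(f"{label:>20}: P(top) = {top_event_probability(p_fail):.4f}")
    for cut in top_event_cut_sets():
        print("cut set:", sorted(cut))
```

The two runs of `top_event_probability` show how a single redundancy decision at the secondary site changes the likelihood of the top event, and the cut sets make explicit which single failures (here, database corruption) bypass every other safeguard.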
Question #199
You are the risk official of your enterprise. You have just completed the risk analysis process. You notice that the risk level associated with your project is less than the risk tolerance level of your enterprise. Which of the following is the MOST likely action you should take?
A. Apply risk response
B. Update risk register
C. No action
D. Prioritize risk response options
View answer
Correct Answer: C
Question #200
You work as the project manager for Company Inc. The project on which you are working has several risks that will affect several stakeholder requirements. Which project management plan will define who will be available to share information on the project risks?
A. Resource Management Plan
B. Communications Management Plan
C. Risk Management Plan
D. Stakeholder management strategy
View answer
Correct Answer: B
Question #201
Which of the following phases are involved in Data Extraction, Validation, Aggregation and Analysis?
A. Risk response and Risk monitoring
B. Requirements gathering, Data access, Data validation, Data analysis, and Reporting and corrective action
C. Data access and Data validation
D. Risk identification, Risk assessment, Risk response and Risk monitoring
View answer
Correct Answer: B
Question #202
Which of the following is the MOST important consideration for a risk practitioner when making a system implementation go-live recommendation?
A. Availability of in-house resources
B. Completeness of system documentation
C. Variances between planned and actual cost
D. Results of end user acceptance testing
View answer
Correct Answer: D
Question #203
Which of the following tools is MOST effective in identifying trends in the IT risk profile?
A. Risk dashboard
B. Risk register
C. Risk self-assessment
D. Risk map
View answer
Correct Answer: D
Question #204
What is the PRIMARY reason to periodically review key performance indicators (KPIs)?
A. Identify trends
B. Optimize resources needed for controls
C. Ensure compliance
D. Promote a risk-aware culture
View answer
Correct Answer: B
Question #205
Which of the following is the BEST indicator of an effective IT security awareness program?
A. Decreased success rate of internal phishing tests
B. Number of employees that complete security training
C. Number of disciplinary actions issued for security violations
D. Decreased number of reported security incidents
View answer
Correct Answer: A
Question #206
A project team member has just identified a new project risk. The risk event is determined to have significant impact but a low probability in the project. If the risk event happens, it will delay the project by three weeks, which will introduce new risk into the project. What should the project manager do with the risk event?
A. Add the identified risk to a quality control management chart
B. Add the identified risk to the issues log
C. Add the identified risk to the risk register
D. Add the identified risk to the low-level risk watch-list
View answer
Correct Answer: C
Question #207
Which of the following is the MOST important data source for monitoring key risk indicators (KRIs)?
A. Audit reports from internal information systems audits
B. Directives from legal and regulatory authorities
C. Trend analysis of external risk factors
D. Automated logs collected from different systems
View answer
Correct Answer: D
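Question #207 makes automated logs the primary data source for KRIs, Question #181 describes KRIs as ongoing monitoring of emerging risk, and Question #203 asks what surfaces trends in the risk profile. The following is an added example, not from the page or from ISACA, of how those three fit together: it derives an hourly failed-login-ratio KRI from authentication log lines, rates it against thresholds and reports the trend across windows. The log lines are constructed in a simplified sshd-like format, and the amber/red thresholds are assumptions; in practice they come from the KRI definition agreed with the risk owner.

```python
"""Deriving a key risk indicator (KRI) from automated logs and watching its trend.

Added worked example. SAMPLE_LOG is constructed (simplified sshd-style lines),
and the AMBER/RED thresholds are assumed values, not from the page.
"""
import re
from collections import defaultdict

# Constructed sample: one morning of authentication events on a single host.
SAMPLE_LOG = """\
2024-03-01T08:02:11Z sshd[1201]: Accepted publickey for alice from 198.51.100.7
2024-03-01T08:05:40Z sshd[1203]: Accepted password for dave from 198.51.100.12
2024-03-01T09:14:02Z sshd[1210]: Accepted publickey for bob from 198.51.100.8
2024-03-01T09:20:30Z sshd[1211]: Failed password for root from 203.0.113.5
2024-03-01T10:01:05Z sshd[1220]: Failed password for admin from 203.0.113.9
2024-03-01T10:01:06Z sshd[1220]: Failed password for admin from 203.0.113.9
2024-03-01T10:01:07Z sshd[1220]: Failed password for admin from 203.0.113.9
2024-03-01T10:01:08Z sshd[1220]: Failed password for oracle from 203.0.113.9
2024-03-01T10:30:00Z sshd[1225]: Accepted password for carol from 198.51.100.9
"""

LINE_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2}T(?P<hour>\d{2}):\d{2}:\d{2}Z sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \S+ for (?P<user>\S+) from (?P<src>\S+)$"
)

# Assumed KRI thresholds on the hourly share of failed logins.
AMBER = 0.50
RED = 0.75


def count_by_hour(log_text: str) -> dict:
    """Bucket parsed events per hour as {"HH": {"failed": n, "accepted": m}}."""
    buckets = defaultdict(lambda: {"failed": 0, "accepted": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue  # lines that do not parse are skipped, never counted as either
        buckets[m["hour"]][m["result"].lower()] += 1
    return dict(buckets)


def failed_login_ratio(bucket: dict) -> float:
    """Share of authentication attempts in the bucket that failed."""
    total = bucket["failed"] + bucket["accepted"]
    return bucket["failed"] / total if total else 0.0


def rating(ratio: float) -> str:
    """Map the KRI value onto the assumed green/amber/red thresholds."""
    if ratio >= RED:
        return "red"
    if ratio >= AMBER:
        return "amber"
    return "green"


def kri_report(log_text: str) -> dict:
    """Per-hour KRI value (rounded) and its rating, ordered by hour."""
    report = {}
    for hour, bucket in sorted(count_by_hour(log_text).items()):
        ratio = failed_login_ratio(bucket)
        report[hour] = (round(ratio, 3), rating(ratio))
    return report


def trend(report: dict) -> str:
    """Direction of the KRI from first to last window; 'rising' flags emerging risk."""
    ratios = [ratio for ratio, _ in report.values()]
    if len(ratios) < 2:
        return "insufficient data"
    if ratios[-1] > ratios[0]:
        return "rising"
    if ratios[-1] < ratios[0]:
        return "falling"
    return "flat"


if __name__ == "__main__":
    rep = kri_report(SAMPLE_LOG)
    for hour, (ratio, colour) in rep.items():
        print(f"{hour}:00  failed-login ratio {ratio:.3f}  {colour}")
    print("trend:", trend(rep))
```

The point for a risk practitioner is the last line: the same log feed that produces a single red reading also produces the direction of travel, which is what distinguishes a KRI from a one-off alert.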
Question #208
Part of a project deals with hardware work. As the project manager, you have decided to hire a company to handle all hardware work on the project. Which type of risk response is this?
A. Transference
B. Mitigation
C. Avoidance
D. Exploit
View answer
Correct Answer: A
Question #209
After the review of a risk record, internal audit questioned why the risk was lowered from medium to low. Which of the following is the BEST course of action in responding to this inquiry?
A. Notify the business at the next risk briefing
B. Obtain industry benchmarks related to the specific risk
C. Provide justification for the lower risk rating
D. Reopen the risk issue and complete a full assessment
View answer
Correct Answer: C
Question #210
Which of the following is MOST critical to the design of relevant risk scenarios?
A. The scenarios are linked to probable organizational situations
B. The scenarios are based on past incidents
C. The scenarios are aligned with risk management capabilities
D. The scenarios are mapped to incident management capabilities
View answer
Correct Answer: A
