DON'T WANT TO MISS A THING?

Certification Exam Passing Tips

Latest exam news and discount info

Curated and up-to-date by our experts

Yes, send me the newsletter

Pass Your CRISC Exam with Practice Tests 2024 Updated, Certified in Risk and Information Systems Control | SPOTO

Prepare effectively to pass your CRISC exam with SPOTO's updated practice tests for 2024. Access a variety of practice tests and mock exams to assess your knowledge and readiness. Our exam materials, including exam dumps and sample questions, reinforce key concepts in risk management and information systems control. Utilize our exam simulator for realistic exam practice, simulating the exam environment and improving your time management skills. With SPOTO, you'll have all the tools you need to succeed in your CRISC certification journey. Start your exam preparation today and become a certified risk management expert capable of optimizing risk management across your organization.
Take other online exams

Question #1
Which of the following controls is an example of non-technical controls?
A. Access control
B. Physical security
C. Intrusion detection system
D. Encryption
View answer
Correct Answer: B
Question #2
Which of the following are sub-categories of threat? Each correct answer represents a complete solution. Choose three. A. Natural and supernatural
B. Computer and user
C. Natural and man-made
D. Intentional and accidental
E. External and internal
View answer
Correct Answer: AD
Question #3
Your project team has completed the quantitative risk analysis for your project work. Based on their findings, they need to update the risk register with several pieces of information. Which one of the following components is likely to be updated in the risk register based on their analysis?
A. Listing of risk responses
B. Risk ranking matrix
C. Listing of prioritized risks
D. Qualitative analysis outcomes
View answer
Correct Answer: A
Question #4
Which of the following guidelines should be followed for effective risk management? Each correct answer represents a complete solution. Choose three.
A. Promote and support consistent performance in risk management B
C. Focus on enterprise's objective
D. Balance the costs and benefits of managing risk
View answer
Correct Answer: D
Question #5
Wendy is about to perform qualitative risk analysis on the identified risks within her project. Which one of the following will NOT help Wendy to perform this project management activity?
A. Risk management plan
B. Project scope statement
C. Risk register
D. Stakeholder register
View answer
Correct Answer: C
Question #6
You are the risk official of your enterprise. You have just completed risk analysis process. You noticed that the risk level associated with your project is less than risk tolerance level of your enterprise. Which of following is the MOST likely action you should take?
A. Apply risk response
B. Update risk register
C. No action
D. Prioritize risk response options
View answer
Correct Answer: C
Question #7
Which of the following is NOT true for risk governance?
A. Risk governance is based on the principles of cooperation, participation, mitigation and sustainability, and is adopted to achieve more effective risk management
B. Risk governance requires reporting once a year
C. Risk governance seeks to reduce risk exposure and vulnerability by filling gaps in risk policy
D. Risk governance is a systemic approach to decision making processes associated to natural and technological risks
View answer
Correct Answer: CDE
Question #8
Which of the following techniques examines the degree to which organizational strengths offset threats and opportunities that may serve to overcome weaknesses? A. SWOT Analysis
B. Delphi
C. Brainstorming
D. Expert Judgment
View answer
Correct Answer: B
Question #9
Which of the following is the first MOST step in the risk assessment process?
A. Identification of assets
B. Identification of threats
C. Identification of threat sources
D. Identification of vulnerabilities
View answer
Correct Answer: A
Question #10
Your project spans the entire organization. You would like to assess the risk of your project but worried about that some of the managers involved in the project could affect the outcome of any risk identification meeting. Your consideration is based on the fact that some employees would not want to publicly identify risk events that could declare their supervision as poor. You would like a method that would allow participants to anonymously identify risk events. What risk identification method could you us
A. Delphi technique
B. Root cause analysis
C. Isolated pilot groups
D. SWOT analysis
View answer
Correct Answer: C
Question #11
According to the Section-302 of the Sarbanes-Oxley Act of 2002, what does certification of reports implies? Each correct answer represents a complete solution. Choose three.
A. The signing officer has evaluated the effectiveness of the issuer's internal controls as of a date at the time to report
B. The financial statement does not contain any materially untrue or misleading information
C. The signing officer has reviewed the report
D. The signing officer has presented in the report their conclusions about the effectiveness of their internal controls based on their evaluation as of that date
View answer
Correct Answer: A
Question #12
You are the project manager in your enterprise. You have identified risk that is noticeable failure threatening the success of certain goals of your enterprise. In which of the following levels do this identified risk exists?
A. Moderate risk
B. High risk
C. Extremely high risk
D. Low risk
View answer
Correct Answer: A
Question #13
What are the two MAJOR factors to be considered while deciding risk appetite level? Each correct answer represents a part of the solution. Choose two.
A. The amount of loss the enterprise wants to accept
B. Alignment with risk-culture
C. Risk-aware decisions
D. The capacity of the enterprise's objective to absorb loss
View answer
Correct Answer: AD
Question #14
You are the project manager of a large networking project. During the execution phase the customer requests for a change in the existing project plan. What will be your immediate action?
A. Update the risk register
B. Ask for a formal change request
C. Ignore the request as the project is in the execution phase
D. Refuse the change request
View answer
Correct Answer: D
Question #15
Which of the following is true for Single loss expectancy (SLE), Annual rate of occurrence (ARO), and Annual loss expectancy (ALE)?
A. ALE= ARO/SLE
B. ARO= SLE/ALE
C. ARO= ALE*SLE
D. ALE= ARO*SLE
View answer
Correct Answer: D
Question #16
You are the project manager of GHT project. You have applied certain control to prevent the unauthorized changes in your project. Which of the following control you would have applied for this purpose? A. Personnel security control
B. Access control
C. Configuration management control
D. Physical and environment protection control
View answer
Correct Answer: B
Question #17
Risks with low ratings of probability and impact are included for future monitoring in which of the following?
A. Risk alarm
B. Observation list C
D. Risk register
View answer
Correct Answer: ABC
Question #18
Which of the following is NOT true for risk management capability maturity level 1? A. There is an understanding that risk is important and needs to be managed, but it is viewed as a technical issue and the business primarily considers the downside of IT risk
B. Decisions involving risk lack credible information
C. Risk appetite and tolerance are applied only during episodic risk assessments
D. Risk management skills exist on an ad hoc basis, but are not actively developed
View answer
Correct Answer: B
Question #19
You are the project manager for BlueWell Inc. You have noticed that the risk level in your project increases above the risk tolerance level of your enterprise. You have applied several risk response. Now you have to update the risk register in accordance to risk response process. All of the following are included in the risk register except for which item?
A. Risk triggers
B. Agreed-upon response strategies
C. Network diagram analysis of critical path activities
D. Risk owners and their responsibility
View answer
Correct Answer: D
Question #20
You are the project manager of GHT project. You are performing cost and benefit analysis of control. You come across the result that costs of specific controls exceed the benefits of mitigating a given risk. What is the BEST action would you choose in this scenario?
A. The enterprise may apply the appropriate control anyway
B. The enterprise should adopt corrective control
C. The enterprise may choose to accept the risk rather than incur the cost of mitigation
D. The enterprise should exploit the risk
View answer
Correct Answer: A
Question #21
Which of the following statements are true for enterprise's risk management capability maturity level 3 ?
A. Workflow tools are used to accelerate risk issues and track decisions
B. The business knows how IT fits in the enterprise risk universe and the risk portfolio view
C. The enterprise formally requires continuous improvement of risk management skills, based on clearly defined personal and enterprise goals
D. Risk management is viewed as a business issue, and both the drawbacks and benefits of risk are recognized
View answer
Correct Answer: ABD
Question #22
You work as a project manager for Bluewell Inc. You have identified a project risk. You have then implemented the risk action plan and it turn out to be non- effective. What type of plan you should implement in such case?
A. Risk mitigation
B. Risk fallback plan
C. Risk avoidance
D. Risk response plan
View answer
Correct Answer: D
Question #23
Which of the following is the BEST way to ensure that outsourced service providers comply with the enterprise's information security policy?
A. Penetration testing
B. Service level monitoring
C. Security awareness training
D. Periodic audits
View answer
Correct Answer: D
Question #24
Which of the following is true for Cost Performance Index (CPI)?
A. If the CPI > 1, it indicates better than expected performance of project
B. CPI = Earned Value (EV) * Actual Cost (AC)
C. It is used to measure performance of schedule
D. If the CPI = 1, it indicates poor performance of project
View answer
Correct Answer: A
Question #25
Capability maturity models are the models that are used by the enterprise to rate itself in terms of the least mature level to the most mature level. Which of the following capability maturity levels shows that the enterprise does not recognize the need to consider the risk management or the business impact from IT risk?
A. Level 2
B. Level 0
C. Level 3
D. Level 1
View answer
Correct Answer: D
Question #26
You are the project manager of a HGT project that has recently finished the final compilation process. The project customer has signed off on the project completion and you have to do few administrative closure activities. In the project, there were several large risks that could have wrecked the project but you and your project team found some new methods to resolve the risks without affecting the project costs or project completion date. What should you do with the risk responses that you have identified
A. Include the responses in the project management plan
B. Include the risk responses in the risk management plan
C. Include the risk responses in the organization's lessons learned database
D. Nothing
View answer
Correct Answer: C
Question #27
Using which of the following one can produce comprehensive result while performing qualitative risk analysis?
A. Scenarios with threats and impacts
B. Cost-benefit analysis
C. Value of information assets
D. Vulnerability assessment
View answer
Correct Answer: B
Question #28
Which of the following are the principles of risk management? Each correct answer represents a complete solution. Choose three.
A. Risk management should be an integral part of the organization B
C. Risk management is the responsibility of executive management
D. Risk management should be transparent and inclusive
View answer
Correct Answer: A
Question #29
You are the project manager of HGT project. You are in the first phase of the risk response process and are doing following tasks : Communicating risk analysis results Reporting risk management activities and the state of compliance Interpreting independent risk assessment findings Identifying business opportunities Which of the following process are you performing?
A. Articulating risk
B. Mitigating risk
C. Tracking risk
D. Reporting risk
View answer
Correct Answer: C
Question #30
Which of the following characteristics of risk controls can be defined as under? "The separation of controls in the production environment rather than the separation in the design and implementation of the risk"
A. Trusted source
B. Secure
C. Distinct
D. Independent
View answer
Correct Answer: CD
Question #31
One of the risk events you've identified is classified as force majeure. What risk response is likely to be used?
A. Acceptance
B. Transference
C. Enhance
D. Mitigation
View answer
Correct Answer: C
Question #32
You are completing the qualitative risk analysis process with your project team and are relying on the risk management plan to help you determine the budget, schedule for risk management, and risk categories. You discover that the risk categories have not been created. When the risk categories should have been created?
A. Define scope process
B. Risk identification process
C. Plan risk management process
D. Create work breakdown structure process
View answer
Correct Answer: ACD
Question #33
You are the project manager of HGT project. You have identified project risks and applied appropriate response for its mitigation. You noticed a risk generated as a result of applying response. What this resulting risk is known as?
A. Pure risk
B. Secondary risk
C. Response risk
D. High risk
View answer
Correct Answer: C
Question #34
You are the project manager of HWD project. It requires installation of some electrical machines. You and the project team decided to hire an electrician as electrical work can be too dangerous to perform. What type of risk response are you following?
A. Avoidance
B. Transference
C. Mitigation
D. Acceptance
View answer
Correct Answer: B
Question #35
Mary is the project manager for the BLB project. She has instructed the project team to assemble, to review the risks. She has included the schedule management plan as an input for the quantitative risk analysis process. Why is the schedule management plan needed for quantitative risk analysis?
A. Mary will schedule when the identified risks are likely to happen and affect the project schedule
B. Mary will utilize the schedule controls and the nature of the schedule for the quantitative analysis of the schedule
C. Mary will use the schedule management plan to schedule the risk identification meetings throughout the remaining project
D. Mary will utilize the schedule controls to determine how risks may be allowed to change the project schedule
View answer
Correct Answer: B
Question #36
Which of the following are the security plans adopted by the organization? Each correct answer represents a complete solution. Choose all that apply.
A. Business continuity plan
B. Backup plan
C. Disaster recovery plan
D. Project management plan
View answer
Correct Answer: A
Question #37
Which of the following steps ensure effective communication of the risk analysis results to relevant stakeholders? Each correct answer represents a complete solution. Choose three.
A. The results should be reported in terms and formats that are useful to support business decisions
B. Provide decision makers with an understanding of worst-case and most probable scenarios, due diligence exposures and significant reputation, legal or regulatory considerations
C. Communicate the negative impacts of the events only, it needs more consideration
D. Communicate the risk-return context clearly
View answer
Correct Answer: B
Question #38
Which among the following acts as a trigger for risk response process?
A. Risk level increases above risk appetite
B. Risk level increase above risk tolerance C
D. Risk level equates the risk tolerance
View answer
Correct Answer: B
Question #39
You are the risk control professional of your enterprise. You have implemented a tool that correlates information from multiple sources. To which of the following do this monitoring tool focuses?
A. Transaction data
B. Process integrity
C. Configuration settings D
View answer
Correct Answer: A
Question #40
Which of the following is true for risk evaluation?
A. Risk evaluation is done only when there is significant change
B. Risk evaluation is done once a year for every business processes
C. Risk evaluation is done annually or when there is significant change
View answer
Correct Answer: B
Question #41
Shelly is the project manager of the BUF project for her company. In this project Shelly needs to establish some rules to reduce the influence of risk bias during the qualitative risk analysis process. What method can Shelly take to best reduce the influence of risk bias?
A. Establish risk boundaries
B. Group stakeholders according to positive and negative stakeholders and then complete the risk analysis
C. Determine the risk root cause rather than the person identifying the risk events
D. Establish definitions of the level of probability and impact of risk event
View answer
Correct Answer: C
Question #42
Stephen is the project manager of the GBB project. He has worked with two subject matter experts and his project team to complete the risk assessment technique. There are approximately 47 risks that have a low probability and a low impact on the project. Which of the following answers best describes what Stephen should do with these risk events?
A. Because they are low probability and low impact, Stephen should accept the risks
B. The low probability and low impact risks should be added to a watchlist for future monitoring
C. Because they are low probability and low impact, the risks can be dismissed
D. The low probability and low impact risks should be added to the risk register
View answer
Correct Answer: B

View Answers after Submission

Please submit your email and WhatsApp to get the answers of questions.

Note: Please make sure your email ID and Whatsapp are valid so that you can get the correct exam results.

Email:
Whatsapp/phone number: