Free ISACA CRISC Practice Exams - Page 2 of 73

Question #11

A business unit is updating a risk register with assessment results for a key project.

Which of the following is MOST important to capture in the register?

A . The team that performed the risk assessment
B . An assigned risk manager to provide oversight
C . Action plans to address risk scenarios requiring treatment
D . The methodology used to perform the risk assessment

Reveal Solution Hide Solution

Correct Answer: C
C

Explanation:

A risk register is a tool that records and tracks the risks that may affect a project, as well as the actions that are taken or planned to manage them1. A risk register should include information such as the risk description, category, source, impact, likelihood, severity, owner, status, and response2. Among these, the most important information to capture in the risk register is the action plans to address risk scenarios requiring treatment. This is because the action plans are the specific steps that are taken to reduce, avoid, transfer, or accept the risks, depending on the chosen risk treatment option3. The action plans should be clear, realistic, measurable, and aligned with the project objectives and constraints4. The action plans should also be monitored and updated regularly to ensure that they are effective and appropriate for the changing risk environment5. The action plans are essential for managing the risks and ensuring the successful delivery of the project. The other options are not the most important information to capture in the risk register, as they are either less relevant or less actionable than the action plans. The team that performed the risk assessment is the group of people who identified, analyzed, and evaluated the risks, using various tools and techniques6. While this information may be useful for accountability and communication purposes, it is not as important as the action plans, as it does not indicate how the risks are treated or resolved. The assigned risk manager to provide oversight is the person who has the responsibility and authority to oversee the risk management process and ensure that the risks are properly identified, assessed, treated, and reported. While this information may be useful for governance and coordination purposes, it is not as important as the action plans, as it does not specify what actions are taken or planned to manage the risks. The methodology used to perform the risk assessment is the approach or framework that is used to identify, analyze, and evaluate the risks, based on the project context, scope, and objectives. While this information may be useful for consistency and transparency purposes, it is not as important as the action plans, as it does not describe how the risks are addressed or mitigated.

Reference: = Risk and Information Systems Control Study Manual, 7th Edition, Chapter 2, Section 2.1.5, Page 55.

Question #12

Which of the following criteria is MOST important when developing a response to an attack that would compromise data?

A . The recovery time objective (RTO)
B . The likelihood of a recurring attack
C . The organization’s risk tolerance
D . The business significance of the information

Reveal Solution Hide Solution

Question #13

An audit reveals that there are changes in the environment that are not reflected in the risk profile.

Which of the following is the BEST course of action?

A . Review the risk identification process.
B . Inform the risk scenario owners.
C . Create a risk awareness communication plan.
D . Update the risk register.

Reveal Solution Hide Solution

Question #14

Which of the following would be a risk practitioner’s BEST course of action when a project team has accepted a risk outside the established risk appetite?

A . Reject the risk acceptance and require mitigating controls.
B . Monitor the residual risk level of the accepted risk.
C . Escalate the risk decision to the project sponsor for review.
D . Document the risk decision in the project risk register.

Reveal Solution Hide Solution

Question #15

Which of the following will BEST communicate the importance of risk mitigation initiatives to senior management?

A . Business case
B . Balanced scorecard
C . Industry standards
D . Heat map

Reveal Solution Hide Solution

Question #16

Which of the following issues found during the review of a newly created disaster recovery plan (DRP) should be of MOST concern?

A . Some critical business applications are not included in the plan
B . Several recovery activities will be outsourced
C . The plan is not based on an internationally recognized framework
D . The chief information security officer (CISO) has not approved the plan

Reveal Solution Hide Solution

Question #17

Which of the following is the MOST important consideration when prioritizing risk response?

A . Requirements for regulatory obligations.
B . Cost of control implementation.
C . Effectiveness of risk treatment.
D . Number of risk response options.

Reveal Solution Hide Solution

Question #18

Which of the following should a risk practitioner do FIRST when an organization decides to use a cloud service?

A . Review the vendor selection process and vetting criteria.
B . Assess whether use of service falls within risk tolerance thresholds.
C . Establish service level agreements (SLAs) with the vendor.
D . Check the contract for appropriate security risk and control provisions.

Reveal Solution Hide Solution

Question #19

An organization control environment is MOST effective when:

A . control designs are reviewed periodically
B . controls perform as intended.
C . controls are implemented consistently.
D . controls operate efficiently

Reveal Solution Hide Solution

Question #20

Which of the following should be considered FIRST when assessing risk associated with the adoption of emerging technologies?

A . Organizational strategy
B . Cost-benefit analysis
C . Control self-assessment (CSA)
D . Business requirements

Reveal Solution Hide Solution