Certified in Risk and Information Systems Control CRISC (CRISC) — Questions 151225

500 questions total · 7 pages · All types, answers revealed


Page 3 of 7

151
MCQ (easy)

Refer to the exhibit. Which risk is MOST directly identified?

A. Denial of service vulnerability
B. Malware propagation across subnets
C. Weak password policy
D. Unauthorized remote access to a critical server

Answer: D

Allowing RDP from a broad range increases unauthorized access risk.

Why this answer

The exhibit (not shown) likely depicts a network diagram or access control list (ACL) configuration that allows inbound traffic from the internet to a critical server on a restricted port (e.g., RDP on TCP 3389 or SSH on TCP 22). This directly identifies the risk of unauthorized remote access, as an attacker could exploit this exposed management interface to gain control of the server. The other options are not directly indicated by such a configuration.

Exam trap

The trap here is that candidates may misinterpret a network diagram or ACL as indicating a denial of service vulnerability (Option A) because they focus on the inbound traffic volume or source, rather than recognizing that the specific risk is the exposure of a management interface to unauthorized remote access.

How to eliminate wrong answers

Option A is wrong because a denial of service vulnerability typically involves resource exhaustion or protocol-level attacks (e.g., SYN flood, ICMP flood), which are not directly identified by an ACL permitting remote access to a server. Option B is wrong because malware propagation across subnets would require evidence of lateral movement paths, such as unrestricted inter-subnet firewall rules or open file-sharing ports, not a single inbound rule to a critical server. Option C is wrong because a weak password policy is a governance or configuration issue unrelated to network access controls; it would be identified through password audits or policy reviews, not by examining ACLs or network diagrams.

152
MCQ (hard)

An organization uses a risk appetite statement that limits operational losses to $2 million per quarter. A new risk reporting dashboard shows that current operational losses are $1.8 million with two weeks remaining in the quarter. The head of risk management wants to ensure that losses remain within appetite. Which of the following control monitoring reports would be MOST useful for proactive decision-making?

A. A projected loss report based on current trends and remaining period
B. A report on current loss amounts per business unit
C. A summary of historical operational losses by month
D. A detailed KRI report showing loss frequency by category

Answer: A

Projected reports allow management to take preemptive actions to stay within appetite.

Why this answer

Option A is correct because a projected loss report using trend analysis enables proactive action before the appetite limit is breached. Option C is wrong because a historical report is backward-looking. Option D is wrong because a KRI summary by category is too granular and may not show the overall projected trajectory.

Option B is wrong because loss per business unit does not provide a consolidated projection against appetite.

153
Matching (medium)

Match each risk management process step to its activity.


Concepts
Matches

Find and list potential risks

Determine likelihood and impact

Compare risk levels to risk criteria

Select and implement controls

Why these pairings

These steps form the core risk management process per ISACA.

154
MCQ (hard)

A large organization is implementing a continuous monitoring program for its critical systems. Which of the following is the MOST important factor for the program's success?

A. Use of advanced analytics and machine learning.
B. Integration with automated incident response workflows.
C. Support from senior management.
D. Clear definition of monitoring scope and objectives.

Answer: B

Automation ensures timely response to alerts.

Why this answer

Integration with automated incident response workflows is the most important factor because continuous monitoring is only effective if detected anomalies or threats can be acted upon in near real-time. Without automated response, alerts may be ignored or delayed, rendering the monitoring program ineffective. This aligns with the CRISC focus on reducing risk through timely remediation, not just detection.

Exam trap

The trap here is that candidates often choose 'Support from senior management' (Option C) because it seems universally important, but the question specifically asks for the 'MOST important factor for the program's success' in a technical monitoring context, where operational integration with response is the key differentiator.

How to eliminate wrong answers

Option A is wrong because advanced analytics and machine learning are enhancements, not foundational requirements; they can introduce false positives and complexity without guaranteeing success if response workflows are manual. Option C is wrong because while senior management support is necessary for funding and policy, it does not directly ensure the operational success of the monitoring program's technical execution. Option D is wrong because clear scope and objectives are prerequisites, but they alone do not ensure that monitoring leads to risk reduction; without automated response, even well-defined monitoring can fail to mitigate threats in time.

155
MCQ (hard)

A financial institution is implementing a new real-time payment system that will process high-value transactions. To identify emerging risks, which method would be MOST effective during the development phase?

A. Embed automated security testing and threat modeling into the CI/CD pipeline
B. Wait for a post-implementation penetration test
C. Conduct a security review of the completed system before deployment
D. Develop a straw man architecture and perform a threat model

Answer: A

Continuous integration of security identifies risks early and often.

Why this answer

Embedding automated security testing and threat modeling into the CI/CD pipeline enables continuous risk identification as code is developed, which is critical for a real-time high-value payment system where vulnerabilities introduced early could lead to financial loss or fraud. This approach aligns with the CRISC focus on proactive risk identification during the development phase, rather than relying on later-stage reviews.

Exam trap

The trap here is that candidates often choose a later-stage review (like Option C) or a one-time threat model (Option D) because they underestimate the speed of risk emergence in agile development, but the CRISC exam emphasizes continuous risk identification during the development phase, making CI/CD integration the most effective method.

How to eliminate wrong answers

Option B is wrong because waiting for a post-implementation penetration test introduces a significant delay, allowing vulnerabilities to be baked into the production system and increasing remediation costs; it is reactive, not proactive. Option C is wrong because conducting a security review of the completed system before deployment is a point-in-time assessment that misses risks introduced during iterative development, and it does not provide continuous feedback. Option D is wrong because developing a straw man architecture and performing a threat model is a static, upfront activity that does not adapt to code changes or emerging risks during the development lifecycle, and it lacks the automation needed for a CI/CD environment.

156
MCQ (easy)

During a risk assessment, the risk owner identifies that the residual risk level is higher than the risk appetite. Which of the following actions should the risk owner take FIRST?

A. Update the risk register
B. Escalate to senior management
C. Implement additional controls
D. Reduce the risk appetite

Answer: B

Residual risk exceeding appetite requires senior management decision.

Why this answer

Option B is correct because the first step is to escalate to senior management, as residual risk exceeding appetite requires their decision and approval of any response. Option A is wrong because updating the risk register records the issue but does not address it. Option C is wrong because implementing additional controls may not be feasible or approved without a management decision.

Option D is wrong because reducing the risk appetite without addressing the risk is not appropriate.

157
Multi-Select (easy)

Which TWO of the following are examples of risk mitigation controls?

Select 2 answers

A. Implementing a firewall
B. Purchasing cyber insurance
C. Accepting the risk
D. Encrypting sensitive data
E. Discontinuing a high-risk service

Answers: A, D

Mitigation reduces risk through preventive controls.

Why this answer

Options A and D are correct. A firewall is a preventive control that mitigates network threats. Encryption protects the confidentiality of sensitive data.

Option B is wrong because insurance is a risk transfer. Option C is wrong because accepting risk is not mitigation. Option E is wrong because avoiding risk means not engaging in the activity.

158
Multi-Select (hard)

Which TWO of the following are valid reasons to accept a risk rather than mitigate it?

Select 2 answers

A. Management is not aware of the risk
B. The risk relates to regulatory non-compliance
C. The risk level is within the risk appetite
D. The organization wants to avoid the risk entirely
E. The cost of mitigation is higher than the potential loss

Answers: C, E

Acceptance is appropriate when within appetite.

Why this answer

Options C and E are correct. If the risk is within appetite, acceptance is appropriate. If the cost of mitigation exceeds the potential loss, acceptance is the cost-effective response.

Option A is wrong because lack of management awareness is not a valid basis for acceptance. Option D is wrong because avoidance is a different risk response. Option B is wrong because regulatory non-compliance risk should be mitigated or avoided.

159
MCQ (easy)

Which of the following is an example of a leading indicator?

A. Number of security incidents.
B. Percentage of employees trained.
C. Audit findings count.
D. Loss amount from fraud.

Answer: B

Training coverage can predict future compliance or security outcomes.

Why this answer

Leading indicators predict future risk events. Percentage of employees trained is a leading indicator for security incidents. Options A, C, and D are lagging indicators that report past events.

160
MCQ (hard)

An organization is implementing a new cloud-based customer relationship management (CRM) system. The risk practitioner is designing the control monitoring plan. Which approach BEST ensures continuous monitoring of controls across both the application and infrastructure layers?

A. Implement a generic Security Information and Event Management (SIEM) system with standard rules.
B. Deploy an automated monitoring tool that ingests audit logs from the CRM and cloud infrastructure APIs to trigger alerts on anomalies.
C. Rely on the CRM vendor's SOC 2 Type II report for control assurance.
D. Schedule quarterly manual reviews of user access logs and system configurations.

Answer: B

Enables continuous, real-time monitoring across both layers.

Why this answer

Option B is correct because an automated monitoring tool that integrates with the CRM's audit logs and the cloud provider's APIs enables continuous, real-time monitoring across both layers. Option D is wrong because manual periodic reviews cannot provide continuous monitoring. Option C is wrong because relying solely on the vendor's SOC 2 report is a point-in-time assurance and is insufficient for real-time monitoring.

Option A is wrong because a generic SIEM with standard rules and no customization may miss application-specific risks.

161
MCQ (hard)

An organization uses a legacy system that cannot be patched because the vendor is defunct. The system supports a core business function. The risk assessment shows a high likelihood of exploitation and high impact. The board has decided to keep the system operational due to its criticality. Which risk response should the risk manager recommend?

A. Accept the risk
B. Implement compensating controls
C. Transfer via insurance
D. Avoid by decommissioning

Answer: B

Controls like segmentation and monitoring reduce the risk.

Why this answer

Option B is correct because compensating controls mitigate the risk without replacing the system. Options A, C, and D are either unacceptable or impractical.

162
Multi-Select (hard)

Which THREE of the following are effective risk treatment strategies?

Select 3 answers

A. Accept the risk without any analysis
B. Avoid the risk by discontinuing the activity
C. Ignore the risk if it has not materialized yet
D. Implement compensating controls to reduce risk
E. Transfer the risk through outsourcing

Answers: B, D, E

Avoidance eliminates risk entirely.

Why this answer

Option B is correct because avoiding risk by discontinuing the activity is a recognized risk treatment strategy under the ISACA Risk IT framework. By ceasing the activity that introduces the risk, the organization eliminates the possibility of the risk event occurring, which is a valid and often necessary response when the risk exceeds the organization's risk appetite and cannot be cost-effectively mitigated or transferred.

Exam trap

The trap here is confusing 'ignoring' or 'uninformed acceptance' with the legitimate risk acceptance strategy, which requires documented analysis and approval, and assuming that risks that have not yet materialized can be safely disregarded.

163
MCQ (hard)

A company monitors key risk indicators (KRIs) using a dashboard. The risk manager notices that a KRI has a green status but the underlying control testing shows a high failure rate. What action should the risk manager take FIRST?

A. Escalate to the risk committee
B. Change the KRI threshold to amber
C. Investigate the KRI calculation methodology
D. Re-test the control

Answer: C

The KRI might be using incorrect data or outdated baselines.

Why this answer

Option C is correct because the discrepancy between a green KRI and a high control failure rate suggests the KRI calculation may be flawed. Option B jumps to adjusting the threshold without understanding the root cause. Option D may be premature if the existing control testing is accurate.

Option A escalates without first analyzing the issue.

164
Multi-Select (easy)

Which TWO of the following are examples of control monitoring activities?

Select 2 answers

A. Periodic manual testing of a sample of transactions for compliance with approval policy.
B. Automated alerts when a system control fails to execute.
C. Assigning owners to each control in the control framework.
D. Reporting key risk indicator values to the risk committee.
E. Updating the risk register based on control test results.

Answers: A, B

Direct testing verifies control operation.

Why this answer

Options A and B are correct. Manual testing of transactions and automated alerts on control failures are both direct control monitoring activities. Option C is wrong because assigning ownership is part of control design, not monitoring.

Option E is wrong because updating the risk register is a risk management activity, not direct control monitoring. Option D is wrong because KRIs are risk metrics; reporting them to the risk committee is risk reporting, not control monitoring.

165
Multi-Select (easy)

A risk practitioner is reviewing the organization's risk response strategies for a high-value asset. Which TWO of the following are examples of risk mitigation techniques? (Choose two.)

Select 2 answers

A. Implementing firewalls to protect the network perimeter.
B. Conducting regular vulnerability assessments and patching.
C. Avoiding the risk by discontinuing the vulnerable activity.
D. Accepting the risk because the cost of mitigation exceeds the potential loss.
E. Purchasing cyber insurance to cover potential losses.

Answers: A, B

Correct: Firewalls reduce the likelihood of network-based attacks, which is a mitigation technique.

Why this answer

Implementing firewalls to protect the network perimeter is a risk mitigation technique because it reduces the likelihood of unauthorized access by filtering traffic based on security rules. Firewalls operate at layers 3 and 4 (and sometimes layer 7) of the OSI model, using stateful inspection or application-layer filtering to block malicious packets. This directly lowers the probability of a successful attack on the high-value asset, which is the essence of mitigation.

Exam trap

The trap here is that candidates often confuse risk mitigation with risk transfer (insurance) or risk acceptance, failing to recognize that mitigation involves active controls (like firewalls and patching) that reduce the risk level, not just financial compensation or inaction.

166
MCQ (hard)

You are the risk manager for a multinational corporation that relies heavily on a cloud-based ERP system. The system is critical for financial reporting and supply chain management. Recently, the company experienced a significant increase in the number of failed user authentication attempts, which were traced to a misconfiguration in the identity management module. The misconfiguration was detected by the security operations center (SOC) through log analysis, but it took three days to identify and resolve. The root cause was a change made by a cloud administrator without following the change management process. The incident resulted in a temporary denial of service for external users. The company's risk appetite for system availability is low, with a tolerance for downtime of no more than one hour per month. The current monitoring controls include quarterly access reviews and SOC monitoring of logs with a 24-hour review cycle. The board has requested a report on the incident and recommendations to prevent recurrence. What is the MOST effective recommendation to improve monitoring and reduce the likelihood of similar incidents?

A. Implement automated real-time monitoring of critical configuration changes with alerts.
B. Require all change requests to be approved by the change advisory board (CAB).
C. Increase the frequency of access reviews to monthly.
D. Provide additional training to cloud administrators on security policies.

Answer: A

Real-time monitoring would detect and alert on unauthorized changes immediately.

Why this answer

Option A is correct because real-time monitoring of critical configuration changes would have detected the misconfiguration immediately, preventing the extended downtime. Option B is wrong because, while stronger change management oversight is important, it does not directly improve monitoring of the configuration itself. Option D is wrong because administrator training does not address detection of the configuration change.

Option C is wrong because periodic access reviews, even monthly, are too infrequent to catch unauthorized configuration changes in a timely manner.

167
Multi-Select (hard)

Which THREE of the following are key considerations when designing a risk reporting framework? (Choose three.)

Select 3 answers

A. Timeliness of the information provided.
B. Including all operational data for completeness.
C. Consistency in definitions and metrics over time.
D. Aligning with industry best practices for risk reporting.
E. Tailoring the report to the target audience.

Answers: A, C, E

Timely information allows management to act promptly.

Why this answer

Options A, C, and E are correct. Risk reporting should be timely to support decision-making, consistent over time for trend analysis, and tailored to the audience. Option B is wrong because including all detailed operational data can overwhelm management.

Option D is wrong because reporting should primarily align with the organization's own risk appetite and needs, not external benchmarks.

168
MCQ (hard)

A financial institution has a control that manually reviews all wire transfers over $10,000. During an audit, it was found that the review is completed within 24 hours for 95% of transactions, but the target is 99%. The process owner wants to improve the control's effectiveness. Which of the following would be the MOST effective remediation?

A. Implement a second level of approval for all wire transfers.
B. Automate the review process using an application control.
C. Increase the number of staff performing the reviews.
D. Adjust the target to 95% to reflect current performance.

Answer: B

Automation reduces manual effort, errors, and improves timeliness.

Why this answer

Option B is correct because automating the review process ensures consistent and timely completion without relying on manual effort. Option D is wrong because simply adjusting the target to match current performance does not address the underlying process issue. Option C is wrong because increasing staff may help but is less efficient than automation.

Option A is wrong because adding another approval step would further delay the process.

169
Multi-Select (hard)

Which THREE factors should be considered when determining the likelihood of a threat exploiting a vulnerability?

Select 3 answers

A. Ease of exploitation
B. Regulatory fines
C. Asset value
D. Existing controls
E. Threat actor capability

Answers: A, D, E

Easier exploitation increases likelihood.

Why this answer

Ease of exploitation (A) is a key factor because it directly influences how readily a threat actor can leverage a vulnerability. For example, a vulnerability with a public exploit script or one that requires only low privileges is far more likely to be exploited than one requiring complex, custom tooling. This aligns with the CVSS exploitability metrics (Attack Vector, Attack Complexity, Privileges Required, User Interaction) that quantify how easy it is to trigger the vulnerability.

Exam trap

The trap here is confusing factors that determine likelihood (probability of occurrence) with factors that determine impact (consequences), leading candidates to incorrectly select asset value or regulatory fines as likelihood inputs.

170
MCQ (easy)

A risk manager notices that a key risk indicator (KRI) for network downtime has been steadily increasing over the past three months. The current value is 15% above the risk tolerance threshold. Which of the following is the BEST immediate action?

A. Lower the risk tolerance threshold to trigger more frequent alerts
B. Accept the increased risk without further analysis because the trend is gradual
C. Alert the risk owner and initiate a root cause analysis
D. Increase the risk tolerance threshold to match the current level

Answer: C

This follows the standard escalation process for KRI breaches.

Why this answer

Option C is correct because the KRI has exceeded the risk tolerance threshold, indicating a potential control failure or emerging threat. The immediate action is to alert the risk owner, who has accountability for the risk, and initiate a root cause analysis to identify why network downtime is increasing. This aligns with the CRISC process of monitoring KRIs and escalating when thresholds are breached.

Exam trap

The trap here is that candidates may confuse adjusting the threshold (a control metric) with managing the risk itself, but CRISC emphasizes that thresholds are set to trigger action, not to be moved to avoid action.

How to eliminate wrong answers

Option A is wrong because lowering the tolerance threshold would increase alert frequency but does not address the underlying cause of the increasing downtime; it merely changes the measurement baseline. Option B is wrong because accepting the risk without analysis violates the principle of proactive risk management; a gradual trend does not justify ignoring a threshold breach, as it may indicate a systemic issue. Option D is wrong because raising the tolerance threshold to match the current level effectively normalizes the breach, eliminating the early warning function of the KRI and masking the problem.

171
MCQ (easy)

An IT risk manager is facilitating a workshop to identify risks for a new mobile banking application. Which technique is MOST appropriate for generating a comprehensive list of risks?

A. Review risk registers from similar projects
B. Perform a SWOT analysis
C. Conduct a brainstorming session with cross-functional team members
D. Distribute a risk questionnaire to project stakeholders

Answer: C

Brainstorming with diverse members yields broad risk identification.

Why this answer

Brainstorming with a cross-functional team (option C) is the most appropriate technique for generating a comprehensive list of risks for a new mobile banking application because it leverages diverse perspectives from development, security, compliance, and business units. This collaborative approach helps uncover unknown or emergent risks specific to the application's architecture, such as API vulnerabilities, session management flaws, or regulatory gaps, which might not be captured by historical data or structured questionnaires.

Exam trap

The trap here is that candidates often choose 'Review risk registers from similar projects' (option A) because it seems efficient and data-driven, but they overlook that historical registers may miss novel risks specific to the new application's technology, such as mobile-specific attack vectors or updated compliance requirements.

How to eliminate wrong answers

Option A is wrong because reviewing risk registers from similar projects relies on historical data that may not account for the unique technology stack, threat landscape, or regulatory requirements of a new mobile banking application, leading to blind spots for novel risks. Option B is wrong because a SWOT analysis focuses on strategic strengths, weaknesses, opportunities, and threats at a high level, but it lacks the depth and specificity needed to identify technical risks like insecure data storage, weak authentication, or third-party SDK vulnerabilities. Option D is wrong because distributing a risk questionnaire to project stakeholders is a passive, one-way method that often yields incomplete or biased responses, missing the interactive discussion needed to surface complex, interdependent risks in a mobile banking context.

172
MCQ (easy)

A retail company uses a legacy inventory system that is no longer supported by the vendor. The IT department is planning to migrate to a modern cloud-based system. During risk identification, which of the following should be considered a PRIMARY risk?

A. Inadequate training of staff on the new system.
B. Potential cost overrun due to migration complexity.
C. Loss of data integrity during the data migration process.
D. Failure to decommission the legacy system after migration.

Answer: C

Data integrity loss directly impacts business operations and is a core IT risk.

Why this answer

Loss of data integrity during migration is the primary risk because the legacy system is unsupported, meaning there are no vendor patches or tools to validate or repair data inconsistencies. Corrupted or incomplete data transferred to the cloud-based system can lead to inaccurate inventory records, financial losses, and operational disruptions that are difficult to reverse without vendor support.

Exam trap

The trap here is that candidates often confuse operational risks (like training or decommissioning) with primary IT risks that directly impact data confidentiality, integrity, or availability during the migration itself.

How to eliminate wrong answers

Option A is wrong because inadequate training is an operational risk that arises after migration, not a primary risk during the identification phase of the migration project itself. Option B is wrong because cost overrun is a financial risk, not a primary IT risk; it is a consequence of technical issues like data loss or migration failure, not a root risk to the system's integrity. Option D is wrong because failure to decommission the legacy system is a post-migration operational risk that does not directly threaten the success or security of the data migration process.

173
Multi-Select (medium)

An IT risk manager is performing a risk assessment for a new cloud service. Which TWO of the following are key inputs to the risk identification process? (Select TWO.)

Select 2 answers

A. Risk appetite statement
B. Threat intelligence feeds
C. Control testing results
D. Residual risk levels
E. Asset inventory

Answers: B, E

Threat intelligence helps identify potential threats.

Why this answer

Threat intelligence feeds (B) provide current information about emerging threats, attack vectors, and adversary tactics, which are essential for identifying relevant risks to the cloud service. An asset inventory (E) is a foundational input because it lists all assets (e.g., data, VMs, APIs) that could be affected, enabling the risk manager to map threats to specific resources. Both are direct inputs to the risk identification phase, as defined by the CRISC framework.

Exam trap

The trap here is that candidates often confuse risk identification inputs with outputs from later phases, such as control testing results (C) or residual risk levels (D), because they are familiar terms in the overall risk management process but are not used at the start of identification.

174
Multi-Select (easy)

A risk practitioner is identifying risks related to a new API gateway implementation. Which TWO of the following are MOST likely to be significant risks?

Select 2 answers

A. Insufficient logging of API requests.
B. Lack of scalability for peak loads.
C. Insecure direct object references (IDOR) allowing unauthorized data access.
D. Use of outdated programming language.
E. High licensing cost.

Answers: A, C

Logging is critical for detection and forensics; its absence is a risk.

Why this answer

Insufficient logging of API requests (A) is a significant risk because it impairs the ability to detect, investigate, and respond to security incidents such as unauthorized access, injection attacks, or data exfiltration. Without comprehensive logs, the organization cannot perform effective forensic analysis or meet compliance requirements (e.g., PCI DSS, SOX). In the context of an API gateway, which acts as the central entry point for all API traffic, missing logs create a blind spot for threat detection and incident response.

Exam trap

The trap here is that candidates often confuse operational risks (scalability, cost) with security risks, or they incorrectly assume that outdated programming languages are a direct risk to the API gateway itself, when in fact the gateway abstracts away language-specific vulnerabilities.

175
MCQ (easy)

An organization has a risk indicator that shows the number of failed login attempts per day. The threshold is 100. Last week, the number spiked to 200 on two days. What does this indicate?

A. The system is experiencing a denial-of-service attack.
B. There may be a brute-force attack in progress.
C. The password policy needs to be updated.
D. Users have forgotten their passwords.

Answer: B

High failed logins suggest password guessing.

Why this answer

A spike in failed login attempts from a baseline of 100 to 200 per day is a classic indicator of a brute-force attack, where an attacker systematically tries multiple username/password combinations. This risk indicator directly measures authentication failures, which are the primary symptom of such an attack. The threshold breach signals that the control (account lockout or rate limiting) may be insufficient or failing.

Exam trap

The trap here is that candidates confuse a spike in failed logins with a DoS attack, but DoS attacks target availability (e.g., SYN flood) rather than authentication failures, which are a confidentiality/integrity concern.

How to eliminate wrong answers

Option A is wrong because a denial-of-service (DoS) attack typically causes a spike in traffic volume or resource exhaustion, not specifically failed login attempts; a DoS would likely overwhelm the entire system, not just authentication. Option C is wrong because a password policy update (e.g., complexity or expiration) would not cause a sudden two-day spike in failed logins; policy changes affect long-term compliance, not immediate authentication failure rates. Option D is wrong because users forgetting passwords would cause a consistent, low-level increase in failed logins, not a sharp spike to 200% of the threshold on only two days; such a pattern is more indicative of automated malicious activity.

176
MCQmedium

You are the IT risk manager for a financial institution. During a routine vulnerability scan, you discover that a critical web application has a high-severity vulnerability that could allow remote code execution. The development team states that a patch is not yet available from the vendor, and the application is business-critical with no acceptable downtime. The risk owner wants to accept the risk. However, the organization's risk appetite is very low for security vulnerabilities. You have been asked to recommend a course of action. Which of the following should you recommend?

A.Transfer the risk by purchasing cyber insurance.
B.Decommission the application immediately.
C.Implement a web application firewall (WAF) with virtual patching to reduce exploitability.
D.Accept the risk as the team will monitor for patches.
AnswerC

Provides compensating control until patch is available.

Why this answer

Option C is correct because implementing a web application firewall (WAF) with virtual patching provides an immediate, compensating control that reduces the exploitability of the vulnerability without requiring application downtime. This aligns with the organization's low risk appetite by actively mitigating the risk while waiting for an official vendor patch, rather than passively accepting it.

Exam trap

The trap here is that candidates may confuse risk transfer (insurance) with risk mitigation, or assume that accepting risk is always valid when the risk owner agrees, ignoring the organization's stated risk appetite.

How to eliminate wrong answers

Option A is wrong because purchasing cyber insurance transfers financial risk, not technical risk; the vulnerability remains exploitable, and insurance does not prevent a breach or reduce the likelihood of exploitation. Option B is wrong because decommissioning the application immediately would cause unacceptable business downtime, contradicting the requirement that the application is business-critical with no acceptable downtime. Option D is wrong because accepting the risk while monitoring for patches violates the organization's very low risk appetite for security vulnerabilities; passive acceptance without active mitigation is not appropriate when the risk appetite is low.
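Added example, not part of the question bank and not any vendor's WAF product: a minimal request filter that shows what a virtual patch does, namely blocking exploit attempts against a known-vulnerable input at the edge while the unpatched application keeps serving traffic. The endpoint `/export`, the parameter `report` and the allowlist pattern are hypothetical placeholders for whatever the real advisory would specify.

```python
"""Minimal virtual-patch request filter (added example; rule details are hypothetical)."""
import re
from urllib.parse import urlsplit, parse_qs

# Hypothetical virtual-patch rule: until the vendor patch ships, the 'report'
# parameter of /export may only contain a short identifier. A positive
# (allowlist) rule is preferred over trying to enumerate bad payloads.
PATCH_RULES = [
    {"path": "/export", "param": "report", "allow": re.compile(r"[A-Za-z0-9_-]{1,32}")},
]


def virtual_patch(url, form=None, rules=PATCH_RULES):
    """Return (allowed, reason) for a request before it reaches the application.

    Requests that no rule covers pass through unchanged, so the patch only
    touches the vulnerable input and does not change application behaviour
    elsewhere.
    """
    parts = urlsplit(url)
    params = parse_qs(parts.query, keep_blank_values=True)
    for key, value in (form or {}).items():  # form-encoded POST body, if any
        params.setdefault(key, []).append(value)
    for rule in rules:
        if parts.path != rule["path"]:
            continue
        for value in params.get(rule["param"], []):
            if not rule["allow"].fullmatch(value):
                return False, f"blocked by virtual patch on parameter '{rule['param']}'"
    return True, "passed"


if __name__ == "__main__":
    for req in ("/export?report=q1_sales", "/export?report=../../etc/passwd"):
        print(req, virtual_patch(req))
```

The filter is deliberately narrow: it constrains only the vulnerable input, so legitimate use continues and the compensating control can be removed once the vendor patch is applied.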

177
MCQmedium

During a risk assessment for a cloud migration project, the risk team identifies that the new SaaS application has not been tested for interoperability with existing identity management systems. The project manager argues that the integration will be straightforward and asks to remove this from the risk register. Which of the following is the BEST response from the risk practitioner?

A.Remove the risk as it is low priority.
B.Keep the risk in the register with a note that further assessment is needed.
C.Accept the risk but document the decision.
D.Escalate to the project steering committee.
AnswerB

Properly documents the risk until assessment clarifies.

Why this answer

Option B is correct because the risk should remain in the register until the integration has actually been assessed; removing it on the strength of the project manager's assurance could leave a real interoperability issue unaddressed. Option A is wrong because removal is premature without an assessment. Option C is wrong because accepting the risk, even with the decision documented, is a treatment decision that requires the assessment to be completed first. Option D is wrong because escalation is not the first step; it becomes appropriate only if the risk cannot be resolved at the project level.

178
MCQeasy

During a risk assessment, a risk owner is unsure about the likelihood rating for a specific threat. Which of the following is the BEST source of information to determine the likelihood?

A.Vendor documentation
B.The risk owner's personal opinion
C.The organization's financial statements
D.Historical incident data from industry reports
AnswerD

Provides objective data on actual occurrences.

Why this answer

Historical incident data from industry reports provides empirical evidence of threat frequency and impact across similar environments, making it the most objective and reliable source for determining likelihood. Unlike subjective opinions or unrelated financial data, industry reports aggregate real-world occurrences, enabling a data-driven risk assessment that aligns with the organization's threat landscape.

Exam trap

ISACA often tests the misconception that the risk owner's personal experience or vendor claims are sufficient for likelihood determination, but the correct approach relies on objective, historical data from industry sources to avoid bias and ensure repeatable risk scoring.

How to eliminate wrong answers

Option A is wrong because vendor documentation typically focuses on product capabilities, configurations, and known vulnerabilities, not on the frequency or probability of threat events in operational environments. Option B is wrong because the risk owner's personal opinion introduces subjective bias and lacks empirical evidence, which can lead to inaccurate likelihood ratings that do not reflect actual threat patterns. Option C is wrong because the organization's financial statements contain monetary data about assets and losses, but they do not provide historical frequency or probability metrics needed to assess threat likelihood.

179
MCQmedium

A company is implementing a new cloud-based customer relationship management (CRM) system. The IT risk manager needs to assess the risk of data exfiltration by a malicious insider at the cloud provider. Which risk assessment approach is most appropriate for this scenario?

A.Quantitative risk assessment using ALE and SLE
B.Application of the COSO ERM framework
C.Scenario analysis with a focus on likelihood and impact
D.Control self-assessment (CSA) against ISO 27001
AnswerC

Scenario analysis effectively evaluates specific threat scenarios like insider data exfiltration.

Why this answer

Scenario analysis is most appropriate because the risk of data exfiltration by a malicious insider at the cloud provider is a complex, low-frequency, high-impact threat that is difficult to quantify with historical data. This approach allows the risk manager to systematically evaluate specific attack paths (e.g., an insider with database access copying customer records) by focusing on likelihood and impact, which aligns with the qualitative nature of insider threat assessment in a cloud environment.

Exam trap

The trap here is that candidates often choose quantitative risk assessment (A) because it seems more rigorous, but they fail to recognize that insider threats at a cloud provider lack the historical data needed for ALE/SLE calculations, making scenario analysis the practical and most appropriate approach per CRISC best practices.

How to eliminate wrong answers

Option A is wrong because quantitative risk assessment using ALE and SLE requires reliable historical data on frequency and loss magnitude, which is typically unavailable for malicious insider threats at a cloud provider due to the rarity and variability of such events. Option B is wrong because the COSO ERM framework is an enterprise-level governance and internal control framework, not a specific risk assessment methodology for analyzing a discrete technical threat like data exfiltration by a cloud provider insider. Option D is wrong because control self-assessment (CSA) against ISO 27001 evaluates the effectiveness of existing controls against a standard, but it does not directly assess the likelihood and impact of a specific threat scenario like malicious insider data exfiltration.

180
MCQmedium

A control owner reports that a control is operating effectively, but the internal audit found a deficiency. What should the risk manager do?

A.Re-test the control independently.
B.Update the control description.
C.Remove the control from monitoring.
D.Accept audit's finding.
AnswerA

Independent testing provides objective evidence to resolve the discrepancy.

Why this answer

When a control owner's self-assessment conflicts with an audit finding, independent re-testing produces objective evidence of how the control actually operates, so Option A is correct. Option B is wrong because changing the control description without evidence addresses paperwork, not the discrepancy. Option C is wrong because removing the control from monitoring is premature while its effectiveness is in question. Option D is wrong because accepting the audit finding without verification is no better than accepting the owner's claim; both are unverified assertions.

181
MCQeasy

Which of the following is the BEST indicator that a control is effective in mitigating a risk?

A.Regular testing shows the control consistently reduces the risk to the desired level
B.The control is automated and runs daily
C.The control is documented in a policy
D.The cost of the control is lower than the potential loss
AnswerA

Testing provides evidence that the control is achieving its objective.

Why this answer

Option A is correct because the effectiveness of a control is ultimately measured by its ability to consistently reduce residual risk to the organization's defined risk appetite. Regular testing provides empirical evidence that the control is operating as intended and achieving the desired risk mitigation outcome, which is the primary goal of risk treatment.

Exam trap

The trap here is that candidates often confuse control attributes (automation, documentation, cost) with direct evidence of effectiveness, but only regular testing provides the empirical proof that the control is actually reducing risk to the desired level.

How to eliminate wrong answers

Option B is wrong because automation and frequency of execution do not guarantee that the control is actually reducing risk to the desired level; a control can run daily but still be misconfigured or ineffective. Option C is wrong because documentation in a policy only indicates intent or design, not operational effectiveness; a control may be well-documented yet never implemented or poorly executed. Option D is wrong because cost-benefit analysis (cost of control vs. potential loss) is a factor in control selection and justification, not a direct measure of its effectiveness in mitigating risk; a low-cost control can still be ineffective.

182
MCQmedium

An S3 bucket policy is configured as shown. During a monitoring review, the risk practitioner notices that the 'DenyAll' policy is never evaluated because of an explicit allow. What is the MOST likely monitoring gap?

A.No KRI is defined for unauthorized access attempts
B.Server-side encryption is not enabled for the bucket
C.No automated test validates that the DenyAll policy is effective
D.User access reviews are not performed quarterly
AnswerC

Without testing, policy misconfiguration may go unnoticed.

Why this answer

The correct answer is C. The exhibit (not reproduced here) contains two statements: an AllowRead statement permitting s3:GetObject when the request comes from 10.0.0.0/8, and a DenyAll statement denying all actions. In AWS policy evaluation an explicit deny always overrides an allow, so a GetObject request from a 10.x.x.x address matches both AllowRead and DenyAll and is denied. The premise that DenyAll is "never evaluated because of an explicit allow" therefore does not match how AWS evaluates policies; what the scenario really describes is a policy whose effect nobody has verified. That is the monitoring gap: there is no automated test that exercises the bucket policy and confirms that DenyAll behaves as intended, blocking what it should while not unintentionally blocking legitimate reads from the approved range. Such a test would have exposed the misunderstanding during the review.

How to eliminate wrong answers

Option A is wrong because a KRI for unauthorized access attempts measures activity against the bucket; it does not validate policy logic. Option B is wrong because server-side encryption protects data at rest and is unrelated to policy evaluation. Option D is wrong because user access reviews examine who holds entitlements, not whether a specific bucket policy statement takes effect.
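Added example, not part of the question bank: the automated policy test that option C says is missing. It uses a simplified model of AWS policy evaluation (any matching explicit Deny wins; otherwise any matching Allow wins; otherwise implicit deny) and two constructed policies. The first mirrors the shape the explanation describes (AllowRead scoped to 10.0.0.0/8 plus an unconditional DenyAll); the second, with a deny limited to requests from outside the approved range, is one hypothetical version of what the author of the policy may have intended and is an assumption, not the exhibit. The simplified evaluator, the policy documents and the test addresses are all assumptions.

```python
"""Automated check that a bucket policy's deny statement does what was intended.

Added example; the evaluator is a simplified model of AWS policy evaluation,
and both policies are constructed for illustration."""
import ipaddress

# Policy in the shape the explanation describes: an allow scoped to
# 10.0.0.0/8 plus an unconditional DenyAll.
AS_CONFIGURED = [
    {"Sid": "AllowRead", "Effect": "Allow", "Action": ["s3:GetObject"],
     "Condition": {"IpAddress": {"aws:SourceIp": "10.0.0.0/8"}}},
    {"Sid": "DenyAll", "Effect": "Deny", "Action": ["s3:*"]},
]

# Hypothetical alternative: deny only requests from OUTSIDE the approved
# range, so the intended reads still succeed. An assumption, not the exhibit.
CORRECTED = [
    {"Sid": "AllowRead", "Effect": "Allow", "Action": ["s3:GetObject"],
     "Condition": {"IpAddress": {"aws:SourceIp": "10.0.0.0/8"}}},
    {"Sid": "DenyOutside", "Effect": "Deny", "Action": ["s3:*"],
     "Condition": {"NotIpAddress": {"aws:SourceIp": "10.0.0.0/8"}}},
]


def _action_matches(patterns, action):
    """Match exact actions and trailing-wildcard patterns such as s3:*."""
    return any(p == action or (p.endswith("*") and action.startswith(p[:-1]))
               for p in patterns)


def _condition_matches(cond, source_ip):
    """Evaluate the aws:SourceIp IpAddress / NotIpAddress condition operators."""
    ip = ipaddress.ip_address(source_ip)
    for operator, kv in (cond or {}).items():
        inside = ip in ipaddress.ip_network(kv["aws:SourceIp"])
        if operator == "IpAddress" and not inside:
            return False
        if operator == "NotIpAddress" and inside:
            return False
    return True


def evaluate(policy, action, source_ip):
    """Return ('Allow' | 'Deny', [matching statement Sids]).

    Simplified AWS logic: an explicit Deny that matches always wins, then a
    matching Allow, otherwise the request is implicitly denied.
    """
    matched = [s["Sid"] for s in policy
               if _action_matches(s["Action"], action)
               and _condition_matches(s.get("Condition"), source_ip)]
    effects = {s["Sid"]: s["Effect"] for s in policy}
    if any(effects[sid] == "Deny" for sid in matched):
        return "Deny", matched
    if any(effects[sid] == "Allow" for sid in matched):
        return "Allow", matched
    return "Deny", matched


def deny_statement_effective(policy, deny_sid):
    """The automated test the review lacked: the deny blocks an outsider's read,
    and an approved insider read still succeeds without tripping the deny."""
    outsider, _ = evaluate(policy, "s3:GetObject", "203.0.113.5")
    insider, hits = evaluate(policy, "s3:GetObject", "10.1.2.3")
    return outsider == "Deny" and insider == "Allow" and deny_sid not in hits


if __name__ == "__main__":
    print("as configured:", deny_statement_effective(AS_CONFIGURED, "DenyAll"))
    print("corrected:    ", deny_statement_effective(CORRECTED, "DenyOutside"))
```

Run against the policy as configured, the test fails because DenyAll also matches the insider's read, which is exactly the unintended effect the explanation describes; run against the corrected version, the insider read is allowed and the outsider read is denied.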

183
MCQhard

An organization is evaluating threat intelligence feeds to improve IT risk identification. Which of the following criteria should be given the HIGHEST priority when selecting a feed?

A.Relevance to the organization's industry and technology stack
B.Ease of integration with existing security tools
C.The feed's update frequency
D.The number of indicators provided per day
AnswerA

Intelligence that is not relevant will lead to false positives and wasted resources.

Why this answer

Relevance to the organization's industry and technology stack is the highest priority because threat intelligence that does not align with the specific attack surface, software versions, and threat actors targeting that industry will generate excessive false positives and irrelevant alerts. For example, a healthcare organization using Epic EHR would prioritize feeds covering healthcare-specific ransomware (e.g., Ryuk) and medical device vulnerabilities over generic indicators, ensuring risk identification is actionable and contextually accurate.

Exam trap

The trap here is that candidates prioritize operational metrics like integration ease or update frequency over the strategic requirement of contextual relevance, confusing efficiency with effectiveness in risk identification.

How to eliminate wrong answers

Option B is wrong because ease of integration, while operationally convenient, does not address the core requirement of improving risk identification; a feed that integrates easily but provides irrelevant data will not reduce risk. Option C is wrong because update frequency alone is meaningless if the indicators are not relevant; a feed updated every 5 minutes with generic IPs from unrelated sectors adds noise and degrades detection fidelity. Option D is wrong because the number of indicators per day is a vanity metric; high volume often includes low-quality or outdated indicators (e.g., stale C2 IPs) that increase false positives without improving risk identification accuracy.

184
Drag & Dropmedium

Order the steps for implementing a risk treatment plan.

Why this order

Risk treatment starts with selecting response, planning, approval, implementation, and monitoring.

185
MCQmedium

A company has identified a risk of data exfiltration through an outdated encryption protocol. The risk assessment team determines that the likelihood is low, but the impact is very high. The company decides to update the encryption protocol. This risk response is an example of:

A.Risk transfer
B.Risk acceptance
C.Risk mitigation
D.Risk avoidance
AnswerC

Updating the encryption reduces the vulnerability, mitigating the risk.

Why this answer

Updating the encryption protocol directly reduces the vulnerability that could lead to data exfiltration, thereby lowering the likelihood or impact of the risk. This is the definition of risk mitigation, where controls are applied to reduce risk to an acceptable level. The action does not transfer, accept, or avoid the risk; it actively addresses the root cause.

Exam trap

The trap here is confusing risk mitigation with risk avoidance: candidates often think that updating a protocol 'avoids' the risk, but avoidance requires ceasing the risky activity entirely, whereas mitigation reduces the risk while continuing the activity.

How to eliminate wrong answers

Option A is wrong because risk transfer involves shifting the financial burden of a loss to a third party (e.g., cyber insurance or outsourcing), not updating a technical control like an encryption protocol. Option B is wrong because risk acceptance means formally acknowledging the risk and choosing to take no action, which contradicts the decision to update the protocol. Option D is wrong because risk avoidance would mean eliminating the activity that introduces the risk (e.g., discontinuing the use of the system or data transmission entirely), not updating the encryption to make it secure.

186
MCQeasy

An organization is performing a risk assessment for its new customer relationship management (CRM) system. Which of the following is the BEST way to identify threats to the CRM?

A.Perform a vulnerability scan on the CRM server.
B.Conduct a threat modeling workshop with the development team.
C.Run a penetration test against the CRM application.
D.Review the business impact analysis for the CRM.
AnswerB

Threat modeling systematically identifies potential threats.

Why this answer

Threat modeling is a proactive, structured approach that identifies potential threats by analyzing the CRM's design, data flows, and trust boundaries. Unlike vulnerability scanning or penetration testing, which find existing weaknesses, threat modeling uncovers threats early in the lifecycle, such as SQL injection via customer input fields or privilege escalation in role-based access controls. This aligns with the CRISC focus on risk identification before controls are implemented.

Exam trap

ISACA often tests the distinction between threat identification (proactive, design-focused) and vulnerability assessment (reactive, implementation-focused), leading candidates to choose a technical test like a penetration test over a collaborative workshop.

How to eliminate wrong answers

Option A is wrong because a vulnerability scan only identifies known technical weaknesses (e.g., missing patches, misconfigurations) on the CRM server, not the broader set of threats like business logic flaws, insider threats, or data leakage through API endpoints. Option C is wrong because penetration testing validates exploitability of existing vulnerabilities but is a reactive, point-in-time test that misses threats not yet present in the code or configuration. Option D is wrong because a business impact analysis (BIA) assesses the consequences of disruption (e.g., financial loss, reputational damage) but does not identify specific threat sources or threat events targeting the CRM.

187
MCQeasy

A vulnerability scan of the internal network reveals a critical vulnerability in a legacy application that cannot be patched immediately. What is the FIRST step the risk practitioner should take?

A.Document the vulnerability and assess the associated risk in the risk register
B.Apply a virtual patch via an intrusion prevention system
C.Isolate the application from the network
D.Notify the application owner and request an emergency patch
AnswerA

Proper risk identification and documentation precede treatment decisions.

Why this answer

The first step is to document the vulnerability and assess the associated risk in the risk register because risk identification and assessment must precede any remediation decision. Without a formal risk assessment, the practitioner cannot determine whether compensating controls (like a virtual patch or isolation) are appropriate or whether the residual risk is acceptable to the business. This aligns with the CRISC framework's emphasis on risk-based decision-making before implementing technical controls.

Exam trap

The trap here is that candidates often jump to a technical control (like applying a virtual patch or isolating the application) because it seems immediate and effective, but the CRISC exam consistently tests that risk assessment and documentation must come first before any control implementation.

How to eliminate wrong answers

Option B is wrong because applying a virtual patch via an intrusion prevention system (IPS) is a compensating control that should only be selected after the risk has been assessed and documented; jumping to a technical fix without risk evaluation bypasses the risk management process. Option C is wrong because isolating the application from the network is a drastic technical control that may disrupt business operations and should be considered only after the risk assessment determines that the vulnerability's impact exceeds the organization's risk appetite. Option D is wrong because notifying the application owner and requesting an emergency patch is a reactive step that assumes a patch is feasible, but the scenario explicitly states the application cannot be patched immediately, making this action premature and potentially futile without first assessing the risk.

188
MCQeasy

Which of the following is the PRIMARY purpose of conducting a business impact analysis (BIA) during the IT risk assessment process?

A.To determine the criticality and recovery time objectives of business processes
B.To identify vulnerabilities in IT systems
C.To identify potential threat actors
D.To inventory all IT assets
AnswerA

BIA focuses on business impact.

Why this answer

Option A is correct because the BIA identifies critical business processes, the impact of their disruption over time, and recovery objectives such as the recovery time objective (RTO), which set recovery priorities. Option B is wrong because identifying vulnerabilities is the role of vulnerability assessment. Option C is wrong because threat actors are identified through threat modeling and threat intelligence. Option D is wrong because an asset inventory is an asset-management activity that feeds the BIA but is not its purpose.

189
Multi-Selectmedium

Which TWO of the following are examples of risk avoidance?

Select 2 answers
A.Implementing a firewall
B.Purchasing cyber insurance
C.Accepting the risk
D.Migrating to a different technology platform
E.Discontinuing a high-risk business process
AnswersD, E

Changing platforms can avoid risks of the old platform.

Why this answer

Migrating to a different technology platform (Option D) and discontinuing a high-risk business process (Option E) are both risk avoidance: each removes the activity or technology that gives rise to the risk rather than reducing its likelihood or shifting its cost. For example, an organization running an outdated operating system with known unpatched vulnerabilities that migrates to a modern, supported platform removes that attack surface entirely, and an organization that stops running a process it cannot adequately secure eliminates the associated exposure. Implementing a firewall (Option A) is mitigation, purchasing cyber insurance (Option B) is transfer, and accepting the risk (Option C) is acceptance.

Exam trap

The trap here is that candidates confuse risk mitigation (e.g., implementing controls like firewalls) with risk avoidance, failing to recognize that avoidance requires completely eliminating the risk source, not just reducing it.

190
Multi-Selectmedium

Which TWO of the following are characteristics of an effective key risk indicator (KRI)?

Select 2 answers
A.Leading indicators that provide early warning.
B.Large number of indicators to cover all risks.
C.Measurable and quantifiable metrics.
D.Lagging indicators that confirm past events.
E.Qualitative assessments based on expert opinion.
AnswersA, C

Leading indicators are predictive.

Why this answer

Options A and C are correct because an effective KRI is leading (it warns before a risk materializes) and measurable (it can be tracked against a defined threshold). Option B is wrong because a large number of indicators causes overload and dilutes attention; a small set of KRIs tied to the top risks is preferable. Option D is wrong because lagging indicators only confirm events that have already occurred; they may be useful for reporting but do not provide early warning. Option E is wrong because qualitative expert assessments are sometimes necessary, but quantifiable metrics are preferred for consistency and trend analysis.

191
MCQeasy

A risk practitioner is facilitating a workshop to identify IT risks for a new product launch. Which technique BEST encourages participants to think about risks from different perspectives?

A.Using a structured framework such as STRIDE or OCTAVE.
B.Asking each participant to write risks individually.
C.Using a checklist of common IT risks.
D.Brainstorming without any predefined categories.
AnswerA

Structured frameworks guide thinking across risk categories.

Why this answer

A structured framework like STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege) or OCTAVE provides predefined threat categories that force participants to systematically consider risks from multiple angles—such as security, operational, and compliance perspectives—rather than relying on ad hoc thinking. This ensures comprehensive coverage of the attack surface for the new product launch, including often-overlooked areas like repudiation or elevation of privilege in cloud-based microservices.

Exam trap

ISACA often tests the misconception that unstructured brainstorming (Option D) is the most creative approach, but the trap is that without a framework, participants miss systematic threat categories and the workshop fails to identify risks like elevation of privilege or repudiation that require structured prompting.

How to eliminate wrong answers

Option B is wrong because asking each participant to write risks individually lacks the collaborative cross-pollination of ideas needed to surface diverse perspectives; it tends to produce siloed, homogeneous viewpoints based on each person's limited experience. Option C is wrong because a checklist of common IT risks is static and retrospective, focusing on known issues (e.g., SQL injection, misconfigured firewalls) and missing novel or product-specific threats that emerge from the unique architecture of the new launch. Option D is wrong because brainstorming without any predefined categories often leads to groupthink, anchoring on the loudest voice, and missing entire threat categories like denial-of-service or privilege escalation that require structured prompting.

192
MCQeasy

You are the risk manager at a financial institution that processes online transactions. The organization relies on a legacy system for transaction authorization, which is monitored via manual log reviews performed weekly by a junior analyst. Recently, the internal audit team identified that several unauthorized transactions were not detected for over two weeks. The logs showed that the authorization control failed intermittently due to a known software bug, but the bug had been documented in the risk register with a low residual risk rating. The CRO asks you to recommend the most effective improvement to the control monitoring process. Which of the following would be the BEST course of action?

A.Implement an automated real-time monitoring tool that alerts on authorization failures.
B.Increase the frequency of log reviews to daily.
C.Update the risk register to increase the residual risk rating for the bug.
D.Retrain the junior analyst on log analysis techniques.
AnswerA

Automated monitoring provides immediate detection and reduces reliance on manual reviews.

Why this answer

Implementing an automated real-time monitoring tool that alerts on authorization failures directly addresses the root cause: the detection delay caused by manual weekly log reviews. Unlike manual reviews, automated monitoring provides immediate notification of control failures, enabling rapid response to intermittent software bugs and reducing the window of exposure for unauthorized transactions.

Exam trap

The trap here is that candidates often choose to increase review frequency (Option B) because it seems like a direct improvement, but they fail to recognize that manual reviews, regardless of frequency, still suffer from human delay and cannot match the immediacy of automated monitoring for intermittent control failures.

How to eliminate wrong answers

Option B is wrong because increasing log review frequency to daily still relies on manual analysis, which introduces human latency and potential oversight; it does not eliminate the detection gap for intermittent failures that occur between reviews. Option C is wrong because updating the risk register to increase the residual risk rating is a documentation change that does not improve the actual monitoring or detection capability; it merely acknowledges the problem without fixing it. Option D is wrong because retraining the junior analyst on log analysis techniques does not address the fundamental issue of manual review latency and the inability to detect failures in near real-time; even a highly skilled analyst cannot overcome the delay inherent in periodic manual checks.
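Added example, not part of the question bank: per-event monitoring of the authorization control described in this item, so that a control failure raises an alert as the event arrives rather than surfacing in a weekly log review. Two failure signatures are checked: a transaction that completed although the authorization step returned an error (the intermittent bug in the scenario), and a transaction that completed with no authorization decision recorded at all. The event fields and the sample events are constructed for illustration.

```python
"""Real-time alerting on authorization-control failures (added example; event
format and sample data are assumptions)."""
import json

# Constructed JSON-lines events. Assumed shape: every completed transaction
# should carry the decision returned by the legacy authorization step.
SAMPLE_EVENTS = [
    '{"ts": "2024-05-07T09:00:01", "txn": "T1", "amount": 120.0, "auth": "approved", "status": "completed"}',
    '{"ts": "2024-05-07T09:00:05", "txn": "T2", "amount": 9800.0, "auth": "error", "status": "completed"}',
    '{"ts": "2024-05-07T09:00:09", "txn": "T3", "amount": 45.5, "auth": "declined", "status": "rejected"}',
    '{"ts": "2024-05-07T09:00:12", "txn": "T4", "amount": 3000.0, "status": "completed"}',
]


def check_event(ev):
    """Return an alert dict if this event shows the authorization control failing,
    otherwise None. Only completed transactions can represent a control failure."""
    if ev.get("status") != "completed":
        return None
    auth = ev.get("auth")
    if auth == "approved":
        return None
    if auth is None:
        reason = "completed without any authorization decision"
    else:
        reason = f"completed although authorization returned '{auth}'"
    return {"txn": ev["txn"], "ts": ev["ts"], "amount": ev["amount"], "reason": reason}


def monitor(event_stream):
    """Consume events one at a time; an alert is produced the moment a failing
    event is seen, which is what removes the weekly-review detection window."""
    alerts = []
    for raw in event_stream:
        ev = json.loads(raw) if isinstance(raw, str) else raw
        alert = check_event(ev)
        if alert is not None:
            alerts.append(alert)  # a deployment would page the on-call analyst here
    return alerts


if __name__ == "__main__":
    for a in monitor(SAMPLE_EVENTS):
        print(f"ALERT {a['ts']} {a['txn']} {a['amount']:.2f}: {a['reason']}")
```

The check is an invariant on each event ("no completed transaction without an approval"), so it catches intermittent failures regardless of how rarely they occur; a periodic manual review, however frequent, can only find them after the fact.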

193
MCQmedium

During a risk assessment, an organization identifies that its primary data center is located in a flood-prone area. Which risk treatment option would best address this risk?

A.Purchase business interruption insurance
B.Move all operations to a cloud provider
C.Implement flood barriers and redundant cooling systems
D.Accept the risk and document it in the risk register
AnswerC

This is a mitigation action.

Why this answer

Implementing flood barriers and redundant cooling systems directly reduces the likelihood and impact of a flood event on the data center's physical infrastructure. This is a risk mitigation strategy that proactively addresses the root cause of the risk (flooding) by hardening the facility, which is the most effective treatment for a high-probability, high-impact physical threat.

Exam trap

The trap here is that candidates often confuse risk transfer (insurance) with risk mitigation, failing to recognize that insurance does not prevent operational downtime or data loss, whereas physical controls directly reduce the risk's likelihood and impact.

How to eliminate wrong answers

Option A is wrong because purchasing business interruption insurance is a risk transfer strategy that only compensates for financial loss after an incident, but does not reduce the probability or impact of the flood itself; it leaves the organization's operations vulnerable to downtime. Option B is wrong because moving all operations to a cloud provider is a risk avoidance strategy that may be overly drastic and costly, and it does not address the underlying risk assessment of the existing data center; it also introduces new risks such as vendor lock-in and data sovereignty issues. Option D is wrong because accepting the risk without any active controls is inappropriate for a flood-prone location with high potential for catastrophic damage; risk acceptance is typically reserved for low-impact or low-probability risks, not for a clearly identified physical threat that can be mitigated.

194
MCQhard

An organization uses a quantitative risk analysis method. The annualized rate of occurrence (ARO) for a specific threat is 0.5, and the single loss expectancy (SLE) is $200,000. What is the annualized loss expectancy (ALE)?

A.$400,000
B.$100,000
C.$100,000
D.$200,000
AnswerB

ALE = ARO * SLE.

Why this answer

The annualized loss expectancy (ALE) is calculated as ARO × SLE = 0.5 × $200,000 = $100,000. This represents the expected annual financial loss from the threat, factoring in both the frequency of occurrence and the impact per incident.

Exam trap

The trap here is misreading an ARO of 0.5 (one occurrence every two years) as a reason to double the loss and multiplying by 2, or ignoring the ARO entirely and reporting the SLE as the ALE without annualizing it.

How to eliminate wrong answers

Option A ($400,000) is wrong because it multiplies the SLE by 2 instead of 0.5, treating the ARO as two occurrences per year. Options B and C both read $100,000; the duplicated option is a defect in the item, and the calculated ALE is $100,000 regardless of which letter is keyed. Option D ($200,000) is wrong because it assumes an ARO of 1 (one occurrence per year), ignoring the given ARO of 0.5, which halves the expected annual loss.

195
MCQmedium

A multinational e-commerce company has experienced multiple security incidents involving unauthorized access to customer payment data. The incidents originated from different regional offices and exploited misconfigured firewall rules. The risk manager needs to identify the root cause of these risks. Which approach would BEST help in identifying the root cause of the IT risk?

A.Perform a root cause analysis on the firewall misconfigurations to determine underlying process weaknesses.
B.Implement additional logging on all firewall devices to capture configuration changes.
C.Conduct a penetration test targeting all regional office networks to identify vulnerabilities.
D.Update the risk register to include the incidents and assign risk owners.
AnswerA

Root cause analysis systematically identifies the fundamental reason for the misconfigurations, such as inadequate change management.

Why this answer

Option A is correct because a root cause analysis of the firewall misconfigurations traces them back to the underlying process weakness, for example an inadequate change-management process shared across the regional offices. Option B is wrong because additional logging records configuration changes but does not by itself explain why they keep occurring. Option C is wrong because a penetration test may find further vulnerabilities but not the process failure that produced them. Option D is wrong because updating the risk register records the outcome of identification; it is not a method for identifying root cause.

196
Multi-Selecthard

Which THREE of the following should be included in a board-level risk report to effectively communicate the organization's risk profile?

Select 3 answers
A.Emerging risks and trend analysis of key risk indicators over the past quarter.
B.A list of the most recent security incidents with root cause analysis.
C.Detailed descriptions of all controls mitigating the top risks.
D.A risk heat map showing the current likelihood and impact of top risks.
E.A summary of current risk exposure relative to the board-approved risk appetite.
AnswersA, D, E

Trends and emerging risks support proactive oversight.

Why this answer

Options A, D, and E are correct. A risk heat map (D) visualizes the likelihood and impact of the top risks; emerging risks and KRI trend analysis (A) provide forward-looking context for decisions; and a summary of exposure against board-approved risk appetite (E) lets the board assess whether the organization is operating within its limits. Option B is wrong because individual incident details with root cause analysis are operational information; an aggregated trend is more appropriate at board level.

Option C is wrong because detailed descriptions of every mitigating control are too granular for a board report.

197
MCQmedium

During a risk assessment, a financial institution identifies that its online banking application uses an outdated encryption protocol. The likelihood of exploitation is high, and the impact is moderate. What should the risk owner do FIRST?

A.Implement a compensating control to mitigate the risk
B.Validate the risk rating with additional data
C.Transfer the risk via cyber insurance
D.Accept the risk as low priority
AnswerB

Validation ensures correct prioritization.

Why this answer

The risk owner's first responsibility is to ensure the risk assessment is accurate before deciding on a response. Validating the risk rating with additional data (option B) confirms that the high likelihood and moderate impact are correctly assessed, which is a prerequisite for selecting an appropriate treatment. Jumping to implement controls, transfer, or accept the risk without validation could lead to misallocation of resources or inadequate mitigation.

Exam trap

The trap here is that candidates often jump to selecting a risk treatment option (like implementing a control or transferring risk) without recognizing that the risk owner must first validate the risk rating to ensure the assessment is accurate and actionable.

How to eliminate wrong answers

Option A is wrong because implementing a compensating control is a risk treatment decision that should only occur after the risk rating is validated and a response strategy is chosen; acting prematurely may result in unnecessary or ineffective controls. Option C is wrong because transferring risk via cyber insurance is a specific treatment option that requires a validated risk rating to determine if transfer is cost-effective and appropriate; it is not the first step. Option D is wrong because accepting the risk as low priority contradicts the assessment's high likelihood and moderate impact, and acceptance should only be considered after validation confirms the rating and the risk is within the organization's appetite.

198
MCQhard

Based on the firewall log exhibit, which of the following conclusions is MOST appropriate for risk identification?

A.External server 198.51.100.20 is attempting to exploit host 10.0.1.10
B.Host 10.0.1.15 is successfully communicating with external server 203.0.113.50
C.The firewall is functioning correctly with no security incidents
D.There is evidence of a potential reverse shell or malware beaconing from host 10.0.1.15
AnswerD

Denied outbound traffic from internal host to external IP on common malware ports indicates possible compromise.

Why this answer

Option D is correct because the firewall log shows an outbound connection from internal host 10.0.1.15 to external server 203.0.113.50 on a non-standard high port (e.g., 4444, which is the default listener port of common reverse-shell payloads such as those generated by Metasploit) rather than an expected egress service port. This pattern indicates that the internal host may have been compromised and is establishing an outbound channel to an external attacker, bypassing inbound firewall rules entirely. Such behavior is a critical risk indicator for IT risk identification, as it suggests active malicious activity within the network.

Exam trap

The trap here is that candidates focus on the source/destination IPs and assume any outbound connection is benign, overlooking the significance of the destination port (4444) as a common reverse shell indicator, which ISACA often uses to test understanding of outbound threat patterns versus simple inbound attack detection.

How to eliminate wrong answers

Option A is wrong because the log shows traffic from external server 198.51.100.20 to host 10.0.1.10 on port 80 (HTTP), which is typical web traffic and not indicative of an exploit unless accompanied by attack signatures or payload anomalies; the log alone does not confirm exploitation. Option B is wrong because while host 10.0.1.15 is indeed communicating with external server 203.0.113.50, the log shows a connection to a high port (4444) rather than a standard service port, making this communication suspicious rather than 'successful' in a benign sense. Option C is wrong because the presence of an outbound connection to a high, non-standard port from an internal host is a security incident indicator, contradicting the claim that the firewall is functioning correctly with no incidents.
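The reasoning above, as an added example that is not part of the original question bank: a small detector that parses firewall log lines, keeps only internal-to-external traffic, and flags connections to known reverse-shell listener ports or to non-standard high ports, then groups repeated hits to the same host:port (the beaconing pattern). The log format, the sample lines, the RFC 1918 definition of "internal", and the port lists are all constructed assumptions for this example; adapt the regular expression and port lists to your own firewall.

```python
"""Flag outbound connections from internal hosts to suspicious ports.

Added example, not taken from the question bank. Log format, sample lines,
internal network ranges and port lists are constructed assumptions.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample log (hypothetical format: ts action proto src:port -> dst:port).
SAMPLE_LOG = """\
2024-03-01T10:00:01Z ALLOW TCP 198.51.100.20:51234 -> 10.0.1.10:80
2024-03-01T10:00:05Z ALLOW TCP 10.0.1.15:49152 -> 203.0.113.50:4444
2024-03-01T10:00:06Z DENY  TCP 10.0.1.15:49153 -> 203.0.113.50:4444
2024-03-01T10:00:09Z ALLOW TCP 10.0.1.20:49200 -> 203.0.113.7:443
2024-03-01T10:01:00Z ALLOW UDP 10.0.1.15:49300 -> 203.0.113.50:4444
"""

# Assumption: RFC 1918 space is "internal"; everything else is external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Default listener ports of common reverse-shell / C2 payloads (4444 is Metasploit's default LPORT).
KNOWN_C2_PORTS = {4444, 1337, 31337, 5555, 6666, 6667}
# Egress ports normal business traffic is expected to use (tune per environment).
EXPECTED_EGRESS_PORTS = {53, 80, 123, 443}

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything unparseable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec


def find_suspicious_outbound(log_text):
    """Keep internal -> external records whose destination port is a known C2
    port or a non-standard high port. Denied attempts count too: a blocked
    beacon still means the host is trying to call out."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_internal(rec["src"]) or is_internal(rec["dst"]):
            continue  # skip garbage, inbound and internal-only traffic
        if rec["dport"] in KNOWN_C2_PORTS:
            rec["reason"] = "known_c2_port"
        elif rec["dport"] >= 1024 and rec["dport"] not in EXPECTED_EGRESS_PORTS:
            rec["reason"] = "nonstandard_high_port"
        else:
            continue
        findings.append(rec)
    return findings


def summarize(findings):
    """Count hits per (src, dst, dport); repeated connections to one host:port
    are the beaconing pattern worth escalating."""
    counts = defaultdict(int)
    for f in findings:
        counts[(f["src"], f["dst"], f["dport"])] += 1
    return dict(counts)


if __name__ == "__main__":
    for key, n in summarize(find_suspicious_outbound(SAMPLE_LOG)).items():
        print(f"{key[0]} -> {key[1]}:{key[2]}  hits={n}")
```

On the constructed log, the inbound HTTP request to 10.0.1.10 (option A's traffic) and the outbound HTTPS from 10.0.1.20 are both ignored, while the three attempts from 10.0.1.15 to 203.0.113.50:4444, including the denied one, are grouped into a single finding with a hit count of 3.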

199
Multi-Selectmedium

Which THREE of the following are characteristics of leading key risk indicators (KRIs)?

Select 3 answers
A.They are predictive in nature.
B.They are based on historical data.
C.They measure past events and losses.
D.They provide early warning of potential risk events.
E.They enable proactive risk mitigation.
AnswersA, D, E

Leading indicators predict future risk levels.

Why this answer

Leading key risk indicators (KRIs) are predictive in nature because they track forward-looking metrics that signal potential future risk events before they occur. Unlike lagging indicators that measure past outcomes, leading KRIs use trend analysis and threshold monitoring to forecast changes in risk exposure, enabling organizations to anticipate and address issues proactively.

Exam trap

The trap here is that candidates often confuse leading KRIs with lagging indicators, mistakenly selecting options that describe historical or past-event measurements because they think all KRIs are backward-looking, but CRISC emphasizes that leading KRIs are forward-looking and predictive.

200
MCQmedium

A new web application is being developed using several open-source libraries. Which risk identification method is most effective for identifying vulnerabilities in these libraries?

A.Static application security testing (SAST)
B.Software composition analysis (SCA)
C.Dynamic application security testing (DAST)
D.Manual code review
AnswerB

SCA scans dependencies and matches them against vulnerability databases, ideal for open-source risk identification.

Why this answer

Software Composition Analysis (SCA) is specifically designed to identify known vulnerabilities in open-source libraries by analyzing dependency manifests (e.g., pom.xml, package.json) and correlating them against vulnerability databases like the National Vulnerability Database (NVD). For a web application built with multiple open-source components, SCA automates the detection of outdated or vulnerable libraries, which is the most effective method for this risk identification scenario.

Exam trap

The trap here is that candidates confuse SAST (which finds code-level bugs) with SCA (which finds library vulnerabilities), assuming any security testing tool can identify open-source risks, but only SCA is designed to inventory and assess third-party components against known CVEs.

How to eliminate wrong answers

Option A is wrong because Static Application Security Testing (SAST) analyzes source code for security flaws in custom application logic (e.g., SQL injection, buffer overflows), but it does not scan or track third-party library dependencies or their known vulnerabilities. Option C is wrong because Dynamic Application Security Testing (DAST) tests the running application for runtime vulnerabilities (e.g., XSS, CSRF) by sending malicious payloads, but it cannot identify vulnerabilities embedded in library versions that are not actively exploited during the test. Option D is wrong because Manual code review, while thorough for custom code, is impractical for large open-source libraries and cannot efficiently cross-reference thousands of library versions against vulnerability databases like SCA does.
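The SCA workflow described above, as an added example that is not part of the original question bank: read a dependency manifest, normalise the declared version ranges, and compare each component against a vulnerability feed keyed by package name and fixed version. The package.json, the advisory identifiers (DEMO-xxxx) and the "affected below" versions are constructed for this example, and the version handling is deliberately simple (lowest version a range allows, no prerelease tags); a production SCA tool resolves the full transitive tree from a lockfile and pulls its feed from a source such as NVD or OSV.

```python
"""Toy software composition analysis (SCA): match a dependency manifest
against a vulnerability feed.

Added example, not taken from the question bank. The manifest and the
advisory feed below are constructed; the DEMO-xxxx identifiers are placeholders.
"""
import json
import re

# Constructed package.json for a hypothetical web application.
PACKAGE_JSON = """{
  "name": "demo-web-app",
  "dependencies": {
    "lodash": "^4.17.15",
    "express": "4.18.2",
    "minimist": "~1.2.0"
  },
  "devDependencies": {
    "jest": "29.7.0"
  }
}"""

# Constructed feed: package -> advisories, each naming the first fixed version.
VULN_FEED = {
    "lodash": [{"id": "DEMO-0001", "affected_below": "4.17.21"}],
    "minimist": [{"id": "DEMO-0002", "affected_below": "1.2.6"}],
}


def parse_version(version):
    """'4.17.15' -> (4, 17, 15); trailing prerelease/build tags are ignored."""
    core = re.match(r"\d+(\.\d+)*", version).group(0)
    return tuple(int(part) for part in core.split("."))


def resolved_version(spec):
    """Assume the lowest version a range allows is what gets installed.
    Pessimistic on purpose: the manifest alone cannot tell us the lockfile pin."""
    return re.sub(r"^[\^~>=<\s]+", "", spec)


def load_dependencies(package_json_text):
    """Collect direct runtime and dev dependencies as {name: version}."""
    data = json.loads(package_json_text)
    deps = {}
    for section in ("dependencies", "devDependencies"):
        for name, spec in data.get(section, {}).items():
            deps[name] = resolved_version(spec)
    return deps


def find_vulnerable(deps, feed):
    """A component is affected when its version sorts below the fixed version."""
    findings = []
    for name, version in deps.items():
        for advisory in feed.get(name, []):
            if parse_version(version) < parse_version(advisory["affected_below"]):
                findings.append({
                    "package": name,
                    "version": version,
                    "id": advisory["id"],
                    "fixed_in": advisory["affected_below"],
                })
    return findings


def scan(package_json_text, feed=VULN_FEED):
    return find_vulnerable(load_dependencies(package_json_text), feed)


if __name__ == "__main__":
    for f in scan(PACKAGE_JSON):
        print(f"{f['package']}@{f['version']}: {f['id']} (fixed in {f['fixed_in']})")
```

Note what the check does and does not see: it flags lodash and minimist because their declared versions sort below the fixed versions in the feed, says nothing about express or jest because the feed has no entry for them, and never looks at the application's own code, which is exactly why SAST and DAST are the wrong tools for this question and SCA is the right one.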

201
Multi-Selecteasy

A SIEM generates alerts for the following events. Which TWO events should be considered potential emerging risks? (Select exactly 2.)

Select 2 answers
A.Scheduled backup completed successfully
B.Software update installed on server
C.High number of failed authentication attempts from a single IP
D.Low disk space alert on a file server
E.Unusual increase in outbound traffic from a database server
AnswersC, E

Indicates a brute-force attack attempt.

Why this answer

A high number of failed authentication attempts from a single IP (C) is a classic indicator of a brute-force or password-spraying attack. It represents an emerging risk because it signals active reconnaissance or attempted unauthorized access, which could lead to account compromise or lateral movement if successful. An unusual increase in outbound traffic from a database server (E) is an anomaly on a system that normally serves internal clients and has no reason to push large volumes outward; it is a common indicator of data exfiltration or malware beaconing and therefore also warrants treatment as an emerging risk.

Exam trap

The trap here is that candidates confuse operational alerts (like low disk space or successful backups) with security risks, failing to recognize that emerging risks must involve active threat indicators such as reconnaissance or anomalous traffic patterns.

202
MCQhard

Based on the exhibit, which of the following poses the HIGHEST risk to the environment?

A.The web servers are in a public subnet
B.The communication between web and application servers is encrypted via HTTPS
C.The application servers use embedded credentials to access the database
D.The database has a direct SSH connection from the internet
AnswerD

Direct internet access to the database, even from a single IP, exposes a critical asset to external threats.

Why this answer

Option D is correct because a direct SSH connection from the internet to the database server bypasses all network segmentation and firewall controls, exposing the database to brute-force attacks, credential theft, and unauthorized remote access. SSH is a management protocol, not an application protocol, and its exposure on the internet creates a direct attack surface on the most sensitive data tier, which is the highest risk to the environment.

Exam trap

ISACA often tests the misconception that 'encryption always reduces risk' or that 'public subnets are inherently dangerous,' when in reality the highest risk is exposing management interfaces (like SSH) directly to the internet, not the application-layer exposure of web servers.

How to eliminate wrong answers

Option A is wrong because web servers are typically placed in a public subnet to serve traffic to users; this is a standard architectural design and not inherently high risk as long as proper security groups and WAFs are in place. Option B is wrong because HTTPS encryption between web and application servers protects data in transit from eavesdropping and tampering, which actually reduces risk rather than posing a risk. Option C is wrong because while embedded credentials are a security concern (they can be extracted from code), they do not expose the database to direct internet-based attacks and are a lower risk compared to an open SSH management channel from the internet.

203
Multi-Selecteasy

A risk manager is designing monthly risk reports for senior management. Which THREE of the following should be included in an effective risk report? (Choose three.)

Select 3 answers
A.Names of individual employees responsible for control failures.
B.Changes in the risk landscape.
C.Key risk indicators (KRIs) and their trends.
D.Detailed control test results for every control.
E.Status of risk treatment plans.
AnswersB, C, E

Keeps management informed of external and internal changes.

Why this answer

Options B, C, and E are correct. Changes in the risk landscape (B) highlight emerging risks, KRIs and their trends (C) give senior management a high-level view of exposure over time, and the status of risk treatment plans (E) shows whether agreed responses are progressing. Option D is wrong because detailed test results for every control are too granular for senior management.

Option A is wrong because naming individual employees responsible for control failures is inappropriate in a management risk report and does nothing to improve the control environment.

204
MCQmedium

A company is implementing a new continuous monitoring tool for its network security controls. Which of the following is the MOST important step to ensure the tool provides meaningful risk information?

A.Configure the tool to generate real-time alerts for all events.
B.Provide training to all users on how to interpret the tool's output.
C.Ensure the tool is integrated with the existing SIEM system.
D.Align the tool's monitoring parameters with key risk indicators and critical controls.
AnswerD

Alignment ensures the tool focuses on what matters for risk management.

Why this answer

Option D is correct because the tool only produces meaningful risk information if its monitoring parameters are aligned with the KRIs and the critical controls that address the organization's high-risk areas. Option A is wrong because real-time alerts on every event generate noise rather than insight if the events monitored are irrelevant to key controls. Option C is wrong because SIEM integration is an operational convenience, not a prerequisite for the output to be meaningful.

Option B is wrong because training users to interpret the output is important but secondary to configuring the tool to monitor the right things in the first place.

205
MCQmedium

A risk practitioner is reviewing the monitoring reports for a critical business process. The report shows that a key control has a 95% effectiveness rate, but the risk appetite for the associated risk is 98%. What should the practitioner do?

A.Accept the current effectiveness as it is close to the target.
B.Immediately escalate to senior management.
C.Recommend enhancements to the control to improve effectiveness.
D.Reduce the risk appetite to 95%.
AnswerC

Aligns control with risk appetite.

Why this answer

Option C is correct because the control effectiveness (95%) is below the risk appetite threshold (98%), meaning the residual risk exceeds the acceptable level. The practitioner should recommend enhancements to close this gap, as accepting the current state would violate risk appetite. This aligns with the principle that controls must be improved when monitoring shows performance below the defined tolerance.

Exam trap

The trap here is that candidates may think 'close enough' (Option A) is acceptable, but CRISC requires strict adherence to risk appetite thresholds, not approximations.

How to eliminate wrong answers

Option A is wrong because accepting a 95% effectiveness when the risk appetite is 98% means the residual risk is above the acceptable threshold, which is not permissible; 'close to the target' is not sufficient in risk management. Option B is wrong because immediate escalation to senior management is premature; the practitioner should first analyze the gap and recommend control improvements, as escalation is reserved for critical failures or when remediation is beyond the practitioner's authority. Option D is wrong because reducing the risk appetite to match the current control performance is a reactive and inappropriate approach; risk appetite is set by the board and should drive control improvement, not be lowered to accommodate weak controls.

206
MCQhard

A risk manager discovers that a business unit has been using an unapproved software-as-a-service (SaaS) application for three months. The application stores customer PII. Which of the following risk identification techniques should the risk manager use to understand the full extent of the risk?

A.Run an automated data discovery tool across the network
B.Interview the business unit head about the application's use and data stored
C.Request an independent audit of the SaaS provider
D.Review network logs to identify data transfers to the SaaS provider
AnswerB

Interview provides context on what data is stored and why, critical for risk identification.

Why this answer

Option B is correct because interviewing the business unit head is the most direct and effective technique to understand the full extent of the risk. The risk manager needs to know the specific business processes, the types and volume of PII stored, the purpose of the application, and how data flows into and out of the SaaS application. Automated tools or logs can only provide technical evidence of usage, but they cannot capture the business context, data classification, or the actual data handling practices that define the risk's scope.

Exam trap

The trap here is that candidates often choose an automated or technical option (like A or D) because they seem objective and efficient, but the question specifically asks for a technique to 'understand the full extent of the risk,' which requires human insight into business context and data handling, not just technical detection.

How to eliminate wrong answers

Option A is wrong because running an automated data discovery tool across the network can identify the presence of the SaaS application and data transfers, but it cannot determine the business purpose, the exact PII fields stored, or the data handling procedures, which are essential for understanding the full risk extent. Option C is wrong because requesting an independent audit of the SaaS provider is a reactive and external step that assumes the provider will cooperate and that the risk manager already knows the scope of data shared; it does not help the risk manager initially understand the internal usage and data stored. Option D is wrong because reviewing network logs can show data transfers to the SaaS provider, but logs alone cannot reveal the specific PII content, the business justification, or the data lifecycle within the application, leaving significant gaps in risk understanding.

207
Multi-Selectmedium

A risk assessment for a financial trading platform has identified a high-risk vulnerability in the order matching engine. The risk owner has recommended implementing compensating controls rather than fixing the underlying code. Which TWO of the following are valid compensating controls? (Choose two.)

Select 2 answers
A.Rewrite the order matching engine in a memory-safe language
B.Deploy a Web Application Firewall (WAF) to block malicious payloads
C.Enable detailed logging for all order matching transactions
D.Require manual approval for all orders above a threshold
E.Implement rate limiting on order submissions
AnswersD, E

Manual approval adds a human verification step, reducing the impact of a potential exploit.

Why this answer

Option D is correct because requiring manual approval for orders above a threshold directly reduces the impact of a successful exploit by preventing large-scale financial loss, even if the underlying code vulnerability remains unpatched. This compensating control shifts the risk acceptance decision to a human operator, effectively adding a business logic layer that can catch anomalous or malicious order matching attempts. Option E is correct because rate limiting on order submissions mitigates the risk of an attacker exploiting the vulnerability to submit a high volume of malicious orders, thereby limiting the blast radius and preventing denial-of-service or market manipulation scenarios.

Exam trap

The trap here is that candidates confuse detective controls (logging) or remediation (rewriting code) with compensating controls, failing to recognize that a compensating control must actively reduce risk without fixing the original vulnerability.

208
Multi-Selecthard

A company's IT risk team is conducting a risk identification exercise for a new blockchain-based supply chain solution. Which THREE risks are MOST specific to this technology?

Select 3 answers
A.51% attack on the underlying consensus mechanism.
B.Incompatibility with legacy database systems.
C.High electricity consumption of mining nodes.
D.Smart contract vulnerabilities leading to unintended execution.
E.Cryptographic key management failures.
AnswersA, D, E

Consensus attacks are specific to blockchain.

Why this answer

A 51% attack (A) is a risk specific to blockchain consensus mechanisms: an entity or coalition that gains majority control of hashing power (or of stake, in proof-of-stake systems) can reverse transactions or prevent new blocks from being confirmed, directly undermining the integrity and immutability the supply chain solution relies on. Smart contract vulnerabilities (D) are likewise specific to the technology, because flawed contract logic executes automatically and immutably once deployed and cannot simply be patched like conventional application code. Cryptographic key management failures (E) are critical in a blockchain context because a lost or stolen private key means irrecoverable loss of control over the associated assets or signing authority, with no central administrator able to reset it. Options B and C describe generic integration and operational concerns that apply to many technologies.

Exam trap

ISACA often tests the distinction between generic IT risks and technology-specific risks, so candidates mistakenly select 'high electricity consumption' without considering that many blockchain implementations (especially in enterprise supply chains) do not use energy-intensive proof-of-work.

209
Multi-Selecteasy

Which TWO of the following are primary sources of risk identification for IT projects? (Select exactly 2.)

Select 2 answers
A.Security baseline
B.Project documentation
C.Risk treatment plan
D.Firewall logs
E.Lessons learned from previous projects
AnswersB, E

Requirements, design, and architecture documents contain information to identify risks.

Why this answer

Project documentation (Option B) is a primary source of risk identification because it contains the project scope, schedule, requirements, and assumptions that directly reveal potential risks such as resource constraints or scope creep. Lessons learned from previous projects (Option E) provide empirical data on actual risks encountered, mitigation effectiveness, and failure patterns, making them a critical input for identifying risks in new IT projects. Both sources are explicitly cited in the CRISC Review Manual as foundational inputs for the risk identification process.

Exam trap

The trap here is that candidates confuse operational artifacts (like firewall logs or security baselines) with project-level risk identification sources, or mistakenly think the risk treatment plan is an input rather than an output of the risk identification process.

210
MCQhard

During a risk assessment, the IT risk manager needs to prioritize risks for treatment. Which of the following risk characteristics should be weighted MOST heavily?

A.The degree to which the risk affects strategic business objectives
B.The ease of implementing mitigating controls
C.The likelihood that the threat will be exploited
D.The financial impact calculated in monetary terms
AnswerA

Risks that impact strategic objectives are of highest priority.

Why this answer

In CRISC, risk prioritization is fundamentally driven by alignment with strategic business objectives because IT risk management exists to protect the enterprise’s mission and goals. Even a high-likelihood or high-financial-impact risk may be deprioritized if it does not materially affect the organization’s strategic objectives, as the risk treatment decision must support business value and continuity. This weighting ensures that resources are allocated to risks that most threaten the enterprise’s ability to achieve its core mission.

Exam trap

ISACA often tests the misconception that financial impact or likelihood should be the primary weighting factor, but CRISC emphasizes that strategic alignment is the overriding criterion because risk treatment must support the enterprise’s overall business goals, not just minimize cost or probability.

How to eliminate wrong answers

Option B is wrong because the ease of implementing mitigating controls is a tactical implementation consideration, not a primary risk prioritization factor; prioritizing based on ease can lead to treating low-impact risks while ignoring critical strategic threats. Option C is wrong because likelihood alone is insufficient—a threat with high likelihood but negligible business impact should not be weighted more heavily than a lower-likelihood risk that could cripple strategic objectives. Option D is wrong because financial impact in isolation ignores non-monetary strategic factors such as reputational damage, regulatory compliance, or competitive advantage, which may be more critical to the enterprise’s survival than a simple dollar figure.

211
MCQmedium

Based on the exhibit, what is the primary risk to the organization?

A.Unauthorized modification of customer data
B.Data loss due to accidental deletion
C.Unauthorized disclosure of sensitive customer data
D.Denial of service due to excessive read requests
AnswerC

Public access exposes data to anyone on the internet.

Why this answer

The exhibit shows a database server with customer data accessible via a web application that uses unencrypted HTTP (port 80) and has direct internet exposure. This configuration allows an attacker to intercept traffic or exploit the lack of encryption to read sensitive customer data in transit, making unauthorized disclosure the primary risk. The core reasoning is that unencrypted HTTP exposes data to eavesdropping and man-in-the-middle attacks, directly violating confidentiality requirements for sensitive customer information.

Exam trap

The trap here is that candidates often focus on the database server's role (e.g., modification or deletion risks) instead of recognizing that the unencrypted HTTP exposure directly enables unauthorized disclosure of data in transit, which is the most immediate and severe risk to confidentiality.

How to eliminate wrong answers

Option A is wrong because unauthorized modification of customer data requires write access or injection vulnerabilities (e.g., SQL injection), but the exhibit only shows read access via HTTP without any indication of write capabilities or input validation flaws. Option B is wrong because data loss due to accidental deletion typically involves lack of backups or improper access controls on delete operations, whereas the exhibit highlights unencrypted read access and internet exposure, not deletion risks. Option D is wrong because denial of service due to excessive read requests would require a resource exhaustion scenario (e.g., lack of rate limiting or DDoS protection), but the primary risk from unencrypted HTTP is data exposure, not availability.

212
Multi-Selecthard

Which THREE of the following are best practices for reporting risk and control monitoring results to stakeholders?

Select 3 answers
A.Tailor the report to the audience's level of understanding.
B.Include trend analysis and comparisons to thresholds.
C.Include detailed technical logs for each control.
D.Provide reports only when issues occur.
E.Highlight changes in risk exposure and control effectiveness.
AnswersA, B, E

Customization improves comprehension.

Why this answer

Options A, B, and E are correct. Tailoring the report to the audience (A) ensures it is understood, trend analysis and comparison to thresholds (B) show whether risk is moving toward or away from tolerance, and highlighting changes in exposure and control effectiveness (E) tells stakeholders what has actually changed since the last report. Option C is wrong because detailed technical logs for each control are not appropriate for most stakeholder audiences. Option D is wrong because reporting should be regular and consistent, not ad hoc only when issues occur.

213
MCQhard

A government agency is migrating its critical applications to a public cloud infrastructure. The risk assessment reveals that the cloud provider uses shared tenancy, and the agency's sensitive data will be stored alongside other customers' data. The agency has a very low risk appetite for data leakage and must comply with strict data sovereignty laws. The cloud provider offers data encryption at rest and in transit, as well as dedicated hardware security modules (HSMs) for key management. However, the provider's physical datacenters are located in another country with different legal frameworks. As the risk practitioner, which of the following should be the PRIMARY risk response?

A.Avoid the risk by keeping sensitive data on-premises and using the cloud only for non-sensitive workloads.
B.Reduce the risk by negotiating a contract that includes specific data handling clauses and audit rights.
C.Transfer the risk by requiring the provider to maintain a large cyber insurance policy.
D.Accept the risk after verifying the provider's compliance certifications.
AnswerA

Avoidance is appropriate given low risk appetite.

Why this answer

Option A is correct because the agency's very low risk appetite for data leakage and strict data sovereignty laws cannot be adequately mitigated by encryption or contractual measures when the physical datacenters are in a foreign jurisdiction with different legal frameworks. Shared tenancy in a public cloud inherently increases the attack surface for side-channel attacks and misconfiguration risks, and even with encryption at rest (e.g., AES-256) and in transit (e.g., TLS 1.3), the cloud provider's staff or foreign legal authorities could potentially access decryption keys or compel key disclosure. Avoiding the risk by keeping sensitive data on-premises eliminates the exposure to foreign legal frameworks and shared tenancy, directly aligning with the agency's risk appetite.

Exam trap

The trap here is that candidates often overestimate the effectiveness of encryption and contractual controls, failing to recognize that physical jurisdiction and shared tenancy introduce residual risks that cannot be fully mitigated, making avoidance the only appropriate response for a very low risk appetite.

How to eliminate wrong answers

Option B is wrong because negotiating data handling clauses and audit rights reduces but does not eliminate the risk; the provider's physical location in another country means local laws (e.g., the US CLOUD Act or EU GDPR cross-border transfer restrictions) could override contractual terms, and shared tenancy still exposes the data to potential side-channel attacks or misconfiguration by other tenants. Option C is wrong because transferring risk via cyber insurance does not prevent data leakage or address sovereignty laws; insurance only provides financial compensation after a breach, which is unacceptable for an agency with a very low risk appetite for data leakage. Option D is wrong because accepting the risk after verifying compliance certifications (e.g., ISO 27001, SOC 2) is insufficient; certifications attest to controls at a point in time but do not guarantee protection against foreign legal compulsion or shared tenancy vulnerabilities, and acceptance contradicts the stated very low risk appetite.

214
MCQmedium

A retail company uses a third-party vendor for payment processing. The vendor's service level agreement (SLA) requires 99.9% uptime. Recently, there were two incidents of downtime totaling 0.2% in a month, still within the SLA. However, the company's internal risk monitoring detected a pattern of increasing minor incidents. The vendor insists the SLA is met. The risk manager must decide on monitoring and reporting. The company's board wants to understand the risk. What is the best course of action?

A.Request a root cause analysis from the vendor and monitor trend more closely, reporting to board if trend worsens.
B.Terminate the vendor contract.
C.Increase the SLA penalty.
D.Accept the vendor's assurance as SLA is met.
AnswerA

Proactive management of increasing incidents aligns with risk monitoring best practices.

Why this answer

The increasing trend of incidents indicates a developing risk even though the SLA is currently met. Requesting a root cause analysis from the vendor and monitoring the trend more closely, with escalation to the board if it worsens, allows proactive management. Option A is correct.

Option D ignores the trend and relies solely on the vendor's assurance. Option B is drastic and unsupported by an SLA that is still being met. Option C increases the financial consequence of a breach but does not address the root cause of the minor incidents.

215
Multi-Selecthard

Which TWO of the following are valid techniques for identifying risk in IT risk assessment?

Select 2 answers
A.SWOT analysis
B.Brainstorming sessions
C.Residual risk assessment
D.Risk aggregation
E.Monte Carlo simulation
AnswersA, B

SWOT helps identify strengths, weaknesses, opportunities, and threats.

Why this answer

SWOT analysis (Strengths, Weaknesses, Opportunities, Threats) is a structured technique used to identify both internal and external risk factors during IT risk assessment. It helps uncover threats that could exploit weaknesses, as well as opportunities that might mitigate risks, making it a valid identification method. Brainstorming sessions bring together stakeholders with different perspectives to surface risks that no single participant would list alone, which is why both appear as standard risk identification techniques.

Exam trap

The trap here is confusing risk identification techniques (like SWOT and brainstorming) with risk analysis or evaluation techniques (like residual risk assessment, risk aggregation, and Monte Carlo simulation), which are applied after risks have already been identified.

216
Drag & Dropmedium

Order the steps for change management in an IT environment.


Why this order

Change management includes request, approval, testing, implementation, and review.

217
MCQmedium

The exhibit shows a control monitoring configuration in JSON format. Which of the following is the MOST critical gap in this monitoring setup?

A.The control was last tested over a month ago
B.The data source 'transaction_log' is not specific enough
C.The monitoring frequency is set to daily, which may miss real-time breaches
D.There is no action defined for when the threshold is first breached
AnswerD

The escalation levels only trigger after 1 and 4 hours; no action is defined for the moment the threshold is first breached.

Why this answer

Option D is correct because the configuration lacks a defined action for the initial alert (when the threshold is first exceeded) and only defines escalation actions at 1 and 4 hours, so a breach goes unacknowledged for at least an hour. Option A is wrong because a test date a month ago is recent enough for a daily-monitored control and is not the most critical gap. Option B is wrong because the data source is specified; naming the transaction log is sufficient for the monitoring to run.

Option C is wrong because a daily frequency may be an acceptable design choice for this control; a missing initial breach action is a larger gap than the monitoring interval.
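The gap described above can be caught mechanically. The following is an added example, not the exam's exhibit or any vendor's tooling: it parses a constructed control-monitoring configuration and flags a missing initial-breach action alongside the other checks the options mention. The field names (threshold, on_breach, escalation, last_tested, data_source) are assumptions chosen for illustration.

```python
"""Added example: lint a control-monitoring configuration for gaps.
The JSON below is constructed for illustration; its field names are
assumptions and it is not the exam exhibit."""
import json
from datetime import date, datetime


# Constructed sample reproducing the described gap: escalation steps at
# 60 and 240 minutes, but nothing fires when the threshold is first crossed.
GAPPED_CONFIG = json.dumps({
    "control_id": "CTRL-TXN-001",
    "data_source": "transaction_log",
    "metric": "failed_transactions_per_hour",
    "threshold": 50,
    "frequency": "daily",
    "last_tested": "2024-03-01",
    "escalation": [
        {"after_minutes": 60, "action": "notify_control_owner"},
        {"after_minutes": 240, "action": "notify_risk_manager"},
    ],
})


def find_gaps(config_json, today="2024-03-20", max_test_age_days=90):
    """Return a list of human-readable gaps found in the configuration.
    `today` is an ISO date string so results are reproducible in tests."""
    cfg = json.loads(config_json)
    today_d = datetime.strptime(today, "%Y-%m-%d").date()
    gaps = []

    if "threshold" not in cfg:
        gaps.append("no threshold defined")

    # The critical gap from the question: no action at the initial breach.
    if not cfg.get("on_breach"):
        gaps.append("no action defined for initial threshold breach")

    esc = cfg.get("escalation", [])
    if not esc:
        gaps.append("no escalation path defined")
    elif not all("action" in s and "after_minutes" in s for s in esc):
        gaps.append("escalation step missing action or timing")

    if not cfg.get("data_source"):
        gaps.append("no data source specified")

    tested = cfg.get("last_tested")
    if tested:
        age = (today_d - datetime.strptime(tested, "%Y-%m-%d").date()).days
        if age > max_test_age_days:
            gaps.append(f"control last tested {age} days ago (>{max_test_age_days})")
    else:
        gaps.append("no last_tested date recorded")

    return gaps


def add_initial_breach_action(config_json, action="alert_on_call_analyst"):
    """Return the configuration with an on_breach action added if absent.
    The action name is a placeholder; a real deployment names its own playbook."""
    cfg = json.loads(config_json)
    cfg.setdefault("on_breach", {"after_minutes": 0, "action": action})
    return json.dumps(cfg)


if __name__ == "__main__":
    print(find_gaps(GAPPED_CONFIG))
    print(find_gaps(add_initial_breach_action(GAPPED_CONFIG)))
```

Run as a pre-deployment check over every monitoring definition; a non-empty result should block the change until the control owner signs off on the gap.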

218
Multi-Selectmedium

Which TWO of the following are appropriate actions when a control deficiency is identified during monitoring? (Select exactly two.)

Select 2 answers
A.Increase the risk appetite
B.Document the deficiency and its impact
C.Assign a remediation plan with deadlines
D.Ignore if the deficiency is minor
E.Immediately terminate the control owner
AnswersB, C

Proper documentation is essential.

Why this answer

Option B is correct because documenting the deficiency and its impact is a fundamental step in the risk and control monitoring process. It ensures that the nature, severity, and potential consequences of the control failure are formally recorded, which is essential for risk assessment, reporting, and audit trails. Without this documentation, the organization cannot properly evaluate the risk exposure or justify remediation efforts. Option C is correct because a remediation plan with an owner and deadlines turns the finding into tracked corrective action rather than an open item.

Exam trap

The trap here is that candidates may confuse 'immediate termination' (Option E) with accountability, but CRISC emphasizes corrective and preventive actions over punitive measures, and ignoring minor deficiencies (Option D) violates the principle of continuous monitoring.

219
MCQmedium

An organization maintains a risk register. Which of the following updates should be made on an ongoing basis?

A.Continuously add new risks as they are identified
B.Update controls only when an incident occurs
C.Revise risk levels only after an internal audit
D.Update the register only during the annual risk assessment
AnswerA

An effective risk register is a living document updated whenever new risks arise.

Why this answer

A risk register is a living document that must be updated continuously to reflect the current threat landscape. New risks can emerge from changes in technology, business processes, or external threats, and failing to capture them promptly leaves the organization exposed to unmitigated vulnerabilities.

Exam trap

The trap here is that candidates often assume risk registers are updated only during formal assessment cycles, but the CRISC exam emphasizes that risk management is a continuous process requiring real-time updates as new risks are identified.

How to eliminate wrong answers

Option B is wrong because controls should be reviewed and updated proactively based on risk changes, not only reactively after an incident occurs. Option C is wrong because risk levels should be revised whenever new information or changes in the environment affect the likelihood or impact, not only after an internal audit. Option D is wrong because an annual update cycle is too infrequent; risks can emerge or change significantly within a year, and the register must be maintained on an ongoing basis to remain relevant.

220
MCQmedium

A retail company recently deployed a point-of-sale (POS) system that processes credit card transactions. The system is connected to the corporate network and transmits transaction data to a payment processor over the internet. During a risk assessment, the IT risk manager identifies that the POS system is vulnerable to malware injection via unvalidated input from barcode scanners. Which of the following is the MOST appropriate risk mitigation strategy?

A.Encrypt all transaction data in transit using TLS 1.2.
B.Install a next-generation firewall at the internet boundary.
C.Implement network segmentation to isolate the POS system from the corporate network.
D.Deploy application-layer input validation and sanitization for barcode scanner inputs.
AnswerD

Input validation directly prevents injection attacks.

Why this answer

Option D is the most appropriate risk mitigation strategy because the vulnerability is specifically malware injection via unvalidated input from barcode scanners. Application-layer input validation and sanitization directly addresses the root cause by ensuring that only expected, safe data is processed by the POS system, preventing injection attacks at the point of entry.

Exam trap

The trap here is that candidates often choose network-level controls like firewalls or encryption, overlooking that the vulnerability originates from local input that never traverses the network boundary.

How to eliminate wrong answers

Option A is wrong because encrypting transaction data in transit with TLS 1.2 protects data confidentiality during transmission but does not prevent malware injection through barcode scanner input. Option B is wrong because a next-generation firewall at the internet boundary inspects traffic leaving or entering the network, but it cannot validate input from a local barcode scanner connected directly to the POS system. Option C is wrong because network segmentation isolates the POS system from the corporate network, which limits lateral movement but does not prevent the initial injection of malware via unvalidated barcode scanner input.
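Option D in practice means treating the scanner as an untrusted input source. The following is an added example, not code from the page or from any POS product: it validates raw keyboard-wedge scanner input with an allowlist (digits only, a known symbology length, and a valid GS1 mod-10 check digit) and contrasts a query built by string concatenation with a parameterized one. The sample scans and the product catalogue are constructed for illustration.

```python
"""Added example: allowlist validation of barcode scanner input for a POS
lookup. Sample scans and the catalogue below are constructed; the check-digit
rule is the standard GS1 mod-10 scheme shared by UPC-A and EAN-13."""
import re

# Constructed stand-in for the POS product table (code -> description).
CATALOGUE = {
    "4006381333931": "Stabilo pen",       # EAN-13
    "036000291452": "Kleenex tissues",    # UPC-A
}

ALLOWED_LENGTHS = (12, 13)                # UPC-A, EAN-13
_DIGITS_ONLY = re.compile(r"^[0-9]+$")


def check_digit_ok(code):
    """GS1 mod-10: weights alternate 3,1,3,... from the right of the body."""
    body, check = code[:-1], int(code[-1])
    total = sum(int(ch) * (3 if i % 2 == 0 else 1)
                for i, ch in enumerate(reversed(body)))
    return (10 - total % 10) % 10 == check


def sanitize_scan(raw):
    """Return the validated code, or None if the scan is rejected.
    Anything other than a known-length, check-digit-valid digit string is
    dropped, which also discards injected keystrokes (CR/LF, quotes, text)."""
    if not isinstance(raw, str) or len(raw) > 64:
        return None
    code = raw.strip("\r\n")        # scanners usually append an Enter suffix
    if not _DIGITS_ONLY.match(code):
        return None                  # embedded CR/LF or letters fail here
    if len(code) not in ALLOWED_LENGTHS:
        return None
    if not check_digit_ok(code):
        return None
    return code


def build_query_vulnerable(raw):
    """The unsafe pattern: scanner bytes are trusted and concatenated into SQL.
    Returned as a string so the example runs without a database."""
    return "SELECT name FROM products WHERE upc = '" + raw.strip("\r\n") + "'"


def build_query_hardened(raw):
    """Validate first, then bind the value; returns (sql, params) or None."""
    code = sanitize_scan(raw)
    if code is None:
        return None
    return ("SELECT name FROM products WHERE upc = ?", (code,))


def lookup_hardened(raw):
    """Catalogue lookup that only ever sees validated codes."""
    code = sanitize_scan(raw)
    return CATALOGUE.get(code) if code else None


if __name__ == "__main__":
    # Constructed scans: a valid product, a check-digit typo, a SQL payload,
    # and a keystroke-injection payload with an embedded newline.
    for scan in ("4006381333931\r", "4006381333932\r",
                 "' OR '1'='1\r", "036000291452\r\ncalc.exe\r"):
        print(repr(scan), "->", sanitize_scan(scan), "|", build_query_vulnerable(scan))
```

The vulnerable builder shows why network controls miss this class of defect: the payload never leaves the till. Rejecting the scan at the application layer, then binding the value, addresses both the keystroke-injection and the query-injection paths.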

221
Matchingmedium

Match each control type to its example.


Firewall blocking unauthorized traffic

Intrusion detection system alerts

Backup restoration after data loss

Security warning banners

Why these pairings

Controls are categorized by their function in risk treatment: a firewall blocking unauthorized traffic is a preventive control, intrusion detection system alerts are a detective control, backup restoration after data loss is a corrective control, and security warning banners are a deterrent control.

222
Multi-Selectmedium

Which TWO of the following are primary techniques for identifying IT risks in an organization? (Choose two.)

Select 2 answers
A.Vulnerability scanning
B.Business impact analysis (BIA)
C.Brainstorming workshops with process owners
D.Control self-assessments
E.Reviewing internal and external audit findings
AnswersC, E

Brainstorming with process owners and reviewing audit findings are direct risk identification techniques.

Why this answer

Correct: C and E. Brainstorming workshops with process owners (C) and reviewing internal and external audit findings (E) are direct risk identification methods. Vulnerability scanning (A) identifies technical weaknesses, which are an input to risk identification rather than a risk identification technique in itself.

BIA (B) focuses on the impact of disruption, which belongs to risk analysis. Control self-assessments (D) test whether controls operate, not whether new risks exist.

223
MCQmedium

Based on the exhibit, which risk response should be prioritized?

A.Implement account lockout policy
B.Avoid by taking the server offline
C.Accept the risk because it's only a single server
D.Transfer the risk to a cloud provider
AnswerA

Account lockout reduces the effectiveness of brute-force attacks.

Why this answer

Option A is correct because implementing account lockout directly addresses the threat of brute-force attacks, which is mitigation.

224
Multi-Selecthard

A risk practitioner is evaluating the effectiveness of existing risk mitigation controls for a critical financial application. Which THREE of the following are key indicators that controls are operating effectively?

Select 3 answers
A.Control testing results show 95% pass rate over the last quarter.
B.Audit findings for the application have been resolved within the agreed remediation timeline.
C.All control owners have completed annual training on their responsibilities.
D.The application's uptime is 99.9% as per service level agreement.
E.The number of security incidents related to the application has decreased by 30% year-over-year.
AnswersA, B, C

Testing pass rate demonstrates control operation.

Why this answer

A is correct because control testing results showing a 95% pass rate over the last quarter provide direct, quantitative evidence that the controls are functioning as intended. This metric is a primary indicator of control effectiveness in risk management frameworks, as it measures the actual performance of control activities against defined criteria. A pass rate of 95% suggests that the vast majority of control tests met their objectives, indicating reliable operation of the controls for the critical financial application.

Exam trap

The trap here is that candidates often confuse outcome-based metrics (like uptime or incident reduction) with direct control effectiveness indicators. Uptime and incident counts are influenced by many factors besides the controls, whereas control testing results, audit remediation timelines, and control-owner training provide direct evidence that the controls operate, that corrective action is taken, and that the people responsible know their duties.

225
MCQmedium

A bank implements a new transaction monitoring system to detect fraudulent activities. After six months, the system has a high false positive rate, causing analysts to miss real threats. Which of the following is the BEST way to address this risk?

A.Accept the false positives as a cost of doing business
B.Tune the system to reduce false positives
C.Remove the monitoring system to focus on other controls
D.Hire additional analysts to review all alerts
AnswerB

Tuning improves detection accuracy.

Why this answer

Option B is correct because tuning the system reduces false positives, improving detection effectiveness and freeing analysts to focus on real threats. Option C is wrong as removal would leave the bank exposed. Option D is wrong as hiring more analysts does not fix the root cause and scales cost with the noise.

Option A is wrong as accepting the false positives leaves analysts missing real threats, which increases risk.
