Certified in Risk and Information Systems Control CRISC (CRISC) — Questions 226300

500 questions total · 7 pages · All types, answers revealed

Page 4 of 7
226
MCQ · hard

A company's control monitoring shows that a detective control has been 100% effective for the past year. However, a recent incident revealed that a data breach went undetected for three months. What is the MOST likely cause?

A. The control failure occurred but was not recorded.
B. The monitoring frequency was insufficient to detect the breach.
C. The control was not designed to detect the type of breach that occurred.
D. The control monitoring logs were tampered with.
Answer: C

Control scope may be narrow.

Why this answer

Option C is correct because the control may not have covered the specific scenario of the breach. Option D is wrong in the absence of any evidence that the logs were altered. Option A is wrong because a 100% effectiveness rating suggests that no failures were recorded. Option B is wrong because if the monitoring itself were correct, it would have caught the breach.

227
Multi-Select · hard

Which TWO of the following are characteristics of quantitative risk analysis compared to qualitative risk analysis? (Select 2)

Select 2 answers
A. It is always easier to communicate to non-technical stakeholders
B. It produces results in monetary values or percentages
C. It supports cost-benefit analysis of controls
D. It requires less specialized expertise to perform
E. It relies solely on expert judgment without numerical data
Answers: B, C

Quantitative outputs are numerical, e.g., ALE, SLE.

Why this answer

Quantitative risk analysis uses numerical data to assign monetary values or percentages to risk components such as asset value, exposure factor, and annualized loss expectancy. This allows for precise, data-driven comparisons and prioritization of risks based on financial impact.

Exam trap

The trap here is that candidates often confuse 'easier to communicate' with quantitative analysis because numbers seem objective, but in reality, qualitative ratings are usually simpler for non-technical audiences to grasp without specialized training.

228
MCQ · medium

During a review, a risk practitioner discovers that a key control for a high-risk process is not operating effectively. The risk owner is reluctant to invest in additional controls due to budget constraints. What should the risk practitioner do FIRST?

A. Accept the risk owner's decision
B. Document the deficiency and move on
C. Communicate the risk exposure to senior management
D. Escalate directly to the board
Answer: C

Senior management needs to be aware of the risk and decide on additional funding.

Why this answer

Option C is correct because the risk practitioner's primary duty is to ensure that senior management is aware of material risk exposures that could impact business objectives. When a key control for a high-risk process is ineffective and the risk owner refuses to remediate due to budget constraints, the practitioner must communicate the residual risk exposure to senior management, who have the authority to allocate resources and make strategic risk acceptance decisions. This aligns with the CRISC framework's emphasis on escalating risk information to the appropriate decision-making level when the risk owner's response is inadequate.

Exam trap

The trap here is that candidates confuse 'documenting the deficiency' (Option B) with completing the risk management process, but CRISC requires active communication of risk exposure to the appropriate authority, not just passive recording.

How to eliminate wrong answers

Option A is wrong because accepting the risk owner's decision without further action would violate the risk practitioner's responsibility to ensure that risk acceptance is based on complete and accurate information; the risk owner's budget-driven refusal does not constitute a valid risk acceptance decision without senior management's informed consent. Option B is wrong because simply documenting the deficiency and moving on fails to address the material risk exposure; documentation is necessary but not sufficient—the practitioner must actively communicate the risk to those who can authorize additional controls or formally accept the risk. Option D is wrong because escalating directly to the board bypasses the proper escalation chain; the board should only be involved for strategic-level risks or after senior management has been informed and has failed to act, not as a first step.

229
MCQ · easy

A manufacturing company uses an industrial control system (ICS) that is connected to the corporate network for monitoring. The risk manager is identifying risks related to this connectivity. Which of the following is the MOST significant risk?

A. Compromise of ICS causing physical damage to manufacturing equipment.
B. Malware infection spreading from corporate to ICS network.
C. Network congestion due to ICS traffic affecting corporate users.
D. Unauthorized access to corporate data through the ICS connection.
Answer: A

Physical damage can lead to safety incidents, production loss, and high repair costs.

Why this answer

The most significant risk is that a compromise of the ICS could lead to physical damage, such as equipment destruction, safety hazards, or environmental release. Unlike IT systems where data loss is the primary concern, ICS failures directly impact the physical world, making safety and operational integrity the top priority in risk identification.

Exam trap

The trap here is that candidates often focus on the most common IT risk (data breach or malware) and overlook the unique ICS risk of physical damage, which is the defining characteristic of operational technology risk management.

How to eliminate wrong answers

Option B is wrong because while malware spreading from corporate to ICS is a real threat, it is a means to an end; the ultimate impact (physical damage) is more significant than the infection itself. Option C is wrong because network congestion is a performance issue, not a safety or integrity risk, and ICS traffic is typically low-bandwidth and predictable. Option D is wrong because unauthorized access to corporate data is a confidentiality risk, which is secondary to the safety and availability risks posed by ICS compromise.

230
MCQ · medium

An organization has implemented a new key risk indicator (KRI) for vendor management that measures the percentage of vendors without a signed contract. The current value is 15%, exceeding the risk appetite threshold of 10%. The risk owner wants to know the most appropriate action to take based on this KRI. What should the risk practitioner recommend?

A. Increase the frequency of KRI reporting from monthly to weekly to monitor the trend.
B. Update the risk appetite threshold to 15% to align with the current value.
C. Immediately communicate the KRI breach to the board of directors.
D. Analyze the root cause of the high percentage and develop a remediation plan.
Answer: D

Root cause analysis and remediation are the correct first steps when a KRI exceeds threshold.

Why this answer

Option D is correct because when a KRI exceeds the risk appetite threshold, the immediate priority is to understand why the breach occurred and to implement corrective actions. Analyzing the root cause and developing a remediation plan directly addresses the underlying issue—vendors without signed contracts—rather than merely monitoring or adjusting thresholds. This aligns with the CRISC principle that KRIs are leading indicators that should trigger risk response, not just reporting changes.

Exam trap

The trap here is that candidates often confuse monitoring actions (like increasing reporting frequency) with risk response actions, or they mistakenly believe that adjusting the threshold to match the current value is a valid risk treatment instead of recognizing it as risk acceptance without proper analysis.

How to eliminate wrong answers

Option A is wrong because increasing reporting frequency from monthly to weekly only monitors the trend without addressing the root cause or reducing the percentage; it is a monitoring action, not a risk treatment action. Option B is wrong because updating the risk appetite threshold to match the current value eliminates the KRI's purpose as an early warning indicator and effectively accepts the risk without analysis or remediation. Option C is wrong because immediate communication to the board is premature before root cause analysis and remediation planning; escalation is appropriate only after the risk owner has assessed the situation and determined the severity.

231
MCQ · medium

Refer to the exhibit. Based on the risk register, which risk response is applied to the risk with the highest inherent risk?

A. Transfer
B. Avoid
C. Accept
D. Mitigate
Answer: A

Risk-001 uses Transfer.

Why this answer

Option A is correct because Risk-001 has an inherent risk rating of High and its recorded response is Transfer. Options B, C, and D are incorrect.

232
Matching · medium

Match each risk response strategy to its definition.


Concepts
Matches

Eliminate the activity that causes the risk

Reduce the likelihood or impact of the risk

Shift the risk to a third party, e.g., insurance

Acknowledge the risk and take no further action

Why these pairings

These are the four primary risk response options per ISACA.

233
MCQ · medium

A risk officer is evaluating the effectiveness of a control that prevents unauthorized changes to configuration files. The control has not detected any unauthorized changes in the past year. What does this indicate?

A. The control is unnecessary because no changes occurred.
B. The control is not configured correctly to detect changes.
C. The control is operating effectively and no violations occurred.
D. Further testing is needed to determine control effectiveness.
Answer: D

Requires validation to confirm.

Why this answer

The absence of detected unauthorized changes does not automatically confirm control effectiveness; it could also indicate that the control is not properly configured to detect changes (e.g., missing file integrity monitoring rules, incorrect baseline, or disabled logging). Further testing—such as manually introducing a test change or reviewing audit logs—is required to verify that the control can actually detect violations. This aligns with CRISC best practices for validating control effectiveness through testing rather than relying solely on absence of alerts.

Exam trap

The trap here is that candidates assume 'no detected violations' equals 'control is effective,' but CRISC emphasizes that absence of evidence is not evidence of absence—further testing is required to rule out detection failures.

How to eliminate wrong answers

Option A is wrong because the control's purpose is to detect unauthorized changes, and the fact that no changes were detected does not prove no changes occurred—it could mean the control missed them. Option B is wrong because while misconfiguration is a possible cause, it is not the only explanation; the control could be correctly configured but simply not have been triggered due to a lack of violations, so concluding misconfiguration without evidence is premature. Option C is wrong because the absence of detected violations does not confirm control effectiveness; it only indicates that no violations were recorded, which could be due to the control failing to detect them (e.g., a false negative scenario).

234
MCQ · hard

A risk practitioner is analyzing the results of a phishing simulation. The simulation had a 15% click rate on a test email targeting finance department staff. Which of the following conclusions is MOST valid regarding IT risk identification?

A. The email filtering system is ineffective
B. There is an increased risk of successful targeted phishing attacks against finance staff
C. This is an effective red team exercise
D. The organization has a low risk of credential theft
Answer: B

Directly identifies a risk from human factors.

Why this answer

A 15% click rate on a targeted phishing simulation indicates that a significant portion of finance staff are susceptible to social engineering, which directly increases the risk of a successful targeted phishing attack. This finding is a key input for IT risk identification because it reveals a control weakness (user awareness) that could be exploited by attackers to gain unauthorized access or initiate fraudulent transactions. The click rate itself is a risk indicator, not a definitive measure of control effectiveness like email filtering.

Exam trap

The trap here is that candidates may confuse a user awareness test result with a direct assessment of technical controls like email filtering, when in fact the simulation is designed to bypass those controls to measure human risk.

How to eliminate wrong answers

Option A is wrong because a 15% click rate does not directly measure the effectiveness of the email filtering system; the simulation email was deliberately allowed through to test user behavior, so filtering bypass is irrelevant to this conclusion. Option C is wrong because the simulation is a test of user awareness, not a red team exercise; red team exercises involve broader adversarial simulation including multiple attack vectors, not just a single phishing email. Option D is wrong because a 15% click rate indicates a non-trivial risk of credential theft, as clicking a phishing link can lead to credential harvesting or malware installation, so the risk is not low.

235
Multi-Select · hard

Which THREE of the following are effective risk identification techniques for a cloud migration project? (Select exactly THREE.)

Select 3 answers
A. Vendor lock-in analysis
B. User acceptance testing (UAT)
C. Cloud security assessment
D. Data classification
E. Network scanning of on-premises infrastructure
Answers: A, C, D

Evaluates risks related to dependency on a single cloud provider, such as migration difficulty.

Why this answer

Vendor lock-in analysis is an effective risk identification technique for cloud migration because it evaluates the dependency on a specific cloud provider's proprietary services, APIs, or data formats. Identifying this risk early allows the organization to plan for portability, avoid costly migration barriers, and negotiate exit strategies. Without this analysis, the project may face unexpected costs or technical constraints when attempting to switch providers or return to on-premises infrastructure.

Exam trap

The trap here is confusing post-migration validation activities (UAT) or on-premises-focused scans with proactive risk identification techniques that are specifically designed to uncover cloud migration risks.

236
MCQ · easy

A medium-sized e-commerce company recently experienced a denial-of-service (DoS) attack that took down its website for two hours. The incident response team quickly mitigated the attack by blocking the source IPs. In the aftermath, the risk manager is tasked with identifying risks to prevent recurrence. The company relies heavily on a single internet service provider (ISP) and has no DDoS protection service. The IT director suggests purchasing additional server capacity to absorb future attacks. The CEO is concerned about the cost. The risk team has identified that the likelihood of a similar attack is high based on recent industry trends, and the impact includes lost revenue and customer trust. What is the MOST effective risk identification action the risk team should take next?

A. Implement a web application firewall (WAF) to filter malicious traffic.
B. Recommend purchasing DDoS protection from a cloud-based provider.
C. Accept the risk because the cost of mitigation exceeds expected loss.
D. Document the risk and evaluate alternative mitigation options, including diversifying ISPs.
Answer: D

Proper documentation and evaluation are core to risk identification.

Why this answer

Option D is correct because the risk team's primary role during risk identification is to document the risk and evaluate alternative mitigation options before committing to a specific solution. Diversifying ISPs addresses the single point of failure in the network architecture, which is a root cause of the DoS vulnerability, and aligns with the principle of defense in depth. Simply blocking source IPs is reactive, and the IT director's suggestion of adding server capacity is a costly and potentially ineffective absorption strategy against volumetric attacks.

Exam trap

The trap here is that candidates confuse risk identification with risk treatment, selecting a specific solution (like a WAF or DDoS protection) instead of first documenting the risk and evaluating all possible options, which is the correct next step in the risk management process.

How to eliminate wrong answers

Option A is wrong because implementing a WAF is a control for application-layer attacks (e.g., SQL injection, XSS) and does not effectively mitigate volumetric or network-layer DoS attacks that saturate bandwidth. Option B is wrong because recommending a specific vendor solution (cloud-based DDoS protection) is a risk treatment decision, not a risk identification action; the risk team must first document and evaluate all options. Option C is wrong because accepting the risk is premature without first documenting the risk and evaluating alternative mitigations; the cost of mitigation may not exceed expected loss when considering reputational damage and customer trust, which are difficult to quantify.

237
MCQ · easy

An organization uses control self-assessments (CSAs) as part of its monitoring program. The results from the latest CSA show that the majority of controls are rated as effective, but an internal audit reveals several control failures in those same areas. What is the MOST likely reason for this discrepancy?

A. The CSA scope was narrower than the audit scope
B. The CSA questionnaire contained documentation errors
C. The inherent risk level of the processes decreased after the CSA
D. CSA respondents may have a bias toward reporting favorable results
Answer: D

Self-assessment can lead to overly optimistic ratings.

Why this answer

Option D is correct because CSA results may be biased when control owners assess their own controls. Option B is wrong because documentation errors would affect both the CSA and the audit. Option C is wrong because a change in inherent risk would not affect the assessment of control effectiveness. Option A is wrong because the scope of a CSA is typically broader than an audit's, not narrower.

238
MCQ · hard

Based on the exhibit, what risk is indicated by the IAM policy?

A. External auditor can access sensitive data from any location
B. Unrestricted public access to the S3 bucket
C. Bucket is configured to allow list operations
D. Data in transit is unencrypted
Answer: A

No IP restriction on the auditor's access.

Why this answer

Option A is correct. The second statement allows the external-auditor user to download objects from the corporate-data bucket without an IP restriction, meaning the auditor can access data from anywhere, not just the internal network. Option B is incorrect because the condition restricts the first statement; it is only the second statement that lacks a restriction.

Option D is incorrect because the policy contains no encryption-related requirement. Option C is incorrect because the policy allows GetObject, not ListBucket, so list operations are not indicated; the risk here is access from anywhere.

239
MCQ · hard

A company's risk management team is evaluating the effectiveness of its control monitoring program. They find that many controls are tested at the same time each year, leading to a resource bottleneck. Which of the following approaches would BEST address this issue?

A. Increase the testing team size
B. Stagger testing cycles across the year
C. Implement continuous monitoring automation
D. Reduce the number of controls tested
Answer: B

Spreading testing evenly throughout the year reduces peak loads and optimizes resource use.

Why this answer

Option B is correct because staggering testing cycles spreads the workload throughout the year. Option D reduces coverage, potentially increasing risk. Option C is a good practice, but implementing continuous monitoring may be costly and does not directly address the existing bottleneck.

Option A is a temporary fix and does not address the root cause, which is scheduling.

240
MCQ · hard

During a quantitative risk analysis, the risk practitioner determines that the single loss expectancy (SLE) for a ransomware attack is $500,000 and the annualized rate of occurrence (ARO) is 0.4. The organization has a risk appetite that accepts annual losses up to $150,000. What is the recommended action?

A. Purchase insurance to cover the potential loss
B. Accept the risk because it is within the organization's risk appetite
C. Reassess using qualitative analysis because the ARO is not precise
D. Implement controls to reduce the likelihood or impact until ALE is below $150,000
Answer: D

Since ALE exceeds appetite, controls are necessary to bring residual risk within tolerance.

Why this answer

The ALE is $500,000 × 0.4 = $200,000, which exceeds the risk appetite of $150,000. Therefore, additional controls are needed to reduce either the SLE or the ARO. Option A is incorrect because residual risk is not yet acceptable; Option B is not justified by cost; Option D applies only if the risk is within appetite.

241
MCQ · medium

After a risk assessment, the risk owner decides to mitigate a high-risk finding by implementing additional access controls. What should the risk manager do NEXT?

A. Update the risk register with the mitigation actions taken.
B. Accept the residual risk on behalf of the organization.
C. Reassess the residual risk level after controls are implemented.
D. Close the risk issue and move to the next priority.
Answer: C

Ensures the mitigation is effective and risk is within tolerance.

Why this answer

After mitigation controls are implemented, the risk manager must reassess the residual risk level to determine whether the controls have effectively reduced the risk to an acceptable level. This step ensures that the risk treatment decision is validated and that any remaining exposure is understood before updating the risk register or closing the issue.

Exam trap

The trap here is that candidates often confuse the order of risk management steps, assuming the risk register update (Option A) is the immediate next action, when in fact the residual risk reassessment must occur first to ensure the mitigation was effective.

How to eliminate wrong answers

Option A is wrong because updating the risk register with mitigation actions should occur after the residual risk has been reassessed, not before; the register must reflect the validated post-control risk level. Option B is wrong because accepting residual risk is a decision made by the risk owner, not the risk manager, and it should only occur after the residual risk has been reassessed and found to be within the organization's risk appetite. Option D is wrong because closing the risk issue without reassessing the residual risk ignores the possibility that the implemented controls may be ineffective or introduce new risks, violating the principle of continuous risk monitoring.

242
MCQ · easy

A multinational corporation is conducting a risk assessment for its new online payment platform. The platform processes transactions in multiple currencies and stores sensitive customer financial data. The risk team has identified that the encryption algorithm used for data at rest is outdated and could be vulnerable to advanced attacks. The company's risk appetite is low for data breaches. The security team recommends upgrading the encryption to a modern standard, but the upgrade will require a 48-hour downtime impacting all global transactions. The business unit is concerned about revenue loss during the downtime. As the risk practitioner, what is the BEST course of action to balance security and business continuity?

A. Accept the risk and delay the upgrade until the next scheduled maintenance window in three months.
B. Plan the upgrade during a low-traffic period and implement compensating controls such as additional monitoring during the downtime.
C. Outsource the payment processing to a third-party vendor that already uses modern encryption.
D. Implement the upgrade immediately to mitigate the vulnerability, accepting the revenue loss.
Answer: B

This reduces risk while minimizing business disruption.

Why this answer

Option B is the best course of action because it balances the need to mitigate a high-risk encryption vulnerability with business continuity. By scheduling the upgrade during a low-traffic period and implementing compensating controls (e.g., enhanced monitoring and intrusion detection), the organization reduces the likelihood of exploitation during the 48-hour downtime while minimizing revenue loss. This aligns with the low risk appetite for data breaches and demonstrates a risk-based decision that treats the vulnerability without accepting unacceptable exposure.

Exam trap

The trap here is that candidates often choose immediate remediation (Option D) without considering business impact, failing to recognize that risk management requires balancing security with operational continuity through compensating controls and scheduling.

How to eliminate wrong answers

Option A is wrong because delaying the upgrade for three months while the encryption algorithm is known to be vulnerable to advanced attacks directly contradicts the company's low risk appetite for data breaches; it effectively accepts a high residual risk that could lead to a catastrophic data breach. Option C is wrong because outsourcing payment processing introduces new risks, such as loss of direct control over sensitive customer financial data, potential compliance issues (e.g., GDPR, PCI DSS), and the complexity of vendor risk management, which does not inherently resolve the immediate vulnerability in the existing platform. Option D is wrong because implementing the upgrade immediately without considering traffic patterns or compensating controls would cause significant revenue loss from a 48-hour global transaction halt, which is not a balanced approach; it ignores the business impact and fails to apply risk treatment options like mitigation through scheduling and compensating controls.

243
MCQ · easy

Refer to the exhibit. Based on the KRI data for the current week, what action should the risk manager take FIRST?

A. Adjust the KRI threshold to 15 per day to reduce false positives.
B. Continue monitoring as all days are within Green or Amber.
C. Investigate Wednesday and Thursday spikes as they are above the Green threshold.
D. Escalate to the risk committee because the threshold was breached.
Answer: C

Amber days should be analyzed to understand root causes and prevent escalation to Red.

Why this answer

Option C is correct. Wednesday (12) and Thursday (15) are in the Amber zone (10-20), indicating a need for investigation. Option D is premature because the Red threshold (>20) was not breached.

Option B ignores the Amber days. Option A suggests adjusting the threshold without understanding the cause of the spikes.

244
MCQ · hard

Refer to the exhibit. Given the organization's risk appetite is Low, which risk response is most appropriate?

A. Accept the current residual risk because it is Medium.
B. Avoid the risk by discontinuing operations.
C. Transfer the risk via insurance.
D. Implement additional monitoring to reduce residual risk to Low.
Answer: D

This aligns with the low risk appetite by reducing residual risk to an acceptable level.

Why this answer

With a Low risk appetite, the organization requires residual risk to be Low. Option D proposes implementing additional monitoring to reduce the Medium residual risk to Low, which aligns with the risk appetite. This is a corrective response that mitigates the risk without unnecessary business disruption.

Exam trap

ISACA often tests the misconception that transferring risk (e.g., insurance) eliminates the risk itself, when in fact it only covers financial loss, leaving the operational risk level unchanged.

How to eliminate wrong answers

Option A is wrong because accepting a Medium residual risk violates the organization's Low risk appetite; acceptance is only appropriate when residual risk is within appetite. Option B is wrong because avoiding the risk by discontinuing operations is an extreme and disproportionate response that unnecessarily halts business functions when a less drastic mitigation (like monitoring) can achieve the required risk level. Option C is wrong because transferring risk via insurance does not reduce the inherent or residual risk level; it only shifts financial impact, leaving the operational risk still at Medium, which still violates the Low risk appetite.

245
Drag & Drop · medium

Order the steps for incident response handling.


Why this order

Incident response follows preparation, detection, containment/eradication/recovery, lessons learned, and reporting.

246
MCQ · hard

An organization is designing a control monitoring program. Which THREE of the following are types of control monitoring activities that should be included?

A. Periodic internal audits of control processes
B. Defining risk appetite statements
C. Continuous automated monitoring of transactions
D. Penetration testing of critical systems
E. Control self-assessments performed by process owners
Answers: A, C, E

Internal audits provide independent assurance on control effectiveness.

Why this answer

Options A, C, and E are correct. Control monitoring includes periodic audits (A), continuous monitoring (C), and control self-assessments (E). Option D is wrong because penetration testing is a point-in-time assessment, not a distinct type of monitoring activity.

Option B is wrong because a risk appetite statement is a boundary, not a monitoring activity.

247
MCQ · medium

After implementing a new web application, the risk owner reports that the residual risk level is still above the risk appetite. Which of the following should be the risk practitioner's FIRST action?

A. Re-evaluate risk treatment options with the risk owner
B. Escalate directly to the board
C. Update the risk register to reflect the residual risk
D. Accept the residual risk
Answer: A

The practitioner should collaborate with the risk owner to identify additional controls or modify existing ones.

Why this answer

When residual risk remains above the risk appetite after treatment, the risk practitioner must first re-evaluate the existing risk treatment options with the risk owner. This collaborative review identifies whether additional controls (e.g., stricter input validation, rate limiting, or Web Application Firewall tuning) can further reduce the risk to an acceptable level before considering escalation or acceptance.

Exam trap

The trap here is that candidates often confuse the urgency of residual risk with the need to immediately escalate or accept it, when the correct first step is to revisit treatment options with the risk owner to see if further controls can close the gap.

How to eliminate wrong answers

Option B is wrong because escalating directly to the board bypasses the proper risk management process; the board should only be informed after all feasible treatment options have been exhausted and documented. Option C is wrong because updating the risk register to reflect residual risk is a documentation step that should occur after determining the final risk response, not as the first action. Option D is wrong because accepting residual risk above the risk appetite without first exploring additional mitigation measures violates the principle of risk reduction and could lead to unacceptable exposure.

248
Multi-Select · medium

Which TWO of the following are key outputs of a risk assessment process?

Select 2 answers
A. Risk register
B. Risk treatment plan
C. Business continuity plan
D. Control design documentation
E. Audit report
Answers: A, B

The risk register is a direct output of the risk assessment.

Why this answer

The risk register is a key output of the risk assessment process because it formally documents identified risks, their assessed likelihood and impact, risk scores, and ownership. This output serves as the central repository for all risk information generated during the assessment, enabling ongoing risk tracking and reporting.

Exam trap

The trap here is that candidates often confuse the risk treatment plan as a separate post-assessment activity, but CRISC explicitly recognizes it as a key output of the risk assessment process because the assessment directly informs and documents the chosen treatment strategies.

249
Multi-Selectmedium

Which TWO of the following are characteristics of an effective key risk indicator (KRI)?

Select 2 answers
A.Based on historical data only.
B.Predictive in nature.
C.Quantifiable.
D.Static.
E.Subjective.
AnswersB, C

A predictive KRI provides early warning of increasing risk.

Why this answer

Effective KRIs are predictive and quantifiable, so options B and C are correct. Options A, D, and E are not characteristics of effective KRIs: an indicator that relies only on historical data, never changes, or depends on subjective judgment cannot give reliable early warning.

250
Multi-Selecthard

An organization uses a risk and control monitoring system that generates weekly reports. The reports show a key control as 'effective' for the past three months. However, during a recent audit, a significant control failure was discovered. Which TWO of the following are MOST likely root causes for this discrepancy? (Choose two.)

Select 2 answers
A.The reporting system had a data integrity issue.
B.The control owner was not reporting accurately.
C.The monitoring frequency was too low.
D.The control test sample was not representative.
E.The KRI thresholds were set too high.
AnswersD, E

A non-representative sample can miss failures.

Why this answer

Options D and E are correct. KRI thresholds set too high would prevent alerts even when failures occur, and a non-representative test sample would miss failures in the rest of the population. Option A is possible but less likely if the system reported objectively.

Option C is possible, but three months of consistent "effective" reporting suggests frequency is not the issue. Option B could be a cause but is less specific than D and E.

251
MCQmedium

A risk manager is evaluating the risk associated with a new third-party vendor that will have access to customer data. The vendor has been in business for 10 years and holds ISO 27001 certification. Which factor should be given the MOST weight when determining the vendor's risk level?

A.The vendor's years in operation.
B.The vendor's ISO 27001 certification.
C.The sensitivity and volume of data the vendor will access.
D.The contractual terms for data protection.
AnswerC

Data sensitivity directly impacts risk magnitude.

Why this answer

The sensitivity and volume of data directly determine the potential impact of a breach, which is a core component of inherent risk. Even with strong controls like ISO 27001, the risk level is primarily driven by the value and quantity of the asset at risk (customer data). In IT risk assessment, the asset's criticality and exposure outweigh historical or certification-based indicators when calculating residual risk.

Exam trap

The trap here is that candidates overvalue certifications and tenure as proxies for security, while the CRISC exam emphasizes that risk is fundamentally tied to the asset's value and exposure, not just the vendor's credentials.

How to eliminate wrong answers

Option A is wrong because years in operation are a proxy for stability, not a direct measure of security posture or the specific risk from data access; a mature vendor can still have weak controls for a particular data type. Option B is wrong because ISO 27001 certification indicates a management system is in place, but it does not guarantee that controls are effectively implemented for the specific data sensitivity or volume, nor does it eliminate the need to assess the asset's inherent risk. Option D is wrong because contractual terms are a risk mitigation mechanism, not a primary risk factor; they define remedies and obligations but do not change the inherent risk posed by the data access itself.

252
MCQeasy

Which risk assessment method uses a matrix to plot likelihood and impact to determine risk level?

A.Delphi technique
B.Annual loss expectancy
C.Qualitative
D.Quantitative
AnswerC

Qualitative assessment uses risk matrices.

Why this answer

The qualitative risk assessment method uses a matrix to plot likelihood and impact, typically with ordinal scales (e.g., high, medium, low) to derive a risk level. This approach is subjective and relies on expert judgment rather than numerical values, making it distinct from quantitative methods.

Exam trap

The trap here is that candidates confuse the qualitative risk matrix with the Delphi technique, which is a consensus-building method, or mistakenly think Annual Loss Expectancy (ALE) is plotted on a matrix, when in fact ALE is a quantitative output.

How to eliminate wrong answers

Option A is wrong because the Delphi technique is a structured communication method for achieving consensus among experts, not a risk assessment method that uses a likelihood-impact matrix. Option B is wrong because Annual Loss Expectancy (ALE) is a quantitative metric calculated as Single Loss Expectancy (SLE) multiplied by Annualized Rate of Occurrence (ARO), not a matrix-based qualitative approach. Option D is wrong because quantitative risk assessment uses numerical values (e.g., monetary amounts, percentages) and formulas like ALE, not a subjective matrix of likelihood and impact.

253
MCQmedium

An organization uses a third-party vendor for payment processing. The vendor's latest SOC 2 report shows a significant control exception in logical access. What is the BEST way to monitor the effectiveness of the compensating controls the vendor has implemented?

A.Accept the risk and apply a monetary penalty to the vendor.
B.Immediately terminate the vendor contract and switch to a new payment processor.
C.Request the vendor to include a clause in the contract that holds them liable for any breaches.
D.Obtain the vendor's remediation plan and schedule a follow-up assessment to verify the compensating controls.
AnswerD

Proactive monitoring of the vendor's corrective actions.

Why this answer

Option D is correct because reviewing the vendor's remediation plan and conducting a follow-up assessment verifies the effectiveness of the compensating controls. Option B is wrong because switching vendors may not be feasible immediately. Option C is wrong because a liability clause is a contractual measure, not monitoring.

Option A is wrong because a penalty does not ensure control effectiveness.

254
MCQhard

A risk assessment for a cloud migration project identifies that the cloud provider does not support encryption keys managed by the customer. Which of the following risk scenarios is MOST directly related to this finding?

A.Service availability disruption
B.Data loss due to misconfiguration
C.Unauthorized access by cloud provider employees
D.Non-compliance with data residency requirements
AnswerC

Directly related to key management control.

Why this answer

When the cloud provider does not support customer-managed encryption keys, the provider retains control over the key material. This means that provider employees with administrative access to the key management system could potentially decrypt and access customer data, leading to unauthorized access. This directly creates a risk scenario of unauthorized access by cloud provider employees, as the customer loses the ability to enforce separation of duties and key sovereignty.

Exam trap

The trap here is that candidates often confuse encryption key management with data residency or misconfiguration risks, but the core issue is that provider-managed keys eliminate the customer's ability to prevent the provider from decrypting their data, directly enabling unauthorized access by provider employees.

How to eliminate wrong answers

Option A is wrong because service availability disruption is typically caused by outages, DDoS attacks, or resource exhaustion, not by the lack of customer-managed encryption keys. Option B is wrong because data loss due to misconfiguration (e.g., public S3 buckets, incorrect retention policies) is a separate risk that can occur regardless of who manages the encryption keys. Option D is wrong because non-compliance with data residency requirements is about where data is stored geographically, not about who controls the encryption keys; even with provider-managed keys, data can be stored in compliant regions.

255
Multi-Selectmedium

Which TWO of the following are appropriate criteria for selecting key risk indicators (KRIs)?

Select 2 answers
A.Indicators that are quantifiable and reliable
B.Indicators that only cover financial risks
C.Indicators that provide early warning of potential risk events
D.Indicators that measure historical losses
E.Indicators that are easy to collect regardless of relevance
AnswersA, C

Essential for effective monitoring.

Why this answer

Option A is correct because key risk indicators (KRIs) must be quantifiable and reliable to provide objective, measurable data that can be consistently tracked over time. Quantifiable indicators allow for trend analysis and threshold setting, while reliability ensures the data source is accurate and repeatable, which is essential for effective risk monitoring in IT environments such as network security or system availability.

Exam trap

ISACA often tests the distinction between leading and lagging indicators, and the trap here is that candidates confuse historical loss metrics (lagging) with KRIs (leading), or assume that any easy-to-collect metric is automatically a valid KRI.

256
MCQeasy

A technology company has implemented a risk and control monitoring program for its software development lifecycle. The program includes key risk indicators (KRIs) such as number of critical bugs found in production, code review coverage, and time to patch vulnerabilities. After six months, the risk committee noticed that the KRI for code review coverage is consistently green (within threshold), but the number of critical bugs in production remains high. The risk manager suspects a disconnect between the KRI and actual risk. What should the risk manager do FIRST?

A.Implement additional testing controls to catch bugs before production.
B.Reduce the code review coverage target to lower the risk appetite.
C.Review the KRI definition and data source to ensure it reflects effective code review.
D.Adjust the code review coverage threshold to a higher percentage.
AnswerC

The KRI may be measuring review quantity, not quality.

Why this answer

Option C is correct because the KRI may not be accurately measuring risk; reviewing the KRI definition and data source will identify whether it is measuring the right thing. Option D is wrong because simply raising the threshold does not address the underlying measurement issue. Option B is wrong because reducing coverage would likely increase risk.

Option A is wrong because additional testing is a separate issue; the KRI itself needs investigation first.

257
Drag & Dropmedium

Arrange the steps for performing a vulnerability assessment.

Why this order

A vulnerability assessment proceeds in order: define the scope, scan, analyse the findings, prioritize them, and report.

258
MCQhard

The policy in the exhibit is intended to enforce what security control?

A.Data classification
B.Access control
C.Encryption at rest
D.Encryption in transit
AnswerD

aws:SecureTransport enforces HTTPS for data in transit.

Why this answer

The policy explicitly requires TLS 1.2 or higher for all data transmissions, which enforces encryption in transit. This ensures that data is protected from interception or tampering while moving across networks, as opposed to being stored (at rest) or managed via classification or access rules.

Exam trap

The trap here is that candidates confuse 'encryption in transit' with 'encryption at rest' because both involve encryption, but the policy's focus on transmission protocols (TLS) clearly distinguishes it as a network-layer control.

How to eliminate wrong answers

Option A is wrong because data classification involves labeling data based on sensitivity, not enforcing encryption during transmission. Option B is wrong because access control governs who can view or modify data, not how data is encrypted while moving. Option C is wrong because encryption at rest protects stored data on disk or in databases, not data in transit over a network.

259
MCQeasy

Which of the following is the PRIMARY purpose of a risk register?

A.To track the status of risk remediation actions
B.To document identified risks, their analysis, and planned responses
C.To provide real-time alerts for risk events
D.To satisfy regulatory compliance requirements
AnswerB

The risk register is the central repository for risk information.

Why this answer

The risk register is the central repository for documenting identified risks, their analysis (including likelihood and impact), and the planned responses. While it can be used to track remediation actions, its primary purpose is to serve as the authoritative record of risk information, enabling informed decision-making and ongoing risk management.

Exam trap

The trap here is that candidates confuse the risk register's primary purpose (documentation and analysis) with its secondary uses (tracking remediation or compliance), leading them to select a plausible but incorrect option like A or D.

How to eliminate wrong answers

Option A is wrong because tracking the status of risk remediation actions is a secondary function of the risk register, not its primary purpose; that tracking is often managed via action plans or issue logs. Option C is wrong because a risk register is a static or periodically updated document, not a real-time alerting system; real-time alerts are provided by monitoring tools, SIEMs, or automated risk dashboards. Option D is wrong because while a risk register may help satisfy regulatory compliance requirements, that is a beneficial outcome, not the primary purpose; the core purpose is to document and manage risks, not to meet compliance obligations.

260
MCQhard

Based on the exhibit, what control monitoring deficiency is evident in the DLP policy?

A.The policy does not monitor or block credit card data exfiltration via cloud storage applications (e.g., Dropbox, OneDrive).
B.Alerts are not sent to the appropriate team.
C.Log retention is insufficient for forensic analysis.
D.The rules are too broadly defined and may cause false positives.
AnswerA

Missing coverage for common data loss vectors.

Why this answer

Option A is correct because the policy has no rule to block credit card data being uploaded to cloud storage or other file-sharing services; it only blocks external email and large files, leaving a gap. Option B is wrong because alerts are already sent to the security team. Option D is wrong because the policy is specific to PCI-DSS and the rules are narrowly defined.

Option C is wrong because logging is configured.

261
MCQeasy

An organization is updating its asset inventory to improve IT risk identification. Which of the following asset attributes is MOST critical for assessing cybersecurity risk?

A.Criticality rating based on business impact
B.IP address and location
C.Asset owner contact information
D.Software vendor name
AnswerA

Directly feeds into risk calculation.

Why this answer

For assessing cybersecurity risk, the most critical attribute is the criticality rating based on business impact because it directly quantifies the potential harm from a security incident. Without knowing which assets are most vital to business operations, risk prioritization becomes arbitrary, leading to misallocated security controls. This aligns with the CRISC focus on risk-based decision-making, where impact drives the urgency of mitigation.

Exam trap

The trap here is that candidates often confuse operational attributes (like IP address or owner) with risk attributes, assuming that knowing where an asset is or who owns it is sufficient for risk assessment, when in fact business impact is the primary driver of risk prioritization.

How to eliminate wrong answers

Option B is wrong because IP address and location are operational attributes that help with network mapping and incident response, but they do not indicate the asset's importance or the severity of risk if compromised. Option C is wrong because asset owner contact information is useful for accountability and notification, but it does not influence the inherent risk level of the asset itself. Option D is wrong because the software vendor name alone provides no insight into the asset's business value or the specific vulnerabilities that could be exploited; it is merely a procurement detail.

262
MCQhard

A software development team is adopting Agile methodology and wants to integrate risk identification into their sprints. Which approach BEST aligns with Agile principles while ensuring effective risk identification?

A.Conduct a risk workshop at the start of the project only
B.Assign risk identification solely to the product owner
C.Perform an annual risk assessment
D.Incorporate a risk identification task in each sprint backlog and review risks during sprint retrospectives
AnswerD

Continuous risk identification fits Agile's iterative nature.

Why this answer

Option D is correct because Agile emphasizes iterative, continuous improvement, and integrating risk identification into each sprint backlog ensures risks are identified and addressed as the project evolves. Reviewing risks during sprint retrospectives aligns with the Agile principle of inspecting and adapting, making risk management a recurring, team-driven activity rather than a one-time event. This approach is effective because it captures risks that emerge from changing requirements, technical debt, or integration issues during development.

Exam trap

The trap here is that candidates may think risk identification is a one-time planning activity (Option A) or a single role's responsibility (Option B), but CRISC emphasizes that risk identification must be continuous and collaborative in Agile environments to be effective.

How to eliminate wrong answers

Option A is wrong because conducting a risk workshop only at the start of the project violates the Agile principle of continuous feedback and adaptation; risks that emerge later in development (e.g., from new dependencies or scope changes) would be missed. Option B is wrong because assigning risk identification solely to the product owner contradicts the Agile principle of cross-functional team ownership and collaboration; risk identification is a shared responsibility that benefits from diverse technical perspectives. Option C is wrong because performing an annual risk assessment is too infrequent for Agile sprints, which typically last 1-4 weeks; this approach would fail to identify rapidly emerging risks such as security vulnerabilities introduced by new code or third-party library updates.

263
MCQhard

A large enterprise uses a risk matrix with impact categories (very low, low, medium, high, very high) and likelihood (rare, unlikely, possible, likely, almost certain). A risk identified has a 'likely' likelihood and 'high' impact. According to the matrix, risks with this combination are classified as 'high' risk. The risk appetite statement requires that all high risks have a response plan within 30 days. However, the risk owner argues that due to effective compensating controls, the residual risk is only 'medium'. Which of the following is the BEST course of action?

A.Formalize the risk treatment plan and include the compensating controls in the risk register.
B.Implement additional controls to ensure the residual risk becomes low.
C.Accept the risk as is, since controls reduce it to acceptable level.
D.Document the residual risk as medium and extend the response deadline beyond 30 days.
AnswerA

Formalizing the plan and documenting controls shows that the risk is managed and residual risk is acceptable.

Why this answer

Option A is correct because the organization should formally document the compensating controls and update the risk register to reflect the residual risk. This ensures that the risk management process captures the true risk position. Option D is wrong because extending the deadline does not address the residual risk.

Option B is unnecessary if the residual risk is within appetite. Option C lacks formality and may not satisfy the requirement.

264
MCQeasy

Which of the following is the BEST indicator that a risk assessment should be performed outside the normal cycle?

A.A new regulation is proposed
B.An employee leaves the company
C.A major IT infrastructure change
D.The annual budget is approved
AnswerC

Introduces new risks that need assessment.

Why this answer

A major IT infrastructure change introduces new or altered assets, data flows, and threat surfaces that were not considered in the previous risk assessment cycle. This change can invalidate existing control assumptions and risk ratings, making an ad-hoc assessment necessary to identify and evaluate emerging risks before they materialize.

Exam trap

The trap here is confusing routine operational events (like employee turnover or budget cycles) with events that fundamentally change the risk profile, leading candidates to overlook the necessity of an ad-hoc assessment triggered by a significant technical change.

How to eliminate wrong answers

Option A is wrong because a proposed regulation is not yet enacted; risk assessments are triggered by compliance requirements only after the regulation is finalized and effective. Option B is wrong because an employee departure is a personnel event that typically triggers an access review or segregation-of-duties check, not a full risk assessment outside the normal cycle. Option D is wrong because budget approval is a financial planning event that does not directly alter the risk landscape; it may enable risk treatment actions but does not itself require a new risk assessment.

265
Multi-Selecteasy

A risk manager is designing a monitoring and reporting framework. Which THREE of the following are essential components of an effective risk and control monitoring program?

Select 3 answers
A.Control self-assessments (CSAs)
B.Key performance indicators (KPIs)
C.Risk reporting dashboards
D.Key risk indicators (KRIs)
E.Risk response plans
AnswersA, C, D

CSAs involve business owners evaluating control effectiveness, which is essential for monitoring.

Why this answer

Control self-assessments (CSAs) are essential because they empower process owners to evaluate the design and operating effectiveness of internal controls, providing firsthand evidence for the monitoring program. This bottom-up approach complements top-down testing by identifying control gaps and remediation needs directly from those who execute the controls, which is critical for a comprehensive risk and control monitoring framework.

Exam trap

ISACA often tests the distinction between KPIs and KRIs, where candidates mistakenly select KPIs because they confuse operational performance metrics with risk indicators, but KPIs do not directly measure risk exposure or control effectiveness.

266
MCQmedium

An employee with access to sensitive financial data has been observed accessing systems outside of normal working hours and exhibiting erratic behavior. The IT risk manager suspects insider threat. What is the most appropriate risk response?

A.Terminate the employee immediately
B.Implement additional monitoring and restrictions
C.Accept the risk as the employee is trusted
D.Transfer via fidelity insurance
AnswerB

Mitigation through controls reduces the risk.

Why this answer

Option B is correct because additional monitoring and restrictions address the risk without premature termination. Options A, C, and D are either too harsh or insufficient.

267
MCQeasy

A mid-sized retail company processes over 1 million credit card transactions daily. It uses an automated monitoring system with static thresholds to flag potential fraud. Recently, the fraud detection team has been overwhelmed by a 40% increase in false positive alerts, causing legitimate transactions to be delayed and customer service complaints to rise. The risk manager is tasked with improving the situation. After reviewing the alert logs, it is clear that the thresholds have not been updated in 18 months, and transaction patterns have shifted due to seasonal promotions and new payment methods. The team has limited resources and cannot handle the current alert volume. What should the risk manager recommend as the most effective course of action?

A.Perform a root cause analysis on the false positives to refine the detection rules and thresholds.
B.Deploy an additional monitoring tool with machine learning capabilities.
C.Engage an external fraud detection consultant to review the system.
D.Immediately increase the alert thresholds to reduce the volume of alerts.
AnswerA

This directly addresses why false positives are high and enables data-driven adjustments.

Why this answer

Performing a root cause analysis to refine the detection rules addresses the core issue of outdated thresholds causing false positives. Option D (increasing thresholds) might reduce alerts but could miss true positives. Option C (engaging consultants) is costly and not immediate.

Option B (deploying more tools) adds complexity without fixing the root cause.

268
Multi-Selecteasy

Which TWO of the following are key inputs to a risk assessment?

Select 2 answers
A.Asset inventory
B.Threat intelligence feeds
C.Employee satisfaction survey
D.Business continuity plan
E.Risk appetite statement
AnswersA, B

Identifies what needs to be protected.

269
Multi-Selectmedium

Which THREE of the following are key components of a risk assessment report?

Select 3 answers
A.Risk register with identified risks
B.Copies of vendor contracts
C.Recommended risk response actions
D.Network topology diagram
E.Risk analysis (likelihood and impact)
AnswersA, C, E

The risk register lists all identified risks and their attributes.

Why this answer

A risk register is a core component of a risk assessment report because it formally documents each identified risk, its owner, status, and tracking information. This register serves as the authoritative record that links risk identification to subsequent analysis and response activities, ensuring traceability throughout the risk management lifecycle.

Exam trap

The trap here is that candidates confuse supporting artifacts (like network diagrams or contracts) with mandatory report components, but the CRISC exam specifically tests that the risk assessment report must include the risk register, risk analysis, and risk response recommendations as its key deliverables.

270
Multi-Selectmedium

Which TWO of the following are examples of risk avoidance? (Select TWO.)

Select 2 answers
A.Accepting the risk
B.Installing a firewall
C.Deciding not to enter a new market
D.Purchasing insurance
E.Discontinuing a risky product line
AnswersC, E

Not entering the market avoids the associated risks.

Why this answer

Options C and E are correct because discontinuing a product line and not entering a market both eliminate the risk by avoiding the activity that creates it.

271
MCQmedium

A company has implemented a key risk indicator (KRI) for system availability, with a threshold of 99.5%. The monitoring team observes that availability has dropped to 99.2% for two consecutive months. What is the most appropriate next step?

A.Implement additional redundancy to improve availability.
B.Increase the threshold to 99.0% to avoid false alarms.
C.Notify the risk owner and initiate a root cause analysis.
D.Escalate immediately to the board of directors.
AnswerC

Standard practice for threshold breaches.

Why this answer

Option C is correct because a sustained breach of a KRI threshold (99.2% vs. 99.5%) for two consecutive months indicates a systemic issue that requires formal risk management action. The risk owner must be notified to assess the impact, and a root cause analysis (RCA) should be initiated to identify underlying failures—such as network congestion, hardware faults, or software bugs—before any remediation is planned.

Exam trap

The trap here is that candidates often jump to immediate remediation (Option A) or threshold adjustment (Option B), failing to recognize that the CRISC framework mandates a structured risk response starting with notification and analysis before any control changes.

How to eliminate wrong answers

Option A is wrong because implementing additional redundancy without first understanding the root cause could waste resources on the wrong fix (e.g., adding servers when the issue is a misconfigured load balancer or a DDoS attack). Option B is wrong because lowering the threshold to 99.0% is a form of risk acceptance without analysis, which violates the principle of maintaining objective KRIs and could mask a deteriorating service level agreement (SLA). Option D is wrong because immediate escalation to the board is premature; the board should be informed only after the risk owner has assessed the situation and determined that the risk exceeds the enterprise risk appetite, not for a single KRI breach.

272
MCQhard

An organization is considering outsourcing its IT support to a third-party provider. The risk manager has identified that the provider's data handling practices may not comply with regulatory requirements. Which of the following is the BEST risk response strategy?

A.Mitigate by regularly monitoring the provider
B.Avoid by keeping IT support in-house
C.Transfer the risk through the outsourcing contract
D.Accept the risk because the provider is cheaper
AnswerB

Avoidance is appropriate when compliance cannot be assured.

Why this answer

Option B is correct because the most effective response is to avoid the risk by not outsourcing if compliance cannot be ensured. Option C is wrong because transferring the risk via contract may not be sufficient. Option A is wrong because mitigation through monitoring may not ensure compliance.

Option D is wrong because acceptance is not appropriate when regulatory non-compliance is possible.

273
MCQeasy

A SOC analyst observes repeated failed login attempts from an external IP address targeting a user account. What is the best next step in the IT risk identification process?

A.Block the IP address immediately
B.Conduct a vulnerability scan of the target system
C.Investigate if the IP address is associated with known malicious activity
D.Escalate to the incident response team
AnswerC

Checking the IP against threat intelligence helps identify whether this is a known attacker, informing risk assessment.

Why this answer

Option C is correct because the first step in the IT risk identification process is to validate whether the observed event represents a genuine threat. Investigating the external IP address against threat intelligence feeds (e.g., VirusTotal, AlienVault OTX) confirms if it is associated with known malicious activity, such as a botnet or brute-force campaign, before taking any action. This aligns with the CRISC risk identification phase, where the goal is to characterize the risk event, not immediately respond or escalate.

Exam trap

ISACA often tests the distinction between risk identification and risk response, trapping candidates who jump to blocking or escalation without first validating the threat through investigation.

How to eliminate wrong answers

Option A is wrong because immediately blocking the IP address is a reactive response that bypasses the risk identification process; the IP could be a legitimate user behind a NAT or a false positive from a misconfigured proxy, and blocking without investigation may disrupt business operations. Option B is wrong because conducting a vulnerability scan of the target system addresses system weaknesses, not the immediate event of failed login attempts; vulnerability scanning is part of risk assessment, not risk identification, and does not confirm if the IP is malicious. Option D is wrong because escalating to the incident response team is premature before confirming the IP is malicious; incident response is triggered after risk identification and validation, not as the first step.

274
MCQeasy

An organization decides to outsource its data center operations to a third party. This is an example of which risk response?

A.Risk reduction
B.Risk transfer
C.Risk acceptance
D.Risk avoidance
AnswerB

Outsourcing shifts responsibility for running the infrastructure, and contractual liability for its failure, to the third party; accountability for the data stays with the organization.

Why this answer

Outsourcing data center operations shifts responsibility for running the infrastructure, and the financial consequences of its failure, to a third-party provider. This is a classic risk transfer response because the organization retains ownership of the data and accountability to its customers and regulators, but moves the liability for physical security, hardware maintenance, and uptime to the vendor through contractual agreements such as SLAs with penalty clauses.

Exam trap

The trap here is that candidates confuse risk transfer with risk reduction, mistakenly thinking that outsourcing reduces the risk of hardware failure, when in fact it only shifts the financial liability for that failure, not the operational impact on the business.

How to eliminate wrong answers

Option A is wrong because risk reduction involves implementing controls to lower the likelihood or impact of a risk, such as deploying redundant power supplies or fire suppression systems, not outsourcing operations. Option C is wrong because risk acceptance means formally acknowledging the risk and choosing to bear it without additional action, which contradicts the active decision to engage a third party. Option D is wrong because risk avoidance would mean ceasing the activity that generates the risk, such as shutting down the data center entirely, rather than transferring its management to another entity.

275
MCQeasy

An organization is considering migrating its customer database to a public cloud provider. Which of the following is the PRIMARY risk identification technique that should be used to identify potential data exposure risks?

A.Vulnerability scanning
B.Threat modeling
C.Penetration testing
D.Business impact analysis
AnswerB

Threat modeling systematically identifies threats relevant to the cloud migration.

Why this answer

Threat modeling is the primary risk identification technique for proactively identifying potential data exposure risks during a cloud migration. It systematically analyzes the system architecture, data flows, and trust boundaries to uncover threats such as misconfigured access controls, insecure APIs, or data leakage between tenants. Unlike reactive techniques, threat modeling focuses on design-level vulnerabilities before they are exploited.

Exam trap

The trap here is that candidates confuse vulnerability scanning (a reactive, point-in-time check) with proactive risk identification, but threat modeling is the only technique that addresses design-level data exposure risks before migration.

How to eliminate wrong answers

Option A is wrong because vulnerability scanning identifies known software flaws (e.g., CVEs) in running systems but does not assess architectural risks like data exposure from shared cloud storage or improper IAM policies. Option C is wrong because penetration testing validates exploitability of existing vulnerabilities after deployment, not the proactive identification of data exposure risks during migration planning. Option D is wrong because business impact analysis prioritizes critical assets and recovery objectives, not the technical identification of data exposure threats.

276
MCQmedium

An organization is designing a risk and control monitoring program for a new cloud-based application. Which of the following is the MOST important factor to consider when selecting Key Risk Indicators (KRIs)?

A.Historical loss data availability.
B.Ease of automated data collection.
C.Industry best practices.
D.Alignment with strategic objectives.
AnswerD

KRIs should reflect the organization's risk appetite and objectives to be meaningful.

Why this answer

Option D is correct because KRIs must be aligned with risk appetite and strategic objectives so that they measure what matters to the business. Option B is wrong because ease of collection is secondary to relevance; an easily collected indicator that tracks the wrong thing gives false assurance. Option A is wrong because historical loss data may not exist for a new cloud application. Option C is wrong because industry best practices are a starting point, not the primary selection criterion; they must be tailored to the organization's own objectives.

277
MCQhard

You are the IT risk manager for a mid-sized e-commerce company. The company processes credit card payments and stores customer data. Recently, the company experienced a security incident where an attacker exploited a SQL injection vulnerability in the web application, exfiltrating a database of customer records. The vulnerability was introduced three months ago during a feature upgrade. The development team claims they followed secure coding guidelines, but the vulnerability was missed due to insufficient testing. The company's risk appetite is moderate, and they have a risk management policy that requires risks to be treated within 30 days of identification. The CISO wants to know the most effective way to reduce the likelihood of similar incidents. You have assessed that the current risk score for web application vulnerabilities is 16 (High). The company has a bug bounty program, but it has not been effective. Which of the following courses of action would BEST address the root cause and reduce the risk?

A.Increase the frequency of vulnerability scanning and patch management.
B.Deploy a web application firewall (WAF) to block SQL injection attempts.
C.Increase the reward amounts in the bug bounty program to attract more researchers.
D.Implement a secure software development lifecycle (SSDLC) with mandatory security training, code reviews, and automated security testing.
AnswerD

This addresses the root cause by preventing vulnerabilities from being introduced.

Why this answer

Option D is correct because the root cause of the incident is a failure in the development process: secure coding guidelines were followed but insufficient testing allowed a SQL injection vulnerability to be introduced. Implementing a Secure Software Development Lifecycle (SSDLC) with mandatory security training, code reviews, and automated security testing directly addresses this root cause by embedding security controls into every phase of development, preventing vulnerabilities from being introduced in the first place. This is the most effective way to reduce the likelihood of similar incidents, as it proactively fixes the process rather than relying on reactive measures.

Exam trap

The trap here is that candidates often choose a compensating control (like a WAF or vulnerability scanning) because it seems faster or more familiar, but the question asks for the BEST way to reduce likelihood by addressing the root cause, which requires a preventive, process-level change like SSDLC.

How to eliminate wrong answers

Option A is wrong because increasing vulnerability scanning and patch management detects vulnerabilities after deployment instead of preventing their introduction during development; it does not address the root cause of insufficient testing in the SDLC. Option B is wrong because a WAF is a compensating control: it lowers the chance that a given SQL injection attempt succeeds, but it does nothing to stop the next vulnerability from being introduced, can be bypassed by encoding tricks or defeated by misconfiguration, and leaves the flawed code in place. Option C is wrong because increasing bug bounty rewards may attract more researchers, but the program has already been ineffective, and relying on external researchers to find vulnerabilities after release is reactive and does not prevent the introduction of vulnerabilities during development.
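As an added example (constructed for this page, not code from the exam material or any real application), here is the root-cause pattern behind question 277 next to the fix an SSDLC code review would require, plus the regression test an automated pipeline step would run on every commit. The table, the single account, the plaintext password and both login functions are assumptions made for illustration; the payload has the same shape as the classic `' OR '1'='1` input.

```python
"""Added example (constructed, not from the exam page): the SQL injection root cause and its fix."""
import sqlite3

# Classic tautology payload; the closing quote comes from the query text itself.
PAYLOAD = "admin' OR '1'='1"


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table with one account. Passwords are stored in clear only to keep the example short."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct horse battery staple')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The flaw: user input is pasted into the SQL text, so input can change the query's structure."""
    sql = (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    # With PAYLOAD the statement becomes:
    #   ... WHERE username = 'admin' OR '1'='1' AND password = 'wrong'
    # AND binds tighter than OR, so the 'admin' row matches regardless of the password.
    return conn.execute(sql).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The fix: a parameterized query. Values travel separately from the SQL text and are never parsed as SQL."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


def injection_regression_test(login) -> bool:
    """The kind of automated security test an SSDLC runs in CI on every commit: the login
    function must reject the payload when the password is wrong and still accept valid
    credentials. Returns True when the function under test holds, False when it is injectable."""
    conn = make_db()
    bypassed = login(conn, PAYLOAD, "wrong")
    still_works = login(conn, "admin", "correct horse battery staple")
    return (not bypassed) and still_works


def demo() -> dict:
    """Runs both implementations through the same test so the difference is visible."""
    return {
        "vulnerable_passes_test": injection_regression_test(login_vulnerable),
        "safe_passes_test": injection_regression_test(login_safe),
    }


if __name__ == "__main__":
    print(demo())
```

The test function is the piece that belongs in the pipeline: a WAF in front of `login_vulnerable` might block this particular payload, but only the parameterized version makes the test pass, which is what "addressing the root cause" means in practice.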

278
MCQhard

A global financial services firm has implemented a risk monitoring system that aggregates data from 50+ systems across three regions (Americas, EMEA, APAC). The system uses a centralized data lake and provides dashboards to regional risk committees. Recently, the APAC committee reported that their dashboard shows a spike in cyber risk indicators, but the Americas and EMEA dashboards show no change. The data source for the spike is a single system in APAC that tracks failed VPN logins. The risk owner for that system believes the spike is due to a misconfiguration during a recent patch. However, the APAC risk committee is concerned that this indicates a coordinated attack. The Chief Risk Officer (CRO) wants a clear assessment. Which course of action is most appropriate?

A.Recommend implementing additional monitoring controls across all regions to detect similar spikes.
B.Advise the CRO that the spike is likely a false positive due to the recent patch and recommend the system owner confirm and fix the misconfiguration.
C.Suggest the APAC committee accept the risk based on the system owner's opinion.
D.Immediately escalate to the board and activate the incident response team.
AnswerB

Addresses the likely cause directly.

Why this answer

Option B is correct because the spike originates from a single system in APAC tracking failed VPN logins, and the risk owner has identified a misconfiguration from a recent patch as the cause. This is a classic false positive scenario where a technical anomaly (e.g., a patch altering authentication timeout or lockout thresholds) generates an alert spike without evidence of lateral movement or other indicators. The CRO needs a clear assessment, and the most appropriate action is to confirm the misconfiguration and fix it, rather than escalating or adding controls prematurely.

Exam trap

The trap here is that candidates may overreact to a spike in risk indicators and choose escalation (Option D) or broad control additions (Option A), failing to recognize that a single-system anomaly with a plausible technical explanation (patch misconfiguration) should first be investigated and confirmed before any further action.

How to eliminate wrong answers

Option A is wrong because implementing additional monitoring controls across all regions would be a reactive, resource-intensive response to a single-system anomaly that is likely a false positive, and it does not address the root cause (the misconfiguration). Option C is wrong because suggesting the APAC committee accept the risk based solely on the system owner's opinion bypasses the need for verification and documentation, which is critical in a regulated financial services environment. Option D is wrong because immediately escalating to the board and activating the incident response team is a severe overreaction to a single-system spike with a known probable cause (patch misconfiguration), and it would waste resources and cause unnecessary alarm.
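The validation step in question 273 and the spike triage in question 278 come down to the same analysis of failed-login records, so here is one added example (constructed for this page, not ISACA material or any vendor's code) covering both: it checks observed sources against a local stand-in for a threat-intelligence feed and profiles the failures to tell a credential attack from a post-patch configuration fault. All records, addresses, usernames, the patch time and the triage thresholds are assumptions.

```python
"""Added example (constructed): validating a failed-login spike before responding."""
from collections import Counter
from datetime import datetime, timezone

# Constructed records: (timestamp, source IP, username, failure reason). 203.0.113.0/24 is a
# documentation range and 10.0.0.0/8 is private; no address here refers to a real host.
ACCOUNTS = ["admin", "root", "jsmith", "akumar", "mlee", "svc_backup"]
BEFORE_PATCH = [
    (f"2024-05-10T08:00:{s:02d}Z", "203.0.113.7", user, "bad_password")
    for s, user in enumerate(ACCOUNTS * 3)
]
# After the gateway patch: ordinary users, each from their own address, all failing the same new way.
AFTER_PATCH = [
    (f"2024-05-10T09:15:{s:02d}Z", f"10.20.{s}.5", user, "cert_validation_failed")
    for s, user in enumerate(["jsmith", "akumar", "mlee", "tnguyen", "rgarcia", "bwong", "okim", "pdas"])
]
PATCH_TIME = datetime(2024, 5, 10, 9, 0, tzinfo=timezone.utc)
THREAT_INTEL = {"203.0.113.7"}  # local stand-in for a feed lookup (OTX, VirusTotal, an internal blocklist)


def parse_ts(ts: str) -> datetime:
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def since(records, start: datetime) -> list:
    """Records at or after a point in time, e.g. the patch window under suspicion."""
    return [r for r in records if parse_ts(r[0]) >= start]


def known_bad_sources(records, intel: set) -> set:
    """Question 273: check the observed sources against threat intelligence before blocking or escalating."""
    return {src for _, src, _, _ in records if src in intel}


def profile(records) -> dict:
    """Shape of the failures: how many sources and accounts, and whether one reason dominates."""
    sources = Counter(src for _, src, _, _ in records)
    users = Counter(user for _, _, user, _ in records)
    reason, count = Counter(r for _, _, _, r in records).most_common(1)[0]
    return {
        "events": len(records),
        "distinct_sources": len(sources),
        "distinct_users": len(users),
        "max_users_per_source": max(len({u for _, s, u, _ in records if s == src}) for src in sources),
        "dominant_reason": reason,
        "dominant_reason_share": count / len(records),
    }


def triage(records, intel: set = THREAT_INTEL) -> str:
    """Question 278. The thresholds are this example's assumption, not an ISACA or vendor rule:
    one source working through many accounts (or a source on a threat list) reads as a credential attack;
    many users, each from their own address, all failing with one new reason reads as a configuration change."""
    if not records:
        return "no failures in window"
    p = profile(records)
    if known_bad_sources(records, intel) or p["max_users_per_source"] >= 5:
        return "credential-attack pattern: treat as a security event"
    if p["dominant_reason_share"] >= 0.9 and p["distinct_sources"] >= p["distinct_users"]:
        return "configuration-change pattern: have the system owner confirm and fix"
    return "inconclusive: collect more context before acting"


if __name__ == "__main__":
    print("before patch:", triage(BEFORE_PATCH))
    print("after patch: ", triage(since(BEFORE_PATCH + AFTER_PATCH, PATCH_TIME)))
```

Run against the post-patch window the verdict is the one option B in question 278 recommends: confirm the misconfiguration with the owner. Run against the earlier window it flags a source that is both on the threat list and cycling through accounts, which is the investigation result that would then justify a response.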

279
MCQhard

A multinational corporation is migrating critical applications to a public cloud provider. The IT risk manager needs to design a risk assessment approach that addresses shared responsibility. Which of the following is the MOST appropriate approach?

A.Assess only the cloud provider's security controls
B.Assume that the provider's controls cover all risks
C.Perform a data leakage risk assessment for each application
D.Map controls to the shared responsibility model and assess both sides
AnswerD

This ensures all areas are covered according to the provider's model.

Why this answer

In a public cloud shared responsibility model, the cloud provider secures the infrastructure (e.g., physical security, hypervisor), while the customer secures their data, configurations, and access controls. Option D is correct because it requires mapping each control to the specific party responsible (customer vs. provider) and assessing both sides, ensuring no gaps in coverage. This approach is consistent with the CSA Cloud Controls Matrix and NIST SP 800-146, which describe how security responsibilities divide between provider and customer for each service model.

Exam trap

The trap here is that candidates assume the cloud provider is fully responsible for all security, overlooking the customer's contractual and operational obligations under the shared responsibility model, which is a core CRISC concept for cloud risk assessments.

How to eliminate wrong answers

Option A is wrong because assessing only the provider's controls ignores customer-side responsibilities like IAM policies, encryption key management, and application-layer security, leaving those risks unassessed. Option B is wrong because assuming the provider covers all risks contradicts the shared responsibility model; providers state explicitly, in their published responsibility models and customer agreements (e.g., the AWS Shared Responsibility Model), that security of customer data and configurations is the customer's job. Option C is wrong because a data leakage risk assessment is too narrow; it omits other critical risks such as misconfigured network ACLs, insecure APIs, and compliance violations (e.g., GDPR data residency).

280
Multi-Selecteasy

Which TWO outcomes indicate that a risk assessment process is effective?

Select 2 answers
A.All potential risks have been identified.
B.Risk treatment decisions are based on clear, prioritized findings.
C.Residual risk is consistently below the risk appetite.
D.No negative risk events occur after the assessment.
E.The organization achieves full compliance with security standards.
AnswersB, C

Effective assessment produces actionable priorities.

Why this answer

Option B is correct because an effective risk assessment must produce prioritized findings that directly inform risk treatment decisions. Without clear prioritization (e.g., based on inherent risk scores or likelihood/impact ratings), the organization cannot allocate resources efficiently or select appropriate controls. Option C is correct because residual risk staying within appetite over time shows that the assessment's prioritization led to treatment that actually works, which is the outcome the process exists to produce. The CRISC framework emphasizes that the output of risk assessment is actionable intelligence, not just a list of risks.

Exam trap

The trap here is that candidates confuse the goal of risk assessment (producing prioritized, decision-ready findings) with other risk management activities like risk identification (A), risk monitoring (D), or compliance (E), leading them to select options that sound desirable but do not directly measure assessment effectiveness.

281
MCQhard

A multinational corporation has deployed a centralized log management system that collects security events from all subsidiaries. The CRO notices that the number of critical alerts from the Asia-Pacific region has dropped significantly over the past week. Upon investigation, the log source status shows that 30% of the devices in that region have not sent any logs in 48 hours. What is the MOST likely cause?

A.The security team applied a new log suppression rule that filters out low-severity events.
B.The region experienced a distributed denial-of-service (DDoS) attack that overwhelmed the log collection infrastructure.
C.A configuration change was made to the log forwarder agent on the affected devices, causing it to stop sending logs.
D.The network team recently implemented a segmentation change that blocked log traffic from those devices.
AnswerC

Misconfigured log forwarders are a common cause of log loss.

Why this answer

Option C is correct because a configuration change to the log forwarder agent (e.g., syslog-ng, rsyslog, or a proprietary agent) is the most plausible cause for a sudden, sustained drop in log volume from a subset of devices. Network segmentation (Option D) would typically cut off every device behind the changed boundary, and a DDoS (Option B) would cause intermittent or total loss; an agent misconfiguration stops forwarding on exactly the devices that received it while those devices stay online. The 48-hour window and 30% device impact align with a staged or partial rollout of a faulty agent configuration.

Exam trap

The trap here is that candidates confuse a reduction in alerts (Option A) with a loss of raw logs, or assume a network change (Option D) is the root cause without considering that a configuration change to the log forwarder agent is a more targeted and common failure mode in centralized logging architectures.

How to eliminate wrong answers

Option A is wrong because a new log suppression rule filtering low-severity events would reduce alert volume but not stop log transmission entirely; the log source status would still show recent heartbeats or connectivity. Option B is wrong because a DDoS attack overwhelming the log collection infrastructure would cause a widespread, not regional, loss of logs, and the log source status would likely show intermittent connectivity or timeouts, not a clean 48-hour gap. Option D is wrong because a network segmentation change blocking log traffic (e.g., UDP 514 or TCP 6514) would affect all devices in the affected subnet, not a specific 30% subset, and would typically be detected by network monitoring tools.
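An added example (constructed for this page, not from any SIEM vendor) of the check that surfaces the condition in question 281: compute, per region, the share of log sources that have sent nothing within the silence threshold, and triage each silent host by whether it still answers on its management interface. The snapshot, hostnames, regions, reachability results and the 48-hour threshold are assumptions.

```python
"""Added example (constructed): log-source health check that separates silent forwarders from live sources."""
from collections import Counter
from datetime import datetime, timedelta, timezone

SILENCE_THRESHOLD = timedelta(hours=48)

# Constructed snapshot of a SIEM "log source status" view: device -> (region, last event received).
NOW = datetime(2024, 5, 10, 12, 0, tzinfo=timezone.utc)
LAST_SEEN = {}
for i in range(1, 11):  # ten APAC devices; three stopped sending after a forwarder change
    LAST_SEEN[f"apac-{i:02d}"] = ("APAC", NOW - (timedelta(hours=50) if i <= 3 else timedelta(minutes=i)))
for i in range(1, 6):
    LAST_SEEN[f"amer-{i:02d}"] = ("Americas", NOW - timedelta(minutes=i))
    LAST_SEEN[f"emea-{i:02d}"] = ("EMEA", NOW - timedelta(minutes=i))

# Constructed management-plane reachability (e.g. the result of an SSH/WinRM probe) for the triage step.
REACHABLE = {host: host != "apac-03" for host in LAST_SEEN}


def silent_sources(last_seen: dict, now: datetime, threshold: timedelta = SILENCE_THRESHOLD) -> set:
    """Devices whose last event is older than the threshold, regardless of how many alerts they used to raise."""
    return {host for host, (_, ts) in last_seen.items() if now - ts >= threshold}


def silent_ratio_by_region(last_seen: dict, now: datetime, threshold: timedelta = SILENCE_THRESHOLD) -> dict:
    """Share of devices per region that have gone silent: the number a dashboard should show next to alert counts,
    because a falling alert count with a rising silent ratio is lost telemetry, not reduced risk."""
    total, silent = Counter(), Counter()
    for host, (region, ts) in last_seen.items():
        total[region] += 1
        if now - ts >= threshold:
            silent[region] += 1
    return {region: silent[region] / total[region] for region in total}


def triage_silent(host: str, reachable: dict) -> str:
    """Heuristic (an assumption of this example, not a standard): a silent device that still answers on its
    management interface points at the forwarder agent or its config; one that does not answer points at
    the network path or the host itself."""
    if reachable.get(host):
        return "host up, no logs: check forwarder agent/config"
    return "host unreachable: check network path or host"


def report(last_seen: dict = LAST_SEEN, now: datetime = NOW, reachable: dict = REACHABLE) -> dict:
    """Per-region silent ratio plus a triage line for every silent host."""
    silent = silent_sources(last_seen, now)
    return {
        "silent_ratio": silent_ratio_by_region(last_seen, now),
        "triage": {host: triage_silent(host, reachable) for host in sorted(silent)},
    }


if __name__ == "__main__":
    print(report())
```

The point of keying on last-event time rather than alert volume is the distinction the exam trap makes: a suppression rule lowers alert counts but leaves every source reporting, while a broken forwarder leaves a gap in the status view.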

282
Multi-Selectmedium

Which TWO of the following are valid triggers for initiating a risk assessment outside the regular cycle? (Select 2)

Select 2 answers
A.An employee completing annual security awareness training
B.A significant change in the IT infrastructure
C.Introduction of a new regulatory requirement
D.The annual internal audit of financial controls
E.Completion of a routine security patch cycle
AnswersB, C

Changes introduce new risks and require reassessment.

Why this answer

A significant change in IT infrastructure (Option B) is a classic trigger for ad-hoc risk assessment because it introduces new vulnerabilities, alters the attack surface, or changes the effectiveness of existing controls. For example, migrating from on-premises servers to a cloud environment (e.g., AWS, Azure) changes network segmentation, identity management, and data residency, requiring a fresh risk evaluation to identify and treat new threats before they are exploited.

Exam trap

ISACA often tests the distinction between routine, scheduled activities (like training, audits, or patching) and genuine change events that alter the risk profile, tricking candidates into selecting familiar operational tasks as triggers.

283
MCQeasy

Refer to the exhibit. What is the most likely risk indicated by this error log?

A.Buffer overflow
B.SQL injection
C.Denial of service
D.Cross-site scripting
AnswerB

The error line contains a SQL injection payload (a quote that closes the intended string literal, followed by the tautology OR '1'='1'), indicating an attempt to exploit a SQL injection vulnerability.

Why this answer

The error log shows a query in which user input has broken out of the string literal: the stray single quote (') ends the intended value and the text that follows is parsed as SQL. The resulting statement SELECT * FROM users WHERE username = 'admin' OR '1'='1' is always true for the admin row, so it can bypass authentication or return data the caller should not see. This directly corresponds to SQL injection (option B), because attacker-controlled input is being interpreted as SQL code.

Exam trap

The trap here is that candidates may confuse SQL injection with cross-site scripting because both involve input manipulation, but the key distinction is the context: SQL injection targets the database layer via SQL queries, while XSS targets the browser via HTML/JavaScript rendering.

How to eliminate wrong answers

Option A (Buffer overflow) is wrong because the error log shows a SQL query, not a memory corruption or overflow of a buffer; buffer overflows typically involve stack or heap corruption from excessive input, not SQL syntax errors. Option C (Denial of service) is wrong because the log shows a single malformed query, not a flood of requests or resource exhaustion that would cause a denial of service; DoS attacks aim to overwhelm the system, not inject SQL. Option D (Cross-site scripting) is wrong because the input is being used in a SQL query, not rendered in a web page; XSS involves injecting client-side scripts (e.g., JavaScript) into a browser, not server-side SQL statements.
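As an added example (not the exhibit, which is not reproduced here, and not code from the page), the detection logic a SOC would run over error-log lines like the one described: URL-decode, then match narrow signatures so that the tautology in the exhibit is labelled SQL injection and a script tag is labelled XSS, which is exactly the distinction the exam trap turns on. The log lines and the patterns are constructed for this example.

```python
"""Added example (constructed): classify application error-log lines by injection signature."""
import re
from urllib.parse import unquote_plus

# Constructed log lines in the style of the exhibit; none are real traffic.
LOG_LINES = [
    "2024-05-10T12:00:01Z ERROR db: syntax error near \"OR\" in: SELECT * FROM users WHERE username = 'admin' OR '1'='1'",
    "2024-05-10T12:00:07Z WARN app: bad search param q=%27+UNION+SELECT+username%2Cpassword+FROM+users--",
    "2024-05-10T12:00:09Z WARN app: input rejected comment=<script>alert(1)</script>",
    "2024-05-10T12:00:12Z INFO app: login ok user=alice",
    "2024-05-10T12:00:15Z ERROR app: field 'name' too long (5000 bytes), request dropped",
]

# Each signature is deliberately narrow so the label says what was matched.
SIGNATURES = {
    "sqli:tautology": re.compile(r"'\s*(?:OR|AND)\s*'?\w+'?\s*=\s*'?\w+", re.IGNORECASE),
    "sqli:union": re.compile(r"\bUNION\b\s+(?:ALL\s+)?SELECT\b", re.IGNORECASE),
    "sqli:comment": re.compile(r"--|/\*"),
    "sqli:stacked": re.compile(r";\s*(?:DROP|DELETE|INSERT|UPDATE|ALTER)\b", re.IGNORECASE),
    "xss": re.compile(r"<\s*script\b|javascript:|\bon\w+\s*=", re.IGNORECASE),
}


def classify_line(line: str) -> set:
    """Decode URL encoding first (payloads usually arrive encoded), then apply every signature."""
    decoded = unquote_plus(line)
    return {label for label, pattern in SIGNATURES.items() if pattern.search(decoded)}


def headline(labels: set) -> str:
    """Map matched signatures to the risk category a triage ticket would carry."""
    if any(label.startswith("sqli:") for label in labels):
        return "SQL injection"
    if "xss" in labels:
        return "Cross-site scripting"
    return "none"


def scan(lines) -> list:
    """(line number, labels) for each line that matched at least one signature."""
    results = []
    for n, line in enumerate(lines, start=1):
        labels = classify_line(line)
        if labels:
            results.append((n, labels))
    return results


if __name__ == "__main__":
    for n, labels in scan(LOG_LINES):
        print(n, headline(labels), sorted(labels))
```

Line 5 is there on purpose: an oversized field is the kind of input a buffer-overflow answer tempts candidates with, but nothing in it is SQL or script, and the rules leave it unflagged.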

284
MCQmedium

During a risk assessment, the risk practitioner discovers that a critical database does not have an active failover solution. The database is used by multiple business applications. Which of the following factors should be given the HIGHEST weight when determining the inherent risk level?

A.The criticality of the database to business operations
B.The number of existing compensating controls
C.The frequency of vulnerability scans
D.The cost to restore the database from backup
AnswerA

Inherent risk is based on the asset's value and exposure; business criticality determines impact.

Why this answer

The inherent risk level is determined by the potential impact and likelihood of a threat exploiting a vulnerability, without considering controls. The criticality of the database to business operations directly drives the impact severity—if the database fails, multiple business applications could be disrupted, leading to significant operational and financial damage. This makes option A the highest-weighted factor because it defines the worst-case consequence, which is the foundation of inherent risk.

Exam trap

The trap here is that candidates confuse inherent risk with residual risk, and incorrectly weigh compensating controls or recovery costs as primary factors for inherent risk, when they only apply after controls are considered.

How to eliminate wrong answers

Option B is wrong because compensating controls are considered when assessing residual risk, not inherent risk; inherent risk assumes no controls are in place. Option C is wrong because the frequency of vulnerability scans is a control activity that reduces risk, not a factor that defines inherent risk. Option D is wrong because the cost to restore from backup is a recovery-cost input that informs risk treatment decisions (alongside RTO and RPO targets), not the inherent risk level, which focuses on the raw exposure before any mitigation.

285
Multi-Selecthard

Which TWO risk identification techniques are most appropriate for identifying emerging risks from new technologies?

Select 2 answers
A.Scenario analysis
B.Historical incident review
C.Delphi technique
D.Peer benchmarking
E.Threat intelligence feeds
AnswersA, E

Scenario analysis explores potential future risks from new technologies.

Why this answer

Scenario analysis is correct because it involves constructing plausible future states to explore how new technologies might introduce unforeseen risks, making it ideal for emerging technologies where historical data is absent. Threat intelligence feeds are correct because they provide real-time, external data on vulnerabilities, exploits, and attack patterns targeting new technologies, enabling proactive risk identification.

Exam trap

The trap here is that candidates often choose historical incident review or peer benchmarking because they seem data-driven, but they fail to recognize that emerging technologies lack the historical data or peer maturity needed for these methods to be effective.

286
MCQmedium

After a security incident, an organization discovers that a critical database was accessed by an unauthorized user due to weak authentication controls. As part of the IT risk assessment process, which step should have identified this vulnerability?

A.Risk treatment
B.Risk monitoring
C.Risk identification
D.Risk evaluation
AnswerC

Risk identification is the step that identifies vulnerabilities.

Why this answer

Risk identification is the step in the IT risk assessment process where potential vulnerabilities, such as weak authentication controls, are systematically discovered and documented. In this scenario, the weak authentication that allowed unauthorized database access should have been identified during risk identification, which involves cataloging assets, threats, vulnerabilities, and existing controls. This step precedes any treatment, monitoring, or evaluation activities.

Exam trap

The trap here is that candidates confuse risk identification with risk evaluation or risk treatment, mistakenly thinking that evaluating the impact of a weak control or treating it after discovery is the same as initially finding the vulnerability.

How to eliminate wrong answers

Option A is wrong because risk treatment involves selecting and implementing controls to mitigate identified risks, not discovering vulnerabilities; the weak authentication would have already needed to be known before treatment could occur. Option B is wrong because risk monitoring is a continuous process of tracking identified risks and control effectiveness over time, not the initial step to find a vulnerability like weak authentication. Option D is wrong because risk evaluation compares the level of risk against risk criteria to prioritize treatment, but it assumes the vulnerability has already been identified; it does not discover new vulnerabilities.

287
MCQeasy

An organization is implementing a new data loss prevention (DLP) solution. The risk manager is identifying potential risks related to the DLP solution itself. Which of the following is a risk that should be considered?

A.The DLP solution may generate a high volume of false positives, causing alert fatigue and missed real incidents.
B.The DLP solution will reduce the risk of data exfiltration.
C.The DLP solution will block all unauthorized data transfers.
D.The DLP solution will automatically encrypt sensitive data in transit.
AnswerA

False positives are a common risk with DLP implementations.

Why this answer

Option A is correct because a DLP solution that generates many false positives leads to alert fatigue and missed detections; this is a risk created by the control itself. Option B describes the intended benefit of the control, not a risk. Option C is an overstated expectation rather than a risk: no DLP blocks every unauthorized transfer, and assuming it does would itself be a risk. Option D describes a capability DLP does not generally provide (encryption in transit is a separate control), so it is a misconception rather than an identified risk.

288
Multi-Selectmedium

An organization is implementing a continuous monitoring program for its critical IT processes. Which TWO of the following are key indicators that should be included to effectively monitor control performance?

Select 2 answers
A.Key performance indicators (KPIs)
B.Audit findings
C.Key control indicators (KCIs)
D.Service level agreements (SLAs)
E.Key risk indicators (KRIs)
AnswersA, C

KPIs measure process performance; KCIs measure whether controls are operating as designed.

Why this answer

KPIs are correct because they measure the efficiency and effectiveness of the process a control supports, such as processing error rates or system uptime percentages, giving continuous visibility into whether the process is running as intended. KCIs are correct because they measure directly whether a control is operating as designed, such as the percentage of privileged accounts reviewed on schedule or the share of changes that passed through approval. Together they are the indicators a continuous monitoring program uses to track control health.

Exam trap

The trap here is that candidates pick KRIs (E) because they are the most familiar indicator type, but KRIs measure risk exposure, not how well a control performs; candidates also mistake audit findings (B) or SLAs (D) for monitoring indicators when they are retrospective or contractual in nature.

289
MCQmedium

A company uses a DevOps approach with a continuous integration/continuous deployment (CI/CD) pipeline. Which risk identification technique is best suited for detecting code vulnerabilities early in the development lifecycle?

A.Quarterly penetration testing
B.Automated security scanning integrated into the pipeline
C.Threat modeling of system architecture
D.Manual code review
AnswerB

Automated scanning integrates seamlessly with CI/CD, providing immediate vulnerability detection.

Why this answer

Automated security scanning integrated into the CI/CD pipeline is best suited for detecting code vulnerabilities early because it runs continuously on every code commit, providing immediate feedback to developers. This aligns with the DevOps principle of shifting security left, catching issues like SQL injection or insecure dependencies before they reach production. Unlike periodic tests, this technique ensures vulnerabilities are identified at the moment of introduction, minimizing remediation cost and risk.

Exam trap

The trap here is that candidates may choose threat modeling (Option C) because it is a recognized risk identification technique, but they fail to recognize that it is not designed to detect code-level vulnerabilities early in the development lifecycle, which requires continuous, automated scanning within the pipeline.

How to eliminate wrong answers

Option A is wrong because quarterly penetration testing is a periodic, point-in-time assessment that occurs long after code is deployed, failing to detect vulnerabilities early in the development lifecycle. Option C is wrong because threat modeling of system architecture is a design-phase technique that identifies high-level threats and attack surfaces, not specific code-level vulnerabilities like buffer overflows or injection flaws. Option D is wrong because manual code review, while valuable, is slower, less consistent, and cannot scale to the frequency of commits in a CI/CD pipeline, making it impractical for early and continuous detection.
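An added example (constructed; not Bandit, Semgrep or any real scanner, though it mimics how their Python SQL rules work) of the automated check question 289 describes: a CI step that parses each changed file and fails the build when a SQL sink receives a statement assembled from other values. The two source files it scans are constructed, and the variable resolution is deliberately simplified.

```python
"""Added example (constructed): a minimal AST-based SAST rule of the kind a CI step runs on every commit."""
import ast
from typing import Optional

SINKS = {"execute", "executemany", "executescript"}  # DB-API methods that run SQL text

# Constructed files under review. The first has the question-277 pattern; the second is the fix.
VULNERABLE_SOURCE = '''\
def find_user(conn, username):
    sql = f"SELECT * FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchone()

def find_order(cur, order_id):
    return cur.execute("SELECT * FROM orders WHERE id = " + order_id).fetchall()
'''

SAFE_SOURCE = '''\
def find_user(conn, username):
    return conn.execute("SELECT * FROM users WHERE username = ?", (username,)).fetchone()
'''


def _how_built(node: ast.AST) -> Optional[str]:
    """Describe how the SQL text is assembled at runtime, or None if it is a plain literal/other."""
    if isinstance(node, ast.JoinedStr):
        return "f-string"
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return "concatenation or %-formatting"
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute) and node.func.attr == "format":
        return "str.format()"
    return None


def find_runtime_sql(source: str, filename: str = "<constructed>") -> list:
    """(line, how) for every call to a SQL sink whose statement argument is built from other values.
    Simplification (this example's assumption): a variable resolves to its most recent assignment
    anywhere in the file; real tools do proper scope and data-flow analysis."""
    tree = ast.parse(source, filename=filename)
    assigned = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Assign) and len(node.targets) == 1 and isinstance(node.targets[0], ast.Name):
            assigned[node.targets[0].id] = node.value
    findings = []
    for node in ast.walk(tree):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)):
            continue
        if node.func.attr not in SINKS or not node.args:
            continue
        stmt = node.args[0]
        if isinstance(stmt, ast.Name):
            stmt = assigned.get(stmt.id, stmt)
        how = _how_built(stmt)
        if how:
            findings.append((node.lineno, how))
    return sorted(findings)


def ci_gate(sources: dict) -> bool:
    """True when the build may proceed; False fails the pipeline step after reporting each finding."""
    ok = True
    for name, src in sources.items():
        for line, how in find_runtime_sql(src, name):
            print(f"{name}:{line}: SQL statement built by {how}; use a parameterized query")
            ok = False
    return ok


if __name__ == "__main__":
    print("gate:", ci_gate({"vuln.py": VULNERABLE_SOURCE, "safe.py": SAFE_SOURCE}))
```

Because the rule runs on the commit that introduces the pattern, the developer sees the file and line while the change is still on their branch, which is the "immediate feedback" the answer relies on; a quarterly penetration test would report the same flaw months later, in production.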

290
MCQeasy

During a risk assessment of a web application, the risk owner identifies that the application uses outdated encryption algorithms. What is the most appropriate next step?

A.Escalate the issue to senior management for approval to accept the risk.
B.Accept the risk without action because encryption is not critical.
C.Document the finding in the risk register and assign a remediation timeline.
D.Immediately patch the application to use modern encryption without further analysis.
AnswerC

Proper documentation ensures the risk is tracked and addressed.

Why this answer

Option C is correct because the risk owner has identified a specific vulnerability (outdated encryption algorithms) that must be formally recorded in the risk register. Documenting the finding and assigning a remediation timeline puts it into the risk treatment workflow, where it is prioritized, tracked, and addressed under the organization's risk management framework rather than being escalated, ignored, or patched without analysis.

Exam trap

The trap here is that candidates may confuse the immediate need to patch (Option D) with the proper risk management process, which requires documentation and analysis before any remediation action is taken.

How to eliminate wrong answers

Option A is wrong because escalating to senior management for risk acceptance is premature; the risk must first be documented and assessed for impact and likelihood before any acceptance decision. Option B is wrong because accepting the risk without action ignores the fact that outdated algorithms are practically attackable (DES can be brute-forced, RC4 has exploitable keystream biases, and 3DES is exposed to birthday-bound attacks on long sessions) and their failure can expose protected data, so encryption is critical for confidentiality. Option D is wrong because immediately patching without further analysis bypasses the risk assessment process; a patch could introduce compatibility issues or fail to address the root cause, and a proper change management process is required.

291
Multi-Selecthard

An organization is implementing a quantitative risk assessment for its customer database. Which TWO elements are essential for calculating the annualized loss expectancy (ALE)?

Select 2 answers
A.Annualized rate of occurrence (ARO)
B.Control effectiveness rating
C.Asset value (AV)
D.Inherent risk score
E.Risk appetite threshold
AnswersA, C

ARO is directly multiplied by SLE to derive ALE.

Why this answer

The annualized loss expectancy (ALE) is calculated by multiplying the single loss expectancy (SLE) by the annualized rate of occurrence (ARO). SLE itself is derived from the asset value (AV) multiplied by the exposure factor (EF), making AV the second essential element. Without both ARO and AV, you cannot compute the expected monetary loss over a one-year period for the customer database.

Exam trap

The trap here is that candidates often confuse the components of SLE (AV and EF) with the ALE formula itself, mistakenly thinking control effectiveness or inherent risk scores are direct multipliers in the ALE calculation, when in fact they are separate risk assessment inputs.

292
MCQeasy

A company is identifying risks associated with a new cloud-based CRM. Which of the following is the MOST effective method for identifying potential threats?

A.Threat modeling workshops with stakeholders
B.Reviewing industry standards only
C.Conducting penetration testing alone
D.Analyzing historical security incidents from similar organizations
AnswerA

Threat modeling workshops are systematic and collaborative, effectively identifying threats specific to the CRM.

Why this answer

Threat modeling workshops with stakeholders are the most effective method because they leverage diverse expertise to systematically identify threats specific to the cloud-based CRM architecture, including misconfigurations in IAM roles, API vulnerabilities, and data residency issues. This collaborative approach aligns with the CRISC focus on proactive risk identification by considering business context, technical constraints, and regulatory requirements early in the lifecycle.

Exam trap

The trap here is that candidates often choose penetration testing (Option C) because it is a familiar technical activity, but the question asks for the 'most effective method for identifying potential threats' in a new system, where proactive collaboration (threat modeling) outperforms reactive testing.

How to eliminate wrong answers

Option B is wrong because reviewing industry standards only provides a baseline of known controls but fails to capture organization-specific threats, such as custom CRM integrations or unique data flows. Option C is wrong because conducting penetration testing alone is a reactive, point-in-time validation that may miss logical threats (e.g., privilege escalation via business logic flaws) and does not involve stakeholder input for comprehensive threat enumeration. Option D is wrong because analyzing historical security incidents from similar organizations offers hindsight but cannot predict novel attack vectors or misconfigurations unique to the company's cloud deployment model (e.g., SaaS vs. PaaS).

293
MCQhard

The exhibit shows a warning from a control monitoring system. Based on the log, which of the following is the MOST likely control deficiency?

A.There is no approver assigned for transactions exceeding the limit
B.The threshold of 50000 USD is set too high
C.The monitoring system is generating false positives
D.The user JSmith should not have authority to initiate such transactions
AnswerA

The 'Approver: not assigned' indicates a control failure in the approval process.

Why this answer

Option A is correct because the warning indicates that a transaction exceeded the approval limit without an assigned approver, meaning the approval control is not being executed. Option B is wrong because the threshold was set at 50000 USD and the log gives no indication that this value is too high. Option D is wrong because the log shows the user initiated the transaction, but the control deficiency is the lack of approval. Option C is wrong because the monitoring system is working as intended by generating the alert.

294
MCQmedium

An organization has a policy requiring all sensitive data to be encrypted at rest. During an audit, it is found that encryption keys are stored in plaintext on the same server. Which risk response is MOST appropriate?

A.Avoid by removing the data
B.Mitigate by encrypting the key file
C.Accept the risk because encryption is still applied
D.Transfer the risk to a cloud provider
AnswerB

Encrypting the keys protects them, reducing the risk of unauthorized decryption.

Why this answer

Option B is correct because encrypting the key file directly addresses the vulnerability, which is mitigation.

295
Multi-Selecthard

A risk assessment team is calculating the Annual Loss Expectancy (ALE) for a critical server. The Single Loss Expectancy (SLE) is $50,000 and the Annual Rate of Occurrence (ARO) is estimated to be 2. The team is considering implementing a new backup solution costing $40,000 per year. Which TWO of the following statements are true regarding the cost-benefit analysis? (Select TWO.)

Select 2 answers
A.The net benefit of the backup is $60,000 per year.
B.The backup is cost-effective if the ALE reduction exceeds the annual cost.
C.The ALE after implementing the backup is $100,000 minus the backup cost.
D.The payback period for the backup is one year.
E.The current ALE without backup is $100,000.
AnswersB, E

Cost-effectiveness is determined by comparing risk reduction to cost.

Why this answer

Option B is correct because a cost-benefit analysis for a risk mitigation measure like a backup solution requires that the reduction in ALE (the benefit) exceed the annual cost of the control. Here, the current ALE is $100,000 (SLE $50,000 × ARO 2). If the backup reduces the ALE by more than $40,000 per year, it is cost-effective.

Option E is correct because the current ALE without backup is indeed $50,000 × 2 = $100,000.

Exam trap

The trap here is that candidates mistakenly assume the backup cost is subtracted directly from the current ALE to get a net benefit, ignoring that the control reduces but does not eliminate the risk, and that the payback period requires knowing the actual annual benefit.

296
Multi-Selectmedium

Which TWO of the following are primary factors that determine how often a risk assessment should be performed?

Select 2 answers
A.Available risk assessment budget
B.Rate of change in the IT environment
C.Number of IT employees
D.Inherent risk level of critical assets
E.Number of past security incidents
AnswersB, D

Higher change rate requires more frequent assessments.

Why this answer

The rate of change in the IT environment directly impacts the risk landscape; frequent changes (e.g., new applications, infrastructure updates, cloud migrations) introduce new vulnerabilities and alter existing threat vectors, requiring more frequent assessments to ensure controls remain effective. Inherent risk level of critical assets determines priority—higher inherent risk (e.g., systems processing PII or financial transactions) demands more frequent assessments because the potential impact of exploitation is greater, aligning with the ISACA risk assessment scheduling principle.

Exam trap

The trap here is that candidates confuse operational constraints (budget, staff count) or reactive metrics (past incidents) with the proactive, risk-driven factors that ISACA emphasizes for determining assessment frequency, leading them to select budget or incident count instead of change rate and inherent risk.

297
MCQmedium

A healthcare organization is subject to strict regulatory requirements regarding patient data privacy. The organization has a control that requires all access to patient records to be logged and reviewed weekly by the compliance team. The review is currently performed manually by sampling 10% of the logs. The compliance team reports that the review takes 20 hours per week and they are often unable to complete it on time. As a result, some suspicious access patterns are detected weeks after they occur. The risk manager needs to propose an improvement to the monitoring process. The organization's risk appetite for undetected unauthorized access is very low. Which of the following is the MOST effective recommendation?

A.Reduce the review frequency to bi-weekly to free up time.
B.Hire additional staff to perform the manual reviews.
C.Deploy user behavior analytics (UBA) tools for automated anomaly detection.
D.Increase the sample size to 50% of logs for better coverage.
AnswerC

UBA provides continuous, automated monitoring and immediate alerts.

Why this answer

Option C is correct because implementing user behavior analytics (UBA) automates the detection of anomalous access patterns, reducing manual effort and improving detection speed. Option D is wrong because increasing the sample size does not address the timeliness issue. Option B is wrong because hiring more staff is costly and may not scale. Option A is wrong because reducing the review frequency would delay detection further, increasing risk.

298
MCQmedium

A large e-commerce company uses several key risk indicators (KRIs) to monitor credit card fraud. The risk committee noticed that one KRI has been trending above the threshold for three consecutive months, yet no risk response was initiated. Which of the following is the MOST likely root cause?

A.The KRI was not validated for accuracy
B.The risk response workflow was not triggered automatically
C.The KRI threshold was set too lenient
D.The monitoring tool failed to capture data
AnswerB

Without automated triggering, the breach may go unnoticed despite being detected.

Why this answer

Option B is correct because if the risk response workflow was not triggered automatically, the threshold breach may not have been escalated. Option A is wrong because KRI validation addresses accuracy, not action. Option C is wrong because if the threshold were too lenient, it would not have been breached. Option D is wrong because a monitoring tool failure would likely show no data or alerts at all.

299
MCQmedium

A risk assessment team is evaluating the effectiveness of existing controls for a critical application. Which of the following approaches best determines whether controls are operating as intended?

A.Interviewing the control owner
B.Reviewing control documentation
C.Conducting a walkthrough and testing the controls
D.Analyzing historical audit findings
AnswerC

Provides direct evidence of effectiveness.

Why this answer

Option C is correct because walkthroughs and testing provide direct, empirical evidence that controls are functioning as designed. For a critical application, this approach validates actual control execution (e.g., verifying that an automated access control list (ACL) on a database server actually blocks unauthorized queries), rather than relying on secondhand accounts or static documentation. Testing confirms operational effectiveness in real-time, which is essential for accurate risk assessment.

Exam trap

The trap here is that candidates often confuse 'design effectiveness' (confirmed by documentation and interviews) with 'operating effectiveness' (confirmed only by walkthroughs and testing), leading them to choose Option B or A when the question explicitly asks whether controls are operating as intended.

How to eliminate wrong answers

Option A is wrong because interviewing the control owner only yields subjective, self-reported information about how controls are supposed to work, not objective proof of actual operation; control owners may overstate effectiveness or omit failures. Option B is wrong because reviewing control documentation (e.g., policy documents, configuration guides) shows intended design but cannot reveal whether controls are consistently applied or have degraded over time (e.g., a documented firewall rule may have been inadvertently disabled). Option D is wrong because analyzing historical audit findings provides evidence of past issues but does not confirm current control operation; controls may have been remediated or new gaps may have emerged since the last audit.

300
Drag & Dropmedium

Sequence the steps for implementing a new control based on risk assessment findings.


Why this order

Control implementation involves design, procurement/build, testing, deployment, and monitoring.
