Certified in Risk and Information Systems Control CRISC (CRISC) — Questions 301-375

500 questions total · 7 pages · All types, answers revealed

Page 5 of 7

301
Multi-Select · hard

Which THREE of the following are key components of an IT risk assessment report as per ISACA guidelines?

Select 3 answers
A. Detailed results of control testing
B. Cost-benefit analysis of risk responses
C. Identified risk scenarios and their risk levels
D. Residual risk after implementing controls
E. Recommended risk response options
Answers: C, D, E

Risk scenarios and levels are core to the assessment report.

Why this answer

Option C is correct because an IT risk assessment report, per ISACA guidelines, must include identified risk scenarios and their associated risk levels. This is a core component that documents the specific threats, vulnerabilities, and the resulting inherent risk ratings (e.g., using a 5x5 risk matrix) to provide a clear picture of the risk landscape.

Exam trap

The trap here is that candidates often confuse the risk assessment report with the risk treatment plan or control testing report, leading them to select options like cost-benefit analysis or detailed control testing results, which are not core components of the risk assessment report per ISACA guidelines.

302
MCQ · easy

A company uses a third-party SaaS application for payroll processing. What is the most important activity to identify IT risks associated with this service?

A. Conducting a vendor risk assessment
B. Performing penetration testing on the SaaS application
C. Reviewing the service-level agreement (SLA)
D. Implementing multi-factor authentication (MFA)
Answer: A

Vendor risk assessment systematically identifies and evaluates risks from third-party services.

Why this answer

A vendor risk assessment is the most important activity because it systematically evaluates the third-party SaaS provider's security controls, compliance posture, and operational resilience before and during service use. For a payroll SaaS, this includes reviewing data protection measures for sensitive employee PII, understanding the provider's SOC 2 Type II report, and assessing their incident response capabilities. Without this assessment, the organization cannot identify inherent risks like unauthorized data access, service downtime, or regulatory non-compliance specific to the third-party environment.

Exam trap

The trap here is that candidates confuse risk identification activities (like vendor assessments) with risk mitigation controls (like MFA) or contractual reviews (like SLAs), leading them to select a control or document review instead of the foundational assessment needed to uncover risks.

How to eliminate wrong answers

Option B is wrong because penetration testing on the SaaS application is typically prohibited by the provider's terms of service and would require explicit contractual permission; it is a technical control validation step, not a risk identification activity. Option C is wrong because reviewing the SLA identifies contractual remedies and uptime guarantees but does not uncover underlying security vulnerabilities, data handling practices, or third-party dependencies that constitute IT risks. Option D is wrong because implementing MFA is a risk mitigation control, not a risk identification activity; it reduces the likelihood of unauthorized access but does not help identify what risks exist in the first place.

303
MCQ · hard

After a control self-assessment (CSA) workshop, business units reported that 80% of controls are operating effectively. However, internal audit's recent testing indicates a 30% control failure rate. What is the BEST explanation for this discrepancy?

A. The audit was conducted three months after the CSA, and controls may have degraded.
B. CSA participants may have a biased perception of control effectiveness, while audit uses objective evidence.
C. CSA participants lacked adequate training on what constitutes a control failure.
D. The CSA covered a different scope of controls than the audit.
Answer: B

Subjective bias and objective testing commonly cause such discrepancies.

Why this answer

Option B is correct because CSA participants often overestimate control effectiveness due to subjective self-assessment, while audit applies objective testing. Option D is wrong because a scope difference (all controls vs. a sample) could contribute but is less likely to cause such a large gap. Option A is wrong because the three-month timing difference might explain small differences, not a 50% gap.

Option C is wrong because inadequate training alone rarely causes such a large discrepancy.

304
MCQ · hard

An organization uses a third-party vendor for critical data processing. The vendor has experienced two minor security incidents in the past year with no data loss. The risk manager is updating the vendor risk assessment. Which approach best aligns with ISACA's guidance?

A. Initiate a formal reassessment of the vendor's security controls and contractual protections.
B. Increase the frequency of vendor audits to quarterly.
C. Request a copy of the vendor's SOC 2 report from last year.
D. Accept the risk because the incidents did not result in data loss.
Answer: A

Recurring incidents warrant a full reassessment to determine if the vendor's risk profile has changed.

Why this answer

ISACA's guidance emphasizes that even minor security incidents without data loss indicate potential control weaknesses that require reassessment. A formal reassessment (A) ensures the vendor's security controls and contractual protections are re-evaluated to address underlying risks, aligning with the principle of continuous risk monitoring and response.

Exam trap

The trap here is that candidates assume no data loss means no risk, but ISACA requires proactive reassessment of controls after any incident to prevent escalation, not passive acceptance or superficial monitoring.

How to eliminate wrong answers

Option B is wrong because increasing audit frequency to quarterly does not address the root cause of the incidents; it only increases oversight without reassessing the effectiveness of existing controls. Option C is wrong because a SOC 2 report from last year is historical and may not reflect current control effectiveness after two incidents; it provides a point-in-time assessment rather than a dynamic response. Option D is wrong because accepting risk solely because no data loss occurred ignores the potential for future incidents with more severe consequences; ISACA requires risk treatment based on likelihood and impact, not just past outcomes.

305
MCQ · hard

An organization has recently suffered a ransomware attack that encrypted critical files. During the post-incident review, the risk team is identifying key risk indicators (KRIs) to improve early detection. Which of the following KRIs would be MOST effective in detecting similar attacks in the future?

A. Frequency of antivirus signature updates.
B. Number of unauthorized remote access attempts.
C. Percentage of employees who completed security awareness training.
D. Time to patch critical vulnerabilities.
Answer: B

Direct indicator of possible ransomware entry.

Why this answer

Option B is correct because unauthorized remote access attempts are a direct indicator of a potential ransomware entry vector. Option A (frequency of antivirus signature updates) is important but not the most direct indicator for detection. Option C is preventive, not detective.

Option D is corrective.

306
Multi-Select · easy

Which THREE of the following are indicators of potential IT risk in an organization? (Select exactly THREE.)

Select 3 answers
A. Strong password policy
B. Regular patching cycles
C. High employee turnover in IT
D. Frequent changes to firewall rules
E. Increasing number of help desk tickets
Answers: C, D, E

Leads to loss of institutional knowledge and potential operational gaps.

Why this answer

High employee turnover in IT is a risk indicator because it can lead to loss of institutional knowledge, inconsistent security practices, and increased likelihood of misconfigurations or unpatched systems. When experienced staff leave, remaining or new employees may lack the context to properly manage firewall rules, access controls, or incident response, creating vulnerabilities.

Exam trap

The trap here is confusing risk indicators (conditions that signal potential risk) with risk controls (actions that reduce risk), leading candidates to select strong password policies or patching cycles as risk indicators instead of recognizing them as mitigations.

307
MCQ · hard

A global organization is consolidating risk data from multiple business units into a single enterprise risk management (ERM) system. The risk practitioner notices that KRIs for the same risk type (e.g., cybersecurity) are calculated differently across units. What is the BEST approach to ensure consistent and reliable risk monitoring and reporting?

A. Require all units to adopt a common set of key performance indicators for their control environment.
B. Allow each business unit to maintain its own KRI definitions but report explanations for variances.
C. Establish a common definition and calculation methodology for each KRI across all business units.
D. Implement automated data feeds from each unit's system to the ERM system without changing the KRI definitions.
Answer: C

Standardization is key to reliable aggregation.

Why this answer

Option C is correct because defining standardized KRI definitions and calculation formulas ensures consistency across units, enabling accurate consolidation. Option B is wrong because accepting unit-specific KRIs prevents meaningful aggregation. Option D is wrong because automated data feeds do not address the inconsistency in KRI definitions.

Option A is wrong because a common KPI set for controls does not solve the risk metric inconsistency.

308
MCQ · easy

During a risk assessment, the risk manager identifies a vulnerability in a web application that could allow SQL injection. The development team states they will fix it in the next release, which is six months away. What should the risk manager do?

A. Implement a web application firewall (WAF) as a compensating control.
B. Accept the risk due to the low likelihood of exploitation.
C. Document the risk and defer action to the next assessment.
D. Request an immediate emergency patch deployment.
Answer: A

WAF can block SQL injection attacks until the fix is deployed.

Why this answer

A web application firewall (WAF) is the appropriate compensating control because it can inspect and block SQL injection payloads at the HTTP/HTTPS layer without modifying the application code. This provides immediate risk reduction while the development team works on the permanent fix, aligning with the principle of defense-in-depth and the risk manager's responsibility to treat unacceptable risk during the remediation window.

Exam trap

The trap here is that candidates may assume accepting risk (Option B) is valid because the fix is scheduled, but CRISC emphasizes that risk acceptance requires formal sign-off and cannot be used as a default for unmitigated critical vulnerabilities; the correct response is to implement a compensating control to reduce residual risk to an acceptable level.

How to eliminate wrong answers

Option B is wrong because the risk manager cannot simply accept the risk based on an unsubstantiated assumption of low likelihood; SQL injection is a well-known, actively exploited vulnerability with high impact, and acceptance requires formal approval and documented justification. Option C is wrong because deferring action to the next assessment ignores the current exposure and violates the risk treatment requirement to address identified vulnerabilities in a timely manner, especially when a compensating control like a WAF is available. Option D is wrong because requesting an immediate emergency patch deployment is impractical for a six-month release cycle and may introduce instability; the development team has already committed to a scheduled fix, and the risk manager should implement a temporary control rather than demand an unrealistic patch.

309
MCQ · hard

Refer to the exhibit. A risk analyst is reviewing an AWS S3 bucket policy. What is the MOST significant control monitoring gap in this policy?

A. The policy does not restrict access to specific internal IPs.
B. The policy allows HTTPS access from any internal IP.
C. The policy denies non-HTTPS access but does not enforce encryption for allowed access.
D. The policy lacks auditing or logging of access attempts.
Answer: D

Monitoring requires logs to detect violations.

Why this answer

Option D is correct because the policy only restricts access to the internal IP range and requires HTTPS, but it does not log access attempts. Without logging, unauthorized attempts cannot be monitored. Option A is wrong because the policy does restrict access to the internal IP range.

Option B is wrong because HTTPS access from the internal IP range is what the policy intends to allow. Option C is wrong because the Deny for non-HTTPS access is present; the gap is the missing logging.

310
Multi-Select · hard

Which THREE of the following are key components of an effective risk reporting framework?

Select 3 answers
A. Automated collection of risk data from all sources.
B. Consistent risk metrics across the organization.
C. Clear definition of risk appetite and tolerance levels.
D. Defined escalation paths for exceeding thresholds.
E. Statistical models for predicting future risks.
Answers: B, C, D

Enables aggregation and comparison.

Why this answer

Consistent risk metrics across the organization (Option B) are a key component of an effective risk reporting framework because they ensure that risk data is comparable and aggregated meaningfully across different business units and systems. Without standardized metrics, reports would be inconsistent, making it impossible to assess overall risk posture or identify trends reliably.

Exam trap

The trap here is that candidates often mistake operational enablers (like automated data collection or predictive models) for core framework components, but the CRISC exam emphasizes that the framework must define what is measured, how it is compared, and how responses are triggered, not just how data is gathered or analyzed.

311
Multi-Select · easy

Which THREE of the following are valid risk response options according to the ISACA risk management framework? (Select 3)

Select 3 answers
A. Enhance the risk to gain strategic advantage
B. Mitigate the risk through controls
C. Avoid the risk
D. Monitor the risk without taking action
E. Transfer the risk via insurance
Answers: B, C, E

Reducing likelihood or impact.

Why this answer

Option B is correct because risk mitigation involves implementing controls to reduce the likelihood or impact of a risk to an acceptable level. In the ISACA framework, this is a primary risk response option, often achieved through technical controls like firewalls, encryption, or access management systems.

Exam trap

The trap here is that candidates may confuse 'monitor the risk' as a valid response option, but ISACA requires a specific action (avoid, mitigate, transfer, accept) rather than a passive monitoring activity.

312
MCQ · hard

Based on the exhibit, which risk is most likely present and what is the most appropriate risk response?

A. Risk of cost; set a budget alert
B. Risk of data exposure; apply a deny rule to restrict access
C. Risk of availability; implement backup
D. No risk; the policy is standard
Answer: B

The policy allows public read access, risking data leakage. A deny rule would mitigate.

Why this answer

Option B is correct because the policy allows anyone to read objects, leading to data exposure; the appropriate response is to apply a deny rule or otherwise restrict access.

313
MCQ · hard

A large e-commerce company is assessing the risk of a distributed denial-of-service (DDoS) attack on its web applications. The company has experienced three DDoS attacks in the past year, each causing significant downtime and revenue loss. The current mitigation strategy relies on an on-premise appliance that can handle up to 10 Gbps of attack traffic. Recent industry reports indicate that DDoS attacks are growing in volume and sophistication, with some exceeding 100 Gbps. The company's risk appetite for availability is moderate. The security team has proposed migrating to a cloud-based DDoS protection service that scales to 200 Gbps, but it will increase annual operational costs by 40%. The business is concerned about the cost increase. Which of the following is the BEST risk treatment decision?

A. Transfer the risk by purchasing business interruption insurance that covers revenue loss during outages.
B. Accept the risk because the company has survived previous attacks and the cost of mitigation is high.
C. Reduce the risk by implementing the cloud-based DDoS protection service, accepting the cost increase.
D. Reduce the risk by upgrading the on-premise appliance to handle up to 50 Gbps, which is within budget.
Answer: C

Scalable solution matches risk appetite.

Why this answer

Option C is correct because the current on-premise appliance (10 Gbps capacity) is insufficient against modern DDoS attacks that can exceed 100 Gbps, as noted in industry reports. Migrating to a cloud-based DDoS protection service that scales to 200 Gbps directly reduces the risk to a level aligned with the company's moderate risk appetite for availability, despite the 40% cost increase. The business concern about cost is secondary to the necessity of mitigating a risk that could cause catastrophic revenue loss, and the cloud service provides elastic scalability that an on-premise upgrade cannot match.

Exam trap

The trap here is that candidates may choose Option D (upgrading to 50 Gbps) because it appears to be a cost-effective risk reduction, but they overlook that it still leaves the organization exposed to attacks exceeding 50 Gbps, which is a common scenario given the trend toward 100+ Gbps attacks, and fails to meet the moderate risk appetite for availability.

How to eliminate wrong answers

Option A is wrong because transferring risk via business interruption insurance does not prevent downtime or revenue loss; it only provides financial compensation after the fact, which does not address the company's moderate risk appetite for availability or the operational impact of repeated outages. Option B is wrong because accepting the risk ignores the clear trend of increasing attack volumes (up to 100+ Gbps) and the fact that the company has already suffered significant downtime and revenue loss from three attacks; the high cost of mitigation does not justify continued exposure when the risk exceeds the risk appetite. Option D is wrong because upgrading the on-premise appliance to 50 Gbps is still far below the 100+ Gbps attack volumes reported, leaving the company vulnerable to larger attacks; it also lacks the elastic scaling and global scrubbing capacity of a cloud-based service, making it an inadequate risk reduction measure.

314
Multi-Select · easy

Which TWO of the following are examples of detective controls?

Select 2 answers
A. Review of access logs for unauthorized access.
B. Backup and recovery procedures.
C. Firewall rules blocking unauthorized traffic.
D. Separation of duties in financial systems.
E. Intrusion detection system (IDS) alerts.
Answers: A, E

Detects unauthorized access after the fact.

Why this answer

A is correct because reviewing access logs for unauthorized access is a detective control. It involves examining historical records of system access events to identify security incidents or policy violations after they have occurred. This is a classic example of monitoring and analysis, not prevention or correction.

Exam trap

ISACA often tests the distinction between preventive and detective controls by presenting security technologies that have both capabilities (e.g., a firewall with logging), but the trap here is that candidates confuse the control's primary function (e.g., firewall rules are preventive, even if logs are used for detection).

315
MCQ · medium

A company has identified a risk of data breach due to weak encryption. The current controls include encryption at rest but not in transit. The risk assessment team calculates inherent risk as high and residual risk as high. What should the team recommend FIRST?

A. Implement encryption in transit to reduce likelihood
B. Transfer the risk by purchasing cyber insurance
C. Avoid the risk by discontinuing data transmission
D. Accept the risk because it is already high
Answer: A

Directly mitigates the root cause.

Why this answer

The risk assessment team should first recommend implementing encryption in transit because the current controls only address data at rest, leaving data vulnerable during transmission. Since both inherent and residual risks are high, the most direct and effective control to reduce likelihood is to apply a technical safeguard like TLS 1.3 for data in transit, which directly addresses the identified gap.

Exam trap

The trap here is that candidates may think accepting high residual risk is acceptable if inherent risk is also high, but CRISC emphasizes that risk should be reduced to an acceptable level using controls before considering acceptance or transfer.

How to eliminate wrong answers

Option B is wrong because transferring risk via cyber insurance does not reduce the likelihood or impact of a data breach; it only provides financial compensation after an incident, which is not a first-line recommendation when a technical control is missing. Option C is wrong because avoiding the risk by discontinuing data transmission is an extreme measure that would halt business operations, and it is not the first recommendation when a feasible technical control (encryption in transit) exists. Option D is wrong because accepting a high residual risk when a cost-effective control is available violates the principle of risk reduction; acceptance should only be considered after all reasonable mitigation options have been evaluated.

316
MCQ · hard

A risk assessor is evaluating a third-party cloud service provider. Which of the following is the MOST important factor to consider when assessing the risk of data exfiltration?

A. The provider's data portability and exit process
B. The provider's service level agreement (SLA) for uptime
C. The number of security certifications held by the provider
D. The provider's encryption standards for data at rest and in transit
Answer: D

Encryption is key to protecting data.

Why this answer

Data exfiltration risk is primarily mitigated by strong encryption standards for data at rest and in transit. Even if a provider has robust access controls, weak encryption (e.g., using TLS 1.0 or AES-128-CBC with predictable IVs) can allow an attacker to intercept or decrypt data during transfer or storage. Encryption directly prevents unauthorized extraction of readable data, making it the most critical factor.

Exam trap

The trap here is that candidates often choose 'security certifications' (Option C) as a proxy for security, but CRISC emphasizes that certifications are process-based and do not guarantee technical controls like encryption strength, which directly addresses the exfiltration threat.

How to eliminate wrong answers

Option A is wrong because data portability and exit process address vendor lock-in and migration, not the active prevention of data theft during normal operations. Option B is wrong because SLA uptime guarantees availability, not confidentiality; a provider with 99.999% uptime could still have weak encryption enabling exfiltration. Option C is wrong because security certifications (e.g., ISO 27001, SOC 2) indicate a baseline of controls but do not guarantee the strength or implementation of encryption; a provider can hold many certifications yet use outdated cipher suites like RC4.

317
Multi-Select · medium

An organization recently experienced a significant security incident that was not detected by existing monitoring controls. The risk team is reviewing the effectiveness of the control monitoring framework. Which THREE of the following are key factors that should be evaluated to improve detection capabilities?

Select 3 answers
A. The correlation rules between different monitoring tools
B. The existence of an incident response plan
C. The timeliness of data collection from sources
D. The level of automation in incident response
E. The coverage of monitoring across all high-risk assets
Answers: A, C, E

Correlation reduces false positives and identifies complex patterns.

Why this answer

Timely data collection, correlation rules, and coverage across high-risk assets are critical. Automation level and incident response plans, while important, are not primary detection factors.

318
Drag & Drop · medium

Put the steps for developing an information security policy in order.


Why this order

Policy development starts with gap analysis, drafting, stakeholder review, approval, and communication.

319
MCQ · medium

Based on the exhibit, what is the PRIMARY risk associated with this S3 bucket policy?

A. The policy allows access to all S3 buckets in the account
B. The policy denies access to legitimate users from outside the subnet
C. The policy permits unauthenticated access to sensitive data
D. The policy uses an incorrect IP range that blocks all traffic
Answer: C

The principal is '*', meaning any user (including unauthenticated) can access if from the allowed IP range.

Why this answer

The S3 bucket policy includes a `Principal: "*"` statement that grants public access to the bucket. Combined with an `Effect: Allow` and `Action: s3:GetObject`, this permits any unauthenticated user on the internet to read objects in the bucket. This is the primary risk because it exposes sensitive data to anyone without requiring AWS credentials or any form of authentication.

Exam trap

The trap here is that candidates may focus on the IP range or subnet details mentioned in the options, but the actual policy lacks any IP restriction and instead grants full public access via `Principal: "*"`, making unauthenticated access the primary risk.

How to eliminate wrong answers

Option A is wrong because the policy uses a `Resource` ARN that specifies a single bucket (e.g., `arn:aws:s3:::example-bucket/*`), not all buckets in the account. Option B is wrong because the policy does not contain a `Deny` effect or a `Condition` block restricting access based on source IP or VPC subnet; it allows all principals without any network restriction. Option D is wrong because the policy does not include any IP address condition (such as `aws:SourceIp`) that could be misconfigured; the risk is about unauthenticated access, not an IP range error.

320
MCQ · hard

A large bank has implemented a sophisticated risk and control monitoring system with multiple dashboards and automated reporting for key risk indicators (KRIs). However, the board of directors has been receiving conflicting KRI reports from different business units (e.g., retail banking, corporate lending, and wealth management). For example, the fraud KRI shows a high risk in retail but low risk in wealth management, yet both units use the same underlying data source. The chief risk officer (CRO) is concerned that the board is losing confidence in the risk reporting. An investigation reveals that each business unit defines and calculates KRIs differently, uses different thresholds, and reports on different schedules. What is the most likely root cause and the best remediation?

A. The reporting frequency is inadequate; monthly reports should be weekly.
B. The data sources for KRIs are inconsistent across business units.
C. The board members are misinterpreting the KRI reports due to lack of training.
D. The KRI definitions and calculation methods are not standardized across business units.
Answer: D

Standardizing definitions and calculation methods will produce consistent reports and restore board confidence.

Why this answer

The root cause is that KRI definitions and calculation methods are not standardized across business units, causing inconsistent reporting. Standardizing them ensures comparability. Option B (data sources) is not the issue, since the units use the same source; Option C (board interpretation) is secondary; Option A (reporting frequency) is not the core problem.

321
MCQ · hard

A risk practitioner is conducting a threat modeling exercise for a new cloud-based application using the STRIDE methodology. Which of the following is the PRIMARY benefit of using STRIDE over a simple checklist?

A. It requires less expertise to perform
B. It automatically quantifies risk levels
C. It ensures consistent application of controls
D. It identifies threats by category, reducing the chance of missing key threat types
Answer: D

STRIDE's categories (Spoofing, Tampering, etc.) help ensure comprehensive threat identification.

Why this answer

The STRIDE methodology categorizes threats into six specific types (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege). This structured approach ensures that the threat modeling exercise systematically covers each category, reducing the likelihood of overlooking entire classes of threats that a simple checklist might miss. For a cloud-based application, this is critical because threats like elevation of privilege or information disclosure can manifest in unique ways across shared infrastructure, and STRIDE forces the practitioner to consider each category explicitly.

Exam trap

The trap here is that candidates often confuse a structured methodology like STRIDE with a simple checklist, assuming any structured approach automatically ensures control consistency or risk quantification, when in fact STRIDE's primary benefit is its categorical coverage that reduces blind spots.

How to eliminate wrong answers

Option A is wrong because STRIDE requires a solid understanding of each threat category and how to map them to system components, often demanding more expertise than a simple checklist. Option B is wrong because STRIDE is a qualitative categorization framework and does not automatically quantify risk levels; risk quantification requires separate analysis (e.g., using CVSS scores or likelihood/impact ratings). Option C is wrong because while STRIDE can promote consistency in identifying threat types, it does not ensure consistent application of controls; controls are designed and implemented independently based on the identified threats.

322
MCQ · hard

A company faces a risk of data loss due to untrained staff. They implement mandatory training and quarterly phishing simulations. This is:

A. Risk Avoidance
B. Risk Acceptance
C. Risk Mitigation
D. Risk Transfer
Answer: C

Training reduces the probability of incidents, thus mitigating risk.

Why this answer

Option C is correct because training reduces the likelihood of human error, which is a mitigation technique.

323
MCQ · easy

Which of the following is the primary purpose of a risk and control monitoring program?

A. To identify new risks as they emerge.
B. To provide ongoing assurance that controls are operating effectively.
C. To reduce the frequency of internal audits.
D. To calculate key risk indicators.
Answer: B

Core objective of monitoring.

Why this answer

The primary purpose of a risk and control monitoring program is to provide ongoing assurance that controls are operating effectively. This is achieved through continuous or periodic testing, observation, and analysis of control activities to confirm they are designed correctly and functioning as intended to mitigate risks. Without this ongoing assurance, an organization cannot reliably know whether its risk responses remain effective over time.

Exam trap

The trap here is that candidates often confuse the primary purpose of a monitoring program (ongoing assurance) with its components or secondary benefits, such as identifying new risks (A) or calculating KRIs (D), leading them to select a narrower or derivative function instead of the core objective.

How to eliminate wrong answers

Option A is wrong because identifying new risks as they emerge is the purpose of a risk identification process or a risk assessment, not the primary goal of a control monitoring program; monitoring focuses on existing controls, not discovering new risks. Option C is wrong because reducing the frequency of internal audits is a potential secondary benefit of a strong monitoring program, but it is not the primary purpose; the core objective is assurance on control effectiveness, not audit reduction. Option D is wrong because calculating key risk indicators (KRIs) is a specific monitoring technique that may be used within a monitoring program, but it is not the primary purpose; the program's goal is broader assurance, not just the calculation of metrics.

324
MCQeasy

For a risk with very low likelihood and low impact, what is the typical risk response?

A.Mitigate
B.Transfer
C.Avoid
D.Accept
AnswerD

Acceptance is the default for low risks.

Why this answer

Option D is correct because such risks are usually accepted as the cost of response would outweigh the benefit. Options A, B, and C are excessive.

325
MCQhard

Refer to the exhibit. Based on the exhibit, what is the most appropriate action regarding the control OWF?

A.The control is effective because the traffic was blocked.
B.The control is ineffective because alerts indicate potential malware.
C.The control should be reviewed because the alert frequency is approaching the threshold.
D.No action is needed because the threshold has not been reached.
AnswerC

Proactive review can prevent reaching the threshold and identify root causes.

Why this answer

Option C is correct because the alert frequency is approaching the threshold (4 alerts in the past hour), which indicates a potential issue that should be reviewed before it escalates. Option A is wrong because while the block was successful, the increasing trend is concerning. Option B is wrong because the control blocked the traffic, so it is effective in blocking, but the frequency warrants investigation.

Option D is wrong because being below threshold does not mean no action is needed; proactive review is better.

326
MCQeasy

What is the primary purpose of a control self-assessment (CSA)?

A.To involve process owners in evaluating control effectiveness.
B.To replace external audits.
C.To automate monitoring.
D.To generate compliance reports.
AnswerA

CSA empowers process owners to assess and improve controls.

Why this answer

CSA involves process owners in evaluating control effectiveness, increasing ownership and awareness. Option A is correct. Options B, C, and D are not primary purposes.

327
MCQmedium

During a risk assessment, a risk practitioner identifies that a legacy application uses a deprecated encryption protocol. The application is critical for business operations and cannot be patched. Which of the following is the BEST approach to assess the risk?

A.Replace the application with a modern alternative
B.Analyze the threat landscape and existing compensating controls to determine residual risk
C.Assign a high inherent risk score without further analysis
D.Immediately escalate to senior management for an exception
AnswerB

Proper assessment involves analyzing threats and compensating controls to estimate residual risk.

Why this answer

The best approach is to consider the compensating controls in place. The risk should be evaluated in the context of existing controls; if controls reduce likelihood or impact, residual risk may be acceptable. Option A is too extreme without analysis; option C is not a complete assessment; option D is premature.

328
MCQmedium

A retail company monitors its key risk indicator (KRI) for credit card transaction fraud. The KRI has exceeded the established threshold for three consecutive days, but the weekly control performance report shows all fraud detection controls operating effectively. What should the risk practitioner do FIRST?

A.Immediately enhance the fraud detection controls.
B.Report the KRI breach to the board and recommend risk acceptance.
C.Adjust the KRI threshold to align with current control performance.
D.Investigate the data source of the KRI to ensure accuracy and timeliness.
AnswerD

Verifying data integrity is the logical first step before any other action.

Why this answer

Option D is correct because the discrepancy between the KRI and control performance indicates a potential data integrity issue or misalignment; verifying the KRI data source is the first step. Option C is wrong because adjusting the threshold without investigation could mask a real risk. Option A is wrong because enhancing controls before understanding the root cause may be premature. Option B is wrong because ignoring the KRI violates monitoring principles.

329
MCQmedium

You are the IT risk manager at a multinational corporation that recently migrated its customer database to a cloud-based platform. The database contains personally identifiable information (PII) subject to GDPR. During a routine vulnerability scan, you discover that the database is accessible from the internet without encryption (port 1433 open). The cloud provider's shared responsibility model indicates that securing the database configuration is the customer's responsibility. You have identified the risk as high likelihood and high impact. The business owner argues that the database is only accessible to a limited IP range and that encryption would degrade performance. Which course of action should you recommend to treat the risk?

A.Transfer the risk by purchasing cyber insurance
B.Close the port or implement a VPN, and enforce encryption
C.Accept the risk because the IP restriction reduces likelihood
D.Implement a web application firewall (WAF) to monitor traffic
AnswerB

This directly mitigates the vulnerability and ensures compliance.

Why this answer

Option B is correct because closing the port or implementing a VPN is the most effective way to eliminate the direct exposure, and encryption should be applied to protect data in transit. Option C is wrong because accepting risk without compensating controls violates GDPR requirements. Option D is wrong because a compensating control (WAF) does not address the lack of encryption. Option A is wrong because transferring risk via cyber insurance does not reduce the actual exposure.

330
MCQhard

A financial institution is evaluating the risk of a new mobile payment application. The risk team calculates the Annual Loss Expectancy (ALE) as $500,000 based on a single loss expectancy (SLE) of $100,000 and an annual rate of occurrence (ARO) of 5. After implementing a new encryption control at a cost of $150,000 per year, the ALE is reduced to $200,000. What is the residual risk in terms of ALE after one year of control operation?

A.$200,000
B.$500,000
C.$350,000
D.$300,000
AnswerA

This is the post-control ALE, representing residual risk.

Why this answer

The residual risk is the remaining Annual Loss Expectancy (ALE) after controls are applied. Since the ALE after implementing the encryption control is explicitly stated as $200,000, that is the residual risk after one year of control operation. The control cost of $150,000 is a separate cost-of-control figure and does not reduce the ALE further; it is used for cost-benefit analysis, not for calculating residual risk.

Exam trap

The trap here is that candidates mistakenly subtract the control cost from the original or reduced ALE, thinking residual risk equals ALE minus control expenditure, when in fact residual risk is simply the post-control ALE as stated.

How to eliminate wrong answers

Option B ($500,000) is wrong because it represents the original ALE before any controls were implemented, ignoring the risk reduction from the encryption control. Option C ($350,000) is wrong because it incorrectly subtracts the control cost ($150,000) from the original ALE ($500,000), confusing cost of control with risk reduction. Option D ($300,000) is wrong because it incorrectly subtracts the control cost from the reduced ALE ($200,000), which is not how residual risk is calculated; residual risk is the remaining ALE after controls, not net of control costs.

331
MCQeasy

A company has implemented a new control to detect unauthorized access attempts. What is the PRIMARY purpose of monitoring this control?

A.To provide evidence for regulatory audits.
B.To reduce the number of unauthorized access attempts.
C.To confirm the control is working effectively.
D.To calculate the residual risk level.
AnswerC

Ensures the control functions as designed.

Why this answer

The primary purpose of monitoring a detective control, such as one that detects unauthorized access attempts, is to confirm that the control is operating effectively as designed. Monitoring provides ongoing assurance that the control is correctly identifying and logging unauthorized access events, which is essential for maintaining the security posture and for timely incident response.

Exam trap

The trap here is confusing the purpose of monitoring a control (verifying its effectiveness) with the purpose of the control itself (detecting or preventing incidents), leading candidates to choose a benefit like audit evidence or risk calculation instead.

How to eliminate wrong answers

Option A is wrong because while monitoring logs can provide evidence for audits, that is a secondary benefit, not the primary purpose of monitoring a detective control. Option B is wrong because a detective control does not reduce the number of unauthorized access attempts; it only detects them after they occur. Option D is wrong because calculating residual risk is a risk assessment activity that uses control effectiveness data, but the immediate purpose of monitoring is to verify control operation, not to compute risk levels.

332
MCQeasy

A database error log shows repeated login failures followed by a successful authentication. Which control failure is MOST likely?

A.Account lockout policy is not enforced
B.No multi-factor authentication
C.Insufficient failed login monitoring
D.Weak password policy
AnswerA

Account should have been locked after a few failures.

Why this answer

The correct answer is A. The pattern suggests a brute-force attack that succeeded because the account lockout threshold was not configured (or was set too high). Option B (no MFA) is possible but less direct; C is about detection of failed attempts, but the control failure is the lack of lockout. D is about password complexity, not the cause of multiple attempts.

333
MCQmedium

Refer to the exhibit. During a risk identification exercise for the internal network, the risk manager reviews this firewall log entry. Which of the following risks is MOST directly suggested by this log entry?

A.Sensitive data is being exfiltrated via SMB.
B.An attacker could use SMB to move laterally from a compromised workstation to the server.
C.The workstation may be accessing the internet via the server.
D.The organization is vulnerable to a distributed denial-of-service (DDoS) attack.
AnswerB

SMB is commonly used for lateral movement in attacks.

Why this answer

The firewall log shows an inbound SMB connection (port 445) from a workstation (10.0.0.5) to a server (10.0.0.10). SMB is commonly used for file sharing and remote administration, and if the workstation is compromised, an attacker can leverage SMB to move laterally to the server, potentially gaining access to sensitive data or escalating privileges. This aligns with the risk of lateral movement, which is a primary concern in internal network segmentation.

Exam trap

The trap here is that candidates may focus on the protocol (SMB) and assume data exfiltration (Option A) without considering the direction of traffic (inbound to the server) and the typical use of SMB for lateral movement in internal networks.

How to eliminate wrong answers

Option A is wrong because SMB is a protocol for file sharing and remote administration, not typically used for exfiltration; exfiltration often uses HTTP/S, FTP, or DNS tunneling, and the log shows a single inbound connection, not a sustained outbound data transfer. Option C is wrong because the log shows traffic from the workstation to the server (inbound to the server), not the workstation accessing the internet via the server; internet access would typically involve outbound traffic to external IPs, not internal SMB connections. Option D is wrong because a DDoS attack requires a flood of traffic from multiple sources to overwhelm a target, and this log shows a single connection from one workstation to one server, with no indication of volume or distributed sources.

334
MCQeasy

After a risk assessment, the risk owner states that the residual risk for a specific asset is within the organization's risk tolerance. Which of the following BEST describes the action that should be taken?

A.Transfer the risk to a third party
B.Implement additional controls to reduce risk further
C.Formally accept the risk and document the decision
D.Reassess the risk using a quantitative method
AnswerC

Acceptance is appropriate when residual risk is within tolerance.

Why this answer

When the risk owner confirms that residual risk is within the organization's risk tolerance, the appropriate action is to formally accept the risk and document the decision. This is a standard risk treatment option (risk acceptance) under the ISACA Risk IT Framework, where no further controls are needed because the residual risk level is already acceptable. Documenting the acceptance ensures auditability and accountability for the decision.

Exam trap

The trap here is that candidates often confuse 'residual risk within tolerance' with a need to 'transfer' or 'mitigate further,' failing to recognize that risk acceptance is the correct treatment when the risk level is already acceptable.

How to eliminate wrong answers

Option A is wrong because transferring the risk (e.g., via cyber insurance or outsourcing) is unnecessary when the residual risk is already within tolerance; transfer would introduce additional cost and complexity without benefit. Option B is wrong because implementing additional controls would over-engineer the risk response, wasting resources on reducing risk below the accepted tolerance level, which violates the principle of cost-effective risk management. Option D is wrong because reassessing the risk using a quantitative method is not required; the risk has already been assessed and the residual risk is within tolerance—reassessment would be redundant and delay the decision.

335
Multi-Selecteasy

Which TWO are primary objectives of IT risk identification?

Select 2 answers
A.Assign risk owners
B.Determine risk appetite
C.Identify threats and vulnerabilities
D.Inventory assets
E.Implement controls
AnswersC, D

This is the direct objective of risk identification.

Why this answer

Option C is correct because IT risk identification primarily involves cataloging threats (e.g., malware, insider misuse) and vulnerabilities (e.g., unpatched CVEs, misconfigured firewalls) that could exploit weaknesses in assets. This step is foundational to building a risk register and precedes any analysis or treatment. Without identifying specific threats and vulnerabilities, subsequent risk assessment and mitigation efforts would lack a factual basis.

Exam trap

The trap here is that candidates confuse the outputs of risk identification (threats, vulnerabilities, assets) with later-stage activities like assigning ownership or implementing controls, leading them to select options A or E incorrectly.

336
MCQmedium

An organization is using the OCTAVE method for risk identification. Which activity is typically performed FIRST?

A.Identify threats
B.Identify critical assets
C.Identify vulnerabilities
D.Establish risk measurement criteria
AnswerD

OCTAVE starts with establishing criteria to frame the assessment.

Why this answer

In the OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation) method, the first phase is 'Build Asset-Based Threat Profiles,' which begins with establishing risk measurement criteria (e.g., impact scales, likelihood definitions) to guide subsequent asset prioritization and threat identification. This ensures that all later activities are aligned with the organization's risk appetite and tolerance levels.

Exam trap

ISACA often tests the misconception that asset identification is always the first step in any risk assessment methodology, but OCTAVE specifically requires establishing risk measurement criteria first to provide a consistent evaluation framework.

How to eliminate wrong answers

Option A is wrong because identifying threats occurs later in the OCTAVE process, after critical assets and risk measurement criteria have been established to provide context for threat analysis. Option B is wrong because, while identifying critical assets is an early step, it is performed after risk measurement criteria are defined to ensure assets are evaluated consistently against organizational risk thresholds. Option C is wrong because identifying vulnerabilities is part of the later 'Identify Vulnerabilities' phase, which depends on prior asset and threat identification to focus vulnerability analysis on relevant areas.

337
Multi-Selectmedium

A risk manager is facilitating a risk identification workshop for a new cloud migration initiative. Which TWO techniques are most effective for identifying potential IT risks at this stage?

Select 2 answers
A.Calculating the annualized loss expectancy (ALE) for each identified risk
B.Interviewing business unit managers and IT architects
C.Conducting a cost-benefit analysis of security controls
D.Reviewing post-incident reports from previous cloud migrations
E.Performing a vulnerability scan on the existing infrastructure
AnswersB, D

Stakeholder interviews elicit operational threats and business concerns.

Why this answer

Interviewing business unit managers and IT architects (Option B) is effective because it leverages domain expertise to surface operational and technical risks specific to the cloud migration, such as data residency constraints, API dependencies, or shared responsibility model gaps. This qualitative technique captures tacit knowledge that quantitative methods or automated scans cannot, making it ideal for the early identification stage.

Exam trap

The trap here is confusing risk identification (discovering what could go wrong) with risk analysis (quantifying likelihood/impact) or risk evaluation (comparing against criteria), leading candidates to select ALE calculation or cost-benefit analysis as identification techniques.

338
MCQhard

A multinational corporation uses a common identity management system (IdM) across all subsidiaries. During a risk assessment, it is discovered that the IdM system has a critical vulnerability that could allow privilege escalation. The patch requires a 4-hour downtime. The risk manager must decide the best course of action considering the organization's risk appetite of 'low' and the fact that the IdM system is critical for business operations. Which of the following is the BEST approach?

A.Implement a compensating control and delay patching.
B.Schedule the patch during the next maintenance window.
C.Apply the patch immediately during business hours.
D.Accept the risk and postpone patching indefinitely.
AnswerB

This minimizes disruption while addressing the vulnerability in a timely manner.

Why this answer

Option B is correct because scheduling the patch during the next maintenance window aligns with the organization's low risk appetite by addressing the critical vulnerability in a controlled manner, while minimizing operational disruption. The IdM system is critical for business operations, so applying the patch immediately during business hours (Option C) would cause unacceptable downtime, and delaying indefinitely (Option D) would violate the low risk appetite. A 4-hour downtime is typical for identity management systems like Active Directory or LDAP, where patching requires a reboot or service restart, and a planned maintenance window allows for proper testing and rollback procedures.

Exam trap

The trap here is that candidates may choose Option C (immediate patching) thinking it is the most secure response, but they overlook the criticality of the IdM system and the unacceptable operational impact of a 4-hour downtime during business hours, which violates the organization's low risk appetite by prioritizing security over business continuity.

How to eliminate wrong answers

Option A is wrong because implementing a compensating control (e.g., additional monitoring or access restrictions) delays patching and does not eliminate the root cause of the privilege escalation vulnerability, which could still be exploited if the compensating control fails; this approach is typically used when patching is not immediately feasible, but here a maintenance window is available. Option C is wrong because applying the patch immediately during business hours would cause a 4-hour downtime for a critical IdM system, disrupting authentication for all subsidiaries and potentially violating business continuity requirements; this is not aligned with a low risk appetite that prioritizes operational stability. Option D is wrong because accepting the risk and postponing patching indefinitely directly contradicts the organization's low risk appetite, as it leaves a critical privilege escalation vulnerability unmitigated, increasing the likelihood of a security breach that could compromise the entire identity infrastructure.

339
Multi-Selectmedium

Which TWO of the following are effective risk mitigation strategies for reducing the likelihood of a ransomware attack?

Select 2 answers
A.Installing intrusion detection systems
B.Conducting periodic vulnerability scans
C.Regularly backing up critical data
D.Deploying network segmentation
E.Implementing user awareness training
AnswersD, E

Segmentation limits the spread of ransomware, reducing likelihood of widespread infection.

Why this answer

Deploying network segmentation (D) reduces the likelihood of a ransomware attack by limiting lateral movement. If an endpoint is compromised, segmentation using VLANs or firewall rules (e.g., 802.1Q, ACLs) prevents the ransomware from spreading to critical systems, thereby reducing the attack surface and the probability of widespread encryption. User awareness training (E) directly reduces likelihood by teaching users to recognize phishing emails and malicious attachments, which are the primary initial vectors for ransomware delivery.

Exam trap

The trap here is that candidates confuse recovery controls (backups) with likelihood-reducing mitigations, or they mistake detective controls (IDS, vulnerability scans) for preventive measures that lower the probability of an attack.

340
MCQeasy

A company has implemented a new cloud-based customer relationship management (CRM) system. The IT risk manager is tasked with identifying risks related to this system. Which of the following is the MOST important risk identification technique to use initially?

A.Conducting a series of interviews with key users of the CRM
B.Performing a penetration test on the CRM environment
C.Facilitating a risk workshop with IT, business, and security stakeholders
D.Automated vulnerability scanning of the CRM system
AnswerC

A risk workshop enables comprehensive identification of risks across people, process, and technology.

Why this answer

Option C is correct because a risk workshop brings together stakeholders (IT, business, security) to identify risks collaboratively, which is effective for a new system. Option D (automated scanning) is useful for known vulnerabilities but not for business process risks. Option B (penetration testing) is for security validation, not initial identification. Option A (interviewing key users) is less comprehensive than a workshop.

341
Multi-Selecthard

Which THREE of the following are key indicators that a risk identification process is effective? (Choose three.)

Select 3 answers
A.The process identifies all known vulnerabilities
B.The process covers all critical business processes
C.The process involves input from key stakeholders across the organization
D.The process is repeated at regular intervals or triggered by significant changes
E.The process is completed within budget
AnswersB, C, D

Ensures comprehensive risk identification.

Why this answer

Option B is correct because an effective risk identification process must cover all critical business processes to ensure that risks are identified across the entire value chain. Without this coverage, significant risks in core operations could be missed, leading to incomplete risk assessments and potential business disruptions. This aligns with the CRISC focus on aligning IT risk management with business objectives.

Exam trap

The trap here is that candidates confuse project management metrics (like budget or schedule) with risk management effectiveness indicators, leading them to select 'completed within budget' instead of recognizing that coverage, stakeholder input, and timeliness are the true measures of a robust risk identification process.

342
MCQmedium

The exhibit shows a log entry from a GRC system. Which of the following is the MOST significant concern regarding this risk score update?

A.The control effectiveness status was not updated alongside the risk score
B.The inherent risk score decreased without any change in the business environment
C.The comment does not provide sufficient detail on the mitigation project
D.The risk owner was not notified of the change
AnswerA

Without updating control effectiveness, residual risk cannot be accurately assessed.

Why this answer

Option A is correct because the control effectiveness status was not updated, which is critical for accurate residual risk calculation. Option B is wrong because inherent risk can change due to mitigation. Option C is wrong because the comment provides a plausible reason. Option D is wrong because the risk owner is identified.

343
MCQmedium

A security control failed to prevent unauthorized access to a sensitive database. The risk owner has been notified. What should the risk practitioner do NEXT?

A.Recalculate the residual risk level and update the risk register
B.Escalate the issue to the board of directors
C.Apply a patch to the database system immediately
D.Perform a root cause analysis on the control failure
AnswerA

Control failure changes residual risk; must reassess and document.

Why this answer

The correct answer is A. After a control failure, the risk practitioner should first assess the impact on the risk level by recalculating residual risk, then update the risk register. C is wrong because immediate patching may introduce new vulnerabilities without analysis. B is wrong because escalation to senior management is premature before impact assessment. D is wrong because control testing is done after risk assessment.

344
MCQmedium

A manufacturing company uses IoT sensors on the factory floor to monitor equipment performance. The sensors transmit data to a central server via Wi-Fi. During a risk identification workshop, the operations manager reveals that some sensors are operating on outdated firmware with known vulnerabilities. The IT director proposes replacing all sensors at a high cost. The risk team notes that a breach could cause production downtime but the sensors only collect non-sensitive operational data. The company has a low tolerance for downtime. What should the risk team identify as the most critical risk?

A.Operational disruption from a potential cyber attack exploiting sensor vulnerabilities.
B.Legal liability from non-compliance with safety standards.
C.Reputational damage from a data leak.
D.Financial loss from replacing sensors.
AnswerA

Downtime is a key impact for the company.

Why this answer

The most critical risk is operational disruption from a cyber attack exploiting the known vulnerabilities in the outdated IoT sensor firmware. Since the company has a low tolerance for downtime, any breach that causes production stoppage directly impacts business continuity, outweighing the non-sensitive nature of the data collected. The sensors' Wi-Fi connectivity provides an attack surface for lateral movement or denial-of-service, making exploitation a high-probability, high-impact event.

Exam trap

The trap here is that candidates focus on data sensitivity (reputation or legal liability) instead of operational impact, failing to recognize that for a manufacturing company with low downtime tolerance, production disruption is the most critical risk even if the data is non-sensitive.

How to eliminate wrong answers

Option B is wrong because the scenario does not mention any safety standards or regulatory compliance requirements; the sensors collect non-sensitive operational data, not safety-critical parameters. Option C is wrong because the sensors only collect non-sensitive operational data, so a data leak would not cause reputational damage; the risk is operational, not data confidentiality. Option D is wrong because the financial loss from replacing sensors is a cost of mitigation, not a risk; the risk is the potential operational disruption, and the high replacement cost is a factor in risk treatment decisions, not the risk itself.

345
MCQeasy

An organization defines its risk appetite as 'no more than one major security incident per year.' During the year, a major incident occurs. The monitoring team reports this to the risk committee. What should be the NEXT step?

A.Immediately change the risk appetite to tolerate two incidents per year.
B.Review the incident to determine if risk appetite needs adjustment.
C.Report the breach to the board of directors.
D.Accept the incident and continue with current controls.
AnswerB

Appropriate escalation and review.

Why this answer

Option B is correct because the risk committee should review the incident and consider whether to adjust risk appetite or implement additional controls. Option C is wrong because reporting to the board is premature without analysis. Option D is wrong because accepting without analysis is passive. Option A is wrong because a change may not be needed; the appetite may be reaffirmed.

346
MCQmedium

A mid-sized retail company operates 50 stores across three regions. Each store uses a point-of-sale (POS) system that transmits credit card transactions to a centralized payment processor. The company recently deployed a new SaaS-based inventory management application that connects to the POS system via API. The IT department has no formal process for tracking third-party connections. The risk manager suspects that unknown or unauthorized connections may exist. During a risk identification review, the risk manager discovers that the POS vendor's API documentation was shared with the inventory SaaS provider without a non-disclosure agreement (NDA). Additionally, the API keys for the POS system are stored in plain text configuration files on the inventory SaaS application server. The company's security policy requires encryption of all sensitive data in transit and at rest. Which of the following should the risk manager prioritize as the HIGHEST risk scenario to document in the risk register?

A.Exposure of POS system API keys stored in plain text on the inventory SaaS server
B.The POS system may not be PCI DSS compliant due to API sharing without NDA
C.No formal process for tracking third-party connections
D.The lack of an NDA with the inventory SaaS provider
AnswerA

Direct exposure of credentials that access payment systems, leading to high risk of data breach.

Why this answer

The plain-text storage of API keys on the inventory SaaS server represents an active, exploitable vulnerability that directly violates the company's encryption-at-rest policy. Unlike the other options, this is a confirmed technical control failure that could allow an attacker to impersonate the POS system, intercept or manipulate credit card transactions, and compromise the entire payment processing pipeline. The risk is immediate and high-impact because the keys are already exposed, not merely a procedural gap or missing legal agreement.

Exam trap

The trap here is that candidates often prioritize procedural or compliance gaps (like missing NDAs or lack of formal processes) over a concrete, exploitable technical vulnerability, failing to recognize that a realized risk with immediate impact must be documented before addressing root causes.

How to eliminate wrong answers

Option B is wrong because PCI DSS compliance is a compliance status against an industry standard (a contractual obligation imposed by the card brands, not a regulation), not a risk scenario; sharing API documentation without an NDA does not by itself make the POS system non-compliant. PCI DSS does require written agreements with service providers that handle cardholder data (Requirement 12.8), but the scenario does not say the inventory SaaS provider processes cardholder data, and the NDA gap is a contractual finding rather than a control failure. Option C is wrong because the absence of a formal process for tracking third-party connections is a governance weakness, not a specific, realized risk scenario with a clear threat and vulnerable asset; it is a root cause, not a risk event to document. Option D is wrong because the lack of an NDA is a legal and contractual gap, not a technical risk; while it may lead to intellectual property exposure, it does not directly expose sensitive data or systems to immediate compromise like the plain-text API keys do.
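
As an added example (not part of the original question bank), the following Python script shows the kind of check a risk practitioner can run to confirm the plain-text credential condition described above: it scans configuration files for secret-named keys that hold literal values, skips values that are references into a secret store, and ranks long high-entropy literals as likely real credentials. The file names, keys and values are constructed for the example and are not from any real system.

```python
import math
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample files standing in for configuration on the inventory
# application server. File names, keys and values are made up for this example.
SAMPLE_CONFIGS: Dict[str, str] = {
    "pos_connector.ini": (
        "[pos]\n"
        "endpoint = https://pos-gateway.example.internal/api/v2\n"
        "api_key = sk_live_9f8e7d6c5b4a39281706f5e4d3c2b1a0\n"
        "timeout = 30\n"
        "admin_password = changeme\n"
    ),
    "app.env": (
        "DB_PASSWORD=${VAULT:secret/pos/db}\n"
        "POS_API_SECRET=Zm9vYmFyYmF6cXV4MTIzNDU2Nzg5MGFiY2RlZg==\n"
        "LOG_LEVEL=info\n"
    ),
}

# Keys whose values are expected to be secrets.
SECRET_KEY_RE = re.compile(r"(api[_-]?key|secret|token|passw(or)?d)", re.I)
# Values that point at an external secret store instead of holding a literal.
REFERENCE_RE = re.compile(
    r"^\$\{.*\}$|^\$[A-Za-z_][A-Za-z0-9_]*$|^vault:|^arn:aws:secretsmanager:", re.I
)
# key = value / KEY=value / key: value
ASSIGN_RE = re.compile(r"^\s*([A-Za-z0-9_.\-]+)\s*[=:]\s*(.+?)\s*$")


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character; random keys score high, words score low."""
    if not value:
        return 0.0
    counts = Counter(value)
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_config(filename: str, text: str) -> List[Tuple[str, int, str, str]]:
    """Return (file, line, key, severity) for every literal secret found."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith(("#", ";", "[")):
            continue  # comments and section headers
        m = ASSIGN_RE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip("\"'")
        if not SECRET_KEY_RE.search(key):
            continue
        if REFERENCE_RE.match(value):
            continue  # externalised: the literal is not on disk
        # Long, high-entropy literals look like real credentials; short or
        # dictionary-like literals are still secrets in clear but may be placeholders.
        severity = "high" if len(value) >= 16 and shannon_entropy(value) > 3.0 else "review"
        findings.append((filename, lineno, key, severity))
    return findings


def scan_all(configs: Dict[str, str]) -> List[Tuple[str, int, str, str]]:
    return [f for name, text in configs.items() for f in scan_config(name, text)]


if __name__ == "__main__":
    for found in scan_all(SAMPLE_CONFIGS):
        print(f"{found[0]}:{found[1]} {found[2]} -> {found[3]}")
```

Run it over a copy of the application's configuration directory. A "high" finding such as the POS api_key is the evidence that supports documenting the scenario in the risk register; "review" findings (short literals like changeme) still need a human look, because the scanner cannot tell a placeholder from a weak real password.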

347
MCQmedium

A global company uses a critical third-party vendor for data processing. The inherent risk is high, but the vendor has implemented robust controls. However, due to recent geopolitical instability, the vendor's physical location is at risk. The risk owner recommends purchasing a business continuity insurance policy. Which risk response is being applied?

A.Transfer
B.Avoid
C.Accept
D.Mitigate
AnswerA

Insurance transfers the risk to a third party.

Why this answer

Option A is correct because purchasing insurance transfers the financial consequences of the risk to the insurer; the underlying event (an outage at the vendor's location) becomes neither less likely nor less severe. Option B (avoid) would mean exiting the vendor or the activity; Option C (accept) would mean taking no further action; Option D (mitigate) would mean reducing likelihood or impact through controls such as an alternate processing site. Note that insurance only covers the insured financial loss; operational and reputational impact stays with the organization.

348
MCQhard

After a major system upgrade, the control testing team reports that a critical automated control failed intermittently. The control owner states it's a temporary glitch. What is the best course of action?

A.Replace the control with a manual one.
B.Perform a root cause analysis before deeming it effective.
C.Increase frequency of monitoring.
D.Accept the risk and document the finding.
AnswerB

Root cause analysis helps determine if the failure is transient or indicative of a systemic issue.

Why this answer

Intermittent failures require root cause analysis to determine whether the control is truly effective, so Option B is correct; a control that fails intermittently cannot be rated as operating effectively on the owner's assurance that it is a temporary glitch. Option A replaces the control without analysis and may introduce a less reliable manual process. Option C increases monitoring frequency but does not address why the control fails. Option D accepts the risk prematurely, before the cause and extent of the failure are known.

349
MCQmedium

After a significant cybersecurity incident, the board requests a report on the effectiveness of the security controls that were in place. Which reporting approach would BEST demonstrate the controls' performance?

A.List all controls and their test results
B.Show the number of vulnerabilities patched
C.Provide a summary of the incident timeline
D.Compare control test results against defined KRIs and risk appetite
AnswerD

This links control outcomes to risk tolerance, demonstrating effectiveness.

Why this answer

Option D is correct because comparing test results against defined KRIs and risk appetite shows whether the controls kept risk within the level the board had accepted, which is what effectiveness means to a board audience. Option A is too granular and lacks that context. Option B reports a metric (patched vulnerabilities) that measures activity, not whether the controls performed. Option C describes the incident timeline rather than the controls' performance.

350
Multi-Selectmedium

An organization is migrating on-premises applications to a public cloud. Which THREE of the following should be considered as key risk identification activities?

Select 3 answers
A.Mapping network security group rules to existing firewall policies.
B.Performing a cost-benefit analysis of the migration.
C.Calculating the total cost of ownership.
D.Identifying data residency and compliance requirements.
E.Assessing shared responsibility model gaps.
AnswersA, D, E

Network mapping identifies potential access control risks.

Why this answer

Mapping network security group (NSG) rules to existing firewall policies is a key risk identification activity because it ensures that security controls are correctly translated to the cloud environment. Misconfigured NSG rules can lead to unintended network exposure, such as open ports or overly permissive access, which directly increases the attack surface. This mapping identifies gaps between on-premises security postures and cloud-native security constructs, a critical step in risk identification during migration.

Exam trap

The trap here is that candidates often confuse financial analysis activities (like cost-benefit analysis or TCO) with risk identification, but CRISC focuses on identifying threats, vulnerabilities, and control gaps, not cost optimization.

351
MCQeasy

During an IT risk assessment, a risk analyst discovers that a server contains sensitive customer data but is not included in the organization's vulnerability scanning program. What should the analyst do first?

A.Add the server to the high-risk register immediately.
B.Notify the vulnerability scan administrator to include the server in the next scan.
C.Perform a manual vulnerability assessment on the server.
D.Request an exception from management for the server to be exempt from scanning.
AnswerB

Direct action to include the server is the most immediate and effective response.

Why this answer

The analyst should report the missing server to the scan administrator to ensure it is included (Option B), as the immediate need is to close the scanning gap.

352
MCQeasy

A retail company is planning to launch a mobile payment app. The risk team is identifying potential risks related to payment card industry (PCI) compliance. The app will process credit card numbers. The development team has implemented tokenization to replace card numbers with tokens, but the token vault is located on-premises. The network architect proposes exposing the token vault to the internet for mobile app access. The compliance officer is concerned about PCI DSS requirements. The risk manager needs to identify the highest risk related to this setup. What is the primary risk?

A.Potential loss of tokens due to hardware failure.
B.Exposure of the token vault to the internet may violate PCI DSS requirements and lead to a data breach.
C.Increased latency due to tokenization.
D.High cost of tokenization infrastructure.
AnswerB

Direct exposure to internet is a major security and compliance risk.

Why this answer

The primary risk is that exposing the token vault to the internet places the most sensitive component of the tokenization design, the PAN-to-token mapping, within reach of untrusted networks. PCI DSS restricts direct public access between the internet and system components in the cardholder data environment (Requirement 1, network security controls), and the vault itself stores PANs, which must be rendered unreadable wherever stored (Requirement 3). Tokenization reduces PCI scope only while the vault stays isolated; internet exposure widens the attack surface for unauthorized access, potentially leading to a breach of the full PAN set and non-compliance penalties.

Exam trap

The trap here is that candidates may focus on operational risks like latency or cost, but the CRISC exam emphasizes that PCI DSS compliance and data breach exposure are the highest risks when cardholder data or its mapping is exposed to the internet.

How to eliminate wrong answers

Option A is wrong because hardware failure is a general availability risk, not the highest risk here; PCI DSS focuses on data protection, not hardware redundancy. Option C is wrong because increased latency from tokenization is a performance concern, not a compliance or security risk that could lead to a breach. Option D is wrong because cost is a business risk, not the primary security or compliance risk; PCI DSS does not mandate cost efficiency.

353
MCQmedium

A risk manager notices that a key risk indicator (KRI) has been consistently above the threshold for three months. What should be the first action?

A.Adjust the threshold to a higher value.
B.Implement additional controls immediately.
C.Review the KRI definition and data source for accuracy.
D.Escalate to senior management immediately.
AnswerC

Ensuring the KRI is correctly measured and sourced is fundamental before any action.

Why this answer

Before escalating, it is important to verify the accuracy of the KRI data and its definition; Option C is correct because data-quality and definition problems (a stale feed, a mis-specified calculation, a threshold set without a baseline) are a common cause of persistent false alarms. Option A adjusts the threshold to make the signal disappear without verification. Option B implements controls before the breach has been confirmed as real. Option D escalates reactively without understanding the root cause. If verification confirms the KRI is accurate, a three-month breach is exactly the situation that should then be escalated.

354
MCQeasy

An organization is conducting a business impact analysis (BIA) for its core banking system. Which of the following is the PRIMARY metric used to determine the urgency of recovery?

A.Service Level Agreement (SLA)
B.Recovery Time Objective (RTO)
C.Maximum Tolerable Downtime (MTD)
D.Recovery Point Objective (RPO)
AnswerC

MTD defines the maximum acceptable downtime before severe impact.

Why this answer

The Maximum Tolerable Downtime (MTD) is the primary metric for determining the urgency of recovery because it defines the total duration a business process can be unavailable before causing irreparable harm. For a core banking system, MTD directly reflects the maximum acceptable outage period from the business perspective, driving all recovery planning priorities.

Exam trap

The trap here is confusing RTO with MTD: candidates often pick RTO because it directly relates to recovery speed, but MTD is the business-driven ceiling that defines the urgency, while RTO is merely a derived target.

How to eliminate wrong answers

Option A is wrong because a Service Level Agreement (SLA) is a contractual commitment for normal operations, not a metric for recovery urgency during a disaster. Option B is wrong because Recovery Time Objective (RTO) is a target derived from MTD, not the primary determinant of urgency; it specifies the time within which recovery must occur but is subordinate to the business's maximum tolerable downtime. Option D is wrong because Recovery Point Objective (RPO) measures acceptable data loss (time between backups), not the urgency of system recovery after an outage.

355
MCQhard

A company calculates the annualized loss expectancy (ALE) for a server outage as $75,000. The cost to implement a high-availability solution is $200,000 with a lifespan of 5 years and annual maintenance of $10,000. What is the residual risk if the solution reduces outage likelihood by 90%?

A.$50,000
B.$7,500
C.$42,500
D.$57,500
AnswerB

Residual risk is the ALE after control implementation: $75,000 * 0.1 = $7,500.

Why this answer

The correct answer is B: $7,500. The annualized loss expectancy (ALE) before mitigation is $75,000. The high-availability solution reduces outage likelihood by 90%, so the residual ALE is 10% of $75,000 = $7,500.

The cost of the solution ($200,000 capital with $10,000 annual maintenance over 5 years) is used to calculate the cost-benefit or net present value, but does not directly affect the residual risk figure, which is purely the remaining expected loss after controls are applied.

Exam trap

The trap here is that candidates often mistakenly include the cost of the control (annualized or total) in the residual risk calculation, confusing residual risk (the remaining expected loss) with the net financial benefit or cost of the solution.

How to eliminate wrong answers

Option A ($50,000) is wrong because it incorrectly subtracts the annualized cost of the solution (e.g., $40,000 annualized capital plus $10,000 maintenance = $50,000) from the original ALE, confusing residual risk with net benefit. Option C ($42,500) is wrong because it likely results from subtracting only the capital cost annualized ($40,000) from the original ALE, ignoring the 90% reduction factor. Option D ($57,500) is wrong because it appears to subtract the annual maintenance ($10,000) and a partial capital cost from the original ALE, or mistakenly applies the 90% reduction to the cost instead of the likelihood.

356
Multi-Selecteasy

Which THREE of the following are examples of risk mitigation controls? (Select THREE.)

Select 3 answers
A.Firewall
B.Outsourcing IT helpdesk
C.Encryption
D.Security awareness training
E.Cyber insurance
AnswersA, C, D

Firewalls reduce the likelihood of network attacks.

Why this answer

A firewall is a risk mitigation control because it enforces network security policies by filtering traffic based on rules, thereby reducing the likelihood of unauthorized access or attacks. It directly reduces the probability of a threat exploiting a vulnerability, which is the essence of mitigation.

Exam trap

The trap here is confusing risk mitigation (which reduces likelihood or impact) with risk transfer (which shifts the financial burden to another party), leading candidates to incorrectly select outsourcing or insurance as mitigation controls.

357
MCQeasy

You are the risk manager for a healthcare provider. A risk assessment identified that patient data is transmitted over unencrypted connections between clinics and the data center. The existing controls include strong network perimeter defenses. The risk is rated as high. Management is concerned about the cost of implementing encryption. You have proposed a control that encrypts data in transit. However, the network team argues that the perimeter controls are sufficient. What is the MOST appropriate response?

A.Transfer the risk to a third party by outsourcing data transmission.
B.Accept the risk because perimeter controls are in place.
C.Reduce the risk rating to medium since perimeter controls provide compensating security.
D.Implement encryption as recommended because it addresses the vulnerability directly.
AnswerD

Provides necessary protection for data in transit.

Why this answer

Option D is correct because encrypting data in transit directly addresses the vulnerability of unencrypted connections, which is the root cause of the high risk. Perimeter controls like firewalls and IDS/IPS do not protect the confidentiality of data once it leaves the protected network boundary, as they cannot prevent interception on the wire between the clinics and the data center. Implementing encryption (e.g., TLS 1.2/1.3 between the application endpoints, or IPsec tunnels between the clinic and data-center gateways) protects confidentiality regardless of perimeter strength; note that a gateway-to-gateway IPsec tunnel protects the link, not the path inside each site, so TLS at the application layer is the stronger choice where the applications support it.

Exam trap

The trap here is that candidates may overestimate the effectiveness of perimeter controls (e.g., firewalls) as a compensating control for data-in-transit encryption, failing to recognize that they operate at different OSI layers and cannot prevent interception of unencrypted traffic after it leaves the network boundary.

How to eliminate wrong answers

Option A is wrong because transferring risk to a third party does not eliminate the vulnerability; the third party would still need to encrypt data in transit, and outsourcing introduces additional risks like vendor management and data sovereignty. Option B is wrong because accepting the risk ignores the high-risk rating and the fact that perimeter controls do not protect data in transit from eavesdropping attacks such as packet sniffing or man-in-the-middle (MITM) exploits. Option C is wrong because reducing the risk rating based on compensating controls is a subjective adjustment that violates risk assessment principles; perimeter controls do not compensate for the lack of encryption, as they operate at different layers (network vs. transport/application).

358
MCQmedium

A company relies on a third-party cloud provider for critical data processing. As part of its vendor risk management program, the company wants to implement continuous monitoring of the provider's controls. Which of the following is the BEST approach?

A.Monitor the provider's service level agreements (SLAs) for uptime
B.Conduct monthly manual attestation surveys with the provider
C.Require the provider to perform quarterly penetration tests
D.Obtain and review the provider's SOC 2 Type II report on an ongoing basis
AnswerD

A SOC 2 Type II report provides independent assurance over the operating effectiveness of relevant controls across a review period.

Why this answer

Option D is correct because a SOC 2 Type II report provides independent assurance over the design and operating effectiveness of the provider's controls (security, availability and whichever other Trust Services Criteria are in scope) across the review period, and reviewing each new report, together with any bridge letter and the exceptions noted, is the most practical way to keep that assurance current. Strictly, a Type II report is periodic (it covers a defined window, typically six to twelve months), so "continuous" here means ongoing rather than real time. Option A is wrong because SLAs measure performance such as uptime, not control effectiveness. Option B is wrong because manual attestation surveys are self-reported and less reliable, and a monthly questionnaire is not independent assurance. Option C is wrong because quarterly penetration tests cover only a subset of technical controls at a point in time, not the full control environment.

359
MCQeasy

Which of the following BEST describes inherent risk?

A.The risk level before any controls are applied
B.The level of risk after implementing controls
C.The amount of risk the organization is willing to accept
D.The risk level that remains after considering existing controls
AnswerA

Inherent risk is the gross risk without mitigation.

Why this answer

Inherent risk is defined as the level of risk that exists in the absence of any controls or mitigations. It represents the raw, untreated risk exposure that an organization faces from a specific threat-vulnerability pair, such as the risk of data exfiltration from an unpatched web server before any firewall rules, intrusion detection systems, or encryption are applied.

Exam trap

The trap here is confusing inherent risk with residual risk, as many candidates mistakenly think that 'risk after controls' is the starting point, but CRISC defines inherent risk as the risk level before any controls are applied.

How to eliminate wrong answers

Option B is wrong because it describes residual risk, which is the risk level after controls are implemented. Option C is wrong because it defines risk appetite, the amount of risk an organization is willing to accept, not inherent risk. Option D is wrong because it also describes residual risk, which is the risk remaining after considering existing controls, not the baseline before controls.

360
MCQhard

Based on the exhibit, which control is most critical to address first to reduce the risk of unauthorized access?

A.Segregation of duties conflict resolution timeliness.
B.Privileged access review frequency.
C.User access recertification completion rate.
D.Terminated employee account disabling timeliness.
AnswerA

At 85% vs target 90%, unresolved SoD conflicts pose a significant risk of unauthorized transactions.

Why this answer

Option A is correct because segregation of duties (SoD) conflict resolution timeliness directly addresses the risk that unresolved conflicts could allow a single user to execute unauthorized actions across multiple systems. If SoD conflicts are not resolved promptly, a user might retain incompatible roles (e.g., both creating and approving purchase orders), enabling fraud or unauthorized access without detection. This control is foundational because it prevents the accumulation of excessive privileges that bypass other access controls.

Exam trap

ISACA often tests the misconception that reactive controls like access reviews or account disabling are more critical than proactive controls like SoD conflict resolution, but the question specifically targets the root cause of unauthorized access—accumulation of incompatible privileges—which only timeliness of SoD resolution can prevent in real time.

How to eliminate wrong answers

Option B is wrong because privileged access review frequency, while important, is a detective control that identifies excessive privileges after they have been granted; it does not prevent the initial accumulation of incompatible roles that enable unauthorized access. Option C is wrong because user access recertification completion rate focuses on periodic validation of existing access, but it does not address the real-time risk of unresolved SoD conflicts that can be exploited immediately. Option D is wrong because terminated employee account disabling timeliness is a critical control for removing access of ex-employees, but it does not mitigate the risk of current employees with conflicting roles that allow unauthorized actions within their legitimate sessions.

361
Multi-Selectmedium

Which TWO of the following are primary objectives of control monitoring?

Select 2 answers
A.To calculate the financial impact of control failures.
B.To provide assurance to stakeholders that controls are functioning.
C.To determine the design adequacy of controls.
D.To verify that controls are operating effectively.
E.To identify new risks that were not previously assessed.
AnswersB, D

Monitoring provides ongoing assurance.

Why this answer

Control monitoring's primary objectives are to provide assurance to stakeholders that controls are functioning as intended and to verify that controls are operating effectively on an ongoing basis. This aligns with the CRISC framework's emphasis on continuous assurance over control performance, not just periodic assessment.

Exam trap

The trap here is confusing the objectives of control monitoring with those of risk assessment or control design, leading candidates to select options about identifying new risks or calculating financial impact, which belong to separate CRISC domains.

362
MCQhard

You are a risk practitioner at a financial institution that is migrating its core banking system to a cloud provider. The migration plan includes a phased approach, with the first phase moving non-critical applications. However, during the second phase (moving customer-facing applications), the cloud provider experiences a major outage that lasts 6 hours. The outage was caused by a misconfiguration in the provider's network. The institution had conducted a risk assessment and identified cloud provider downtime as a risk, but the treatment plan only included a service level agreement (SLA) with financial penalties. The SLA does not cover the reputational damage and loss of customer trust. The risk register shows that the residual risk level was marked as 'low' before the incident. After the incident, senior management is demanding a review. Which of the following is the MOST appropriate action for the risk practitioner to take?

A.Negotiate a higher penalty in the SLA
B.Initiate a legal claim against the provider
C.Update the risk register to reflect the incident and accept the residual risk
D.Reassess the risk and recommend implementing a multi-cloud architecture for critical applications
AnswerD

Multi-cloud reduces dependency on a single provider and addresses the impact.

Why this answer

Option D is correct because the incident revealed that the existing risk treatment (SLA financial penalties) was insufficient to address the actual impact (reputational damage and loss of customer trust). The risk practitioner must reassess the risk with the new information and recommend a more robust mitigation strategy, such as multi-cloud architecture, to reduce the likelihood or impact of a single provider's outage affecting critical customer-facing applications.

Exam trap

The trap here is that candidates may think updating the risk register (Option C) is sufficient, but CRISC emphasizes that after a risk materializes with greater impact than assessed, the risk must be reassessed and the treatment plan revised, not just documented.

How to eliminate wrong answers

Option A is wrong because negotiating a higher penalty in the SLA still does not address the unmitigated reputational damage and loss of customer trust; financial penalties compensate for direct costs but not intangible impacts. Option B is wrong because initiating a legal claim is a reactive, punitive measure that does not improve future resilience and may be precluded by the SLA's limitation of liability clauses. Option C is wrong because simply updating the risk register to reflect the incident and accepting the residual risk ignores the need to reassess and improve controls after a realized risk that exceeded the accepted level.

363
MCQmedium

A risk practitioner is designing a monitoring dashboard for senior management. Which key performance indicator (KPI) would be MOST useful for tracking control effectiveness over time?

A.Number of security incidents reported.
B.Number of transactions processed per hour.
C.Value at Risk (VaR) for operational risk.
D.Percentage of controls passing automated tests.
AnswerD

Directly indicates control effectiveness.

Why this answer

Option D is correct because the percentage of controls passing automated tests directly measures the effectiveness of controls over time. A trend of increasing or stable high percentages indicates that controls are functioning as intended, while a decline signals degradation. This KPI is specifically designed for control monitoring, unlike metrics that measure activity or outcomes.

Exam trap

The trap here is that candidates confuse outcome-based metrics (like incident counts) with control effectiveness metrics, failing to recognize that a KPI for control effectiveness must directly measure control performance, not the consequences of control failure.

How to eliminate wrong answers

Option A is wrong because the number of security incidents reported is a lagging indicator of control failure, not a direct measure of control effectiveness; a low incident count could result from poor detection rather than strong controls. Option B is wrong because transactions processed per hour is a throughput metric for operational efficiency, not a measure of control effectiveness; it does not indicate whether controls on those transactions are working. Option C is wrong because Value at Risk (VaR) for operational risk is a statistical estimate of potential loss, not a real-time or trendable indicator of individual control performance; it aggregates risk rather than measuring control pass/fail rates.

364
MCQhard

Refer to the exhibit. Based on the control test results, which of the following is the most immediate risk?

A.Material misstatement in financial statements
B.Non-compliance with credit policy
C.Inefficient order processing
D.Fraud due to lack of segregation of duties
AnswerD

The failed control directly indicates that a user can both enter and approve orders, increasing the risk of fraudulent transactions.

Why this answer

The control test results show that the same individual can both create purchase orders and approve invoices, which violates segregation of duties. This lack of segregation creates an immediate risk of fraud because the employee could create fictitious orders and approve payments to themselves or accomplices without detection.

Exam trap

The trap here is that candidates often focus on the financial reporting impact (Option A) as the most immediate risk, but CRISC emphasizes that the control deficiency itself—the lack of segregation of duties—creates an immediate fraud exposure before any financial misstatement can occur.

How to eliminate wrong answers

Option A is wrong because material misstatement in financial statements is a downstream consequence that would occur only if fraudulent transactions are actually processed and recorded, not an immediate risk from the control weakness itself. Option B is wrong because non-compliance with credit policy relates to extending credit to customers, which is not directly impacted by the purchase-to-pay segregation issue described. Option C is wrong because inefficient order processing refers to operational delays or bottlenecks, whereas the control failure here is a deliberate fraud opportunity, not a process speed issue.
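
Both question 360 (timeliness of SoD conflict resolution) and question 364 (a user who can both create purchase orders and approve invoices) turn on the same detective check, so the following Python example, added here and not part of the original page, implements it once: it expands user role assignments into effective entitlements, tests them against a small SoD ruleset, and computes the kind of resolution-timeliness KRI the exhibit in question 360 reports. The role catalogue, rules, users and dates are constructed for the example, and the 30-day resolution SLA is an assumption.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

# Constructed role catalogue: which entitlements each role grants.
ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "AP_Clerk": {"create_purchase_order", "receive_goods"},
    "AP_Manager": {"approve_invoice", "release_payment"},
    "Vendor_Admin": {"maintain_vendor_master"},
    "Reporting": {"view_reports"},
}

# Constructed SoD ruleset: entitlement pairs one person must not hold together.
SOD_RULES: List[Tuple[str, str]] = [
    ("create_purchase_order", "approve_invoice"),
    ("receive_goods", "approve_invoice"),
    ("maintain_vendor_master", "release_payment"),
]

# Constructed user-to-role assignments, as an IAM export might show them.
USER_ROLES: Dict[str, Set[str]] = {
    "alice": {"AP_Clerk", "Reporting"},
    "bob": {"AP_Clerk", "AP_Manager"},       # creates POs and approves invoices
    "carol": {"Vendor_Admin", "AP_Manager"}, # edits vendor bank details and releases payment
    "dave": {"Reporting"},
}


def effective_entitlements(roles: Set[str], catalogue: Dict[str, Set[str]]) -> Set[str]:
    """Union of everything the user's roles grant; unknown roles grant nothing."""
    return set().union(*(catalogue.get(r, set()) for r in roles))


def find_sod_conflicts(
    user_roles: Dict[str, Set[str]],
    catalogue: Dict[str, Set[str]],
    rules: List[Tuple[str, str]],
) -> Dict[str, List[Tuple[str, str]]]:
    """Users holding both sides of any SoD rule, with the violated pairs."""
    conflicts: Dict[str, List[Tuple[str, str]]] = {}
    for user, roles in sorted(user_roles.items()):
        ents = effective_entitlements(roles, catalogue)
        hits = [(a, b) for a, b in rules if a in ents and b in ents]
        if hits:
            conflicts[user] = hits
    return conflicts


@dataclass(frozen=True)
class ConflictRecord:
    user: str
    detected: date
    resolved: Optional[date]  # None while still open


def resolution_timeliness(records: List[ConflictRecord], as_of: date,
                          sla_days: int) -> Tuple[int, int, float]:
    """(on_time, total, percent). A record is on time if it was resolved within
    the SLA, or is still open but not yet older than the SLA."""
    on_time = 0
    for r in records:
        end = r.resolved or as_of
        if (end - r.detected).days <= sla_days:
            on_time += 1
    total = len(records)
    return on_time, total, (100.0 * on_time / total) if total else 100.0


# Constructed conflict history feeding the timeliness KRI (SLA assumed: 30 days).
SAMPLE_RECORDS = [
    ConflictRecord("bob", date(2024, 5, 1), date(2024, 5, 20)),    # 19 days
    ConflictRecord("carol", date(2024, 5, 10), None),             # open 51 days
    ConflictRecord("erin", date(2024, 6, 15), date(2024, 6, 20)),  # 5 days
    ConflictRecord("frank", date(2024, 4, 1), date(2024, 5, 15)),  # 44 days
    ConflictRecord("grace", date(2024, 6, 20), None),             # open 10 days
]
AS_OF = date(2024, 6, 30)

if __name__ == "__main__":
    for user, pairs in find_sod_conflicts(USER_ROLES, ROLE_ENTITLEMENTS, SOD_RULES).items():
        print(user, pairs)
    print("SoD resolution timeliness:", resolution_timeliness(SAMPLE_RECORDS, AS_OF, 30))
```

The conflict list is the detective output an access review or control test would produce; the timeliness tuple is the KRI value, and a figure below the target (here 60 percent against a 90 percent target) is the signal that conflicts are sitting open long enough to be exploited, which is the reasoning behind the answer to question 360.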

365
Multi-Selecthard

Which THREE of the following control monitoring techniques are considered continuous monitoring?

Select 3 answers
A.Quarterly internal control self-assessments
B.Automated logging and alerting from SIEM tools
C.Real-time validation of input data in applications
D.Annual penetration testing
E.Automated reconciliation of transactions at day end
AnswersB, C, E

Continuous real-time monitoring.

Why this answer

The correct options are B, C and E. Continuous monitoring relies on automated, ongoing techniques: SIEM logging and alerting (B) and application input validation (C) operate in real time, and automated day-end reconciliation (E) runs on every processing cycle without human scheduling, which ISACA treats as continuous even though it is batched. Quarterly control self-assessments (A) and annual penetration testing (D) are periodic or ad hoc and therefore not continuous.

366
MCQmedium

A retail company is identifying risks in its supply chain. Which approach is most effective for identifying previously unknown risks?

A.Scenario analysis with supply chain partners
B.Employee surveys
C.Financial audit reports
D.Review of standard risk checklists
AnswerA

Scenario analysis explores potential future events, uncovering previously unidentified risks.

Why this answer

Scenario analysis with supply chain partners is most effective for identifying previously unknown risks because it leverages collaborative brainstorming and 'what-if' thinking to uncover emergent threats that are not captured by historical data or static checklists. This approach is particularly valuable in supply chain contexts where interdependencies, third-party vulnerabilities, and novel disruptions (e.g., a new cyberattack vector targeting a logistics provider) can surface only through joint exploration of hypothetical events. It aligns with the CRISC emphasis on proactive risk identification beyond known patterns.

Exam trap

The trap here is that candidates often choose 'Review of standard risk checklists' because it seems efficient and structured, but CRISC tests the understanding that checklists are inherently limited to known risks and cannot identify novel or previously unencountered threats.

How to eliminate wrong answers

Option B is wrong because employee surveys are typically backward-looking and capture only known or perceived risks based on individual experience, making them ineffective for surfacing novel, systemic, or previously unencountered supply chain threats. Option C is wrong because financial audit reports focus on historical financial controls and compliance gaps, not on forward-looking identification of operational or strategic risks like supplier cyber incidents or geopolitical disruptions. Option D is wrong because standard risk checklists are static and based on known risk categories (e.g., vendor lock-in, natural disasters), so they inherently miss emerging or context-specific risks that have not been codified into the checklist.

367
MCQmedium

A regional bank uses a centralized GRC platform to monitor key risk indicators (KRIs) for operational risk. The chief risk officer (CRO) reviews the monthly risk report and notices that the KRI 'number of system outages exceeding 4 hours' has been consistently reported as 0 for the past six months. However, the IT incident log shows three such outages in the same period. The CRO suspects the KRI is not being accurately reported. What should the risk manager do next?

A.Add additional controls to reduce the likelihood of system outages
B.Update the risk register to reflect the recent outage incidents
C.Investigate the KRI calculation and data feed to identify why outages are not being captured
D.Increase the KRI threshold to 2 outages to align with historical data
AnswerC

Understanding the data integrity issue is the first step to ensure accurate monitoring and reporting.

Why this answer

The correct answer is C because the risk manager must first investigate the KRI calculation and data feed to determine why the IT incident log shows three outages but the KRI reports zero. Without understanding the root cause of the reporting discrepancy—whether it is a data integration error, a threshold misconfiguration, or a failure in the GRC platform's automated data collection—any subsequent action would be premature and could mask the underlying control monitoring failure.

Exam trap

The trap here is that candidates may confuse the need to remediate the reporting failure with the need to remediate the risk itself, leading them to choose an option that addresses the outages directly (like adding controls or updating the register) rather than first diagnosing the KRI data pipeline.

How to eliminate wrong answers

Option A is wrong because adding additional controls does not address the immediate issue of inaccurate KRI reporting; it assumes the problem is a lack of controls rather than a data integrity or calculation error. Option B is wrong because updating the risk register with the outage incidents is a record-keeping step that does not resolve the root cause of why the KRI failed to capture them; the risk register should reflect accurate data, but the priority is to fix the reporting mechanism. Option D is wrong because increasing the KRI threshold to 2 outages would simply hide the discrepancy by aligning the threshold with the observed data, thereby undermining the KRI's purpose as an early warning indicator and failing to correct the underlying reporting failure.
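
As an added example, not from the original page, the following Python script performs the investigation Option C calls for: it recomputes the KRI "number of system outages exceeding 4 hours" directly from an incident-log export and compares it with the value the GRC platform reported. The incident rows are constructed, and the cause modelled here (the feed only forwarding P1 records) is one hypothetical explanation; the point is that recomputing from the source of truth exposes the discrepancy and narrows where the pipeline broke.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Set

# Constructed incident-log export: id,start,end,severity,service.
# The rows are made up for this example and are not from any real system.
INCIDENT_LOG = """\
INC-1041,2024-01-12T02:10:00,2024-01-12T07:40:00,P2,core-banking
INC-1077,2024-02-03T22:00:00,2024-02-04T01:30:00,P1,payments
INC-1102,2024-03-21T09:00:00,2024-03-21T14:05:00,P2,online-banking
INC-1130,2024-05-02T18:30:00,2024-05-03T00:45:00,P2,core-banking
INC-1155,2024-06-11T11:00:00,2024-06-11T12:00:00,P1,atm
"""


@dataclass(frozen=True)
class Incident:
    ident: str
    start: datetime
    end: datetime
    severity: str
    service: str

    @property
    def hours(self) -> float:
        return (self.end - self.start).total_seconds() / 3600


def parse_incidents(text: str) -> List[Incident]:
    incidents = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ident, start, end, sev, svc = [p.strip() for p in line.split(",")]
        incidents.append(Incident(ident, datetime.fromisoformat(start),
                                  datetime.fromisoformat(end), sev, svc))
    return incidents


def long_outages(incidents: List[Incident], threshold_hours: float = 4.0,
                 severities: Optional[Set[str]] = None) -> List[str]:
    """IDs of outages strictly longer than the threshold.
    severities=None means every severity counts, which is what the KRI definition says."""
    return [i.ident for i in incidents
            if i.hours > threshold_hours
            and (severities is None or i.severity in severities)]


def reconcile_kri(reported: int, incidents: List[Incident]) -> Dict[str, object]:
    """Compare the platform's reported value with a recomputation from the log."""
    recomputed = long_outages(incidents)
    return {
        "reported": reported,
        "recomputed": len(recomputed),
        "discrepancy": len(recomputed) - reported,
        "incidents": recomputed,
    }


if __name__ == "__main__":
    incidents = parse_incidents(INCIDENT_LOG)
    # Hypothetical feed logic under test: only P1 records reach the GRC platform,
    # so it reports zero even though three P2 outages exceeded four hours.
    feed_value = len(long_outages(incidents, severities={"P1"}))
    result = reconcile_kri(feed_value, incidents)
    print(f"reported={result['reported']} recomputed={result['recomputed']} "
          f"discrepancy={result['discrepancy']} incidents={result['incidents']}")
```

Running the recomputation against each suspected filter (severity, service, duration unit, date window) in turn is how the risk manager isolates the stage that drops records; once the recomputed figure matches the log, the corrected KRI value, not the threshold, is what goes back into the monthly report.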

368
MCQmedium

During a risk identification workshop, the business process owner states that a key system has no documented dependencies. What is the BEST next step for the risk practitioner?

A.Ask the system administrator to provide a list after the workshop
B.Postpone the workshop until dependencies are mapped
C.Assume the system has no dependencies
D.Document the missing dependency information as a risk in the risk register
AnswerD

The absence of dependency data itself is a risk to accurate risk identification.

Why this answer

Option D is correct because undocumented dependencies represent an unknown risk that must be captured in the risk register to ensure visibility and subsequent analysis. By documenting the missing dependency information as a risk, the risk practitioner formally acknowledges the gap, enabling further investigation into potential single points of failure, cascading failures, or unmonitored interconnections that could impact system availability or integrity.

Exam trap

The trap here is that candidates may think the immediate priority is to gather the missing data (Option A) or halt the workshop (Option B), rather than recognizing that the risk practitioner's first duty is to formally record the identified gap as a risk to ensure it is tracked and managed.

How to eliminate wrong answers

Option A is wrong because asking the system administrator to provide a list after the workshop delays the identification process and does not immediately address the risk of unknown dependencies; the risk practitioner should capture the gap in the risk register first to ensure it is not forgotten. Option B is wrong because postponing the workshop halts the entire risk identification effort unnecessarily; the workshop can continue with other items while the dependency gap is noted and addressed later. Option C is wrong because assuming the system has no dependencies is a dangerous assumption that ignores the possibility of hidden integration points, shared infrastructure, or upstream/downstream services that could cause significant disruption if unaccounted for.

369
MCQeasy

Which of the following is the PRIMARY purpose of a risk register in the risk identification phase?

A.Assign risk owners
B.Document identified risks and their characteristics
C.Calculate risk scores
D.Track remediation progress
AnswerB

The primary purpose is to record risks for further analysis.

Why this answer

The primary purpose of a risk register during the risk identification phase is to systematically document each identified risk along with its key characteristics, such as the risk description, cause, impact, and potential triggers. This foundational record ensures that all risks are captured before any subsequent analysis or response planning occurs, aligning with the CRISC domain of IT Risk Identification.

Exam trap

The trap here is that candidates confuse the risk register's role in identification with later-phase activities like ownership assignment or scoring, leading them to select options that describe downstream processes rather than the immediate documentation purpose.

How to eliminate wrong answers

Option A is wrong because assigning risk owners is a governance activity that typically occurs after risks have been documented and analyzed, not during the initial identification phase. Option C is wrong because calculating risk scores is part of the risk analysis phase, which follows identification and relies on the documented characteristics in the register. Option D is wrong because tracking remediation progress belongs to the risk response and monitoring phases, long after the register has been populated with identified risks.

370
MCQmedium

An organization is designing a risk dashboard for senior management. Which of the following is the MOST important characteristic of the key risk indicators (KRIs) displayed?

A.They are updated in real-time.
B.They are directly linked to the risk appetite thresholds.
C.They are based on accurate historical data.
D.They are cost-effective to collect and maintain.
AnswerB

KRIs must reflect risk appetite so management can quickly assess risk status.

Why this answer

Option B is correct because KRIs should be aligned to the risk appetite thresholds so that they communicate to management whether risk levels are within or outside tolerance.

How to eliminate wrong answers

Option A is wrong because, while timeliness is important, real-time updates are not the most important characteristic for management decision-making. Option C is wrong because accuracy is crucial, but KRIs must first be relevant to the risk appetite to be meaningful on a dashboard. Option D is wrong because cost-effectiveness is a consideration but not the primary characteristic for a management dashboard.

371
MCQhard

During a risk identification workshop, the team identifies a potential data leakage from a legacy system. What is the FIRST step the risk owner should take?

A.Implement encryption immediately
B.Document the risk and its source
C.Assign a risk score
D.Report to senior management
AnswerB

Documentation ensures the risk is properly captured for subsequent analysis.

Why this answer

The first step for the risk owner is to formally document the risk and its source. This ensures that the identified data leakage from the legacy system is captured in the risk register, establishing a baseline for analysis and treatment. Without documentation, subsequent steps like risk scoring, control implementation, or escalation cannot be properly justified or tracked.

Exam trap

The trap here is that candidates often jump to immediate remediation (like encryption) or escalation, forgetting that formal documentation is the mandatory first step to ensure traceability and compliance with risk management processes.

How to eliminate wrong answers

Option A is wrong because implementing encryption immediately is a premature control decision; the risk must first be documented and analyzed to determine if encryption is appropriate, feasible, and cost-effective for the legacy system. Option C is wrong because assigning a risk score occurs after the risk has been documented and its impact and likelihood have been assessed, not as the first step. Option D is wrong because reporting to senior management is an escalation step that typically follows risk analysis and prioritization, not the initial action upon identification.

372
MCQmedium

During a post-mortem of a security incident, the risk manager notes that the response team failed to execute the incident response plan correctly because the plan was outdated. Which of the following is the BEST corrective action?

A.Conduct a tabletop exercise with the updated plan
B.Add more detective controls
C.Update the risk register
D.Increase insurance coverage
AnswerA

Tabletop exercises test and improve the team's ability to execute the plan.

Why this answer

Option A is correct because conducting a tabletop exercise with the updated plan validates that the revisions are workable and prepares the team to execute it correctly the next time an incident occurs.

373
MCQmedium

An IT risk manager is reviewing the results of a recent risk assessment. The organization has a risk appetite that allows for low residual risk. One identified risk has an inherent risk score of 15 (on a scale of 1-25) and currently has no controls. Which of the following is the BEST recommendation for this risk?

A.Accept the risk because the score is moderate.
B.Implement controls to reduce the residual risk to an acceptable level.
C.Transfer the risk via cyber insurance.
D.Avoid the risk by discontinuing the business process.
AnswerB

Controls are necessary to lower the residual risk to within appetite.

Why this answer

The inherent risk score of 15 (out of 25) is moderate, but the organization's risk appetite allows only low residual risk. Since there are currently no controls, the residual risk equals the inherent risk of 15, which exceeds the acceptable threshold. Therefore, implementing controls is the best recommendation to reduce the residual risk to a level that aligns with the risk appetite.

Exam trap

The trap here is that candidates see a moderate score (15 out of 25) and assume acceptance is appropriate, but they overlook the specific risk appetite constraint that requires low residual risk, making acceptance invalid without controls.

How to eliminate wrong answers

Option A is wrong because accepting the risk when the residual risk (currently 15) exceeds the low-risk appetite threshold violates the organization's risk tolerance policy; acceptance is only appropriate when residual risk is within appetite. Option C is wrong because transferring risk via cyber insurance does not reduce the inherent or residual risk score—it only provides financial compensation after a loss, and the organization's risk appetite requires low residual risk, not just financial coverage. Option D is wrong because avoiding the risk by discontinuing the business process is an extreme measure typically reserved for risks that cannot be mitigated to an acceptable level or where the cost of mitigation exceeds the benefit; here, controls can likely reduce the residual risk to an acceptable level without eliminating the business process.

374
MCQeasy

A risk practitioner is reviewing system logs and notices multiple failed login attempts from a foreign IP address. This observation is an example of which type of risk identification activity?

A.Control self-assessment
B.Threat intelligence gathering
C.Incident and event monitoring
D.Vulnerability scanning
AnswerC

Log review is a monitoring activity that identifies potential risks.

Why this answer

The observation of multiple failed login attempts from a foreign IP address is a direct result of reviewing system logs, which is a core component of incident and event monitoring. This activity involves the continuous surveillance of security events to detect anomalies, such as brute-force attacks, and is a reactive risk identification technique that identifies risks based on actual occurrences.

Exam trap

The trap here is that candidates confuse 'threat intelligence gathering' (which uses external feeds) with the internal log analysis of actual events, but the question specifically describes reviewing system logs, which is a direct example of incident and event monitoring.

How to eliminate wrong answers

Option A is wrong because control self-assessment is a proactive, internal review process where control owners evaluate the design and effectiveness of controls, not a log review of real-time events. Option B is wrong because threat intelligence gathering involves collecting and analyzing external data about emerging threats (e.g., from ISACs or threat feeds), not reviewing internal system logs for specific failed login attempts. Option D is wrong because vulnerability scanning is a scheduled, automated process that identifies known weaknesses in systems (e.g., missing patches or misconfigurations), not the detection of ongoing attack patterns like repeated failed logins.

375
MCQmedium

Refer to the exhibit. What is the MOST immediate risk identification action?

A.Document the vulnerability in the risk register
B.Update asset inventory
C.Check if the patch has been deployed
D.Validate the vulnerability manually
AnswerC

Determining patch status is critical to understand the actual risk.

Why this answer

The exhibit (not shown) likely presents a vulnerability scan result or a security advisory. The most immediate risk identification action is to verify whether the identified vulnerability has already been mitigated by deploying the vendor-supplied patch. This confirms the current exposure status before any further risk assessment or documentation steps are taken.

Exam trap

The trap here is that candidates often jump to documenting or validating the vulnerability without first checking the most obvious and efficient control—patch status—which is the immediate action to determine actual exposure.

How to eliminate wrong answers

Option A is wrong because documenting the vulnerability in the risk register is a subsequent step, performed after confirming the vulnerability is unpatched and poses actual risk. Option B is wrong because updating the asset inventory is a broader asset management task, not an immediate action to identify risk from a specific vulnerability. Option D is wrong because manual validation of the vulnerability is a secondary verification step that should occur only after checking patch deployment, as the patch status directly indicates whether the vulnerability is still present.
