Which control type is primarily focused on identifying that a risk event has occurred?
Detective controls identify that an event has occurred, e.g., logs, IDS.
Why this answer
Detective controls are designed to detect incidents after they happen.
A multinational corporation has deployed a centralized log management system that collects security events from all subsidiaries. The CRO notices that the number of critical alerts from the Asia-Pacific region has dropped significantly over the past week. Upon investigation, the log source status shows that 30% of the devices in that region have not sent any logs in 48 hours. What is the MOST likely cause?
Misconfigured log forwarders are a common cause of log loss.
Why this answer
Option C is correct because a configuration change to the log forwarder agent (e.g., syslog-ng, rsyslog, or a proprietary agent) is the most plausible cause for a sudden, sustained drop in log volume from a subset of devices. Unlike network segmentation (Option D), which would affect all traffic, or a DDoS (Option B), which would cause intermittent or total loss, an agent misconfiguration selectively stops log generation while the device remains online. The 48-hour window and 30% device impact align with a staged or partial rollout of a faulty agent configuration.
Exam trap
The trap here is that candidates confuse a reduction in alerts (Option A) with a loss of raw logs, or assume a network change (Option D) is the root cause without considering that a configuration change to the log forwarder agent is a more targeted and common failure mode in centralized logging architectures.
How to eliminate wrong answers
Option A is wrong because a new log suppression rule filtering low-severity events would reduce alert volume but not stop log transmission entirely; the log source status would still show recent heartbeats or connectivity. Option B is wrong because a DDoS attack overwhelming the log collection infrastructure would cause a widespread, not regional, loss of logs, and the log source status would likely show intermittent connectivity or timeouts, not a clean 48-hour gap. Option D is wrong because a network segmentation change blocking log traffic (e.g., UDP 514 or TCP 6514) would affect all devices in the affected subnet, not a specific 30% subset, and would typically be detected by network monitoring tools.
Which TWO of the following are valid triggers for initiating a risk assessment outside the regular cycle? (Select 2)
Changes introduce new risks and require reassessment.
Why this answer
A significant change in IT infrastructure (Option B) is a classic trigger for ad-hoc risk assessment because it introduces new vulnerabilities, alters the attack surface, or changes the effectiveness of existing controls. For example, migrating from on-premises servers to a cloud environment (e.g., AWS, Azure) changes network segmentation, identity management, and data residency, requiring a fresh risk evaluation to identify and treat new threats before they are exploited.
Exam trap
ISACA often tests the distinction between routine, scheduled activities (like training, audits, or patching) and genuine change events that alter the risk profile, tricking candidates into selecting familiar operational tasks as triggers.
Refer to the exhibit. What is the most likely risk indicated by this error log?
The error line contains a SQL injection payload (' OR 1=1 --), indicating an attempt to exploit a SQL injection vulnerability.
Why this answer
The error log shows a SQL query with a single quote (') in the input, which is a classic indicator of a SQL injection attempt. The query "SELECT * FROM users WHERE username = 'admin' OR '1'='1'" is attempting to manipulate the SQL statement to bypass authentication or extract data. This directly corresponds to SQL injection (option B), as the attacker is injecting malicious SQL code through user input.
Exam trap
The trap here is that candidates may confuse SQL injection with cross-site scripting because both involve input manipulation, but the key distinction is the context: SQL injection targets the database layer via SQL queries, while XSS targets the browser via HTML/JavaScript rendering.
How to eliminate wrong answers
Option A (Buffer overflow) is wrong because the error log shows a SQL query, not a memory corruption or overflow of a buffer; buffer overflows typically involve stack or heap corruption from excessive input, not SQL syntax errors. Option C (Denial of service) is wrong because the log shows a single malformed query, not a flood of requests or resource exhaustion that would cause a denial of service; DoS attacks aim to overwhelm the system, not inject SQL. Option D (Cross-site scripting) is wrong because the input is being used in a SQL query, not rendered in a web page; XSS involves injecting client-side scripts (e.g., JavaScript) into a browser, not server-side SQL statements.
During a risk assessment, the risk practitioner discovers that a critical database does not have an active failover solution. The database is used by multiple business applications. Which of the following factors should be given the HIGHEST weight when determining the inherent risk level?
Inherent risk is based on the asset's value and exposure; business criticality determines impact.
Why this answer
The inherent risk level is determined by the potential impact and likelihood of a threat exploiting a vulnerability, without considering controls. The criticality of the database to business operations directly drives the impact severity—if the database fails, multiple business applications could be disrupted, leading to significant operational and financial damage. This makes option A the highest-weighted factor because it defines the worst-case consequence, which is the foundation of inherent risk.
Exam trap
The trap here is that candidates confuse inherent risk with residual risk, and incorrectly weigh compensating controls or recovery costs as primary factors for inherent risk, when they only apply after controls are considered.
How to eliminate wrong answers
Option B is wrong because compensating controls are considered when assessing residual risk, not inherent risk; inherent risk assumes no controls are in place. Option C is wrong because the frequency of vulnerability scans is a control activity that reduces risk, not a factor that increases or defines inherent risk. Option D is wrong because the cost to restore from backup is a recovery metric (RTO/RPO) that influences residual risk or risk treatment decisions, not the inherent risk level, which focuses on the raw exposure before any mitigation.
An organization wants to promote a risk-aware culture. Which TWO of the following initiatives are most effective for achieving this?
Training educates employees on risk responsibilities.
Why this answer
Regular security awareness training directly educates employees on their role in risk management, reinforcing desired behaviors and decision-making aligned with the organization's risk appetite. This initiative operationalizes a risk-aware culture by embedding risk considerations into daily activities, making it a foundational element of the risk response strategy.
Exam trap
The trap here is that candidates often mistake a blame-free reporting system or financial incentives as cultural drivers, but the CRISC exam emphasizes that culture is shaped by leadership example and continuous education, not by reactive or transactional mechanisms.
Which of the following threat actors is MOST likely to be motivated by ideology rather than financial gain?
Why this answer
Hacktivists are typically motivated by political or social causes, not financial profit. Nation-state APTs may have strategic motives, organized crime is financially driven, script kiddies seek notoriety.
A quantitative risk analysis for a data breach yields an Annualized Loss Expectancy (ALE) of $500,000. The Single Loss Expectancy (SLE) is $100,000. What is the Annualized Rate of Occurrence (ARO)?
Correct. ARO = ALE / SLE = 5.
Why this answer
The Annualized Loss Expectancy (ALE) is calculated as Single Loss Expectancy (SLE) multiplied by the Annualized Rate of Occurrence (ARO). Given ALE = $500,000 and SLE = $100,000, the ARO is $500,000 / $100,000 = 5. This means the data breach is expected to occur 5 times per year.
Exam trap
The trap here is that candidates often confuse the formula and incorrectly divide SLE by ALE (yielding 0.2) instead of dividing ALE by SLE, or they misplace decimal points when calculating the rate.
How to eliminate wrong answers
Option B (50) is wrong because it would result from incorrectly multiplying SLE by 10 or misplacing a decimal, not from the correct division of ALE by SLE. Option C (0.2) is wrong because it represents the inverse calculation (SLE divided by ALE), which would imply the breach occurs once every 5 years, not 5 times per year. Option D (500,000) is wrong because it simply repeats the ALE value, ignoring the need to divide by SLE to derive the ARO.
A multinational corporation is developing a new e-commerce platform using microservices architecture. The security team is conducting a threat modeling exercise to identify potential application-level threats. Which TWO threat modeling methodologies are most appropriate for this DevSecOps environment?
STRIDE is a threat modeling technique commonly used to identify application threats such as spoofing, tampering, and information disclosure.
Why this answer
PASTA is a risk-focused threat modeling methodology that aligns with business objectives, and STRIDE is a classic approach for identifying application threats. VAST is tailored for Agile/DevSecOps but is less common; TRIKE is requirements-based but not as widely used for DevSecOps.
A company uses cyber insurance to cover losses from data breaches. This is an example of which risk treatment?
Insurance transfers financial risk to the insurer.
Why this answer
Transfer shifts risk to a third party, such as an insurance company.
Which TWO risk identification techniques are most appropriate for identifying emerging risks from new technologies?
Scenario analysis explores potential future risks from new technologies.
Why this answer
Scenario analysis is correct because it involves constructing plausible future states to explore how new technologies might introduce unforeseen risks, making it ideal for emerging technologies where historical data is absent. Threat intelligence feeds are correct because they provide real-time, external data on vulnerabilities, exploits, and attack patterns targeting new technologies, enabling proactive risk identification.
Exam trap
The trap here is that candidates often choose historical incident review or peer benchmarking because they seem data-driven, but they fail to recognize that emerging technologies lack the historical data or peer maturity needed for these methods to be effective.
After a security incident, an organization discovers that a critical database was accessed by an unauthorized user due to weak authentication controls. As part of the IT risk assessment process, which step should have identified this vulnerability?
Risk identification is the step that identifies vulnerabilities.
Why this answer
Risk identification is the step in the IT risk assessment process where potential vulnerabilities, such as weak authentication controls, are systematically discovered and documented. In this scenario, the weak authentication that allowed unauthorized database access should have been identified during risk identification, which involves cataloging assets, threats, and existing controls. This step precedes any treatment, monitoring, or evaluation activities.
Exam trap
The trap here is that candidates confuse risk identification with risk evaluation or risk treatment, mistakenly thinking that evaluating the impact of a weak control or treating it after discovery is the same as initially finding the vulnerability.
How to eliminate wrong answers
Option A is wrong because risk treatment involves selecting and implementing controls to mitigate identified risks, not discovering vulnerabilities; the weak authentication would have already needed to be known before treatment could occur. Option B is wrong because risk monitoring is a continuous process of tracking identified risks and control effectiveness over time, not the initial step to find a vulnerability like weak authentication. Option D is wrong because risk evaluation compares the level of risk against risk criteria to prioritize treatment, but it assumes the vulnerability has already been identified; it does not discover new vulnerabilities.
A company's risk management policy requires a risk register to be maintained. Which of the following is the primary purpose of a risk register?
This is the core function of a risk register.
Why this answer
The primary purpose of a risk register is to serve as a central repository for documenting and tracking all identified risks, their assessments (including likelihood and impact), and the corresponding risk response strategies. This ensures that risk management activities are transparent, auditable, and actionable throughout the risk lifecycle, aligning with the ISACA CRISC framework.
Exam trap
The trap here is that candidates confuse the risk register with other operational logs (e.g., audit findings or asset inventories) or assume its primary purpose is financial quantification, whereas the CRISC exam emphasizes its role as a comprehensive tracking and documentation tool for the entire risk management process.
How to eliminate wrong answers
Option A is wrong because assigning financial values to risks is a specific activity within risk analysis (e.g., quantitative risk assessment using ALE/SLE), not the primary purpose of the risk register itself; the register may include such values but is not limited to them. Option C is wrong because audit findings are recorded in audit reports or issue logs, not the risk register; the risk register focuses on forward-looking risk identification and treatment, not retrospective audit results. Option D is wrong because a list of all IT assets is typically maintained in an asset inventory or configuration management database (CMDB), not the risk register; the risk register only includes assets relevant to identified risks.
An organization is implementing a new data loss prevention (DLP) solution. The risk manager is identifying potential risks related to the DLP solution itself. Which of the following is a risk that should be considered?
False positives are a common risk with DLP implementations.
Why this answer
Option A is correct because a DLP solution may generate false positives, leading to alert fatigue and missed detections. Option B is a benefit, not a risk. Option C is a control. Option D is a desired outcome.
An organization is implementing a continuous monitoring program for its critical IT processes. Which TWO of the following are key indicators that should be included to effectively monitor control performance?
KPIs measure process effectiveness and efficiency.
Why this answer
KPIs are correct because they measure the efficiency and effectiveness of control operations over time, directly indicating whether a control is performing as intended. In continuous monitoring, KPIs such as processing error rates or system uptime percentages provide real-time visibility into control health.
Exam trap
The trap here is that candidates confuse KRIs (which measure risk exposure) with KPIs (which measure control performance), or they mistakenly think audit findings or SLAs are suitable for real-time monitoring when they are retrospective or contractual in nature.
A company uses a DevOps approach with a continuous integration/continuous deployment (CI/CD) pipeline. Which risk identification technique is best suited for detecting code vulnerabilities early in the development lifecycle?
Automated scanning integrates seamlessly with CI/CD, providing immediate vulnerability detection.
Why this answer
Automated security scanning integrated into the CI/CD pipeline is best suited for detecting code vulnerabilities early because it runs continuously on every code commit, providing immediate feedback to developers. This aligns with the DevOps principle of shifting security left, catching issues like SQL injection or insecure dependencies before they reach production. Unlike periodic tests, this technique ensures vulnerabilities are identified at the moment of introduction, minimizing remediation cost and risk.
Exam trap
The trap here is that candidates may choose threat modeling (Option C) because it is a recognized risk identification technique, but they fail to recognize that it is not designed to detect code-level vulnerabilities early in the development lifecycle, which requires continuous, automated scanning within the pipeline.
How to eliminate wrong answers
Option A is wrong because quarterly penetration testing is a periodic, point-in-time assessment that occurs long after code is deployed, failing to detect vulnerabilities early in the development lifecycle. Option C is wrong because threat modeling of system architecture is a design-phase technique that identifies high-level threats and attack surfaces, not specific code-level vulnerabilities like buffer overflows or injection flaws. Option D is wrong because manual code review, while valuable, is slower, less consistent, and cannot scale to the frequency of commits in a CI/CD pipeline, making it impractical for early and continuous detection.
During a risk assessment of a web application, the risk owner identifies that the application uses outdated encryption algorithms. What is the most appropriate next step?
Proper documentation ensures the risk is tracked and addressed.
Why this answer
Option C is correct because the risk owner has identified a specific vulnerability (outdated encryption algorithms) that must be formally recorded in the risk register. The next step is to document the finding and assign a remediation timeline, which aligns with the risk assessment process of treating identified risks. This ensures the issue is tracked, prioritized, and addressed within the organization's risk management framework, rather than being escalated, ignored, or patched without analysis.
Exam trap
The trap here is that candidates may confuse the immediate need to patch (Option D) with the proper risk management process, which requires documentation and analysis before any remediation action is taken.
How to eliminate wrong answers
Option A is wrong because escalating to senior management for risk acceptance is premature; the risk must first be documented and assessed for impact and likelihood before any acceptance decision. Option B is wrong because accepting the risk without action ignores the fact that outdated encryption algorithms (e.g., DES, RC4, or 3DES) are known to be vulnerable to attacks (e.g., brute force, cryptanalysis) and can lead to data breaches, making encryption critical for confidentiality. Option D is wrong because immediately patching without further analysis bypasses the risk assessment process; a patch could introduce compatibility issues or fail to address the root cause, and a proper change management process is required.
An organization has identified a new vulnerability in its web application that could allow SQL injection attacks. Which of the following sources would MOST likely have been used to identify this vulnerability?
SAST scans source code for security flaws such as SQL injection.
Why this answer
SAST (Static Application Security Testing) analyzes source code for vulnerabilities like SQL injection before deployment, making it a key tool for identifying application vulnerabilities.
A risk practitioner is updating the risk register and needs to categorize risks. Which TWO of the following are standard risk categories used in IT risk management?
Strategic risk relates to high-level business goals.
Why this answer
Strategic and operational are standard risk categories. Financial and reputational are also common, but the question asks for the two that are standard in IT risk management frameworks. Both strategic and operational are universally recognized.
An organization is developing a vendor risk management program. Which THREE activities should be included in the initial onboarding assessment for a high-risk vendor?
Ensures contractual security obligations are met.
Why this answer
Evaluating contract compliance requirements is a critical initial onboarding activity for a high-risk vendor because it ensures the vendor's service level agreements (SLAs), data protection clauses, and regulatory obligations (e.g., GDPR, PCI DSS) are formally documented and enforceable. This step establishes the legal and operational baseline for risk acceptance and ongoing monitoring, directly supporting the risk response strategy within the vendor risk management program.
Exam trap
The trap here is that candidates often confuse 'initial onboarding' with 'ongoing monitoring' and select activities like onsite inspections or financial analysis, which are typically performed later in the vendor lifecycle, not during the initial risk assessment phase.
When prioritizing risk treatment actions, which of the following should be the primary consideration?
Correct; prioritize high risk with favorable cost-benefit.
Why this answer
Risk prioritization should balance the risk level (high vs low) and the cost-benefit of controls. High risks with cost-effective controls should be prioritized.
An organization is implementing a new control to address a high-risk vulnerability. Which TWO factors are MOST important to consider during the control implementation planning phase?
Ensures adequate funding and staff.
Why this answer
Resource requirements (budget, personnel) and a clear implementation plan are critical to successful deployment.
An organization is implementing a quantitative risk assessment for its customer database. Which TWO elements are essential for calculating the annualized loss expectancy (ALE)?
ARO is directly multiplied by SLE to derive ALE.
Why this answer
The annualized loss expectancy (ALE) is calculated by multiplying the single loss expectancy (SLE) by the annualized rate of occurrence (ARO). SLE itself is derived from the asset value (AV) multiplied by the exposure factor (EF), making AV the second essential element. Without both ARO and AV, you cannot compute the expected monetary loss over a one-year period for the customer database.
Exam trap
The trap here is that candidates often confuse the components of SLE (AV and EF) with the ALE formula itself, mistakenly thinking control effectiveness or inherent risk scores are direct multipliers in the ALE calculation, when in fact they are separate risk assessment inputs.
An organization has a risk culture where employees are hesitant to report security incidents due to fear of blame. Which of the following initiatives would MOST effectively promote a risk-aware culture?
This directly reduces fear and encourages reporting.
Why this answer
To encourage incident reporting, the organization should foster a no-blame culture. Implementing an anonymous reporting mechanism removes fear of reprisal and encourages employees to report incidents without fear of blame.
A company is identifying risks associated with a new cloud-based CRM. Which of the following is the MOST effective method for identifying potential threats?
Threat modeling workshops are systematic and collaborative, effectively identifying threats specific to the CRM.
Why this answer
Threat modeling workshops with stakeholders are the most effective method because they leverage diverse expertise to systematically identify threats specific to the cloud-based CRM architecture, including misconfigurations in IAM roles, API vulnerabilities, and data residency issues. This collaborative approach aligns with the CRISC focus on proactive risk identification by considering business context, technical constraints, and regulatory requirements early in the lifecycle.
Exam trap
The trap here is that candidates often choose penetration testing (Option C) because it is a familiar technical activity, but the question asks for the 'most effective method for identifying potential threats' in a new system, where proactive collaboration (threat modeling) outperforms reactive testing.
How to eliminate wrong answers
Option B is wrong because reviewing industry standards only provides a baseline of known controls but fails to capture organization-specific threats, such as custom CRM integrations or unique data flows. Option C is wrong because conducting penetration testing alone is a reactive, point-in-time validation that may miss logical threats (e.g., privilege escalation via business logic flaws) and does not involve stakeholder input for comprehensive threat enumeration. Option D is wrong because analyzing historical security incidents from similar organizations offers hindsight but cannot predict novel attack vectors or misconfigurations unique to the company's cloud deployment model (e.g., SaaS vs. PaaS).
Which standard is specifically designed for industrial automation and control systems security and provides a framework for addressing security in IACS?
Correct. IEC 62443 is the standard for IACS security.
Why this answer
IEC 62443 is the international standard for industrial automation and control systems security, covering security for IACS across multiple levels.
The exhibit shows a warning from a control monitoring system. Based on the log, which of the following is the MOST likely control deficiency?
The 'Approver: not assigned' indicates a control failure in the approval process.
Why this answer
The log indicates that a transaction exceeding the 50,000 USD threshold was initiated by user JSmith but no approval was recorded. The control deficiency is the absence of an assigned approver for transactions that exceed the limit, which directly violates the segregation of duties principle. Without a designated approver, the control fails to prevent or detect unauthorized high-value transactions, making this the most likely root cause.
Exam trap
The trap here is that candidates may focus on the user's authority or the threshold value, but the core control deficiency is the missing approver assignment, which is a common oversight in segregation of duties controls.
How to eliminate wrong answers
Option B is wrong because the threshold of 50,000 USD is not inherently too high; the deficiency is the lack of an approver, not the threshold value itself, and a lower threshold would still require an approver to be effective. Option C is wrong because the log shows a genuine transaction exceeding the limit without approval, not a false positive; the monitoring system correctly flagged the event. Option D is wrong because the log does not indicate that JSmith lacks authority to initiate such transactions; the issue is that no approver is assigned, not that the initiator's authority is invalid.
In a quantitative risk analysis, the annualized loss expectancy (ALE) is calculated as $1 million. If the organization implements a control that reduces the ARO from 0.5 to 0.1, and the SLE remains constant at $2 million, what is the new ALE?
Correct: $2M × 0.1 = $200,000.
Why this answer
The annualized loss expectancy (ALE) is calculated as SLE × ARO. With SLE constant at $2 million and the new ARO reduced to 0.1, the new ALE is $2,000,000 × 0.1 = $200,000. This reflects the residual risk after the control is implemented.
Exam trap
The trap here is that candidates may mistakenly apply the reduction to the ALE itself (e.g., subtracting 0.4 of $1 million) instead of recalculating ALE with the new ARO, or they may treat ARO as a percentage, judge $2 million × 0.1 = $200,000 to be 'too small', and pick a larger wrong value.
How to eliminate wrong answers
Option B ($500,000) is wrong because it incorrectly uses the original ARO (0.5) with the new ALE calculation, or it misapplies the reduction factor as a simple subtraction rather than multiplication. Option C ($100,000) is wrong because it likely results from dividing SLE by the new ARO (2,000,000 / 0.1 = 20,000,000) and then misplacing a decimal, or from confusing ARO with a percentage reduction. Option D ($1 million) is wrong because it represents the original ALE (2,000,000 × 0.5 = 1,000,000) and ignores the control's effect on ARO.
An organization has a policy requiring all sensitive data to be encrypted at rest. During an audit, it is found that encryption keys are stored in plaintext on the same server. Which risk response is MOST appropriate?
Encrypting the keys protects them, reducing the risk of unauthorized decryption.
Why this answer
Storing encryption keys in plaintext on the same server as the encrypted data defeats the purpose of encryption, as an attacker who gains access to the server can easily decrypt the data. The most appropriate risk response is to mitigate by encrypting the key file itself, typically using a key-encryption key (KEK) or a hardware security module (HSM), which protects the keys even if the server is compromised. This directly addresses the vulnerability without removing the data or transferring the risk.
Exam trap
The trap here is that candidates mistakenly believe that simply having encryption applied (option C) is sufficient, overlooking the critical requirement that encryption keys must be protected separately from the data they encrypt—a fundamental principle of cryptographic security.
How to eliminate wrong answers
Option A is wrong because removing the data is an extreme measure that disrupts business operations and is unnecessary when a simpler, less costly mitigation (encrypting the key file) exists. Option C is wrong because accepting the risk ignores the fact that plaintext keys on the same server render the encryption ineffective, creating a high-likelihood, high-impact vulnerability that violates the organization's policy. Option D is wrong because transferring the risk to a cloud provider does not inherently solve the problem—if the keys remain in plaintext on the same server, the same vulnerability persists regardless of who manages the infrastructure.
A risk assessment team is calculating the Annual Loss Expectancy (ALE) for a critical server. The Single Loss Expectancy (SLE) is $50,000 and the Annual Rate of Occurrence (ARO) is estimated to be 2. The team is considering implementing a new backup solution costing $40,000 per year. Which TWO of the following statements are true regarding the cost-benefit analysis? (Select TWO.)
Cost-effectiveness is determined by comparing risk reduction to cost.
Why this answer
Option B is correct because a cost-benefit analysis for a risk mitigation measure like a backup solution requires that the reduction in ALE (the benefit) exceed the annual cost of the control. Here, the current ALE is $100,000 (SLE $50,000 × ARO 2). If the backup reduces the ALE by more than $40,000 per year, it is cost-effective.
Option E is correct because the current ALE without backup is indeed $50,000 × 2 = $100,000.
Exam trap
The trap here is that candidates mistakenly assume the backup cost is subtracted directly from the current ALE to get a net benefit, ignoring that the control reduces but does not eliminate the risk, and that the payback period requires knowing the actual annual benefit.
Which TWO of the following are primary factors that determine how often a risk assessment should be performed?
Higher change rate requires more frequent assessments.
Why this answer
The rate of change in the IT environment directly impacts the risk landscape; frequent changes (e.g., new applications, infrastructure updates, cloud migrations) introduce new vulnerabilities and alter existing threat vectors, requiring more frequent assessments to ensure controls remain effective. Inherent risk level of critical assets determines priority—higher inherent risk (e.g., systems processing PII or financial transactions) demands more frequent assessments because the potential impact of exploitation is greater, aligning with the ISACA risk assessment scheduling principle.
Exam trap
The trap here is that candidates confuse operational constraints (budget, staff count) or reactive metrics (past incidents) with the proactive, risk-driven factors that ISACA emphasizes for determining assessment frequency, leading them to select budget or incident count instead of change rate and inherent risk.
A healthcare organization is subject to strict regulatory requirements regarding patient data privacy. The organization has a control that requires all access to patient records to be logged and reviewed weekly by the compliance team. The review is currently performed manually by sampling 10% of the logs. The compliance team reports that the review takes 20 hours per week and they are often unable to complete it on time. As a result, some suspicious access patterns are detected weeks after they occur. The risk manager needs to propose an improvement to the monitoring process. The organization's risk appetite for undetected unauthorized access is very low. Which of the following is the MOST effective recommendation?
UBA provides continuous, automated monitoring and immediate alerts.
Why this answer
Option B is correct because implementing user behavior analytics (UBA) automates the detection of anomalous access patterns, reducing manual effort and improving detection speed. Option A is wrong because increasing the sample size does not address the timeliness issue. Option C is wrong because hiring more staff is costly and may not scale. Option D is wrong because reducing the review frequency would delay detection further, increasing risk.
A large e-commerce company uses several key risk indicators (KRIs) to monitor credit card fraud. The risk committee noticed that one KRI has been trending above the threshold for three consecutive months, yet no risk response was initiated. Which of the following is the MOST likely root cause?
Without automated triggering, the breach may go unnoticed despite being detected.
Why this answer
The most likely root cause is that the risk response workflow was not triggered automatically. In a mature risk monitoring environment, KRIs should be linked to automated workflows that initiate a response when thresholds are breached. Since the KRI has been above threshold for three consecutive months without any action, it indicates a failure in the automated triggering mechanism, not in the KRI's accuracy or the threshold's leniency.
Exam trap
The trap here is that candidates may focus on data quality or threshold settings (options A, C, D) instead of recognizing that the core issue is the failure of the automated response mechanism, which is a process/control design flaw, not a data or measurement problem.
How to eliminate wrong answers
Option A is wrong because if the KRI were not validated for accuracy, the data might be unreliable, but the question states the KRI has been trending above the threshold, implying the data is consistent and likely accurate; the issue is the lack of response, not data quality. Option C is wrong because a threshold set too lenient would mean the KRI rarely or never triggers, but here it has been above threshold for three months, indicating the threshold is actually being breached; the problem is the absence of a response, not the threshold's strictness. Option D is wrong because if the monitoring tool failed to capture data, the KRI would not show a trend at all, but the question explicitly states the KRI has been trending above the threshold, meaning data capture is functioning correctly.
A risk assessment team is evaluating the effectiveness of existing controls for a critical application. Which of the following approaches best determines whether controls are operating as intended?
Provides direct evidence of effectiveness.
Why this answer
Option C is correct because walkthroughs and testing provide direct, empirical evidence that controls are functioning as designed. For a critical application, this approach validates actual control execution (e.g., verifying that an automated access control list (ACL) on a database server actually blocks unauthorized queries), rather than relying on secondhand accounts or static documentation. Testing confirms operational effectiveness in real-time, which is essential for accurate risk assessment.
Exam trap
The trap here is that candidates often confuse 'design effectiveness' (confirmed by documentation and interviews) with 'operating effectiveness' (confirmed only by walkthroughs and testing), leading them to choose Option B or A when the question explicitly asks whether controls are operating as intended.
How to eliminate wrong answers
Option A is wrong because interviewing the control owner only yields subjective, self-reported information about how controls are supposed to work, not objective proof of actual operation; control owners may overstate effectiveness or omit failures. Option B is wrong because reviewing control documentation (e.g., policy documents, configuration guides) shows intended design but cannot reveal whether controls are consistently applied or have degraded over time (e.g., a documented firewall rule may have been inadvertently disabled). Option D is wrong because analyzing historical audit findings provides evidence of past issues but does not confirm current control operation; controls may have been remediated or new gaps may have emerged since the last audit.
An organization is evaluating the risk of a data breach using the FAIR framework. The threat event frequency is estimated at 10 per year, the vulnerability is 0.2, and the loss magnitude is $500,000 per event. What is the annualized loss expectancy (ALE)?
Correct calculation: ALE = (10 × 0.2) × $500,000 = $1,000,000.
Why this answer
ALE = ARO × SLE. In FAIR, the Loss Event Frequency (LEF) plays the role of the ARO: LEF = TEF × Vulnerability = 10 × 0.2 = 2 events per year. SLE is the loss magnitude per event, $500,000. Therefore ALE = 2 × $500,000 = $1,000,000.
An organization is reviewing its enterprise architecture to identify risks. In which IT architecture layer would a risk related to data classification and data sovereignty be primarily addressed?
Correct. Data architecture addresses data classification, storage, and sovereignty.
Why this answer
Data classification and sovereignty concerns are primarily data-related, falling under the data architecture layer. The data layer defines how data is stored, classified, and managed, including sovereignty requirements.
Which of the following best describes the purpose of a risk heat map in an IT risk report?
Correct: heat maps plot likelihood vs. impact.
Why this answer
A risk heat map visually displays risks based on likelihood and impact, helping to prioritize and communicate risk levels.
Which THREE of the following are key components of an IT risk assessment report as per ISACA guidelines?
Risk scenarios and levels are core to the assessment report.
Why this answer
Option C is correct because an IT risk assessment report, per ISACA guidelines, must include identified risk scenarios and their associated risk levels. This is a core component that documents the specific threats, vulnerabilities, and the resulting inherent risk ratings (e.g., using a 5×5 risk matrix) to provide a clear picture of the risk landscape.
Exam trap
The trap here is that candidates often confuse the risk assessment report with the risk treatment plan or control testing report, leading them to select options like cost-benefit analysis or detailed control testing results, which are not core components of the risk assessment report per ISACA guidelines.
A security team is using the STRIDE threat modeling methodology for a new web application. Which threat type under STRIDE would be MOST relevant to a SQL injection vulnerability?
Tampering involves malicious modification of data or code.
Why this answer
SQL injection allows an attacker to tamper with data, violating integrity. STRIDE includes Tampering as the threat that involves unauthorized modification of data.
A company uses a third-party SaaS application for payroll processing. What is the most important activity to identify IT risks associated with this service?
Vendor risk assessment systematically identifies and evaluates risks from third-party services.
Why this answer
A vendor risk assessment is the most important activity because it systematically evaluates the third-party SaaS provider's security controls, compliance posture, and operational resilience before and during service use. For a payroll SaaS, this includes reviewing data protection measures for sensitive employee PII, understanding the provider's SOC 2 Type II report, and assessing their incident response capabilities. Without this assessment, the organization cannot identify inherent risks like unauthorized data access, service downtime, or regulatory non-compliance specific to the third-party environment.
Exam trap
The trap here is that candidates confuse risk identification activities (like vendor assessments) with risk mitigation controls (like MFA) or contractual reviews (like SLAs), leading them to select a control or document review instead of the foundational assessment needed to uncover risks.
How to eliminate wrong answers
Option B is wrong because penetration testing on the SaaS application is typically prohibited by the provider's terms of service and would require explicit contractual permission; it is a technical control validation step, not a risk identification activity. Option C is wrong because reviewing the SLA identifies contractual remedies and uptime guarantees but does not uncover underlying security vulnerabilities, data handling practices, or third-party dependencies that constitute IT risks. Option D is wrong because implementing MFA is a risk mitigation control, not a risk identification activity; it reduces the likelihood of unauthorized access but does not help identify what risks exist in the first place.
A risk practitioner is developing a risk scenario for a potential ransomware attack. Using the ISACA risk scenario template, which element describes the entity that initiates the attack?
Actor is the entity that performs the threat action.
Why this answer
In the ISACA risk scenario template, the 'Actor' element specifically identifies the entity that initiates or perpetrates the attack. For a ransomware attack, the actor could be an external hacker, a malicious insider, or a cybercriminal group, making option C the correct choice.
Exam trap
The trap here is confusing 'Actor' with 'Threat type' because both relate to the threat, but the Actor is the who (initiator) while Threat type is the what (category of threat).
How to eliminate wrong answers
Option A is wrong because 'Event' describes the specific incident or occurrence (e.g., ransomware encryption of files), not the initiating entity. Option B is wrong because 'Threat type' categorizes the nature of the threat (e.g., malware, social engineering), not the actor behind it. Option D is wrong because 'Asset/Resource' refers to the target or affected component (e.g., database, server), not the entity that launches the attack.
Which of the following is a key component of the NIST Cybersecurity Framework's 'Identify' function?
Risk assessment is a core component of Identify.
Why this answer
The Identify function includes asset management, risk assessment, and governance to understand the organization's risk posture.
A company is adopting a DevSecOps approach and wants to conduct threat modeling early in the development lifecycle. Which threat modeling methodology is BEST suited for this environment due to its focus on agile and continuous integration?
VAST is Visual, Agile, and Simple, tailored for DevSecOps.
Why this answer
VAST is designed for DevSecOps as it integrates with agile development and provides visual, actionable threat models that can be continuously updated.
After a control self-assessment (CSA) workshop, business units reported that 80% of controls are operating effectively. However, internal audit's recent testing indicates a 30% control failure rate. What is the BEST explanation for this discrepancy?
Subjective bias and objective testing commonly cause such discrepancies.
Why this answer
Option B is correct because CSA participants often overestimate control effectiveness due to subjective assessment, while audit applies objective testing. Option A is wrong because the scope difference (all controls vs. sample) could contribute but is less likely to cause such a large gap. Option C is wrong because timeliness might explain small differences, not a 50% gap. Option D is wrong because training alone rarely causes such a large discrepancy.
An organization uses a third-party vendor for critical data processing. The vendor has experienced two minor security incidents in the past year with no data loss. The risk manager is updating the vendor risk assessment. Which approach best aligns with ISACA's guidance?
Recurring incidents warrant a full reassessment to determine if the vendor's risk profile has changed.
Why this answer
ISACA's guidance emphasizes that even minor security incidents without data loss indicate potential control weaknesses that require reassessment. A formal reassessment (A) ensures the vendor's security controls and contractual protections are re-evaluated to address underlying risks, aligning with the principle of continuous risk monitoring and response.
Exam trap
The trap here is that candidates assume no data loss means no risk, but ISACA requires proactive reassessment of controls after any incident to prevent escalation, not passive acceptance or superficial monitoring.
How to eliminate wrong answers
Option B is wrong because increasing audit frequency to quarterly does not address the root cause of the incidents; it only increases oversight without reassessing the effectiveness of existing controls. Option C is wrong because a SOC 2 report from last year is historical and may not reflect current control effectiveness after two incidents; it provides a point-in-time assessment rather than a dynamic response. Option D is wrong because accepting risk solely because no data loss occurred ignores the potential for future incidents with more severe consequences; ISACA requires risk treatment based on likelihood and impact, not just past outcomes.
An organization has recently suffered a ransomware attack that encrypted critical files. During the post-incident review, the risk team is identifying key risk indicators (KRIs) to improve early detection. Which of the following KRIs would be MOST effective in detecting similar attacks in the future?
Direct indicator of possible ransomware entry.
Why this answer
Option A is correct because unauthorized remote access attempts are a direct indicator of potential ransomware vectors. Option B is important but not the most direct for detection. Option C is preventive, not detective. Option D is corrective.
Which THREE of the following are indicators of potential IT risk in an organization? (Select exactly THREE.)
Leads to loss of institutional knowledge and potential operational gaps.
Why this answer
High employee turnover in IT is a risk indicator because it can lead to loss of institutional knowledge, inconsistent security practices, and increased likelihood of misconfigurations or unpatched systems. When experienced staff leave, remaining or new employees may lack the context to properly manage firewall rules, access controls, or incident response, creating vulnerabilities.
Exam trap
The trap here is confusing risk indicators (conditions that signal potential risk) with risk controls (actions that reduce risk), leading candidates to select strong password policies or patching cycles as risk indicators instead of recognizing them as mitigations.
A global organization is consolidating risk data from multiple business units into a single enterprise risk management (ERM) system. The risk practitioner notices that KRIs for the same risk type (e.g., cybersecurity) are calculated differently across units. What is the BEST approach to ensure consistent and reliable risk monitoring and reporting?
Standardization is key to reliable aggregation.
Why this answer
Option C is correct because consistent risk monitoring and reporting requires a standardized definition and calculation methodology for each KRI across all business units. Without this common baseline, the aggregated risk data in the ERM system will be incomparable and unreliable, leading to flawed decision-making. Establishing common definitions ensures that the same risk type (e.g., cybersecurity) is measured uniformly, enabling accurate trend analysis and risk aggregation.
Exam trap
The trap here is that candidates often confuse KRIs with KPIs (option A) or believe that automated data feeds (option D) solve consistency issues, when in fact the core problem is the lack of a standardized measurement definition, not the data collection method.
How to eliminate wrong answers
Option A is wrong because key performance indicators (KPIs) measure control effectiveness, not risk levels; requiring KPIs does not address the inconsistency in KRI calculations, which are the direct inputs for risk monitoring. Option B is wrong because allowing each unit to maintain its own KRI definitions with variance explanations introduces subjectivity and makes it impossible to aggregate risk data consistently across the enterprise; the explanations do not resolve the underlying calculation differences. Option D is wrong because implementing automated data feeds without changing KRI definitions merely accelerates the ingestion of inconsistent data into the ERM system, perpetuating the problem of unreliable risk reporting.
During a risk assessment, the risk manager identifies a vulnerability in a web application that could allow SQL injection. The development team states they will fix it in the next release, which is six months away. What should the risk manager do?
WAF can block SQL injection attacks until the fix is deployed.
Why this answer
A web application firewall (WAF) is the appropriate compensating control because it can inspect and block SQL injection payloads at the HTTP/HTTPS layer without modifying the application code. This provides immediate risk reduction while the development team works on the permanent fix, aligning with the principle of defense-in-depth and the risk manager's responsibility to treat unacceptable risk during the remediation window.
Exam trap
The trap here is that candidates may assume accepting risk (Option B) is valid because the fix is scheduled, but CRISC emphasizes that risk acceptance requires formal sign-off and cannot be used as a default for unmitigated critical vulnerabilities; the correct response is to implement a compensating control to reduce residual risk to an acceptable level.
How to eliminate wrong answers
Option B is wrong because the risk manager cannot simply accept the risk based on an unsubstantiated assumption of low likelihood; SQL injection is a well-known, actively exploited vulnerability with high impact, and acceptance requires formal approval and documented justification. Option C is wrong because deferring action to the next assessment ignores the current exposure and violates the risk treatment requirement to address identified vulnerabilities in a timely manner, especially when a compensating control like a WAF is available. Option D is wrong because requesting an immediate emergency patch deployment is impractical for a six-month release cycle and may introduce instability; the development team has already committed to a scheduled fix, and the risk manager should implement a temporary control rather than demand an unrealistic patch.
A risk assessment report includes both inherent and residual risk ratings. The inherent risk for a process is rated as 'high' based on a 5×5 heat map. After applying a set of controls, the residual risk is rated as 'medium'. What does this indicate about the control effectiveness?
The risk dropped from high to medium, showing partial effectiveness.
Why this answer
The reduction from high to medium indicates that controls are partially effective in reducing risk, but not completely.
A risk manager is designing a third-party risk management program. Which THREE factors should be considered when determining the risk tier of a vendor?
Data sensitivity is a primary factor.
Why this answer
Data access, service criticality, and the vendor's security posture are key factors in risk tiering.
An organization is implementing a new cloud-based CRM system. The risk manager is reviewing the solution architecture for security risks. Which architectural layer should be evaluated to ensure data encryption at rest and in transit?
Data architecture defines how data is stored, managed, and protected, including encryption controls.
Why this answer
Data architecture defines how data is stored, processed, and transmitted, including encryption policies. To ensure data encryption at rest (e.g., AES-256 for stored CRM records) and in transit (e.g., TLS 1.2/1.3 for API calls), the risk manager must evaluate the data architecture layer, which specifies encryption standards, key management, and data flow controls.
Exam trap
The trap here is that candidates often confuse 'infrastructure architecture' with data security controls, but encryption policies and data flow protections are explicitly part of the data architecture layer, not the underlying hardware or network layer.
How to eliminate wrong answers
Option A is wrong because application architecture focuses on software components, APIs, and business logic, not on encryption mechanisms for data at rest or in transit. Option C is wrong because infrastructure architecture covers hardware, networks, and virtualization layers, but encryption policies and data flow security are defined at the data architecture level. Option D is wrong because business architecture addresses organizational goals, processes, and governance, not technical encryption controls.
Which THREE of the following are common consequences in an IT risk scenario?
Direct monetary impact.
Why this answer
Financial loss, regulatory penalty, and reputational damage are typical consequences in risk scenarios.
A risk manager is integrating risk management with IT governance. Which of the following are key elements of an IT risk management programme design? (Choose TWO.)
A methodology ensures consistent risk assessment.
Why this answer
A risk register and a risk assessment methodology are core components of an IT risk management programme design.
An architecture review board (ARB) is evaluating a new solution architecture that processes sensitive data. Which of the following should the ARB review to ensure security risks are addressed before implementation?
Threat modeling helps identify and mitigate security risks in the architecture.
Why this answer
The ARB must ensure that security risks are identified and mitigated before implementation. A threat model systematically identifies potential threats (e.g., STRIDE) and maps them to security controls, ensuring that sensitive data is protected against attacks like injection, disclosure, or tampering. Without this review, the architecture could be deployed with unaddressed vulnerabilities.
Exam trap
The trap here is that candidates confuse project governance artifacts (UAT plan, business case, timeline) with security-specific risk assessment deliverables, leading them to select a generic project management option instead of the threat model that directly addresses security risks.
How to eliminate wrong answers
Option A is wrong because a user acceptance test plan validates functional requirements and usability, not security risks or threat mitigation. Option B is wrong because the business case and ROI analysis focus on financial justification and cost-benefit, not on identifying or addressing security threats. Option D is wrong because the project timeline and budget are project management artifacts that track schedule and cost, not security risk assessment or control validation.
A company is prioritizing risk treatment actions. Which THREE factors should be considered when prioritizing risks?
Cost-benefit helps determine which treatments provide the best value.
Why this answer
Option B is correct because cost-benefit analysis ensures that the resources invested in controls are justified by the reduction in risk, which is a core principle of risk management. Without this analysis, an organization might over-invest in low-impact risks or under-invest in high-impact ones, leading to inefficient allocation of budget and effort.
Exam trap
The trap here is that candidates confuse 'number of vulnerabilities' (a technical count) with 'risk level' (which incorporates impact and likelihood), leading them to select Option E instead of recognizing that risk level is the primary driver for prioritization.
Refer to the exhibit. A risk analyst is reviewing an AWS S3 bucket policy. What is the MOST significant control monitoring gap in this policy?
Monitoring requires logs to detect violations.
Why this answer
Option D is correct because the policy only restricts access to the internal IP range and requires HTTPS; it does not log access attempts. Without logging, unauthorized attempts cannot be monitored. Option A is wrong because HTTPS is required. Option B is wrong because the internal IP range is allowed. Option C is wrong because a Deny for non-HTTPS requests is present; the gap is the missing logging.
When implementing a new access control system, which activity is essential during the change management process?
Documentation updates are a key step in change management.
Why this answer
Updating relevant documentation ensures that the change is properly recorded and that operational procedures remain accurate.
Which THREE of the following are key components of an effective risk reporting framework?
Enables aggregation and comparison.
Why this answer
Consistent risk metrics across the organization (Option B) are a key component of an effective risk reporting framework because they ensure that risk data is comparable and aggregated meaningfully across different business units and systems. Without standardized metrics, reports would be inconsistent, making it impossible to assess overall risk posture or identify trends reliably.
Exam trap
The trap here is that candidates often mistake operational enablers (like automated data collection or predictive models) for core framework components, but the CRISC exam emphasizes that the framework must define what is measured, how it is compared, and how responses are triggered, not just how data is gathered or analyzed.
A critical infrastructure organization is enhancing its threat identification capabilities. The risk team wants to leverage threat intelligence sources to identify emerging threats. Which THREE sources are most relevant for obtaining actionable threat intelligence?
OSINT includes publicly available information such as forums, social media, and threat reports, providing broad threat visibility.
Why this answer
OSINT provides open-source threat data, ISACs offer sector-specific intelligence, and government advisories (e.g., CISA KEV) provide authoritative information on exploited vulnerabilities. Commercial feeds are useful but not always actionable or free.
A financial institution is considering adopting a new AI/ML model for credit scoring. The model uses customer demographic data and transaction history. Which of the following risks is MOST likely to cause regulatory penalties if not addressed?
Model bias can violate fair lending laws and result in regulatory fines and reputational damage.
Why this answer
Regulators require explainability for credit decisions to ensure fairness and compliance with regulations like ECOA and GDPR. Model bias can lead to discriminatory outcomes, resulting in significant penalties.
Which THREE of the following are valid risk response options according to the ISACA risk management framework? (Select 3)
Reducing likelihood or impact.
Why this answer
Option B is correct because risk mitigation involves implementing controls to reduce the likelihood or impact of a risk to an acceptable level. In the ISACA framework, this is a primary risk response option, often achieved through technical controls like firewalls, encryption, or access management systems.
Exam trap
The trap here is that candidates may confuse 'monitor the risk' as a valid response option, but ISACA requires a specific action (avoid, mitigate, transfer, accept) rather than a passive monitoring activity.
Based on the exhibit, which risk is most likely present and what is the most appropriate risk response?
The policy allows public read access, risking data leakage. A deny rule would mitigate.
Why this answer
The exhibit shows an S3 bucket policy that allows public access to objects via a Principal of '*' and an Effect of 'Allow'. This directly exposes data to the internet, creating a risk of unauthorized data exposure. The most appropriate risk response is to apply a deny rule to restrict access, such as adding a condition to block public access or removing the wildcard principal.
Exam trap
The trap here is that candidates may confuse a permissive policy with a standard configuration, overlooking the severe security implication of a wildcard principal allowing public access.
How to eliminate wrong answers
Option A is wrong because the risk is not about cost; setting a budget alert does not address the security vulnerability of public data exposure. Option C is wrong because the risk is not about availability; implementing backup does not mitigate the unauthorized access risk. Option D is wrong because the policy is not standard; allowing public access via a wildcard principal is a well-known misconfiguration that violates the principle of least privilege.
A large e-commerce company is assessing the risk of a distributed denial-of-service (DDoS) attack on its web applications. The company has experienced three DDoS attacks in the past year, each causing significant downtime and revenue loss. The current mitigation strategy relies on an on-premise appliance that can handle up to 10 Gbps of attack traffic. Recent industry reports indicate that DDoS attacks are growing in volume and sophistication, with some exceeding 100 Gbps. The company's risk appetite for availability is moderate. The security team has proposed migrating to a cloud-based DDoS protection service that scales to 200 Gbps, but it will increase annual operational costs by 40%. The business is concerned about the cost increase. Which of the following is the BEST risk treatment decision?
Scalable solution matches risk appetite.
Why this answer
Option C is correct because the current on-premise appliance (10 Gbps capacity) is insufficient against modern DDoS attacks that can exceed 100 Gbps, as noted in industry reports. Migrating to a cloud-based DDoS protection service that scales to 200 Gbps directly reduces the risk to a level aligned with the company's moderate risk appetite for availability, despite the 40% cost increase. The business concern about cost is secondary to the necessity of mitigating a risk that could cause catastrophic revenue loss, and the cloud service provides elastic scalability that an on-premise upgrade cannot match.
Exam trap
The trap here is that candidates may choose Option D (upgrading to 50 Gbps) because it appears to be a cost-effective risk reduction, but they overlook that it still leaves the organization exposed to attacks exceeding 50 Gbps, which is a common scenario given the trend toward 100+ Gbps attacks, and fails to meet the moderate risk appetite for availability.
How to eliminate wrong answers
Option A is wrong because transferring risk via business interruption insurance does not prevent downtime or revenue loss; it only provides financial compensation after the fact, which does not address the company's moderate risk appetite for availability or the operational impact of repeated outages. Option B is wrong because accepting the risk ignores the clear trend of increasing attack volumes (up to 100+ Gbps) and the fact that the company has already suffered significant downtime and revenue loss from three attacks; the high cost of mitigation does not justify continued exposure when the risk exceeds the risk appetite. Option D is wrong because upgrading the on-premise appliance to 50 Gbps is still far below the 100+ Gbps attack volumes reported, leaving the company vulnerable to larger attacks; it also lacks the elastic scaling and global scrubbing capacity of a cloud-based service, making it an inadequate risk reduction measure.
Which TWO of the following are examples of detective controls?
Detects unauthorized access after the fact.
Why this answer
A is correct because reviewing access logs for unauthorized access is a detective control. It involves examining historical records of system access events to identify security incidents or policy violations after they have occurred. This is a classic example of monitoring and analysis, not prevention or correction.
Exam trap
ISACA often tests the distinction between preventive and detective controls by presenting security technologies that have both capabilities (e.g., a firewall with logging), but the trap here is that candidates confuse the control's primary function (e.g., firewall rules are preventive, even if logs are used for detection).
A company has identified a risk of data breach due to weak encryption. The current controls include encryption at rest but not in transit. The risk assessment team calculates inherent risk as high and residual risk as high. What should the team recommend FIRST?
Directly mitigates the root cause.
Why this answer
The risk assessment team should first recommend implementing encryption in transit because the current controls only address data at rest, leaving data vulnerable during transmission. Since both inherent and residual risks are high, the most direct and effective control to reduce likelihood is to apply a technical safeguard like TLS 1.3 for data in transit, which directly addresses the identified gap.
Exam trap
The trap here is that candidates may think accepting high residual risk is acceptable if inherent risk is also high, but CRISC emphasizes that risk should be reduced to an acceptable level using controls before considering acceptance or transfer.
How to eliminate wrong answers
Option B is wrong because transferring risk via cyber insurance does not reduce the likelihood or impact of a data breach; it only provides financial compensation after an incident, which is not a first-line recommendation when a technical control is missing. Option C is wrong because avoiding the risk by discontinuing data transmission is an extreme measure that would halt business operations, and it is not the first recommendation when a feasible technical control (encryption in transit) exists. Option D is wrong because accepting a high residual risk when a cost-effective control is available violates the principle of risk reduction; acceptance should only be considered after all reasonable mitigation options have been evaluated.
A project manager is identifying risks for a new software development project using Agile methodology. Which THREE threat modeling techniques are BEST suited for Agile/DevSecOps environments?
VAST is designed for Agile and DevSecOps.
Why this answer
STRIDE is lightweight and can be used in Agile. PASTA is more comprehensive but can be adapted. VAST is specifically designed for Agile and DevSecOps.
TRIKE is more requirements-heavy and less suited for Agile.
A risk assessor is evaluating a third-party cloud service provider. Which of the following is the MOST important factor to consider when assessing the risk of data exfiltration?
Encryption is key to protecting data.
Why this answer
Data exfiltration risk is primarily mitigated by strong encryption for data at rest and in transit. Even if a provider has robust access controls, weak or misused encryption (e.g., TLS 1.0, or CBC mode with predictable IVs, which lets an attacker confirm guesses of secret plaintext one block at a time) can allow an attacker to intercept or decrypt data during transfer or storage. Encryption directly prevents unauthorized extraction of readable data, making it the most critical factor.
Exam trap
The trap here is that candidates often choose 'security certifications' (Option C) as a proxy for security, but CRISC emphasizes that certifications are process-based and do not guarantee technical controls like encryption strength, which directly addresses the exfiltration threat.
How to eliminate wrong answers
Option A is wrong because data portability and exit process address vendor lock-in and migration, not the active prevention of data theft during normal operations. Option B is wrong because SLA uptime guarantees availability, not confidentiality; a provider with 99.999% uptime could still have weak encryption enabling exfiltration. Option C is wrong because security certifications (e.g., ISO 27001, SOC 2) indicate a baseline of controls but do not guarantee the strength or implementation of encryption; a provider can hold many certifications yet use outdated cipher suites like RC4.
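The "predictable IV" weakness mentioned above is worth seeing concretely, because it shows why the cipher name alone (AES-128) says nothing about safety. The following is an added example, not code from the original page or from any vendor: it uses a keyed PRF (HMAC-SHA256 truncated to 16 bytes) as a stand-in for the AES block function, since only the encryption direction is needed, and a constructed 16-byte secret of which the attacker already knows 15 bytes (the same byte-at-a-time setup the BEAST attack engineered against TLS 1.0). With IV chaining the attacker recovers the unknown byte in at most 256 queries; with a fresh random IV per record the same queries learn nothing.

```python
import hashlib
import hmac
import os

BLOCK = 16


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for the AES block function: a keyed PRF truncated to one block.
    The attack only needs the encryption direction, so a PRF is enough for the
    demonstration; a real deployment would use AES-128 here."""
    assert len(block) == BLOCK
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class CbcOracle:
    """Encrypts one block at a time in CBC mode. With predictable_iv=True the IV of
    the next block is the previous ciphertext block (what TLS 1.0 did); otherwise a
    fresh random IV is drawn for every block, as TLS 1.1+ does per record."""

    def __init__(self, key: bytes, iv: bytes, predictable_iv: bool):
        self.key = key
        self.predictable_iv = predictable_iv
        self.last_ct = iv  # visible on the wire, so an observer can predict it as the next IV

    def encrypt_block(self, pt: bytes):
        iv = self.last_ct if self.predictable_iv else os.urandom(BLOCK)
        ct = block_encrypt(self.key, xor(pt, iv))
        self.last_ct = ct
        return iv, ct


def recover_last_byte(oracle: CbcOracle, iv_used: bytes, target_ct: bytes, known15: bytes):
    """Attacker saw (iv_used, target_ct) for a secret block whose first 15 bytes are
    known. For each guess g of byte 16, submit g XOR iv_used XOR predicted_iv: the
    oracle returns E(submitted XOR actual_iv), which equals target_ct exactly when
    the IV prediction held and the guess is right."""
    for b in range(256):
        guess = known15 + bytes([b])
        predicted_iv = oracle.last_ct
        probe = xor(xor(guess, iv_used), predicted_iv)
        _, ct = oracle.encrypt_block(probe)
        if ct == target_ct:
            return b
    return None


# Constructed secret for the walkthrough; the final byte is what the attacker recovers.
SECRET = b"sessionid=7f3a2" + bytes([0x42])


def demo():
    """Run the attack against a chained-IV oracle and a random-IV oracle."""
    key = os.urandom(BLOCK)
    results = {}
    for predictable in (True, False):
        oracle = CbcOracle(key, os.urandom(BLOCK), predictable)
        iv_used, target_ct = oracle.encrypt_block(SECRET)  # the victim encrypts the secret
        results[predictable] = recover_last_byte(oracle, iv_used, target_ct, SECRET[:15])
    return results  # {True: 0x42, False: None}


if __name__ == "__main__":
    print(demo())
```

The assessor's takeaway: when reviewing a provider's encryption, ask for the negotiated protocol versions and modes (TLS 1.2 or 1.3 with AEAD suites), not just the cipher name in a certificate or a questionnaire answer.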
An organization recently experienced a significant security incident that was not detected by existing monitoring controls. The risk team is reviewing the effectiveness of the control monitoring framework. Which THREE of the following are key factors that should be evaluated to improve detection capabilities?
Correlation reduces false positives and identifies complex patterns.
Why this answer
Correlation rules between different monitoring tools (Option A) are critical because they define how alerts from disparate sources (e.g., SIEM, IDS/IPS, endpoint detection) are combined to identify complex attack patterns. Without well-tuned correlation rules, the organization may miss multi-stage attacks that span multiple systems, as no single tool alone provides the full picture. Evaluating and refining these rules directly improves the detection of incidents that existing controls failed to catch.
Exam trap
ISACA often tests the distinction between detection improvement and response improvement; the trap here is that candidates confuse the incident response plan (Option B) or automation (Option D) with detection capabilities, when they are actually post-detection activities that do not address why the incident was missed in the first place.
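To make the correlation-rule point concrete, here is an added example (not code from the original page or from any SIEM product) of a minimal correlation rule run over constructed telemetry from three tools. Each event on its own is the kind of low-severity noise a single tool would suppress; the rule raises one high-severity alert only when an IDS exploit attempt, an EDR suspicious-process event and an authentication privilege-escalation event occur on the same host, in that order, each within a time window of the previous step. Hostnames, timestamps and detail strings are all made up for the walkthrough.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple


class Event(NamedTuple):
    ts: datetime
    source: str   # which tool produced it: ids, edr or auth
    host: str
    event: str
    detail: str


# Constructed sample telemetry (not real logs). web-01 shows the full intrusion chain;
# web-02 and db-01 are single-tool noise; web-03 has a chain whose last step is late.
RAW_EVENTS = [
    ("2024-03-01T09:58:10", "ids",  "web-01", "exploit_attempt",      "src=203.0.113.7 sig=webshell-upload"),
    ("2024-03-01T10:03:42", "edr",  "web-01", "suspicious_process",   "www-data spawned /bin/sh"),
    ("2024-03-01T10:09:05", "auth", "web-01", "privilege_escalation", "new sudoers entry for www-data"),
    ("2024-03-01T10:15:00", "ids",  "web-02", "exploit_attempt",      "src=198.51.100.9 sig=webshell-upload"),
    ("2024-03-01T11:00:00", "edr",  "db-01",  "suspicious_process",   "postgres spawned curl"),
    ("2024-03-01T12:00:00", "ids",  "web-03", "exploit_attempt",      "src=203.0.113.7 sig=path-traversal"),
    ("2024-03-01T12:05:00", "edr",  "web-03", "suspicious_process",   "www-data spawned python3"),
    ("2024-03-01T14:30:00", "auth", "web-03", "privilege_escalation", "new sudoers entry for www-data"),
]

# The correlation rule: an ordered chain of (source, event) on the same host, each step
# within `window` of the previous one. One step alone is noise; the whole chain is a
# multi-stage compromise that no single tool would flag.
RULE = [("ids", "exploit_attempt"), ("edr", "suspicious_process"), ("auth", "privilege_escalation")]


def load_events(raw=RAW_EVENTS):
    return [Event(datetime.fromisoformat(ts), src, host, ev, det) for ts, src, host, ev, det in raw]


def correlate(events, rule=RULE, window=timedelta(minutes=15)):
    """Return one alert per rule chain that is fully observed, in order, on one host."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev.host].append(ev)

    alerts = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e.ts)
        for start in (e for e in evs if (e.source, e.event) == rule[0]):
            chain = [start]
            for src, kind in rule[1:]:
                prev = chain[-1]
                nxt = next((e for e in evs
                            if (e.source, e.event) == (src, kind)
                            and prev.ts < e.ts <= prev.ts + window), None)
                if nxt is None:
                    break
                chain.append(nxt)
            if len(chain) == len(rule):
                alerts.append({
                    "host": host,
                    "severity": "high",
                    "chain": [f"{e.ts.isoformat()} {e.source}:{e.event} ({e.detail})" for e in chain],
                })
    return alerts


if __name__ == "__main__":
    for alert in correlate(load_events()):
        print(alert["host"], alert["severity"])
        for step in alert["chain"]:
            print("   ", step)
```

Note the effect of the window: at 15 minutes only web-01 fires; widening it to three hours also catches the slow chain on web-03. That tuning is exactly the kind of thing a post-incident review of correlation rules should examine, alongside whether every stage's source is actually feeding the SIEM (a missing log source silently breaks the chain).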
An organization is evaluating whether to accept a risk. Which TWO conditions must be met for risk acceptance to be appropriate?
Correct; formal sign-off is required.
Why this answer
Acceptance requires that the risk is within the organization's risk appetite and that the risk owner formally documents and signs off the acceptance. It is not appropriate if controls are available or if the risk exceeds appetite.
An organization is evaluating cyber insurance to cover potential losses from ransomware attacks. The insurer requires that the organization have multi-factor authentication (MFA) on all remote access systems. This requirement is an example of which factor influencing insurance premiums?
Correct. Security controls like MFA are key factors in premium calculation.
Why this answer
Insurers assess the organization's security controls to determine risk level; MFA is a control that reduces risk, thus affecting premiums positively.
A risk manager is evaluating IoT device risks for a smart building project. Which TWO of the following are significant IoT security risks?
IoT devices often lack automatic update mechanisms.
Why this answer
IoT devices often have limited security capabilities, leading to expanded attack surface and difficulty in applying firmware updates. These are common IoT risks.
Based on the exhibit, what is the PRIMARY risk associated with this S3 bucket policy?
The principal is '*', so any user, including unauthenticated ones, can read objects in the bucket.
Why this answer
The S3 bucket policy includes a `Principal: "*"` statement that grants public access to the bucket. Combined with an `Effect: Allow` and `Action: s3:GetObject`, this permits any unauthenticated user on the internet to read objects in the bucket. This is the primary risk because it exposes sensitive data to anyone without requiring AWS credentials or any form of authentication.
Exam trap
The trap here is that candidates may focus on the IP range or subnet details mentioned in the options, but the actual policy lacks any IP restriction and instead grants full public access via `Principal: "*"`, making unauthenticated access the primary risk.
How to eliminate wrong answers
Option A is wrong because the policy uses a `Resource` ARN that specifies a single bucket (e.g., `arn:aws:s3:::example-bucket/*`), not all buckets in the account. Option B is wrong because the policy does not contain a `Deny` effect or a `Condition` block restricting access based on source IP or VPC subnet; it allows all principals without any network restriction. Option D is wrong because the policy does not include any IP address condition (such as `aws:SourceIp`) that could be misconfigured; the risk is about unauthenticated access, not an IP range error.
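The wildcard-principal misconfiguration in this question, and in the earlier S3 question above whose elimination notes call it a well-known violation of least privilege, is easy to check mechanically. The following is an added example, not code from the original page or from AWS: a small policy review function that flags any Allow statement with an anonymous principal, and distinguishes a statement that is open to the whole internet from one that is anonymous but gated by a Condition. The bucket name follows the page's example; the role ARN and account id in the hardened policy are placeholders, not real identifiers.

```python
import json

# Constructed example policies for the walkthrough.
VULNERABLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "PublicRead",
    "Effect": "Allow",
    "Principal": "*",
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-bucket/*"
  }]
}""")

# Anonymous access gated by a source IP range (the situation the wrong options describe).
IP_GATED_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "OfficeRead",
    "Effect": "Allow",
    "Principal": {"AWS": "*"},
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-bucket/*",
    "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}
  }]
}""")

# Hardened: a named role (placeholder ARN) instead of a wildcard principal.
HARDENED_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "AppRead",
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-bucket/*"
  }]
}""")

PUBLIC = "public"                            # anyone on the internet, no condition
PUBLIC_WITH_CONDITION = "public_with_condition"  # anonymous, but gated by a Condition block


def _as_list(x):
    """Policy documents allow a single string or a list in most fields."""
    return x if isinstance(x, list) else [x]


def _is_wildcard_principal(principal):
    """True for Principal "*" and for {"AWS": "*"} (including inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_statements(policy):
    """Return a finding for every Allow statement with an anonymous principal."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_wildcard_principal(stmt.get("Principal")):
            continue
        findings.append({
            "sid": stmt.get("Sid"),
            "kind": PUBLIC_WITH_CONDITION if stmt.get("Condition") else PUBLIC,
            "actions": _as_list(stmt.get("Action", [])),
            "resources": _as_list(stmt.get("Resource", [])),
        })
    return findings


if __name__ == "__main__":
    for name, pol in [("vulnerable", VULNERABLE_POLICY), ("ip-gated", IP_GATED_POLICY), ("hardened", HARDENED_POLICY)]:
        print(name, public_statements(pol))
```

The conditioned case is reported separately rather than ignored because it is still anonymous access: a too-wide CIDR or a NAT shared with untrusted parties turns it into the same exposure. Independently of the policy text, enabling S3 Block Public Access at the account or bucket level rejects policies like the vulnerable one at write time, which is the preventive control that should back this detective check.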
A large bank has implemented a sophisticated risk and control monitoring system with multiple dashboards and automated reporting for key risk indicators (KRIs). However, the board of directors has been receiving conflicting KRI reports from different business units (e.g., retail banking, corporate lending, and wealth management). For example, the fraud KRI shows a high risk in retail but low risk in wealth management, yet both units use the same underlying data source. The chief risk officer (CRO) is concerned that the board is losing confidence in the risk reporting. An investigation reveals that each business unit defines and calculates KRIs differently, uses different thresholds, and reports on different schedules. What is the most likely root cause and the best remediation?
Standardizing definitions and calculation methods will produce consistent reports and restore board confidence.
Why this answer
The root cause is that KRI definitions are not standardized across business units, causing inconsistent reporting. Standardizing KRI definitions and calculation methods ensures comparability. Option A (data sources) is not the issue, since both units use the same source; Option B (board interpretation) is secondary; Option C (reporting frequency) is not the core problem.
Which of the following is an example of a leading Key Risk Indicator (KRI) for IT risk?
This is a leading indicator of potential future exploits.
Why this answer
A leading Key Risk Indicator (KRI) predicts future risk events by measuring conditions that precede incidents. Missing critical patches on systems directly indicate a higher likelihood of exploitation, making it a leading indicator. In contrast, lagging KRIs like incident counts or costs measure outcomes after the fact.
Exam trap
The trap here is confusing leading indicators (which predict risk) with lagging indicators (which measure past events), leading candidates to pick options like the number of security incidents or audit findings resolved, which are reactive rather than predictive.
How to eliminate wrong answers
Option B is wrong because the number of audit findings resolved is a lagging indicator that measures remediation activity after issues have been identified, not a predictor of future risk. Option C is wrong because the number of security incidents this quarter is a lagging KRI that reports past events, not a leading indicator of impending risk. Option D is wrong because the total cost of security incidents is a lagging financial metric that quantifies damage after incidents occur, offering no forward-looking risk prediction.