Free Certification Practice Questions

ISACA-CRISC

Which of the following is MOST important to include in regulatory and risk updates when a new legal requirement affects the organization?
#571
Who should be accountable for monitoring the control environment to ensure controls are effective?
#572
Who is accountable for risk treatment?
#573
Which of the following BEST enables the risk profile to serve as an effective resource to support business objectives?
#574
The risk associated with a high-risk vulnerability in an application is owned by the:
#575
Which of the following IT key risk indicators (KRIs) provides management with the BEST feedback on IT capacity?
#576
The PRIMARY goal of a risk management program is to:
#577
An organization's chief technology officer (CTO) has decided to accept the risk associated with the potential loss from a denial-of-service (DoS) attack. In this situation, the risk practitioner's BEST course of action is to:
#578
The BEST metric to monitor the risk associated with changes deployed to production is the percentage of:
#579
A global organization is planning to collect customer behavior data through social media advertising. Which of the following is the MOST important business risk to be considered?
#580
Which of the following should be the PRIMARY objective of a risk awareness training program?
#581
Which of the following is MOST important for evaluating the operational effectiveness of a newly implemented control?
#582
An organization must implement changes as the result of new regulations. Which of the following should the risk practitioner do FIRST to prepare for these changes?
#583
What should a risk practitioner do NEXT if an ineffective key control is identified on a critical system?
#584
Performing a background check on a new employee candidate before hiring is an example of what type of control?
#585
An organization has introduced risk ownership to establish clear accountability for each process. To ensure effective risk ownership, it is MOST important that:
#586
Which of the following would MOST likely require a risk practitioner to update the risk register?
#587
A peer review of a risk assessment finds that a relevant threat community was not included. Mitigation of the risk will require substantial changes to a software application. Which of the following is the BEST course of action?
#588
Which of the following is MOST important when developing key risk indicators (KRIs)?
#589
Which of the following provides the MOST up-to-date information about the effectiveness of an organization's overall IT control environment?
#590
Which of the following MUST be assessed before considering risk treatment options for a scenario with significant impact?
#591
Which of the following would be a risk practitioner's GREATEST concern related to the monitoring of key risk indicators (KRIs)?
#592
The BEST key performance indicator (KPI) to measure the effectiveness of a vulnerability remediation program is the number of:
#593
Which of the following is the PRIMARY purpose of analyzing log data collected from systems?
#594
Which of the following BEST indicates the condition of a risk management program?
#595
A risk practitioner has become aware of production data being used in a test environment. Which of the following should be the practitioner's PRIMARY concern?
#596
An internal audit report reveals that not all IT application databases have encryption in place. Which of the following information would be MOST important for assessing the risk impact?
#597
The PRIMARY purpose of IT control status reporting is to:
#598
Which of the following is MOST important to ensure when continuously monitoring the performance of a client-facing application?
#599
An organization has four different projects competing for funding to reduce overall IT risk. Which project should management defer?
#600