ISACA-CRISC

An organization's risk profile indicates that residual risk levels have fallen significantly below management's risk appetite. Which of the following is the BEST course of action?

A multinational company needs to implement a new centralized security system. The risk practitioner has identified a conflict between the organization's data-handling policy and local privacy regulations. Which of the following would be the BEST recommendation?

In addition to the risk exposure, which of the following is MOST important for senior management to understand prior to approving the use of artificial intelligence (AI) solutions?

Which of the following BEST enables an organization to mitigate ethical risk?

A risk practitioner is performing a risk assessment of recent external advancements in quantum computing. Which of the following would pose the GREATEST concern for the risk practitioner?

Which of the following is MOST important for developing effective key risk indicators (KRIs)?

Which of the following is BEST to use as a basis for developing a comprehensive list of IT risk scenarios?

Which of the following practices MOST effectively safeguards the processing of personal data?

An organization is moving its critical assets to the cloud. Which of the following is the MOST important key performance indicator (KPI) to include in the service level agreement (SLA)?

Which of the following should be the PRIMARY consideration when assessing tools for automated control monitoring?

When reporting to senior management on changes in trends related to IT risk, which of the following is MOST important?

Which of the following BEST demonstrates that an implemented control is effective in mitigating the intended risk?

An organization uses a web application hosted by a cloud service that is populated by data sent to the vendor via email on a monthly basis. Which of the following should be the FIRST consideration when analyzing the risk associated with the application?

Which of the following is MOST important for management to consider when deciding whether to invest in an IT initiative that exceeds management's risk appetite?

Which of me following groups would provide the MOST relevant perspective when reporting loss exposure based on a risk analysis exercise?

When a risk practitioner is developing a set of risk scenarios, the scenarios MUST include information about:

A risk assessment has revealed that the probability of a successful cybersecurity attack is increasing. The potential loss could exceed the organization’s risk appetite. Which of the following would be the MOST effective course of action?

Which of the following is the PRIMARY reason to obtain independent reviews of risk assessment and response mechanisms?

Which of the following is the MOST important criteria for selecting key risk indicators (KRIs)?

A data privacy regulation has been revised to incorporate more stringent requirements on personal data protection. Which of the following will provide the MOST important input to help ensure compliance with the revised regulation?

Which of the following should be the FIRST course of action if the risk associated with a new technology is found to be increasing?

Who should be responsible for approving the cost of controls to be :mplemented for mitigating risk?

Which of the following should be of MOST concern to a risk practitioner reviewing the system development life cycle (SDLC)?

Which of the following would MOST likely cause senior management to lower the risk tolerance level?

A Software as a Service (SaaS) company wants to use aggregated data from its clients to improve its services via a machine learning model. However, its contracts do not clearly allow this use of aggregated data. What should the organization do NEXT?

Who is BEST suited to own an IT risk scenario in an organization where only one IT support person knows how to maintain a core business application?

Which of the following will be MOST effective in helping to ensure control failures are appropriately managed?

A risk practitioner has implemented a key risk indicator (KRI) that triggers a warning when the number of untreated IT control deficiencies exceeds a given threshold. Which of the following should be the GREATEST concern regarding the design of this KRI?

Which of the following would be MOST effective in promoting a risk-aware culture within an organization?

An organization has outsourced its backup and recovery procedures to a third-party cloud provider. Which of the following should be the risk practitioner's NEXT course of action?