ISACA CRISC Exam Questions


1.

What tool is used as the basis for quantitative risk assessment?

  • Risk scenarios

  • Big data

  • Vulnerability assessment

  • Penetration test results

Correct answer: Risk scenarios

Risk scenarios document risk relative to business objectives. The scenario maps the risk to the impact on operations and facilitates the ability to quantify the impact.

Big data can inform risk assessments by providing extensive information and patterns, but is not the primary tool used specifically for quantitative risk assessment.

A vulnerability assessment identifies and evaluates weaknesses in systems but does not directly provide the quantitative measures required for risk assessment.

Penetration tests simulate attacks to find vulnerabilities, but the results are qualitative and need to be translated into quantitative measures for risk assessment purposes.

2.

As it relates to issue and exception management, which set of controls has to do with how the system is assembled and used as well as settings and parameters?

  • Configuration management

  • Release management

  • Exception management

  • Change management

Correct answer: Configuration management 

Configuration management is the set of activities and controls that determines how the system is planned, implemented, tested, and maintained. When these processes are standardized, risk is reduced.

Release management focuses on planning, scheduling, and controlling releases to production environments. 

Exception management involves handling deviations that occur when a system behaves outside of expected norms.

Change management concerns changes in systems and is broader than configuration management.

3.

The threat landscape can be internal or external. Which of the following threat categories is external?

  • Natural events

  • Disclosures of information

  • Unauthorized actions

  • Improperly defined business processes

Correct answer: Natural events

Natural events have to do with weather and forces of nature. Their onset cannot be controlled by any internal factor within an organization: earthquakes, floods, hurricanes, and other natural disasters originate from external environmental factors beyond the organization's control.

Disclosures of information refers to the unauthorized release or exposure of sensitive information by individuals within the organization, whether intentional or unintentional, and typically stems from internal actions or lapses in security protocols rather than external factors. 

Unauthorized actions involve individuals within the organization engaging in activities or accessing resources without proper authorization. 

Improperly defined business processes relate to inefficiencies, errors, or vulnerabilities in the organization's internal processes or procedures.

4.

As it relates to risk management, what is the goal of assessing a potential risk event?

  • Understanding the consequences

  • Putting action plans in place

  • Defining the risk context

  • Mobilizing resources

Correct answer: Understanding the consequences

Risk events represent uncertainty. It is important for an organization to understand the consequences and implications, both qualitative and quantitative, ahead of time.

Putting action plans in place is done after the risk assessment to address identified risks.

Defining the risk context occurs before assessing specific risk events. 

Mobilizing resources is a response action taken after risks have been assessed and prioritized.

5.

Who is the primary individual ultimately responsible and accountable for how risk is addressed?

  • Risk owner

  • Risk analyst

  • Risk manager

  • Control steward

Correct answer: Risk owner

The risk owner has the bottom-line accountability for the enterprise risk program. This individual works with other stakeholders and experts to implement the program.

The risk analyst analyzes, evaluates, and assesses threats.

The risk manager is responsible for ensuring that risk management functions are being carried out.

The control steward is responsible for routine management and maintenance of controls.

6.

When selecting a risk treatment plan, what is the primary parameter that guides the risk response?

  • Risk appetite

  • Risk budget

  • Risk impact

  • Risk probability

Correct answer: Risk appetite 

Risk appetite is the amount of risk that an organization can and will accept. This includes risk it must accept to conduct normal business operations.

The risk budget is important for resource allocation, but the risk budget is secondary to risk appetite in guiding the risk treatment plan.

The risk impact focuses on the consequences of the risk but does not guide the treatment plan as effectively as risk appetite.

The risk probability helps assess risk likelihood but does not directly guide the treatment plan compared to risk appetite.

7.

Under what circumstances might an organization choose NOT to be compliant with certain laws and regulations?

  • If the cost of compliance is greater than the consequences

  • If only a small percent of their business comes from those countries

  • If the cost of compliance brings the risk appetite lower

  • If the cost of compliance nullifies the requirements of compliance

Correct answer: If the cost of compliance is greater than the consequences

Compliance is a risk decision. Every organization has a risk appetite that is set by senior management. Depending on the penalties, an organization may willingly choose not to invest in compliance because the cost of doing so far outweighs the penalties. However, it's important to note that choosing not to comply with laws and regulations can pose legal, financial, reputational, and operational risks to the organization, and such decisions should be made carefully and with full consideration of the potential consequences.

The statement that the cost of compliance has any effect on risk appetite is nonsensical. Risk appetite is the amount of risk that an entity is willing to accept in pursuit of its mission. It is necessary to manage risk within the appetite, and that could include being in compliance, or not. Attempting to circumvent compliance requirements through lobbying may be unethical and potentially illegal. Being in compliance with laws and regulations does not nullify the requirement of compliance; it fulfills the requirement of compliance.

8.

As it relates to risk response options, which option can be selected if an organization has a self-insurance model?

  • Risk acceptance

  • Risk elimination

  • Risk avoidance

  • Risk transfer

Correct answer: Risk acceptance

A self-insurance model is when an organization has access to sufficient resources to absorb the cost of impact. Consciously, they set aside the appropriate amount of resources should a risk event occur.

Risk elimination involves completely removing the risk, which is not aligned with the self-insurance model that accepts the potential for risk.

Risk avoidance involves eliminating the risk entirely by ceasing activities. 

Risk transfer involves shifting the risk to another party.

9.

Which of the following is NOT one of the four "AREs" of enterprise architecture?

  • Are we within budget?

  • Are we doing the right things?

  • Are we doing it the right way?

  • Are we seeing expected results?

Correct answer: Are we within budget? 

The AREs of enterprise architecture focus on what is being done and whether the priority is correct. They also focus on the delivered value and benefits realization.

They include:

  • Are we doing the right things?
  • Are we getting them done well?
  • Are we doing it the right way?
  • Are we seeing expected results?

10.

Which risk management policy sets the guidelines for protecting corporate information and includes underlying infrastructure and supporting systems?

  • Information security policy

  • Privacy policy

  • Risk appetite/tolerance policy

  • Risk mitigation policy

Correct answer: Information security policy

An information security policy addresses the protection of all corporate data. Because data is stored on infrastructure and flows through the network from system to system, the scope of an information security policy also includes the underlying supporting infrastructure and systems.

Privacy policies focus primarily on the protection of personal data.

Risk appetite/tolerance policies define the organization's acceptance level of risk, not the specific controls to mitigate it.

Risk mitigation policies outline strategies to reduce risk, but do not encompass the overall protection of information systems.

11.

As it relates to risk, what is the scope of an IS audit?

  • Control environment

  • Application portfolio

  • Security tools

  • Network points

Correct answer: Control environment

An IS audit provides an independent and objective review of the effectiveness of the entire control environment. This includes all dimensions of risk control.

The IS audit scope is broader and not limited to just the application portfolio.

Security tools are part of the risk mitigation strategy but do not define the entire control environment.

Auditing network points may be part of a technical audit, but an IS audit has a broader scope, with a focus on the control environment rather than just specific network elements.

12.

Which key concept of data privacy ensures that only data that is relevant and expressly needed is captured and accumulated?

  • Minimization

  • Informed consent

  • Destruction

  • Privacy assessment

Correct answer: Minimization

Data minimization limits the amount of data that can be captured and stored. Minimizing data volumes is a best practice for increasing data privacy.

Informed consent refers to obtaining permission from individuals before collecting, processing, or using their personal data. 

Destruction involves the process of securely disposing of data that is no longer needed. It does not pertain to the collection of data but, rather, to its proper disposal.

A privacy assessment is a broader evaluation process to determine how personal data is handled and protected.

13.

Asset valuation is the process by which the risk management program calculates the value an asset provides. The outcome of this calculation can be expressed either quantitatively or qualitatively.

Which risk scenario is concerned with the value an asset brings to an organization's credibility?

  • Damage to reputation

  • Breach of contract

  • Violation of privacy

  • Legal noncompliance

Correct answer: Damage to reputation

Damage to reputation impacts an organization's brand. A strong brand is a competitive advantage that has a significant financial impact. When valuing assets that are used to develop and maintain an organization's brand, the risk management program would be concerned about potential damage to reputation.

While a breach of contract can certainly have financial and reputational consequences, it is primarily concerned with the failure to meet the terms agreed upon in a legal contract rather than the organization's credibility. 

Violation of privacy pertains to the failure in protecting personal or sensitive information per legal or regulatory standards. 

Legal noncompliance involves failing to adhere to laws and regulations governing the organization's operations.

14.

What is an example of an organizational measure that adjusts policies, processes, or procedures to reduce risk to an acceptable level?

  • Data retention

  • Encryption

  • File monitoring

  • Firewalls

Correct answer: Data retention

Data retention is a policy that determines how long an organization will keep and store its data. The longer data is stored, the larger the data volume is. This creates a situation where there could be a large amount of confidential information being stored. If there is a data breach, this would create a high risk to the organization.

Encryption, file monitoring, and firewalls are considered technical controls rather than organizational measures.

15.

Which of the following factors is the largest contributor to emerging risks?

  • New technologies

  • Legacy technologies

  • Established controls

  • Oversight board

Correct answer: New technologies

The pace of new technology introduction has increased significantly in the last several years. Each technology brings uncertainty, which can then impact risk to the organization.

While legacy technologies can present risks in terms of outdated security measures and incompatibility with modern systems, they are not typically the primary driver of emerging risks.

Established controls are designed to mitigate risks, not create them.

An oversight board is a governance mechanism that monitors and guides risk management practices.

16.

If an organization wants to mandate the way their staff complies with risk policies, what can they use or refer to in order to accomplish this?

  • Standards

  • Best practices

  • Guidelines

  • Regulations

Correct answer: Standards

A risk standard is a mandatory requirement, code of practice, or specification that is established and recognized by an external standards organization. External standards organizations are typically specific to an industry and have the background and credibility to create standards that organizations should follow.

Best practices are recommendations based on industry experience that suggest the most efficient way to achieve a goal but are not mandatory.

Guidelines provide general advice or recommendations on how to perform a task but are usually not enforceable.

Regulations are laws or rules set by a governing body that organizations must comply with.

17.

Governance frameworks establish accountability to protect which aspect of an organization?

  • Assets

  • Employees

  • Policies

  • Board of Directors

Correct answer: Assets

Assets are the tangible and non-tangible resources that an organization uses to conduct operations. Governance and accountability ensure that these assets are accounted for and leveraged according to business guidelines.

Governance frameworks might have policies that affect employee behavior, although the primary focus of governance is not directly on protecting employees but on overseeing overall management.

Governance frameworks include policies, but they do not primarily exist to protect the policies themselves. They establish policies to protect the organization's assets.

Governance frameworks ensure that the Board of Directors fulfills its duties, but they do not exist primarily to protect the Board itself.

18.

The goal of effective data management is to protect data in all of its states.

When data is being transmitted from one system to another, what state is it in?

  • In transit

  • At rest

  • At risk

  • In use

Correct answer: In transit

Data in transit is being transmitted across the network. This transmission happens because systems and users are communicating with each other from multiple locations, and they all have need of the data.

Data at rest is data that has reached a destination and is not being accessed or used. 

Data in use is data that is actively being accessed.

At risk is not an accepted state of data.

19.

Who is responsible for setting the risk appetite of an organization?

  • Senior management

  • Middle management

  • Risk manager

  • Subject matter experts

Correct answer: Senior management

Setting the risk appetite of an organization is part of the strategic planning process. Therefore, senior management is responsible for this task.

Middle management is responsible for managing risks within their areas of responsibility according to the risk appetite set by senior management, but they do not typically set the risk appetite.

The risk manager is responsible for overseeing the risk management process, ensuring that risks are identified, assessed, and managed, but they do not typically set the risk appetite.

A subject matter expert provides specialized knowledge on specific risks but does not set the overall risk appetite for the organization.

20.

What risk model describes an evolutionary approach to risk improvement?

  • CMM

  • ISO

  • COBIT

  • NIST

Correct answer: CMM

The Capability Maturity Model (CMM) allows organizations to rank their risk processes from ad hoc to disciplined and mature. CMM is used to evolve and improve the strength of a risk program.

The International Organization for Standardization (ISO) provides guidelines for risk management but does not describe an evolutionary model of improvement.

COBIT is focused on governance and management of enterprise IT, not specifically on evolving risk management processes.

The National Institute of Standards and Technology (NIST) provides a variety of frameworks and standards but, like ISO, it is more focused on setting guidelines and best practices rather than describing an evolutionary risk improvement model.