CRISC Online Practice Questions and Answers

Which of the following assets are the examples of intangible assets of an enterprise? Each correct answer represents a complete solution. Choose two.

A. Customer trust

B. Information

C. People

D. Infrastructure

You are the project manager of your enterprise. You have identified several risks. Which of the following responses to risk is considered the MOST appropriate?

A. Any of the above

B. Insuring

C. Avoiding

D. Accepting

You are a project manager for your organization and you're working with four of your key stakeholders. One of the stakeholders is confused as to why you're not discussing the current problem in the project during the risk identification meeting. Which one of the following statements best addresses when a project risk actually happens?

A. Project risks are uncertain as to when they will happen.

B. Risks can happen at any time in the project.

C. Project risks are always in the future.

D. Risk triggers are warning signs of when the risks will happen.

Which of the following is MOST helpful in determining the effectiveness of an organization's IT risk mitigation efforts?

A. Assigning identification dates for risk scenarios in the risk register

B. Updating impact assessments for risk scenario

C. Verifying whether risk action plans have been completed

D. Reviewing key risk indicators (KRIS)

When defining thresholds for control key performance indicators (KPIs). it is MOST helpful to align:

A. information risk assessments with enterprise risk assessments.

B. key risk indicators (KRIs) with risk appetite of the business.

C. the control key performance indicators (KPIs) with audit findings.

D. control performance with risk tolerance of business owners.

Which of the following presents the GREATEST challenge to managing an organization's end-user devices?

A. Incomplete end-user device inventory

B. Unsupported end-user applications

C. Incompatible end-user devices

D. Multiple end-user device models

Which of the following activities BEST facilitates effective risk management throughout the organization?

A. Reviewing risk-related process documentation

B. Conducting periodic risk assessments

C. Performing a business impact analysis (BIA)

D. Performing frequent audits

Who should be PRIMARILY responsible for establishing an organization's IT risk culture?

A. Business process owner

B. Executive management

C. Risk management

D. IT management

Which of the following is MOST important to compare against the corporate risk profile?

A. Industry benchmarks

B. Risk tolerance

C. Risk appetite

D. Regulatory compliance

Which of the following is the BEST recommendation to senior management when the results of a risk and control assessment indicate a risk scenario can only be partially mitigated?

A. Implement controls to bring the risk to a level within appetite and accept the residual risk.

B. Implement a key performance indicator (KPI) to monitor the existing control performance.

C. Accept the residual risk in its entirety and obtain executive management approval.

D. Separate the risk into multiple components and avoid the risk components that cannot be mitigated.

Which of the following will MOST improve stakeholders' understanding of the effect of a potential threat?

A. Establishing a risk management committee

B. Updating the organization's risk register to reflect the new threat

C. Communicating the results of the threat impact analysis

D. Establishing metrics to assess the effectiveness of the responses

Which of the following processes BEST enables a risk practitioner to gather evidence about the threat environment for further analysis?

A. Risk assessment

B. Threat modeling

C. Vulnerability scanning

D. Threat intelligence

Which of the following is MOST important for a risk practitioner to confirm when reviewing the disaster recovery plan (DRP)?

A. The DRP covers relevant scenarios.

B. The business continuity plan (BCP) has been documented.

C. Senior management has approved the DRP.

D. The DRP has been tested by an independent third party.

When assigning an IT risk owner, it is ESSENTIAL that the owner has:

A. ownership of the service where the risk exists.

B. authority to commit resources to manage the risk.

C. oversight of the IT function.

D. relevant experience with risk mitigation strategy.

What is the MOST important consideration when establishing key risk indicator (KRI) tolerance levels?

A. Aligning KRI thresholds with the organization's business operations

B. Aligning KRI thresholds with the organization's risk appetite

C. Identifying KRIs that track changes in the organization's risk profile

D. Establishing a reporting and escalation framework