Isaca CRISC Exam Practice Test Instant Access

Question 1

During the creation of an organization's IT risk management program, the BEST time to identify key risk indicators (KRIs) is while:

AInterviewing data owners

BReviewing risk response plans with internal audit

CDeveloping a risk monitoring process

DReviewing an external risk assessment

Answer : C

KRIs should be identified during the development of a risk monitoring process to ensure alignment with organizational objectives and effective risk tracking. This reflects Proactive Risk Monitoring.

Question 2

An organization recently implemented a cybersecurity awareness program that includes phishing simulation exercises for all employees. What type of control is being utilized?

APreventive

BCompensating

CDeterrent

DDetective

Answer : C

Phishing simulations serve as a deterrent by highlighting the consequences of risky behavior and reinforcing secure practices, reducing the likelihood of successful attacks. This supports Behavioral Risk Management.

Question 3

An organization has established a policy prohibiting ransom payments if subjected to a ransomware attack. Which of the following is the MOST effective control to support this policy?

AConducting periodic vulnerability scanning

BCreating immutable backups

CPerforming required patching

DImplementing continuous intrusion detection monitoring

Answer : B

Immutable backups ensure data recovery without paying ransom, supporting the organization's policy and reducing the impact of ransomware attacks. This aligns with Business Continuity and Recovery Controls.

Question 4

A business unit is updating a risk register with assessment results for a key project. Which of the following is MOST important to capture in the register?

AThe methodology used to perform the risk assessment

BAction plans to address risk scenarios requiring treatment

CDate and status of the last project milestone

DThe individuals assigned ownership of controls

Answer : B

Including action plans ensures that identified risks are appropriately addressed, providing clarity and accountability for treatment activities. This aligns with Risk Treatment and Reporting.

Question 5

Within the three lines of defense model, the PRIMARY responsibility for ensuring risk mitigation controls are properly configured belongs with:

ALine management

BThe IT risk function

CEnterprise compliance

DInternal audit

Answer : A

Line management owns the day-to-day responsibility for configuring and maintaining controls, ensuring they align with the organization's risk management strategy. This is central to Operational Risk Management.

Question 6

Concerned about system load capabilities during the month-end close process, management requires monitoring of the average time to complete tasks and monthly reporting of the findings. What type of measure has been established?

AService level agreement (SLA)

BCritical success factor (CSF)

CKey risk indicator (KRI)

DKey performance indicator (KPI)

Answer : D

Key performance indicators (KPIs) measure operational performance, such as the average time to complete tasks, providing insights into system efficiency during critical processes. This supports Performance Monitoring Practices.

Question 7

An organization has identified the need to implement an asset tiering model to establish the appropriate level of impact. Which of the following is the MOST effective risk assessment methodology for a risk practitioner to use for this initiative?

AQualitative method

BIndustry calibration method

CThreat-based method

DQuantitative method

Answer : D

A quantitative method provides objective metrics to establish impact levels, which is essential for tiering assets based on their criticality. This aligns with Risk Assessment Best Practices.

Isaca Certified in Risk and Information Systems Control Exam Practice Test