We provide real CRISC exam questions and answers braindumps in two formats.

Q46.  - (Topic 1)

What type of policy would an organization use to forbid its employees from using organizational e-mail for personal use?

A. Anti-harassment policy

B. Acceptable use policy

C. Intellectual property policy

D. Privacy policy

Answer: B


An acceptable use policy is a set of rules applied by the owner/manager of a network, website or large computer system that restrict the ways in which the network site or system may be used. Acceptable Use Policies are an integral part of the framework of information security policies.

Answer: D is incorrect. A privacy policy is a statement or a legal document (privacy law) that discloses some or all of the ways a party gathers, uses, discloses and manages a customer's or client's data.

Answer: C and A are incorrect. These two policies are not related to information system security.

Q47.  - (Topic 4)

How are the potential choices of risk-based decisions represented in decision tree analysis?

A. End node

B. Root node

C. Event node

D. Decision node

Answer: D


The potential choices of risk-based decisions are represented in decision tree analysis by decision nodes, as decision nodes refer to the available choices.

Answer: B is incorrect. Root nodes represent the start of a decision tree.

Answer: A is incorrect. End nodes are the final outcomes of the entire decision tree framework, especially in multilayered decision-making situations.

Answer: C is incorrect. Event nodes represent the possible uncertain outcomes of the decision, not the available choices.

Q48.  - (Topic 1)

What is the process for selecting and implementing measures to impact risk called?

A. Risk Treatment

B. Control

C. Risk Assessment

D. Risk Management

Answer: A


The process for selecting and implementing measures for impacting risk in the environment is called risk treatment.

Answer: D is incorrect. Risk management is the coordinated activities for directing and controlling the treatment of risk in the organization.

Answer: C is incorrect. The process of analyzing and evaluating risk is called risk assessment.

Q49.  - (Topic 3)

Which among the following acts as a trigger for the risk response process?

A. Risk level increases above risk appetite

B. Risk level increases above risk tolerance

C. Risk level equates risk appetite

D. Risk level equates the risk tolerance

Answer: B


The risk response process is triggered when a risk exceeds the enterprise's risk tolerance level. The acceptable variation relative to the achievement of an objective is termed risk tolerance. In other words, risk tolerance is the acceptable deviation from the level set by the risk appetite and business objectives.

Risk tolerance is defined at the enterprise level by the board and clearly communicated to all stakeholders. A process should be in place to review and approve any exceptions to such standards.

Answer: C and A are incorrect. The risk appetite level is not relevant in triggering the risk response process. Risk appetite is the amount of risk a company or other entity is willing to accept in pursuit of its mission. It is the board's responsibility to decide the risk appetite of an enterprise. When considering the risk appetite levels for the enterprise, the following two major factors should be taken into account:

The enterprise's objective capacity to absorb loss, e.g., financial loss, reputation damage, etc.

The culture towards risk taking (cautious or aggressive). In other words, the amount of loss the enterprise wants to accept in pursuit of its objectives.

Answer: D is incorrect. The risk response process is triggered when the risk level rises above the risk tolerance level of the enterprise, not when it merely equals the risk tolerance level.

Q50.  - (Topic 4)

What are the functions of the auditor while analyzing risk?

Each correct answer represents a complete solution. Choose three.

A. Aids in determining audit objectives

B. Identify threats and vulnerabilities to the information system

C. Provide information for evaluation of controls in audit planning

D. Supporting decision based on risks

Answer: A,C,D


A risk analysis involves identifying the most probable threats to an organization and analyzing the related vulnerabilities of the organization to these threats. A risk from an organizational perspective consists of:

Threats to various processes of the organization.

Threats to physical and information assets.

Likelihood and frequency of occurrence of the threat.

Impact on assets from the threat and vulnerability.

Risk analysis allows the auditor to do the following tasks:

Identify threats and vulnerabilities to the enterprise and its information system.

Provide information for evaluation of controls in audit planning.

Aid in determining audit objectives.

Support decisions based on risks.

Answer: B is incorrect. Auditors identify threats and vulnerabilities not only in the IT system but in the whole enterprise as well.

Q51.  - (Topic 3)

You are the project manager of your enterprise. You have introduced an intrusion detection system as a control. You have identified a warning of a violation of your enterprise's security policies. What type of control is an intrusion detection system (IDS)?

A. Detective

B. Corrective

C. Preventative

D. Recovery

Answer: A


An intrusion detection system (IDS) is a device or software application that monitors network and/or system activities for malicious activities or policy violations and produces reports to a Management Station. Some systems may attempt to stop an intrusion attempt but this is neither required nor expected of a monitoring system. Intrusion detection and prevention systems (IDPS) are primarily focused on identifying possible incidents, logging information about them, and reporting attempts. In addition, organizations use IDPS for other purposes, such as identifying problems with security policies, documenting existing threats, and deterring individuals from violating security policies.

As an IDS detects and gives a warning when a violation of the enterprise's security policies occurs, it is a detective control.

Answer: C is incorrect. As an IDS only detects the problem when it occurs and not before it occurs, it is not a preventive control.

Answer: B is incorrect. Corrective controls make an effort to reduce the impact of a threat from problems discovered by detective controls. As an IDS only detects but does not reduce the impact, it is not a corrective control.

Answer: D is incorrect. Recovery controls make efforts to overcome the impact of the incident on the business, hence an IDS is not a recovery control.

Q52.  - (Topic 2)

Which of the following is NOT true for risk governance?

A. Risk governance is based on the principles of cooperation, participation, mitigation and sustainability, and is adopted to achieve more effective risk management.

B. Risk governance requires reporting once a year.

C. Risk governance seeks to reduce risk exposure and vulnerability by filling gaps in risk policy.

D. Risk governance is a systemic approach to decision-making processes associated with natural and technological risks.

Answer: B


Risk governance is a continuous life cycle that requires regular reporting and ongoing review, not once a year.

Answer: D, A, and C are incorrect. These are true for risk governance.

Q53. - (Topic 1)

Stephen is the project manager of the GBB project. He has worked with two subject matter experts and his project team to complete the risk assessment technique. There are approximately 47 risks that have a low probability and a low impact on the project. Which of the following answers best describes what Stephen should do with these risk events?

A. Because they are low probability and low impact, Stephen should accept the risks.

B. The low probability and low impact risks should be added to a watchlist for future monitoring.

C. Because they are low probability and low impact, the risks can be dismissed.

D. The low probability and low impact risks should be added to the risk register.

Answer: B


The low probability and low impact risks should be added to a watchlist for future monitoring.

Answer: A is incorrect. The risk response for these events may be to accept them, but the best answer is to first add them to a watchlist.

Answer: C is incorrect. Risks are not dismissed; they are at least added to a watchlist for monitoring.

Answer: D is incorrect. While the risks may eventually be added to the register, the best answer is to first add them to the watchlist for monitoring.

Q54.  - (Topic 3)

While considering entity-based risks, which dimension of the COSO ERM framework is being referred to?

A. Organizational levels

B. Risk components

C. Strategic objectives

D. Risk objectives

Answer: A


The organizational levels dimension of the COSO ERM framework describes the subsidiary, business unit, division, and entity levels at which risk is addressed.

Answer: C is incorrect. Strategic objectives include strategic, operational, reporting, and compliance risks, not entity-based risks.

Answer: B is incorrect. Risk components include Internal Environment, Objective Setting, Event Identification, Risk Assessment, Risk Response, Control Activities, Information and Communication, and Monitoring.

Answer: D is incorrect. This is not a valid answer.

Q55.  - (Topic 2)

Which of the following phases are involved in Data Extraction, Validation, Aggregation and Analysis?

A. Risk response and Risk monitoring

B. Requirements gathering, Data access, Data validation, Data analysis, and Reporting and corrective action

C. Data access and Data validation

D. Risk identification, Risk assessment, Risk response and Risk monitoring

Answer: B


The basic concepts related to data extraction, validation, aggregation and analysis are important, as KRIs often rely on digital information from diverse sources. The phases involved are:

Requirements gathering: A detailed plan and the project's scope are required for monitoring risks. In the case of a monitoring project, this step should involve process owners, data owners, system custodians and other process stakeholders.

Data access: In the data access process, management identifies which data are available and how they can be acquired in a format that can be used for analysis. There are two options for data extraction:

Extracting data directly from the source systems after system owner approval

Receiving data extracts from the system custodian (IT) after system owner approval

Direct extraction is preferred, especially since this involves management monitoring its own controls, instead of auditors/third parties monitoring management's controls. If it is not feasible to get direct access, a data access request form should be submitted to the data owners that details the appropriate data fields to be extracted. The request should specify the method of delivery for the file.

Data validation: Data validation ensures that extracted data are ready for analysis. One of its important objectives is to perform tests examining the data quality to ensure data are valid, complete and free of errors. This may also involve making data from different sources suitable for comparative analysis. The following concepts should be considered while validating data:

Ensure the validity, i.e., data match definitions in the table layout

Ensure that the data are complete

Ensure that extracted data contain only the data requested

Identify missing data, such as gaps in sequence or blank records

Identify and confirm the validity of duplicates

Identify the derived values

Check if the data given are reasonable or not

Identify the relationship between table fields

Record, in a transaction or detail table, that the record has no match in a master table

Data analysis: Analysis of data involves a simple set of steps or a complex combination of commands and other functionality. Data analysis is designed in such a way as to achieve the stated objectives from the project plan. Although this may be applicable to any monitoring activity, it would be beneficial to consider transferability and scalability. This may include robust documentation, use of software development standards and naming conventions.

Reporting and corrective action: According to the requirements of the monitoring objectives and the technology being used, the reporting structure and distribution are decided. Reporting procedures indicate to whom outputs from the automated monitoring process are distributed so that they are directed to the right people, in the right format, etc. Similar to the data analysis stage, reporting may also identify areas in which changes to the sensitivity of the reporting parameters or the timing and frequency of the monitoring activity may be required.

Answer: D is incorrect. These are the phases involved in risk management.

Q56.  - (Topic 2)

What are the various outputs of risk response?

A. Risk Priority Number

B. Residual risk

C. Risk register updates

D. Project management plan and Project document updates

E. Risk-related contract decisions

Answer: C,D,E


The outputs of the risk response planning process are:

Risk Register Updates: The risk register is written in detail so that it can be related to the priority ranking and the planned response.

Risk-Related Contract Decisions: Risk-related contract decisions are the decisions to transfer risk, such as services, agreements for insurance, and other items as required. They provide a means for sharing risks.

Project Management Plan Updates: Some of the elements of the project management plan updates are:

Schedule management plan

Cost management plan

Quality management plan

Procurement management plan

Human resource management plan

Work breakdown structure

Schedule baseline

Cost performance baseline

Project Document Updates: Some of the project documents that can be updated include:

Assumption log updates

Technical documentation updates

Answer: B is incorrect. Residual risk is not an output of risk response. Residual risk is the risk that remains after applying controls. It is not feasible to eliminate all risks from an organization. Instead, measures can be taken to reduce risk to an acceptable level. The risk that is left is residual risk.


Risk = Threat × Vulnerability, and

Total risk = Threat × Vulnerability × Asset Value

Residual risk can be calculated with the following formula: Residual Risk = Total Risk - Controls

Senior management is responsible for any losses due to residual risk. They decide whether a risk should be avoided, transferred, mitigated or accepted. They also decide what controls to implement. Any loss due to their decisions falls on them.

Residual risk assessments are conducted after mitigation to determine the impact of the risk on the enterprise. For risk assessment, the effect and frequency are reassessed and the impact is recalculated.

Answer: A is incorrect. The risk priority number is not an output of risk response; it is determined before applying a response. Hence it acts as one of the inputs to risk response, not an output of it.

Q57.  - (Topic 4)

Which of the following is the greatest risk to reporting?

A. Integrity of data

B. Availability of data

C. Confidentiality of data

D. Reliability of data

Answer: D


Reporting risk arises from wrong reporting, which leads to bad decisions; those bad decisions in turn put the functioning of the organization at risk. Therefore, the greatest risk to reporting is the reliability of data. Reliability of data refers to the accuracy, robustness, and timing of the data.

Answer: A, B, and C are incorrect. Integrity, availability, and confidentiality of data are also important, but these three in combination come under reliability itself.

Q58.  - (Topic 2)

Which of the following is the most accurate definition of a project risk?

A. It is an unknown event that can affect the project scope.

B. It is an uncertain event or condition within the project execution.

C. It is an uncertain event that can affect the project costs.

D. It is an uncertain event that can affect at least one project objective.

Answer: D


Risk is an uncertain event or condition that, if it occurs, has an effect on at least one project objective.

Project risk is concerned with the expected value of one or more results of one or more future events in a project. It is an uncertain condition that, if it occurs, has an effect on at least one project objective. Objectives can be scope, schedule, cost, and quality. Project risk is always in the future.

Answer: A is incorrect. Risk is not unknown, it is uncertain; in addition, the event can affect at least one project objective - not just the project scope.

Answer: B is incorrect. This statement is almost true, but the event does not have to happen within project execution.

Answer: C is incorrect. Risks can affect time, costs, or scope, rather than only cost.

Q59.  - (Topic 1)

You are the risk official of your enterprise. Your enterprise takes important decisions without considering credible risk information and is also unaware of external requirements for risk management and integration with enterprise risk management. In which of the following risk management capability maturity levels does your enterprise exist?

A. Level 1

B. Level 0

C. Level 5

D. Level 4

Answer: B


Level 0, nonexistent: An enterprise's risk management capability maturity level is 0 when:

The enterprise does not recognize the need to consider risk management or the business impact from IT risk.

Decisions involving risk lack credible information.

Awareness of external requirements for risk management and integration with enterprise risk management (ERM) does not exist.

Answer: A, C, and D are incorrect. These are all much higher levels of the risk management capability maturity model, and at all of them the enterprise does take decisions considering credible risk information. Moreover, at these levels the enterprise is aware of external requirements for risk management and integrates with ERM.

Q60.  - (Topic 1)

Which of the following are the principles of access controls?

Each correct answer represents a complete solution. Choose three.

A. Confidentiality

B. Availability

C. Reliability

D. Integrity

Answer: A,B,D


The principles of access controls focus on availability, integrity, and confidentiality, as loss or danger is directly related to these three:

Loss of confidentiality: Someone sees a password or a company's secret formula; this is referred to as loss of confidentiality.

Loss of integrity: An e-mail message is modified in transit, a virus infects a file, or someone makes unauthorized changes to a Web site; this is referred to as loss of integrity.

Loss of availability: An e-mail server is down and no one has e-mail access, or a file server is down so data files aren't available; this comes under loss of availability.