CRISC Free Study Guide! with New Update 1196 Exam Questions [Q263-Q283]

Get up-to-date Real Exam Questions for CRISC UPDATED [2023]


The CRISC certification exam is designed to provide professionals with the knowledge and skills needed to identify, assess, and manage risks related to information systems. The Certified in Risk and Information Systems Control certification is highly valued by employers because it demonstrates an individual's ability to manage and mitigate risks associated with IT systems. It also demonstrates the individual's commitment to professional development and their dedication to improving their skills and knowledge in the field.

To qualify for the CRISC certification, candidates must have at least three years of experience in the field of information systems control and risk management, with a minimum of one year of experience in each of the four domains. The CRISC exam consists of 150 multiple-choice questions and is offered in English, Spanish, Chinese, and other languages. The exam is administered by ISACA, a global nonprofit organization that supports professionals in the fields of information systems audit, security, risk management, and governance.

To be eligible to take the exam, candidates must have at least three years of experience in the fields of risk management or information systems control, as well as a solid understanding of the principles and practices of these areas. Additionally, candidates must meet certain educational requirements and agree to abide by the ISACA Code of Professional Ethics.


NEW QUESTION # 263
An organization is considering allowing users to access company data from their personal devices. Which of the following is the MOST important factor when assessing the risk?

  • A. Remote management capabilities
  • B. Classification of the data
  • C. Volume of data
  • D. Type of device

Answer: A


NEW QUESTION # 264
An organization has introduced risk ownership to establish clear accountability for each process. To ensure effective risk ownership, it is MOST important that:

  • A. segregation of duties exists between risk and process owners.
  • B. process ownership aligns with IT system ownership.
  • C. senior management has oversight of the process.
  • D. risk owners have decision-making authority.

Answer: C


NEW QUESTION # 265
Shawn is the project manager of the HWT project. In this project, Shawn's team reports that they have found a way to complete the project work more cheaply than was originally estimated. The project team presents new software that will help automate the project work. While the software and the associated training cost $25,000, it will save the project nearly $65,000 in total costs. Shawn agrees to the software and changes the project management plan accordingly. What type of risk response has he used?

  • A. Exploiting
  • B. Avoiding
  • C. Accepting
  • D. Enhancing

Answer: A

Explanation:
A risk event is being exploited so as to identify the opportunities for positive impacts. Exploit response is one of the strategies to negate risks or threats that appear in a project. This strategy may be selected for risks with positive impacts where the organization wishes to ensure that the opportunity is realized.
Exploiting a risk event provides opportunities for positive impact on a project. Assigning more talented resources to the project to reduce the time to completion is an example of exploit response.
Incorrect Answers:
A: To avoid a risk means to evade it altogether, eliminate the cause of the risk event, or change the project plan to protect the project objectives from the risk event.
B: Accepting is a risk response that is appropriate for positive or negative risk events. It does not pursue the risk, but documents the event and allows the risk to happen. Often acceptance is used for low probability and low impact risk events.
D: Enhancing is a positive risk response that aims to increase the probability and/or impact of the risk event.


NEW QUESTION # 266
Which of the following is the BEST course of action when risk is found to be above the acceptable risk appetite?

  • A. Review risk tolerance levels.
  • B. Maintain the current controls.
  • C. Analyze the effectiveness of controls.
  • D. Execute the risk response plan.

Answer: C


NEW QUESTION # 267
Which of the following BEST enables a proactive approach to minimizing the potential impact of unauthorized data disclosure?

  • A. Cyber insurance
  • B. Incident response plan
  • C. Data backups
  • D. Key risk indicators (KRIs)

Answer: B


NEW QUESTION # 268
Effective risk communication BEST benefits an organization by:

  • A. assisting the development of a risk register
  • B. helping personnel make better informed decisions
  • C. increasing participation in the risk assessment process
  • D. improving the effectiveness of IT controls

Answer: D


NEW QUESTION # 269
Jeff works as a Project Manager for www.company.com Inc. He and his team members are involved in the identify risk process. Which of the following tools & techniques will Jeff use in the identify risk process?
Each correct answer represents a complete solution. (Choose three.)

  • A. Documentation reviews
  • B. Risk categorization
  • C. Checklist analysis
  • D. Information gathering technique

Answer: A,C,D

Explanation:
The various tools & techniques used in the Identify Risks process are as follows:
* Documentation reviews
* Information gathering techniques
* Checklist analysis
* Assumption analysis
* Diagramming techniques
* SWOT analysis
* Expert judgment


NEW QUESTION # 270
You work as a project manager for BlueWell Inc. You have declined a proposed change request because of the risk associated with the proposed change request. Where should the declined change request be documented and stored?

  • A. Project document updates
  • B. Lessons learned
  • C. Change request log
  • D. Project archives

Answer: C

Explanation:
The change request log records the status of all change requests, approved or declined.
The change request log is used as an account of change requests and as a means of tracking their disposition on a current basis. It introduces a measure of consistency into the change management process, encourages common inputs into the process, and provides a common estimation approach for all change requests. As the log is an important component of project requirements, it should be readily available to the project team members responsible for project delivery. It should be maintained in a file with read-only access for those who are not responsible for approving or disapproving project change requests.
Incorrect Answers:
B: The project archive includes all project documentation and is created through the Close Project or Phase process. It is not the best choice for this question.
C: Lessons learned are not the correct place to document the status of a declined, or approved, change request.
D: Project document updates are not the best choice, since a declined change does not need to be fleshed into the project documents; declined changes are part of the change request log.


NEW QUESTION # 271
Prudent business practice requires that risk appetite not exceed:

  • A. residual risk.
  • B. risk capacity.
  • C. risk tolerance.
  • D. inherent risk.

Answer: C


NEW QUESTION # 272
You are the project manager for your organization's project to install new workstations, servers, and cabling throughout a new building into which your company will be moving. The vendor for the project informs you that the cost of the cabling has increased for some reason. This new cost will cause the cost of your project to increase by nearly eight percent. What change control system should the costs be entered into for review?

  • A. Contract change control system
  • B. Cost change control system
  • C. Scope change control system
  • D. Only changes to the project scope should pass through a change control system.

Answer: B

Explanation:
Because this change affects the cost of the deliverable, it should pass through the cost change control system. The cost change control system reviews the reason why the change has happened, what the cost affects, and how the project should respond.
Incorrect Answers:
B: This is not a contract change. There is no evidence that a contract exists or that the cost of the materials is outside the terms of a contract, if one existed. Consider a time-and-materials contract, where a change of this nature could be acceptable under the terms of the contract. If the vendor wanted to change the terms of the contract, then it would be appropriate to enter the change into the contract change control system.
C: The scope of the project will not change due to the cost of the materials.
D: There are four change control systems that should always be considered for a change: schedule, cost, scope, and contract.


NEW QUESTION # 273
An organization has four different projects competing for funding to reduce overall IT risk. Which project should management defer?

  • A. Project Bravo
  • B. Project Delta
  • C. Project Alpha
  • D. Project Charlie

Answer: D


NEW QUESTION # 274
Which of the following processes addresses the risks by their priorities, schedules the project management plan as required, and inserts resources and activities into the budget?

  • A. Identify Risks
  • B. Monitor and Control Risk
  • C. Plan risk response
  • D. Qualitative Risk Analysis

Answer: C

Explanation:
The Plan Risk Responses project management process aims to reduce the threats to the project objectives and to increase opportunities. It follows the Perform Qualitative Risk Analysis and Perform Quantitative Risk Analysis processes. The Plan Risk Responses process includes assigning a risk response owner who takes responsibility for each agreed-to and funded risk response. This process addresses the risks by their priorities, schedules the project management plan as required, and inserts resources and activities into the budget.
The inputs to the Plan Risk Responses process are as follows:
* Risk register
* Risk management plan
Incorrect Answers:
A: Monitor and Control Risk is the process of implementing risk response plans, tracking identified risks, monitoring residual risk, identifying new risks, and evaluating risk process effectiveness throughout the project. It can involve choosing alternative strategies, executing a contingency or fallback plan, taking corrective action, and modifying the project management plan.
C: Identify Risks is the process of determining which risks may affect the project. It also documents risks' characteristics. The Identify Risks process is part of the Project Risk Management knowledge area. As new risks may evolve or become known as the project progresses through its life cycle, Identify Risks is an iterative process. The process should involve the project team so that they can develop and maintain a sense of ownership and responsibility for the risks and associated risk response actions. The risk register is the only output of this process.
D: Qualitative analysis is the definition of risk factors in terms of high/medium/low or a numeric scale (1 to 10). Hence it determines the nature of risk on a relative scale.
Some of the qualitative methods of risk analysis are:
* Scenario analysis: This is a forward-looking process that can reflect risk for a given point in time.
* Risk Control Self-Assessment (RCSA): RCSA is used by enterprises (such as banks) for the identification and evaluation of operational risk exposure. It is a logical first step and assumes that business owners and managers are closest to the issues and have the most expertise as to the source of the risk. RCSA is a constructive process that compels business owners to contemplate, and then explain, the issues at hand, with the added benefit of increasing their accountability.


NEW QUESTION # 275
To reduce costs, an organization is combining the second and third lines of defense in a new department that reports to a recently appointed C-level executive. Which of the following is the GREATEST concern with this situation?

  • A. The independence of the internal third line of defense may be compromised.
  • B. The new structure is not aligned to the organization's internal control framework.
  • C. Cost reductions may negatively impact the productivity of other departments.
  • D. The risk governance approach of the second and third lines of defense may differ.

Answer: A


NEW QUESTION # 276
Jane is the project manager of the NHJ Project for her company. She has identified several positive risk events within her project and thinks these events can save the project time and money. Positive risk events such as these within the NHJ Project are referred to as:

  • A. Benefits
  • B. Residual risk
  • C. Opportunities
  • D. Contingency risks

Answer: C

Explanation:
A positive risk event is also known as an opportunity. Opportunities within the project to save time and money must be evaluated, analyzed, and responded to.
Incorrect Answers:
A: A contingency risk is not a valid risk management term.
B: Benefits are the good outcomes of a project endeavor. Benefits usually have a cost factor associated with them.
C: Residual risk is the risk that remains after applying controls. It is not feasible to eliminate all risks from an organization. Instead, measures can be taken to reduce risk to an acceptable level. The risk that is left is residual risk.


NEW QUESTION # 277
During an acquisition, which of the following would provide the MOST useful input to the parent company's risk practitioner when developing risk scenarios for the post-acquisition phase?

  • A. IT balanced scorecard of each company
  • B. Most recent internal audit findings from both companies
  • C. Risk management framework adopted by each company
  • D. Risk registers of both companies

Answer: A


NEW QUESTION # 278
Which of the following are risk components of the COSO ERM framework?
Each correct answer represents a complete solution. Choose three.

  • A. Risk response
  • B. Business continuity
  • C. Control activities
  • D. Internal environment

Answer: A,C,D

Explanation:
The risk components defined by COSO ERM are internal environment, objective setting, event identification, risk assessment, risk response, control activities, information and communication, and monitoring.
Incorrect Answers:
B: Business continuity is not considered a risk component within the ERM framework.


NEW QUESTION # 279
Which of the following would be the BEST justification to invest in the development of a governance, risk, and compliance (GRC) solution?

  • A. Facilitating risk-aware decision making by stakeholders
  • B. Ensuring compliance to industry standards
  • C. Demonstrating management commitment to mitigate risk
  • D. Closing audit findings on a timely basis

Answer: A


NEW QUESTION # 280
To mitigate the risk of using a spreadsheet to analyze financial data, IT has engaged a third-party vendor to deploy a standard application to automate the process. Which of the following parties should own the risk associated with calculation errors?

  • A. Risk manager
  • B. Third-party provider
  • C. IT department
  • D. Business owner

Answer: D


NEW QUESTION # 281
You are the project manager for TTP project. You are in the Identify Risks process. You have to create the risk register. Which of the following are included in the risk register?
Each correct answer represents a complete solution. (Choose two.)

  • A. List of key stakeholders
  • B. List of identified risks
  • C. List of mitigation techniques
  • D. List of potential responses

Answer: B,D

Explanation:
A risk register primarily contains the following:
* List of identified risks: A reasonable description of the identified risks is noted in the risk register. The description includes the event, cause, effect, and impact related to the risks identified. In addition to the list of identified risks, the root causes of those risks may appear in the risk register.
* List of potential responses: Potential responses to a risk may be identified during the Identify Risks process. These responses are useful as inputs to the Plan Risk Responses process.
Incorrect Answers:
B: This is not valid content for a risk register.
A risk register is an inventory of risks and the exposure associated with those risks. Risk registers are commonly used in project management practice and provide information to identify, analyze, and manage risks. Typically a risk register contains:
* A description of the risk
* The impact should this event actually occur
* The probability of its occurrence
* Risk Score (the multiplication of Probability and Impact)
* A summary of the planned response should the event occur
* A summary of the mitigation (the actions taken in advance to reduce the probability and/or impact of the event)
* Ranking of risks by Risk Score so as to highlight the highest priority risks to all involved.
C: A risk register does contain a summary of mitigation, but only after risk responses have been applied. In this scenario you are in the risk identification phase, so mitigation techniques cannot be documented at this point.


NEW QUESTION # 282
A risk assessment has identified increased losses associated with an IT risk scenario. It is MOST important for the risk practitioner to:

  • A. implement additional controls.
  • B. reevaluate inherent risk.
  • C. update the risk rating.
  • D. develop new risk scenarios.

Answer: A

