ISACA CRISC - Certified in Risk and Information Systems Control Certification Exam

Question #1 (Topic: Demo Questions)

Which of the following is the MOST important reason to link an effective key control indicator (KCI) to relevant key risk indicators (KRIs)?

A.
To monitor changes in the risk environment
B.
To provide input to management for the adjustment of risk appetite
C.
To monitor the accuracy of threshold levels in metrics
D.
To obtain business buy-in for investment in risk mitigation measures
Correct Answer: A
Explanation:
Key control indicators (KCIs) are metrics that measure how well a specific control is performing in reducing the causes, consequences, or likelihood of a risk. Key risk indicators (KRIs) are metrics that measure changes in the risk exposure or the potential impact of a risk. By linking an effective KCI to relevant KRIs, the organization can monitor changes in the risk environment and assess how the control is influencing the risk level. This can help the organization to: identify emerging or escalating risks and take timely and appropriate actions; evaluate the effectiveness and efficiency of the control and make improvements if needed; align the control with the risk appetite and tolerance of the organization; and communicate the risk and control status to stakeholders and regulators.
Reference = Risk and Information Systems Control Study Manual, Chapter 6: Risk Response and Mitigation
Question #2 (Topic: Demo Questions)

While reviewing an organization's monthly change management metrics, a risk practitioner notes that the number of emergency changes has increased substantially. Which of the following would be the BEST approach for the risk practitioner to take?

A.
Temporarily suspend emergency changes.
B.
Document the control deficiency in the risk register.
C.
Conduct a root cause analysis.
D.
Continue monitoring change management metrics.
Correct Answer: C
Explanation:
According to the CRISC Review Manual, a root cause analysis is a technique that identifies the underlying causes of an event or a problem. It helps to determine the most effective actions to prevent or mitigate the recurrence of the event or problem. A root cause analysis is the best approach for the risk practitioner to take in this scenario, because it will help to understand why the number of emergency changes has increased substantially and what can be done to address the issue. The other options are not the best approaches, because they do not address the underlying causes of the problem. Temporarily suspending emergency changes may disrupt business operations and create more risks. Documenting the control deficiency in the risk register is a passive action that does not resolve the problem. Continuing to monitor change management metrics is an ongoing activity that does not provide any insight into the problem.
Reference = CRISC Review Manual, 7th Edition, Chapter 3, Section 3.2.4, page 130.
Question #3 (Topic: Demo Questions)

An organization plans to implement a new Software as a Service (SaaS) speech-to-text solution. Which of the following is MOST important to mitigate risk associated with data privacy?

A.
Secure encryption protocols are utilized.
B.
Multi-factor authentication is set up for users.
C.
The solution architecture is approved by IT.
D.
A risk transfer clause is included in the contract.
Correct Answer: A
Explanation:
Utilizing secure encryption protocols is the most important factor to mitigate risk associated with data privacy when implementing a new Software as a Service (SaaS) speech-to-text solution, as it ensures that the data is protected from unauthorized access, interception, or modification during transmission and storage in the cloud. Setting up multi-factor authentication for users, having IT approve the solution architecture, and including a risk transfer clause in the contract are not the most important factors, as they do not address the data privacy issue itself but rather the data access, quality, or liability issue, respectively.
Reference = CRISC Review Manual, 7th Edition, page 153.
Question #4 (Topic: Demo Questions)

A risk practitioner is defining metrics for security threats that were not identified by antivirus software. Which type of metric is being developed?

A.
Key control indicator (KCI)
B.
Key risk indicator (KRI)
C.
Operational level agreement (OLA)
D.
Service level agreement (SLA)
Correct Answer: B
Explanation:
A KRI is a measure used by an organization to measure the health of a particular risk. In this case, the risk practitioner is developing a metric to measure the risk associated with security threats that were not identified by antivirus software [1][2].
References
[1] Standardized Scoring for Security and Risk Metrics - ISACA
[2] Key Performance Indicators for Security Governance, Part 1 - ISACA
Question #5 (Topic: Demo Questions)

When a high number of approved exceptions are observed during a review of a control procedure, an organization should FIRST initiate a review of the:

A.
Relevant policies.
B.
Threat landscape.
C.
Awareness program.
D.
Risk heat map.
Correct Answer: A
Explanation:
A high number of exceptions often indicates misalignment between policies and business needs. Reviewing the policies helps determine whether they are overly restrictive or need adjustment to reduce exceptions while maintaining security.