All About Approved CRISC exam question

CRISC Royal Pack Testengine pdf

100% Actual & Verified — 100% PASS

Unlimited access to the world's largest Dumps library! Try it Free Today!

Product Description:
Exam Number/Code: CRISC
Exam name: Certified in Risk and Information Systems Control
n questions with full explanations
Certification: Isaca Certification
Last updated on Global synchronizing

Free Certification Real IT CRISC Exam pdf Collection

Downloadable of CRISC real exam materials and practice exam for Isaca certification for IT candidates, Real Success Guaranteed with Updated CRISC pdf dumps vce Materials. 100% PASS Certified in Risk and Information Systems Control exam Today!

Q81.  - (Topic 2)

Which of the following process ensures that the risk response strategy remains active and that proposed controls are implemented according to schedule?

A. Risk management

B. Risk response integration

C. Risk response implementation

D. Risk response tracking

Answer: D


Risk response tracking tracks the ongoing status of risk mitigation processes as part of risk response process. This tracking ensures that the risk response strategy remains active and that proposed controls are implemented according to schedule. When an enterprise is conscious of a risk, but does not have an appropriate risk response strategy, then it lead to the increase of the liability of the organization to adverse publicity or even civil or criminal penalties.

Answer: C is incorrect. Implementation of risk response ensures that the risks analyzed in risk analysis process are being lowered to level that the enterprise can accept, by applying appropriate controls.

Answer: B is incorrect. Integrating risk response options to address more than one risk together, help in achieving greater efficiency.

The use of techniques that are versatile and enterprise-wide, rather than individual solutions provides better justification for risk response strategies and related costs. 

Answer: A is incorrect. Risk management provides an approach for individuals and groups to make a decision on how to deal with potentially harmful situations

Q82.  - (Topic 3)

You are the project manager of GHT project. Your hardware vendor left you a voicemail saying that the delivery of the equipment you have ordered would not arrive on time. You identified a risk response strategy for this risk and have arranged for a local company to lease you the needed equipment until yours arrives. This is an example of which risk response strategy?

A. Avoid

B. Transfer

C. Acceptance

D. Mitigate

Answer: D


Mitigation attempts to reduce the impact of a risk event in case it occurs. Making plans to arrange for the leased equipment reduces the consequences of the risk and hence this response in mitigation.

Answer:B is incorrect. Risk transfer means that impact of risk is reduced by transferring or otherwise sharing a portion of the risk with an external organization or another internal entity. Transfer of risk can occur in many forms but is most effective when dealing with financial risks. Insurance is one form of risk transfer.

Here there no such action is taken, hence it is not a risk transfer.

Answer:C is incorrect. Risk acceptance means that no action is taken relative to a particular risk; loss is accepted if it occurs. If an enterprise adopts a risk acceptance, it should carefully consider who can accept the risk. Risk should be accepted only by senior management in relationship with senior management and the board. There are two alternatives to the acceptance strategy, passive and active.

Passive acceptance means that enterprise has made no plan to avoid or mitigate the risk

but willing to accept the consequences of the risk.

Active acceptance is the second strategy and might include developing contingency plans and reserves to deal with risks.

Answer:A is incorrect. Risk avoidance means to evade risk altogether, eliminate the cause of the risk event, or change the project plan to protect the project objectives from the risk event. Risk avoidance is applied when the level of risk, even after the applying controls, would be greater than the risk tolerance level of the enterprise. Hence this risk response is adopted when:

There is no other cost-effective response that can successfully reduce the likelihood and magnitude below the defined thresholds for risk appetite.

The risk cannot be shared or transferred.

The risk is deemed unacceptable by management.

Q83.  - (Topic 2)

You are working in an enterprise. You project deals with important files that are stored on the computer. You have identified the risk of the failure of operations. To address this risk of failure, you have guided the system administrator sign off on the daily backup. This scenario is an example of which of the following?

A. Risk avoidance

B. Risk transference

C. Risk acceptance

D. Risk mitigation

Answer: D


Mitigation is the strategy that provides for the definition and implementation of controls to address the risk described. Here in this scenario, you are trying to reduce the risk of operation failure by guiding administrator to take daily backup, hence it is risk mitigation. Risk mitigation attempts to reduce the probability of a risk event and its impacts to an acceptable level. Risk mitigation can utilize various forms of control carefully integrated together. The main control types are:


Technical (e.g., tools such as firewalls and intrusion detection systems) Operational (e.g., procedures, separation of duties)

Preparedness activities

Answer: B is incorrect. The scenario does not describe the sharing of risk. Transference is the strategy that provides for sharing risk with partners or taking insurance coverage. 

Answer: A is incorrect. The scenario does not describe risk avoidance. Avoidance is a strategy that provides for not implementing certain activities or processes that would incur risk.

Answer: C is incorrect. The scenario does not describe risk acceptance, Acceptance is a strategy that provides for formal acknowledgement of the existence of a risk and the monitoring of that risk.

Q84.  - (Topic 4)

You are the project manager of GHT project. A risk event has occurred in your project and you have identified it. Which of the following tasks you would do in reaction to risk event occurrence? Each correct answer represents a part of the solution. Choose three.

A. Monitor risk

B. Maintain and initiate incident response plans

C. Update risk register

D. Communicate lessons learned from risk events

Answer: A,B,D


When the risk events occur then following tasks have to done to react to it: Maintain incident response plans

Monitor risk

Initiate incident response

Communicate lessons learned from risk events

Answer:C is incorrect. Risk register is updated after applying appropriate risk response and at the time of risk event occurrence.

Q85.  - (Topic 2)

You are the project manager of GHT project. During the data extraction process you evaluated the total number of transactions per year by multiplying the monthly average by twelve. This process of evaluating total number of transactions is known as?

A. Duplicates test

B. Controls total

C. Simplistic and ineffective

D. Reasonableness test

Answer: D


Reasonableness tests make certain assumptions about the information as the basis for more elaborate data validation tests.

Answer: A is incorrect. The duplicate test does not identify duplicate transactions; rather it identifies and confirms the validity of duplicates.

Answer: C is incorrect. As compared to simplistic, the reasonableness test is a valid foundation for more elaborate data validation tests.

Answer: B is incorrect. The control total test does not ensure that all transactions have been extracted, but only ensures that the data are complete.

Q86.  - (Topic 2)

Which of the following are sub-categories of threat?

Each correct answer represents a complete solution. Choose three.

A. Natural and supernatural

B. Computer and user

C. Natural and man-made

D. Intentional and accidental

E. External and internal

Answer: C,D,E


A threat is any event which have the potential to cause a loss. In other word, it is any activity that represents a possible danger. The loss or danger is directlyrelated to one of the following:

Loss of confidentiality- Someone sees a password or a company's secret formula, this is referred to as loss of confidentiality. Loss of integrity- An e-mail message is modified in transit, a virus infects a file, or someone makes unauthorized changes to a Web site is referred to as loss of integrity.

Loss of availability- An e-mail server is down and no one has e-mail access, or a file server is down so data files aren't available comes under loss of availability.

Threat identification is the process of creating a list of threats. This list attempts to identify all the possible threats to an organization. The list can be extensive.

Threats are often sub-categorized as under:

External or internal- External threats are outside the boundary of the organization. They can also be thought of as risks that are outside the control of the organization. While internal threats are within the boundary of the organization. They could be related to employees or other personnel who have access to company resources. Internal threats can be related to any hardware or software controlled by the business.

Natural or man-made- Natural threats are often related to weather such as hurricanes, tornadoes, and ice storms. Natural disasters like earthquakes and tsunamis are also natural threats. A human or man-made threat is any threat which is caused by a person. Any attempt to harm resources is a man-made threat. Fire could be man-made or natural depending on how the fire is started. Intentional or accidental- An attempt to compromise confidentiality, integrity, or availability is intentional. While employee mistakes or user errors are accidental threats. A faulty application that corrupts data could also be considered accidental.

Q87.  - (Topic 1)

You are the risk official of your enterprise. Your enterprise takes important decisions without considering risk credential information and is also unaware of external requirements for risk management and integration with enterprise risk management. In which of the following risk management capability maturity levels does your enterprise exists?

A. Level 1

B. Level 0

C. Level 5

D. Level 4

Answer: B


0 nonexistent: An enterprise's risk management capability maturity level is 0 when: The enterprise does not recognize the need to consider the risk management or the business impact from IT risk.

Decisions involving risk lack credible information.

Awareness of external requirements for risk management and integration with enterprise risk management (ERM) do not exists.

Answer:A, C, and D are incorrect.

These all are much higher levels of the risk management capability maturity model and in all these enterprise do take decisions considering the risk credential information. Moreover, in these levels enterprise is aware of external requirements for risk management and integrate with ERM.

Q88.  - (Topic 4)

Which of the following is NOT true for Key Risk Indicators?

A. They are selected as the prime monitoring indicators for the enterprise

B. They help avoid having to manage and report on an excessively large number of risk indicators

C. The complete set of KRIs should also balance indicators for risk, root causes and business impact.

D. They are monitored annually

Answer: D


They are monitored on regular basis as they indicate high probability and high impact risks. As risks change over time, hence KRIs should also be monitored regularly for its effectiveness on these changing risks.

Answer:A, B, and C are incorrect. These all are true for KRIs. Key Risk Indicators are the prime monitoring indicators of the enterprise. KRIs are highly relevant and possess a high probability of predicting or indicating important risk. KRIs help in avoiding excessively large number of risk indicators to manage and report that a large enterprise may have.

The complete set of KRIs should also balance indicators for risk, root causes and business impact, so as to indicate the risk and its impact completely.

Q89.  - (Topic 4)

You are the risk official in Techmart Inc. You are asked to perform risk assessment on the impact of losing a server. For this assessment you need to calculate monetary value of the server. On which of the following bases do you calculate monetary value?

A. Cost to obtain replacement

B. Original cost to acquire

C. Annual loss expectancy

D. Cost of software stored

Answer: A


The monetary value of the server should be based on the cost of its replacement. However, the financial impact to the enterprise may be much broader, based on the function that the server performs for the business and the value it brings to the enterprise.

Answer:C, D, and B are incorrect. Cost of software is not been counted because it can be restored from the back-up media. On the other hand' Ale for all risk related to the server does not represent the server's value. Lastly, the original cost may be significantly different from the current cost and, therefore, not relevant to this.

Q90.  - (Topic 2)

Jane, the Director of Sales, contacts you and demands that you add a new feature to the software your project team is creating for the organization. In the meeting she tells you how

important the scope change would be. You explain to her that the software is almost finished and adding a change now could cause the deliverable to be late, cost additional funds, and would probably introduce new risks to the project. Jane stands up and says to you, "I am the Director of Sales and this change will happen in the project." And then she leaves the room. What should you do with this verbal demand for a change in the project?

A. Include the change in the project scope immediately.

B. Direct your project team to include the change if they have time.

C. Do not implement the verbal change request.

D. Report Jane to your project sponsor and then include the change.

Answer: C


This is a verbal change request, and verbal change requests are never implemented. They introduce risk and cannot be tracked in the project scope. Change requests are requests to expand or reduce the project scope, modify policies, processes, plans, or procedures, modify costs or budgets or revise schedules. These requests for a change can be direct or indirect, externally or internally initiated, and legally or contractually imposed or optional. A Project Manager needs to ensure that only formally documented requested changes are processed and only approved change requests are implemented.

Answer: A is incorrect. Including the verbal change request circumvents the project's change control system.

Answer: D is incorrect. You may want to report Jane to the project sponsor, but you are not obligated to include the verbal change request.

Answer: B is incorrect. Directing the project team to include the change request if they have time is not a valid option. The project manager and the project team will have all of the project team already accounted for so there is no extra time for undocumented, unapproved change requests.