ISACA CRISC Exam Practice Questions (P. 2)
Question #11
You are the project manager of GHT project. Your project team is in the process of identifying project risks on your current project. The team has the option to use all of the following tools and techniques to diagram some of these potential risks EXCEPT for which one?
- A. Process flowchart
- B. Ishikawa diagram
- C. Influence diagram
- D. Decision tree diagram
Correct Answer: D
Decision tree diagrams are used during the quantitative risk analysis process, not during risk identification.
Incorrect Answers:
A, B, C: All three are diagramming techniques used in the Identify Risks process.
Question #12
Which of the following BEST describes the utility of a risk?
- A. The financial incentive behind the risk
- B. The potential opportunity of the risk (most voted)
- C. The mechanics of how a risk works
- D. The usefulness of the risk to individuals or groups
Correct Answer: D
The utility of a risk describes the usefulness of a particular risk to an individual; moreover, the same risk can be used by two individuals in different ways.
Financial outcomes are one method of measuring the potential value of taking a risk. For example, if the individual's economic wealth increases, the potential utility of the risk will decrease.
Incorrect Answers:
A: Determining the financial incentive is one method of measuring the potential value of taking a risk, but it is not a valid definition of the utility of a risk.
B: This is not a valid definition.
C: This is not a valid definition.
Question #13
Which of the following aspects of a monitoring tool ensures that the tool can keep up with the growth of an enterprise?
- A. Scalability (most voted)
- B. Customizability
- C. Sustainability
- D. Impact on performance
Correct Answer: A
Monitoring tools have to keep up with the growth of an enterprise and meet anticipated growth in process, complexity or transaction volumes; this is ensured by the scalability criterion of the monitoring tool.
Incorrect Answers:
B: For software to be effective, it must be customizable to the specific needs of an enterprise; customizability ensures that end users can adapt the software.
C: Sustainability ensures that monitoring software is able to change at the same speed as technology applications and infrastructure, so that it remains effective over time.
D: The impact on performance is unrelated to the ability of a monitoring tool to keep up with the growth of the enterprise.
Question #14
You are the project manager in your enterprise. You have identified a risk that is a noticeable failure threatening the success of certain goals of your enterprise. At which of the following levels does this identified risk exist?
- A. Moderate risk
- B. High risk (most voted)
- C. Extremely high risk
- D. Low risk
Correct Answer: A
Moderate risks are noticeable failures threatening the success of certain goals.
Incorrect Answers:
B: High risk is a significant failure resulting in certain goals not being met.
C: Extremely high risks have a large impact on the enterprise and most likely result in failure with severe consequences.
D: Low risks are those that result in certain goals being unsuccessful.
Question #15
Courtney is the project manager for her organization. She is working with the project team to complete the qualitative risk analysis for her project. During the analysis, Courtney encourages the project team to begin grouping the identified risks by common causes. What is the primary advantage of grouping risks by common causes during qualitative risk analysis?
- A. It helps the project team realize which areas of the project are most laden with risks.
- B. It assists in developing effective risk responses. (most voted)
- C. It saves time by collecting the related resources, such as project team members, to analyze the risk events.
- D. It can lead to the creation of risk categories unique to each project.
Correct Answer: B
By grouping risks by category, the project team can develop effective risk responses. Related risk events often have common causal factors that can be addressed with a single risk response.
Question #16
Which of the following processes is described in the statement below?
"It is the process of exchanging information and views about risks among stakeholders, such as groups, individuals, and institutions."
- A. Risk governance
- B. Risk identification
- C. Risk response planning
- D. Risk communication
Correct Answer: D
Risk communication is the process of exchanging information and views about risks among stakeholders, such as groups, individuals, and institutions. It is mostly concerned with the nature of risk, or with expressing concerns, views, or reactions to risk managers or the institutional bodies responsible for risk management. The key plan for considering and communicating risk is to categorize risks, impose priorities, and adopt suitable measures to reduce them. Throughout any crisis it is important to convey multifaceted information in a simple and clear manner.
Risk communication helps in exchanging or distributing information concerning risk between decision-makers and stakeholders. It can be explained more clearly with the help of the following points:
✑ It defines the issue by what a group does, not just what it says.
✑ It must take into account the valuable element in users' perceptions of risk.
✑ It is more valuable if it is thought of as conversation, not instruction.
Risk communication is a fundamental and continuing element of the risk analysis exercise, and the stakeholder group is involved from the beginning. It makes the stakeholders conscious of the process at each phase of the risk assessment and helps to guarantee that the restrictions, outcomes, consequences, logic, and risk assessment are clearly understood by all the stakeholders.
Incorrect Answers:
C: A risk response ensures that the residual risk is within the limits of the enterprise's risk appetite and tolerance. Risk response is the process of selecting the correct, prioritized response to risk, based on the level of risk, the enterprise's risk tolerance, and the cost and benefit of the particular risk response option.
Risk response ensures that management provides accurate reports on:
✑ The level of risk faced by the enterprise
✑ The types of incidents that have occurred
✑ Any alteration in the enterprise's risk profile based on changes in the risk environment
Question #17
You are an experienced project manager who has been entrusted with a project to develop a machine that produces auto components. You have scheduled meetings with the project team and the key stakeholders to identify the risks for your project. Which of the following is a key output of this process?
- A. Risk register (most voted)
- B. Risk management plan
- C. Risk breakdown structure
- D. Risk categories
Correct Answer: A
The primary outputs of Identify Risks are the initial entries in the risk register. The risk register ultimately contains the outcomes of the other risk management processes as they are conducted, so the level and type of information it holds increase over time.
Incorrect Answers:
B, C, D: All of these are outputs of the Plan Risk Management process, which takes place before risk identification starts.
Question #18
Which of the following components of a risk scenario has the potential to generate an internal or external threat to an enterprise?
- A. Timing dimension
- B. Events
- C. Assets
- D. Actors
Correct Answer: D
The components of a risk scenario needed for its analysis are:
✑ Actor: the component of a risk scenario that has the potential to generate the threat, which can be internal or external, human or non-human. Internal actors are within the enterprise, such as staff and contractors; external actors include outsiders, competitors, regulators and the market.
✑ Threat type: defines the nature of the threat, that is, whether it is malicious, accidental, natural or intentional.
✑ Event: an essential part of a scenario; a scenario always has to contain an event. The event describes what happens, such as disclosure of confidential information, interruption of a system or project, modification, theft, destruction, etc.
✑ Asset: assets are the economic resources owned by a business or company. Anything tangible or intangible that one possesses, usually considered applicable to the payment of one's debts, is an asset. An asset can also be defined as a resource, process, product, computing infrastructure, and so forth that an organization has determined must be protected. Tangible assets have physical attributes and can be detected with the senses, e.g., people, infrastructure and finances. Intangible assets have no physical attributes and cannot be detected with the senses, e.g., information, reputation and customer trust.
✑ Timing dimension: the application of the scenario to determine the time to respond to or recover from an event. It identifies whether the event occurs at a critical moment and how long it lasts. It also specifies the time lag between the event and the consequence, that is, whether there is an immediate consequence (e.g., network failure, immediate downtime) or a delayed consequence (e.g., wrong IT architecture with high costs accumulated over a long period of time).
Question #19
You are the project manager of the GHT project. You have planned the risk response process and are now about to implement various controls. What should you do before relying on any of the controls?
- A. Review performance data
- B. Discover risk exposure
- C. Conduct pilot testing (most voted)
- D. Articulate risk
Correct Answer: A, C
Pilot testing and reviewing performance data to verify operation against design are done before relying on a control.
Incorrect Answers:
B: Discovering risk exposure helps identify the severity of a risk, but it plays no role in establishing the reliability of a control.
D: Articulating risk is the first phase of the risk response process; it ensures that information on the true state of exposures and opportunities is made available in a timely manner and to the right people for an appropriate response. It plays no role in determining whether a specific control is reliable.
Question #20
Which of the following is NOT true for risk management capability maturity level 1?
- A. There is an understanding that risk is important and needs to be managed, but it is viewed as a technical issue and the business primarily considers the downside of IT risk (most voted)
- B. Decisions involving risk lack credible information
- C. Risk appetite and tolerance are applied only during episodic risk assessments
- D. Risk management skills exist on an ad hoc basis, but are not actively developed
Correct Answer: B
An enterprise at risk management capability maturity level 0 makes decisions without much credible information about risk. At level 1, the enterprise makes decisions on the basis of credible risk information.
Incorrect Answers:
A, C, D: An enterprise's risk management capability maturity level is 1 when:
✑ There is an understanding that risk is important and needs to be managed, but it is viewed as a technical issue and the business primarily considers the downside of IT risk.
✑ Risk identification criteria vary widely across the enterprise.
✑ Risk appetite and tolerance are applied only during episodic risk assessments.
✑ Enterprise risk policies and standards are incomplete and/or reflect only external requirements, and lack a defensible rationale and enforcement mechanisms.
✑ Risk management skills exist on an ad hoc basis, but are not actively developed.
✑ Ad hoc inventories of controls that are unrelated to risk are dispersed across desktop applications.