Is this exam completely free?

Examcademy offers a free preview for every exam, covering around 20% of the total questions. Full access is available with a paid upgrade.

Can I practice IT certification exams from Microsoft, AWS, or CompTIA?

Yes! Examcademy supports a wide range of IT certification exams including Microsoft Azure, AWS Cloud Practitioner, and CompTIA A+ and Security+.

How accurate are the mock exams?

Our mock exams are built and reviewed with the help of AI and community contributions, staying aligned with real-world exam objectives.

Free preview mode

Enjoy the free questions and consider upgrading to gain full access!

CRISCFree trial

By isaca

Verified

25Q per page

Question 101

A new risk practitioner finds that decisions for implementing risk response plans are not being made. Which of the following would MOST likely explain this situation?

A: The organization's risk awareness program is ineffective.
B: The organization has a high level of risk appetite.
C: Risk ownership is not being assigned properly.
D: Risk management procedures are outdated.

—

Question 102

Which of the following is the BEST indicator of executive management's support for IT risk mitigation efforts?

A: The number of executives attending IT security awareness training
B: The percentage of incidents presented to the board
C: The percentage of corporate budget allocated to IT risk activities
D: The number of stakeholders involved in IT risk identification workshops

—

Question 103

The BEST metric to demonstrate that servers are configured securely is the total number of servers:

A: experiencing hardware failures
B: exceeding availability thresholds
C: exceeding current patching standards
D: meeting the baseline for hardening.

—

Question 104

Which of the following is the MOST important goal of a security awareness program?

A: To enforce consequences related to the organization's security policy
B: To reduce costs associated with security incidents
C: To strengthen the security culture by changing user behavior
D: To strengthen control performance related to regulatory requirements

—

Question 105

A recent big data project has resulted in the creation of an application used to support important investment decisions. Which of the following should be of
GREATEST concern to the risk practitioner?

A: Data redundancy
B: Maintenance costs
C: Data quality
D: System integration

—

Question 106

You are the project manager of GHT project. Your project team is in the process of identifying project risks on your current project. The team has the option to use all of the following tools and techniques to diagram some of these potential risks EXCEPT for which one?

A: Process flowchart
B: Ishikawa diagram
C: Influence diagram
D: Decision tree diagram

—

Question 107

An organization has initiated quarterly briefings for executive management with a focus on increasing risk awareness. Which of the following is MOST relevant to include in this briefing?

A: The risk register
B: Risk management best practices
C: Updates to security policies
D: Recent security incidents

—

Question 108

During a risk assessment, a key external technology supplier refuses to provide control design and effectiveness information, citing confidentiality concerns. What should the risk practitioner do NEXT?

A: Escalate the non-cooperation to management
B: Exclude applicable controls from the assessment
C: Review the supplier's contractual obligations
D: Request risk acceptance from the business process owner

—

Question 109

When implementing a key performance indicator (KPI) for control performance monitoring, it is MOST important to:

A: define the unit of measurement
B: define the target or planned value
C: benchmark the target value against an industry standard
D: define data sources and reporting frequency

—

Question 110

The PRIMARY reason for defining risk ownership in an organization is to ensure:

A: responsibility for risk treatment
B: accountability for risk management
C: responsibility for risk assessments
D: accountability for risk register updates

—

Question 111

Which of the following is the MOST important step to ensure regulatory requirements are adequately addressed within an organization?

A: Employ IT solutions that meet regulatory requirements
B: Perform a gap analysis against regulatory requirements
C: Obtain necessary resources to address regulatory requirements
D: Develop a policy framework that addresses regulatory requirements

—

Question 112

A large organization is replacing its enterprise resource planning (ERP) system and has decided not to deploy the payroll module of the new system. Instead, the current payroll system will continue to be used. Of the following, who should own the risk if the ERP and payroll systems fail to operate as expected?

A: The ERP administrator
B: The business owner
C: The project steering committee
D: The IT project manager

—

Question 113

Which of the following BEST enables risk-based decision making in support of a business continuity plan (BCP)?

A: Control analysis
B: Root cause analysis
C: Threat analysis
D: Impact analysis

—

Question 114

A process maturity model is MOST useful to the risk management process because it helps:

A: reduce audit and regulatory findings
B: determine the cost of control improvements
C: benchmark maturity against industry standards
D: determine the gap between actual and desired state

—

Question 115

When evaluating a number of potential controls for treating risk, it is MOST important to consider:

A: risk tolerance and control complexity
B: inherent risk and control effectiveness
C: risk appetite and control efficiency
D: residual risk and cost of control

—

Question 116

A recent vulnerability assessment of a web-facing application revealed several weaknesses. Which of the following should be done NEXT to determine the risk exposure?

A: Gap assessment
B: Business impact analysis (BIA)
C: Code review
D: Penetration test

—

Question 117

You are the risk official of your enterprise. You have just completed risk analysis process. You noticed that the risk level associated with your project is less than risk tolerance level of your enterprise. Which of following is the MOST likely action you should take?

A: Apply risk response
B: Update risk register
C: No action
D: Prioritize risk response options

—

Question 118

Which of the following is MOST useful when performing a quantitative risk assessment?

A: Management support
B: RACI matrix
C: Industry benchmarking
D: Financial models

—

Question 119

Following an acquisition, the acquiring company's risk practitioner has been asked to update the organization's IT risk profile. What is the MOST important information to review from the acquired company to facilitate this task?

A: Risk assessment and risk register
B: Risk disclosures in financial statements
C: Business objectives and strategies
D: Internal and external audit reports

—

Question 120

Which of the following provides the MOST mitigation value for an organization implementing new Internet of Things (IoT) devices?

A: Implementing key risk indicators (KRIs) for IoT devices
B: Designing IoT architecture with IT security controls from the start
C: Performing a vulnerability assessment on the IoT devices
D: Creating an IoT-specific risk register

—

Question 121

Which of the following is the BEST control to minimize the risk associated with scope creep in software development?

A: An established process for project change management
B: Business management's review of functional requirements
C: Segregation between development, test, and production
D: Retention of test data and results for review purposes

—

Question 122

An organization is reviewing a contract for a Software as a Service (SaaS) sales application with a 99.9% uptime service level agreement (SLA). Which of the following BEST describes ownership of availability risk?

A: The liability for the risk is owned by the cloud provider
B: The liability for the risk is owned by the sales department
C: The risk is transferred to the cloud provider
D: The risk is shared by both organizations

—

Question 123

During an acquisition, which of the following would provide the MOST useful input to the parent company's risk practitioner when developing risk scenarios for the post-acquisition phase?

A: IT balanced scorecard of each company
B: Most recent internal audit findings from both companies
C: Risk registers of both companies
D: Risk management framework adopted by each company

—

Question 124

Which of the following should a risk practitioner recommend be done prior to disposal of server hardware containing confidential data?

A: Update the asset inventory
B: Encrypt the backup
C: Remove all user access
D: Destroy the hard drives

—

Question 125

A vendor's planned maintenance schedule will cause a critical application to temporarily lose failover capabilities. Of the following, who should approve this proposed schedule?

A: Business application owner
B: IT infrastructure manager
C: Chief risk officer (CRO)
D: Business continuity manager

—

Page 5 of 58 • Questions 101-125 of 1430

←

3 4 5 6 7

→

Free preview mode

Enjoy the free questions and consider upgrading to gain full access!