Is this exam completely free?

ExamCademy offers a free preview for every exam, covering around 20% of the total questions. Full access to all questions is available for free by signing up for an account. Optional supporters unlock AstroTutor (AI tutor) and advanced study modes.

Can I practice IT certification exams from Microsoft, AWS, or CompTIA?

Yes! ExamCademy supports a wide range of IT certification exams including Microsoft Azure, AWS Cloud Practitioner, and CompTIA A+ and Security+.

How accurate are the mock exams?

Our practice questions are community-created and moderator-reviewed to align with realistic exam objectives, style, and difficulty.

CRISC by ISACA - Page 1 | ExamCademy

Mode Selection

Question 1

Question 2

Question 3

Which of the following is the MOST important consideration when developing risk strategies?

A Long-term organizational goals
B Organization's industry sector
C Concerns of the business process owners
D History of risk events

Question 4

Which of the following would BEST facilitate the implementation of data classification requirements?

A Implementing technical controls over the assets
B Implementing a data loss prevention (DLP) solution
C Scheduling periodic audits
D Assigning a data owner

Question 5

An organization has used generic risk scenarios to populate its risk register. Which of the following presents the GREATEST challenge to assigning ownership of the associated risk entries?

A The volume of risk scenarios is too large.
B Risk scenarios are not applicable.
C The risk analysis for each scenario is incomplete.
D Risk aggregation has not been completed.

Question 6

An organization's business process requires the verbal verification of personal information in an environment where other customers may overhear this information. Which of the following is the MOST significant risk?

A The customer may view the process negatively.
B The information could be used for identity theft.
C The process could result in intellectual property theft.
D The process could result in compliance violations.

Question 7

An organization has initiated a project to launch an IT-based service to customers and take advantage of being the first to market. Which of the following should be of GREATEST concern to senior management?

A The project is likely to deliver the product late.
B More time has been allotted for testing.
C A new project manager is handling the project.
D The cost of the project will exceed the allotted budget.

Question 8

Which of the following is the MOST important objective of embedding risk management practices into the initiation phase of the project management life cycle?

A To deliver projects on time and on budget
B To assess inherent risk
C To assess risk throughout the project
D To include project risk in the enterprise-wide IT risk profile

Question 9

Which of the following is the MOST significant indicator of the need to perform a penetration test?

A An increase in the number of infrastructure changes
B An increase in the number of security incidents
C An increase in the number of high-risk audit findings
D An increase in the percentage of turnover in IT personnel

Question 10

Which of the following provides the MOST reliable information to ensure a newly acquired company has appropriate IT controls in place?

A Vulnerability assessment
B Information system audit
C Penetration testing
D IT risk assessment

Question 11

Print jobs containing confidential information are sent to a shared network printer located in a secure room. Which of the following is the BEST control to prevent the inappropriate disclosure of confidential information?

A Ensuring printer parameters are properly configured
B Using video surveillance in the printer room
C Using physical controls to access the printer room
D Requiring a printer access code for each user

Question 12

Which of the following would be MOST helpful when communicating roles associated with the IT risk management process?

A Skills matrix
B RACI chart
C Organizational chart
D Job descriptions

Question 13

Fred is the project manager of a large project in his organization. Fred needs to begin planning the risk management plan with the project team and key stakeholders. Which plan risk management process tool and technique should Fred use to plan risk management?

A Information gathering techniques
B Data gathering and representation techniques
C Planning meetings and analysis
D Variance and trend analysis

Question 14

The PRIMARY benefit of conducting a risk workshop using a top-down approach instead of a bottom-up approach is the ability to:

A incorporate subject matter expertise.
B identify specific project risk.
C understand risk associated with complex processes.
D obtain a holistic view of IT strategy risk.

Question 15

A bank recently incorporated blockchain technology with the potential to impact known risk within the organization. Which of the following is the risk practitioner's
BEST course of action?

A Analyze and update control assessments with the new processes.
B Conduct testing of the controls that mitigate the existing risk.
C Determine whether risk responses are still adequate.
D Analyze the risk and update the risk register as needed.

Question 16

Of the following, who is BEST suited to assist a risk practitioner in developing a relevant set of risk scenarios?

A Control owner
B Internal auditor
C Asset owner
D Finance manager

Question 17

The risk associated with an asset after controls are applied can be expressed as:

A the likelihood of a given threat.
B the magnitude of an impact.
C a function of the likelihood and impact.
D a function of the cost and effectiveness of controls.

Question 18

A risk practitioner notices a trend of noncompliance with an IT-related control. Which of the following would BEST assist in making a recommendation to management?

A Reviewing the IT policy with the risk owner
B Reviewing the roles and responsibilities of control process owners
C Assessing noncompliance with control best practices
D Assessing the degree to which the control hinders business objectives

Question 19

Which key performance indicator (KPI) BEST measures the effectiveness of an organization's disaster recovery program?

A Number of service level agreement (SLA) violations.
B Percentage of critical systems recovered within the recovery time objective (RTO).
C Percentage of recovery issues identified during the exercise.
D Number of total systems recovered within the recovery point objective (RPO).

Question 20

The PRIMARY advantage of involving end users in continuity planning is that they:

A can see the overall impact to the business.
B have a better understanding of specific business needs.
C can balance the overall technical and business concerns.
D are more objective than information security management.

Question 21

Which of the following is the PRIMARY risk management responsibility of the second line of defense?

A Applying risk treatments
B Providing assurance of control effectiveness
C Implementing internal controls
D Monitoring risk responses

Question 22

Which of the following is the BEST way to ensure ongoing control effectiveness?

A Periodically reviewing control design
B Establishing policies and procedures
C Measuring trends in control performance
D Obtaining management control attestations

Question 23

Who should have the authority to approve an exception to a control?

A Information security manager
B Risk manager
C Control owner
D Risk owner

Question 24

Which of the following is a responsibility of the second line of defense in the three lines of defense model?

A Owning risk scenarios and bearing the consequences of loss
B Alerting operational management to emerging issues
C Implementing corrective actions to address deficiencies
D Performing duties independently to provide assurance

Question 25

To mitigate the risk of using a spreadsheet to analyze financial data, IT has engaged a third-party vendor to deploy a standard application to automate the process. Which of the following parties should own the risk associated with calculation errors?

A Third-party provider
B Business owner
C IT department
D Risk manager

Page 1 of 58 • Questions 1-25 of 1430

1 2 3 4 5

→

Know a question that should be here? Contribute to this exam

Which of the following is the MOST important reason to maintain key risk indicators (KRIs)?

A In order to avoid risk
B Complex metrics require fine-tuning
C Risk reports need to be timely
D Threats and vulnerabilities change over time

Which of the following controls is an example of non-technical controls?

A Access control
B Physical security
C Intrusion detection system
D Encryption

CRISCPreview