D486 ITAS 5225 Governance, Risk, & Compliance
Objective Assessment Review
(Questions & Solutions)
2025
1. Case:
A multinational enterprise adopts ISO 31000 as the basis for its risk
management program.
Question: Which of the following best describes the primary focus
of ISO 31000?
a) Providing detailed technical controls for IT systems
b) Establishing principles, framework, and processes for risk
management across the organization
c) Ensuring regulatory compliance through specific procedural
checklists
d) Delivering encryption standards for data protection
Correct ANS: b
Rationale: ISO 31000 is a risk management standard that focuses
on establishing a framework, principles, and processes to help
organizations manage risk holistically rather than prescribing detailed
technical controls.
---
2. Case:
A company is implementing a new GRC program and establishes a
board-level risk committee.
Question: What is the main role of this risk committee?
a) To manage day-to-day IT operations
b) To set the organization’s risk appetite and oversee enterprise‑wide
risk management
c) To implement corrective actions during a security breach
d) To configure technical security controls on network devices
Correct ANS: b
Rationale: A board-level risk committee is primarily responsible for
setting risk appetite, defining frameworks, and providing oversight of
enterprise‑wide risk management, ensuring alignment with strategic
objectives.
---
3. Case:
An organization aligns its information security program with the NIST
Cybersecurity Framework.
Question: Which core function of the NIST Framework focuses on
understanding the organization’s risk context?
a) Protect
b) Identify
c) Respond
d) Recover
Correct ANS: b
Rationale: The “Identify” function is foundational; it focuses on
understanding the business context, asset inventory, risk
assessments, and the overall threat landscape, all of which are
essential for informed decision‑making.
---
4. Case:
A regulated financial institution implements Basel III measures in its
risk management strategy.
Question: What is the primary objective of applying Basel III in a
GRC program?
a) Enhancing encryption protocols for data security
b) Measuring capital adequacy and managing financial risk
c) Ensuring IT asset inventory accuracy
d) Standardizing external audit processes exclusively
Correct ANS: b
Rationale: Basel III is designed to improve the banking sector’s
ability to absorb shocks by focusing on capital adequacy and risk
management, which is critical for a regulated financial environment.
---
5. Case:
An organization develops a risk treatment plan after conducting its
risk assessment.
Question: Which of the following options is not considered a
standard risk treatment strategy?
a) Risk elimination
b) Risk transference
c) Risk mitigation
d) Risk acceptance
Correct ANS: a
Rationale: The standard risk treatment options are risk avoidance,
risk transference (sharing), risk mitigation (reduction), and risk
acceptance. "Risk elimination" is not one of them: controls reduce
risk, but some residual risk always remains, so complete elimination
is not a realistic treatment and the remaining risk must still be
accepted, transferred, or avoided.
---
6. Case:
A company must manage third-party risks in its supply chain within its
GRC program.
Question: Which method is most effective for managing these
risks?
a) Conducting periodic vendor risk assessments and incorporating
contractual security requirements
b) Limiting communication with vendors entirely
c) Relying solely on internal audit findings
d) Outsourcing all IT functions to external providers