CRISC Exam - Questions with Correct Answers / Latest Update / 100% Pass
An enterprise recently developed a breakthrough technology that could provide a significant
competitive edge. Which of the following FIRST governs how this information is to be
protected from within the enterprise?
A. The data classification policy
B. The acceptable use policy
C. Encryption standards
D. The access control policy - ✔✔A. Data classification policy describes the data
classification categories; levels of protection to be provided for each category of data; and
roles and responsibilities of potential users, including data owners
Which of the following is the BEST way to ensure that an accurate risk register is maintained
over time?
A. Monitor KRIs and record findings in the risk register
B. Publish the risk register centrally with workflow features that periodically poll risk
assessors
C. Distribute the risk register to business process owners for review and updating
D. Utilize audit personnel to perform regular audits and to maintain the risk register - ✔✔B.
Centrally publishing the risk register and enabling periodic polling of risk assessors through
workflow features will ensure accuracy of content. A knowledge management platform with
workflow and polling features will automate the process of maintaining the risk register
Which of the following is the MOST important requirement for setting up an information
security infrastructure for a new system?
A. Performing a BIA
B. Considering personal devices as part of the security policy
C. Basing the information security infrastructure on a risk assessment
D. Initiating IT security training and familiarization - ✔✔C. The information security
infrastructure should be based on a risk assessment
The MAIN objective of IT risk management is to:
A. prevent loss of IT assets
B. provide timely management reports
C. ensure regulatory compliance
D. enable risk-aware business decisions - ✔✔D. IT risk management should be conducted as
part of enterprise risk management (ERM), the ultimate objective of which is to enable risk-
aware business decisions
Which of the following is the PRIMARY reason that a risk practitioner determines the
security boundary prior to conducting a risk assessment?
A. To determine which laws and regulations apply
B. To determine the scope of the risk assessment
C. To determine the business owner(s) of the system
D. To decide between conducting a quantitative or qualitative analysis - ✔✔B. The primary
reason for determining the security boundary is to establish what systems and components
are included in the risk assessment
The PRIMARY advantage of creating and maintaining a risk register is to:
A. ensure that an inventory of potential risk is maintained
B. record all risk scenarios considered during the risk identification process
C. collect similar data on all risk identified within the organization
D. run reports based on various risk scenarios - ✔✔A. Once important assets and the risk
that may impact these assets are identified, the risk register is used as an inventory of that
risk. The risk register can help enterprises accelerate their risk decision making and establish
accountability for specific risk
The board of directors of a one-year-old start-up company has asked their CIO to create all
of the enterprise's IT policies and procedures. Which of the following should the CIO create
FIRST?
A. The strategic IT plan
B. The data classification scheme
C. The information architecture document
D. The technology infrastructure plan - ✔✔A. The strategic IT plan is the first policy to be
created when setting up an enterprise's governance model
A BIA is primarily used to:
A. estimate the resources required to resume and return to normal operations after a
disruption
B. evaluate the impact of a disruption to an enterprise's ability to operate over time
C. calculate the likelihood and impact of known threats on specific functions
D. evaluate high-level business requirements - ✔✔B
Which of the following is the BIGGEST concern for a CISO regarding interconnections with
systems outside of the enterprise?
A. Requirements to comply with each other's contractual security requirements
B. Uncertainty that the other system will be available as needed
C. The ability to perform risk assessments on the other system
D. Ensuring that communication between the two systems is encrypted through a VPN -
✔✔A
Which of the following BEST determines compliance with the risk appetite of an enterprise?
A. Balance between preventive and detective controls
B. Inherent risk and acceptable risk level
C. Residual risk level and acceptable risk level
D. Balance between countermeasures and preventive controls - ✔✔C