Exam (elaborations)

ISACA CRISC ACTUAL EXAM 2024

Pages: 25
Grade: A+
Uploaded on: 03-01-2024
Written in: 2023/2024


Preview of the content

Q.No.1 Which of the following is MOST important for an organization that wants to reduce IT
operational risk?

A. Increasing senior management's understanding of IT operations
B. Increasing the frequency of data backups
C. Minimizing complexity of IT infrastructure
D. Decentralizing IT infrastructure


Q.No.2 Deviation from a mitigation action plan's completion date should be determined by
which of the following?

A. Benchmarking analysis with similar completed projects
B. Change management as determined by a change control board
C. The risk owner as determined by risk management processes
D. Project governance criteria as determined by the project office


Q.No.3 A business unit has decided to accept the risk of implementing an off-the-shelf,
commercial software package that uses weak password controls. What is the BEST course of
action?

A. Continue the implementation with no changes.
B. Obtain management approval for policy exception.
C. Select another application with strong password controls.
D. Develop an improved password software routine.


Q.No.4 Which of the following is the PRIMARY reason to have the risk management process
reviewed by a third party?

A. Validate the threat management process.
B. Obtain objective assessment of the control environment
C. Ensure the risk profile is defined and communicated.
D. Obtain an objective view of process gaps and systemic errors.

Q.No.5 In an organization dependent on data analytics to drive decision-making, which of the
following would BEST help to minimize the risk associated with inaccurate data?

A. Periodically reviewing big data strategies
B. Evaluating each of the data sources for vulnerabilities
C. Establishing an intellectual property agreement
D. Benchmarking to industry best practice

Q.No.6 Which of the following is MOST appropriate to prevent unauthorized retrieval of
confidential information stored in a business application system?

A. Implement segregation of duties.
B. Enforce an internal data access policy.
C. Apply single sign-on for access control.
D. Enforce the use of digital signatures.

Q.No.7 The GREATEST concern when maintaining a risk register is that:

A. significant changes in risk factors are excluded.
B. impacts are recorded in qualitative terms.
C. executive management does not perform periodic reviews.
D. IT risk is not linked with IT assets.

Q.No.8 Which of the following will BEST help in communicating strategic risk priorities?

A. Heat map
B. Business impact analysis (BIA)
C. Balanced Scorecard
D. Risk register

Q.No.9 Which of the following is the BEST indicator of the effectiveness of a control action
plan's implementation?

A. Stakeholder commitment
B. Increased risk appetite
C. Reduced risk level
D. Increased number of controls


Q.No.10 Which of the following is the BEST method for identifying vulnerabilities?

A. Batch job failure monitoring
B. Periodic network scanning
C. Risk assessments
D. Annual penetration testing


Q.No.11 Which of the following will BEST ensure that information security risk factors are
mitigated when developing in-house applications?

A. Design key performance indicators (KPIs) for security in system specifications.
B. Include information security control specifications in business cases.
C. Identify key risk indicators (KRIs) as process output
D. Identify information security controls in the requirements analysis


Q.No.12 A management team is on an aggressive mission to launch a new product to
penetrate new markets and overlooks IT risk factors, threats, and vulnerabilities. This scenario
BEST demonstrates an organization's risk:

A. tolerance.
B. culture.
C. management.
D. analysis.


Q.No.13 During a control review, the control owner states that an existing control has
deteriorated over time. What is the BEST recommendation to the control owner?

A. Discuss risk mitigation options with the risk owner.
B. Escalate the issue to senior management
C. Implement compensating controls to reduce residual risk.
D. Certify the control after documenting the concern.


Q.No.14 Which of the following is the BEST approach for determining whether a risk action
plan is effective?

A. Assessing changes in residual risk
B. Comparing the remediation cost against budget
C. Assessing the inherent risk
D. Monitoring changes of key performance indicators (KPIs)


Q.No.15 Who is responsible for IT security controls that are outsourced to an external service
provider?

A. Organization's information security manager
B. Organization's risk function
C. Service provider's IT management
D. Service provider's information security manager


Q.No.16 Which of the following approaches will BEST help to ensure the effectiveness of risk
awareness training?

A. Piloting courses with focus groups
B. Using reputable third-party training programs
C. Reviewing content with senior management
D. Creating modules for targeted audiences


Q.No.17 A PRIMARY advantage of involving business management in evaluating and
managing risk is that management:

A. is more objective than risk management
B. better understands the system architecture.
C. can balance technical and business risk.
D. can make better-informed business decisions.


Q.No.18 When reviewing a risk response strategy, senior management's PRIMARY focus
should be placed on the:

A. cost-benefit analysis.
B. key performance indicators (KPIs).
C. investment portfolio
D. alignment with risk appetite.


Q.No.19 The effectiveness of a control has decreased. What is the MOST likely effect on the
associated risk?

A. The risk impact changes.

Document information

Uploaded on: 3 January 2024
Number of pages: 25
Written in: 2023/2024
Type: Exam (elaborations)
Contains: Questions and answers

Seller: THEEXCELLENCELIBRARY (Harvard University)