The Secret of CRISC exam answers



Q101.  - (Topic 1)

You are the project manager of the RFT project. You have identified a risk that the enterprise's IT system and application landscape is so complex that, within a few years, extending capacity will become difficult and maintaining software will become very expensive. The response adopted to address this risk is re-architecture of the existing system and purchase of a new integrated system. In which of the following risk prioritization options would this case be categorized?

A. Deferrals

B. Quick win

C. Business case to be made

D. Contagious risk

Answer: C


This case is categorized as "business case to be made" because the response (re-architecture plus purchase of a new integrated system) requires a large investment, and responses that need significant funding have to be justified through a business case before they are approved.

Answer: B is incorrect. A quick win is an effective and efficient response that addresses a medium to high risk at low cost. The response here requires a large investment, so it is not a quick win.

Answer: A is incorrect. Deferrals apply where a costly response would address only a low risk, so the decision is postponed. Here the risk is significant and the response is being funded rather than deferred.

Answer: D is incorrect. Contagious risk is not a risk response prioritization option; it is a type of risk that occurs at several of the enterprise's business partners within a very short time frame.

Q102.  - (Topic 1)

What are the requirements for creating risk scenarios? Each correct answer represents a part of the solution. Choose three.

A. Determination of cause and effect

B. Determination of the value of business process at risk

C. Potential threats and vulnerabilities that could cause loss

D. Determination of the value of an asset

Answer: B,C,D


Creating a scenario requires determination of the value of an asset or a business process at risk and the potential threats and vulnerabilities that could cause loss. The risk scenario should be assessed for relevance and realism, and then entered into the risk register if found to be relevant.

In practice the following steps are involved in risk scenario development:

First determine a manageable set of scenarios, which includes: scenarios that occur frequently in the industry or product area; scenarios representing threat sources that are increasing in count or severity; and scenarios involving legal and regulatory requirements applicable to the business.

After determining a manageable set of risk scenarios, validate them against the business objectives of the entity.

Based on this validation, refine the selected scenarios and then detail them to a level in line with the criticality of the entity.

Reduce the number of scenarios to a manageable set. Manageable does not signify a fixed number, but should be in line with the overall importance and criticality of the unit. Risk factors are kept in a register so that they can be re-evaluated in the next iteration and included for detailed analysis if they have become relevant by then.

Include an unspecified event in the scenarios, that is, address an incident not covered by the other scenarios.

Answer: A is incorrect. Cause-and-effect analysis is a predictive or diagnostic analytical tool used to explore the root causes or factors that contribute to positive or negative effects or outcomes. It is used when exposing risk factors, not as a requirement for creating a risk scenario.

Q103.  - (Topic 3)

Which of the following is true for risk management frameworks, standards and practices? Each correct answer represents a part of the solution. Choose three.

A. They act as a guide to focus the efforts of various teams.

B. They result in increase in cost of training, operation and performance improvement.

C. They provide a systematic view of "things to be considered" that could harm clients or an enterprise.

D. They assist in achieving business objectives quickly and easily.

Answer: A,C,D


Frameworks, standards and practices are necessary because:

They provide a systematic view of "things to be considered" that could harm clients or an enterprise.

They act as a guide to focus the efforts of various teams.

They save time and money, such as training costs, operational costs and performance improvement costs.

They assist in achieving business objectives quickly and easily.

Answer: B is incorrect. Frameworks, standards and practices reduce rather than increase the cost of training, operation and performance improvement, because teams do not have to devise their own approach from scratch.

Q104.  - (Topic 1)

The only output of qualitative risk analysis is risk register updates. When the project manager updates the risk register, he will need to include several pieces of information, including all of the following except which one?

A. Trends in qualitative risk analysis

B. Risk probability-impact matrix

C. Risks grouped by categories

D. Watchlist of low-priority risks

Answer: B


The probability-impact matrix is a tool used to perform the analysis; it is not part of the risk register updates. Seven things can be updated in the risk register as a result of qualitative risk analysis: relative ranking of project risks, risks grouped by categories, causes of risks, list of near-term risks, risks requiring additional analysis, watchlist of low-priority risks, and trends in qualitative risk analysis results.

Answer: C is incorrect. Risks grouped by categories are part of the risk register updates. 

Answer: D is incorrect. Watchlist of low-priority risks is part of the risk register updates. 

Answer: A is incorrect. Trends in qualitative risk analysis are part of the risk register updates.
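The following block, added here as an example and not part of the original page, works through the distinction the explanation draws: the probability-impact matrix is the scoring tool, and the seven register updates are what the analysis actually writes back. The four risks, the 5x5 ordinal scales, the priority thresholds and the previous-iteration scores are all constructed for illustration.

```python
"""Qualitative risk analysis worked through: a probability-impact matrix scores
each risk, and the register updates listed above are derived from the scores.

Added example; the four risks, the 5x5 ordinal scales and the priority
thresholds are all constructed for illustration.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

# Assumed ordinal scales (1 = lowest, 5 = highest); the matrix score is their product.
SCALE = {"very low": 1, "low": 2, "medium": 3, "high": 4, "very high": 5}
LOW_PRIORITY_MAX = 6    # assumption: score <= 6 goes on the watchlist
HIGH_PRIORITY_MIN = 12  # assumption: score >= 12 needs additional analysis


@dataclass
class Risk:
    rid: str
    description: str
    category: str
    cause: str
    probability: str
    impact: str
    near_term: bool = False  # could materialise within the next reporting period

    @property
    def score(self) -> int:
        # The probability-impact matrix is the analysis tool; only the score it
        # yields (and the lists built from it) is written back to the register.
        return SCALE[self.probability] * SCALE[self.impact]


def update_risk_register(risks: list[Risk]) -> dict:
    """Produce the register updates that qualitative analysis outputs."""
    ranked = sorted(risks, key=lambda r: r.score, reverse=True)
    by_category: dict[str, list[str]] = defaultdict(list)
    for r in risks:
        by_category[r.category].append(r.rid)
    return {
        "relative_ranking": [(r.rid, r.score) for r in ranked],
        "risks_by_category": dict(by_category),
        "causes": {r.rid: r.cause for r in risks},
        "near_term_risks": [r.rid for r in risks if r.near_term],
        "needs_additional_analysis": [r.rid for r in ranked if r.score >= HIGH_PRIORITY_MIN],
        "watchlist": [r.rid for r in ranked if r.score <= LOW_PRIORITY_MAX],
    }


def trend(previous_scores: dict[str, int], risks: list[Risk]) -> dict:
    """Trend update: how each risk's score moved since the previous iteration."""
    current = {r.rid: r.score for r in risks}
    return {
        "score_delta": {rid: current[rid] - previous_scores[rid]
                        for rid in current if rid in previous_scores},
        "new_risks": sorted(set(current) - set(previous_scores)),
        "retired_risks": sorted(set(previous_scores) - set(current)),
    }


# Constructed sample register (not real project data).
SAMPLE_RISKS = [
    Risk("R1", "Hardware vendor delivers late", "schedule", "single-source vendor",
         "high", "medium", near_term=True),
    Risk("R2", "Lead developer leaves", "resource", "no documented handover", "low", "high"),
    Risk("R3", "Test lab power outage", "technical", "no UPS in lab", "very low", "low"),
    Risk("R4", "Public website defaced", "security", "unpatched web server", "medium", "very high"),
]
PREVIOUS_SCORES = {"R1": 8, "R2": 8, "R3": 4}  # constructed: last iteration's scores

if __name__ == "__main__":
    for key, value in update_risk_register(SAMPLE_RISKS).items():
        print(f"{key}: {value}")
    print("trend:", trend(PREVIOUS_SCORES, SAMPLE_RISKS))
```

Running it ranks R4 (15) above R1 (12), puts R3 (2) on the watchlist, flags R4 and R1 for additional analysis, and reports R1's score rising from 8 to 12 since the previous iteration; the matrix itself never appears in the returned register updates.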

Q105.  - (Topic 2)

Which of the following is the HIGHEST risk of a policy that inadequately defines data and system ownership?

A. User management coordination does not exist

B. Audit recommendations may not be implemented

C. Users may have unauthorized access to originate, modify or delete data

D. Specific user accountability cannot be established

Answer: C


Without a policy defining who is responsible for granting access to specific data or systems, there is an increased risk that someone gains access to originate, modify or delete data without a justified business need. With appropriate ownership in place, access decisions are made by someone accountable for the data, and business objectives are more likely to be properly supported.

Answer: A, B, and D are incorrect. These are also consequences of poorly defined ownership, but they are not as significant as unauthorized access to data.


Q106.  - (Topic 4)

How are the potential choices of risk-based decisions represented in decision tree analysis?

A. End node

B. Root node

C. Event node

D. Decision node

Answer: D


The potential choices of risk-based decisions are represented in decision tree analysis by decision nodes, since a decision node lists the options available to the decision maker.

Answer: B is incorrect. The root node is simply the starting point of the decision tree.

Answer: A is incorrect. End nodes are the final outcomes of the decision tree, particularly in multilayered decision-making situations.

Answer: C is incorrect. Event nodes represent the possible uncertain outcomes of a decision, not the available choices.
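To make the three node types concrete, here is an added example (not from the original page) that folds a small decision tree back to the expected monetary value of each choice. The tree, which pits re-architecting an ageing system against patching it, and every probability and payoff in it are constructed for illustration.

```python
"""Decision tree analysis with its node types: a decision node holds the
available choices, an event (chance) node holds uncertain outcomes with their
probabilities, and an end node holds a final payoff. Folding the tree back
from the end nodes gives the expected monetary value (EMV) of each choice.

Added example; the tree (re-architect versus patch an ageing system) and every
figure in it are constructed for illustration, not taken from any source.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Union


@dataclass
class EndNode:
    value: float  # final payoff of this path


@dataclass
class EventNode:
    # Uncertain outcomes the decision maker does not control: (label, probability, child).
    outcomes: list[tuple[str, float, "Node"]]


@dataclass
class DecisionNode:
    # Choices available to the decision maker: (label, cost of taking it, child).
    choices: list[tuple[str, float, "Node"]]


Node = Union[EndNode, EventNode, DecisionNode]


def emv(node: Node) -> float:
    """Fold the tree back: expectation at event nodes, best option at decision nodes."""
    if isinstance(node, EndNode):
        return node.value
    if isinstance(node, EventNode):
        total = sum(p for _, p, _ in node.outcomes)
        if abs(total - 1.0) > 1e-9:  # failure mode: branches must be exhaustive
            raise ValueError(f"outcome probabilities sum to {total}, not 1")
        return sum(p * emv(child) for _, p, child in node.outcomes)
    return max(emv(child) - cost for _, cost, child in node.choices)


def best_choice(node: DecisionNode) -> tuple[str, float]:
    """Return (label, EMV) of the choice a rational decision maker would take."""
    scored = [(label, emv(child) - cost) for label, cost, child in node.choices]
    return max(scored, key=lambda item: item[1])


# Constructed sample tree: the root is a decision node with two choices; each
# leads to an event node whose branches end in payoffs (all figures invented).
SAMPLE_TREE = DecisionNode(choices=[
    ("re-architect", 120.0, EventNode(outcomes=[
        ("delivered on time", 0.7, EndNode(300.0)),
        ("overruns", 0.3, EndNode(50.0)),
    ])),
    ("patch existing", 50.0, EventNode(outcomes=[
        ("holds up", 0.4, EndNode(200.0)),
        ("capacity ceiling hit", 0.6, EndNode(100.0)),
    ])),
])

if __name__ == "__main__":
    label, value = best_choice(SAMPLE_TREE)
    print(f"best choice: {label} (EMV {value:.1f})")
```

The re-architect branch is worth 0.7 x 300 + 0.3 x 50 - 120 = 105, the patch branch 0.4 x 200 + 0.6 x 100 - 50 = 90, so the decision node resolves to re-architect. An event node whose probabilities do not sum to one is rejected, which catches the common modelling slip of leaving an outcome out.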

Q107.  - (Topic 4)

Which of the following come under the management class of controls? Each correct answer represents a complete solution. Choose all that apply.

A. Risk assessment control

B. Audit and accountability control

C. Program management control

D. Identification and authentication control

Answer: A,C


The management class of controls (the class designations used in NIST SP 800-53 up to Revision 3, which also defines the operational and technical classes) includes five families, which together contain over 40 individual controls. The families in the management class are:

Certification, Accreditation, and Security Assessment (CA): This family addresses the steps to implement a security assessment and authorization program. It includes controls to ensure only authorized systems are connected to the network, and it covers important security concepts such as continuous monitoring and a plan of action and milestones.

Planning (PL): The PL family focuses on security plans for systems. It also covers rules of behaviour for users; rules of behaviour are also called an acceptable use policy.

Risk Assessment (RA): This family provides details on risk assessments and vulnerability scanning.

System and Services Acquisition (SA): The SA family includes controls related to the purchase of products and services. It also includes controls related to software usage and user-installed software.

Program Management (PM): This family is driven by the Federal Information Security Management Act (FISMA) and provides controls to ensure compliance with FISMA. These controls complement the other controls; they do not replace them.

Answer: B and D are incorrect. Identification and Authentication (IA) and Audit and Accountability (AU) are families in the technical class of controls.

Q108.  - (Topic 3)

You are the project manager of the GHT project. Your hardware vendor left you a voicemail saying that the delivery of the equipment you have ordered will not arrive on time. You identified a risk response strategy for this risk and have arranged for a local company to lease you the needed equipment until yours arrives. This is an example of which risk response strategy?

A. Avoid

B. Transfer

C. Acceptance

D. Mitigate

Answer: D


Mitigation attempts to reduce the probability of a risk event, its impact if it occurs, or both. Arranging in advance for leased equipment reduces the consequences of the late delivery, so this response is mitigation.

Answer: B is incorrect. Risk transfer means that the impact of a risk is reduced by transferring or otherwise sharing a portion of the risk with an external organization or another internal entity. Transfer can take many forms but is most effective for financial risk; insurance is one form of risk transfer. Here the project still bears the consequences of the delay, so no transfer has taken place.

Answer: C is incorrect. Risk acceptance means that no action is taken relative to a particular risk; the loss is accepted if it occurs. If an enterprise adopts risk acceptance, it should carefully consider who is allowed to accept the risk: risk should be accepted only by senior management, in relationship with the board. There are two forms of acceptance, passive and active.

Passive acceptance means that the enterprise has made no plan to avoid or mitigate the risk but is willing to accept its consequences.

Active acceptance might include developing contingency plans and reserves to deal with the risk.

Answer: A is incorrect. Risk avoidance means evading the risk altogether: eliminating the cause of the risk event, or changing the project plan to protect the project objectives from it. Avoidance is applied when the level of risk, even after applying controls, would be greater than the enterprise's risk tolerance. It is therefore adopted when:

There is no other cost-effective response that can successfully reduce the likelihood and magnitude below the defined thresholds for risk appetite.

The risk cannot be shared or transferred.

The risk is deemed unacceptable by management.

Q109.  - (Topic 4)

If one says that a particular control or monitoring tool is sustainable, what ability does this refer to?

A. The ability to adapt as new elements are added to the environment

B. The ability to ensure the control remains in place when it fails

C. The ability to protect itself from exploitation or attack

D. The ability to be applied in same manner throughout the organization

Answer: A


Sustainability of a control or monitoring tool refers to its ability to keep functioning as expected over time and as changes are made to the environment, such as new elements being added.

Answer: D is incorrect. Applying a control in the same manner throughout the organization describes consistency of application, not sustainability.

Answer: B is incorrect. Sustainability means the control adapts as conditions change so that it does not fail; a control that has already failed is no longer in place, so this is not a valid answer.

Answer: C is incorrect. The ability of a control to protect itself from exploitation or attack describes its resistance to attack, not whether it keeps working as the environment changes.

Q110.  - (Topic 2)

Suppose you are working at Techmart Inc., which sells various products through its website. Due to some recent losses, you are trying to identify the most important risks to the website. Based on feedback from several experts, you have come up with a list and now want to prioritize these risks. In which category would you put the risk concerning modification of the website by unauthorized parties?

A. Ping Flooding Attack

B. Web defacing

C. Denial of service attack

D. FTP Bounce Attack

Answer: B


Website defacement is an attack in which an unauthorized party changes the content or visual appearance of a site or a web page. It is typically the work of attackers who break into the web server and replace the hosted pages with their own.

Answer: D is incorrect. The FTP bounce attack abuses the FTP PORT command so that the FTP server opens a data connection to a host and port of the attacker's choosing. Because the connection originates from the FTP server, it can slip past firewalls that trust that server, letting the attacker scan or reach internal hosts, or have a previously uploaded file (which may carry malicious software or a script that ties up the target's memory and CPU) delivered to an internal server.

Answer: A is incorrect. Ping flooding is the extreme of sending thousands or millions of ICMP echo requests per second; it can slow the target system or take an entire site down.

Answer: C is incorrect. A denial-of-service (DoS) attack is an attempt to make a computer or network resource unavailable to its intended users. One common method involves saturating the target machine with external communication requests so that it cannot respond to legitimate traffic, or responds so slowly as to be rendered effectively unavailable. Neither a DoS attack nor a ping flood modifies the site's content.
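Since defacement is by definition an unauthorized change to served content, the practical control is to detect that change. The block below is an added example (not from the original page) of a baseline-and-compare check over a web root: every file is hashed, the baseline is HMAC-signed so an attacker with write access to the web root cannot simply re-baseline their own content, and any modified, added or deleted file is reported. The web root is a temporary directory filled with constructed sample files, the simulated defacement is constructed, and the signing key is a placeholder; in practice the key and the baseline are kept off the web server.

```python
"""Detecting web defacement: compare a web root against a stored SHA-256
baseline so that any modified, added or deleted file is reported. The baseline
is HMAC-signed, because an attacker who can write to the web root could
otherwise rewrite the baseline to match the defaced content.

Added example, not from the original page. The web root is a temporary
directory filled with constructed sample files, and the signing key is a
placeholder; in practice the key and the baseline live off the web server.
"""
from __future__ import annotations

import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(web_root: Path) -> dict[str, str]:
    """Map each regular file (relative POSIX path) under web_root to its SHA-256."""
    return {
        p.relative_to(web_root).as_posix(): hash_file(p)
        for p in sorted(web_root.rglob("*"))
        if p.is_file() and not p.is_symlink()
    }


def sign_baseline(baseline: dict[str, str], key: bytes) -> bytes:
    body = json.dumps(baseline, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return json.dumps({"baseline": baseline, "hmac": tag}, sort_keys=True).encode()


def load_baseline(blob: bytes, key: bytes) -> dict[str, str]:
    """Reject a baseline whose HMAC does not verify (tampered or wrong key)."""
    doc = json.loads(blob)
    body = json.dumps(doc["baseline"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, doc["hmac"]):
        raise ValueError("baseline integrity check failed")
    return doc["baseline"]


def detect_changes(web_root: Path, baseline: dict[str, str]) -> dict[str, list[str]]:
    """Any difference from the baseline is a finding to investigate."""
    current = build_baseline(web_root)
    return {
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
        "added": sorted(set(current) - set(baseline)),   # e.g. a dropped script
        "deleted": sorted(set(baseline) - set(current)),
    }


def demo() -> dict[str, list[str]]:
    """Build a baseline, simulate a defacement, and return what the check reports."""
    key = b"placeholder-key-kept-off-the-web-server"  # assumption, see docstring
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "css").mkdir()
        (root / "index.html").write_text("<h1>Techmart</h1>")        # constructed
        (root / "css" / "site.css").write_text("body { margin: 0 }")  # constructed
        blob = sign_baseline(build_baseline(root), key)
        # Simulated defacement: home page replaced, a file dropped, a file removed.
        (root / "index.html").write_text("<h1>owned</h1>")
        (root / "dropped.php").write_text("<?php /* attacker-placed file */ ?>")
        (root / "css" / "site.css").unlink()
        return detect_changes(root, load_baseline(blob, key))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The check reports index.html as modified, dropped.php as added and css/site.css as deleted. It is deliberately content-agnostic: it does not try to recognise "hacked by" banners, because an attacker who replaces the page with a convincing phishing copy is still a defacement, and any unreviewed change to a static web root is a finding regardless of what it looks like. Legitimate deployments must re-sign the baseline, which is also the point at which someone with the off-host key reviews what changed.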
