Our Isaca CRISC practice questions and answers are composed in substantial standards regarding technical accuracy. Actualtests provides you with CRISC exam questions using verified and corrected answers which reflect the Isaca CRISC exam syllabus. Our own chief purpose: spend much less money and have more valuable Isaca Isaca certification study components for our customers. Comparing with other vendor from the market, you can find our value is affordable and products helpful. Acquire certified and download Isaca CRISC braindumps in your computer right now! All of us keep presenting totally free updated Isaca study components since the actual date of acquire. Our team will be at your command should you encounter a number of difficulties. Retain visiting our site so that you can keep abreast of the availability with the Isaca CRISC updates.
2021 Nov CRISC download
Q91. - (Topic 1)
Which of the following controls is an example of non-technical controls?
A. Access control
B. Physical security
C. Intrusion detection system
Physical security is an example of non-technical control. It comes under the family of operational controls.
Answer: C, A, and D are incorrect. Intrusion detection system, access control, and encryption are the safeguards that are incorporated into computer hardware, software or firmware, hence they refer to as technical controls.
Q92. - (Topic 1)
Your project team has completed the quantitative risk analysis for your project work. Based on their findings, they need to update the risk register with several pieces of information. Which one of the following components is likely to be updated in the risk register based on their analysis?
A. Listing of risk responses
B. Risk ranking matrix
C. Listing of prioritized risks
D. Qualitative analysis outcomes
The outcome of quantitative analysis can create a listing of prioritized risks that should be updated in the risk register. The project team will create and update the risk register with fourkey components: probabilistic analysis of the project, probability of achieving time and cost objectives, list of quantified risks, and trends in quantitative risk analysis.
Answer: D, B, and A are incorrect. These subjects are not updated in the risk register as a result of quantitative risk analysis.
Q93. - (Topic 2)
Which of the following are external risk factors?
Each correct answer represents a complete solution. Choose three.
A. Geopolitical situation
B. Complexity of the enterprise
These three are external risk factors as they lie outside the enterprise's control.
Answer: B is incorrect. This includes geographic spread and value chain coverage (for example, in a manufacturing environment). That is why it is internal risk factor.
Q94. - (Topic 3)
You are the project manager of the QPS project. You and your project team have identified a pure risk. You along with the key stakeholders, decided to remove the pure risk from the project by changing the project plan altogether. What is a pure risk?
A. It is a risk event that only has a negative side and not any positive result.
B. It is a risk event that is created by the application of risk response.
C. It is a risk event that is generated due to errors or omission in the project work.
D. It is a risk event that cannot be avoided because of the order of the work.
A pure risk has only a negative effect on the project. Pure risks are activities that are dangerous to complete and manage such as construction, electrical work, or manufacturing. It is a class of risk in which loss is the only probable result and there is no positive result.
Pure risk is associated to the events that are outside the risk-taker's control.
Answer:D is incorrect. This in not valid definition of pure risk.
Answer:B is incorrect. The risk event created by the application of risk response is called secondary risk.
Answer:C is incorrect. A risk event that is generated due to errors or omission in the project work is not necessarily pure risk.
Q95. - (Topic 1)
What are the requirements of monitoring risk?
Each correct answer represents a part of the solution. Choose three.
A. Information of various stakeholders
B. Preparation of detailed monitoring plan
C. Identifying the risk to be monitored
D. Defining the project's scope
It is important to first understand the risk to be monitored, prepare a detailed plan and define the project's scope for monitoring risk. In the case of a monitoring project, this step should involve process owners, data owners, system custodians and other process stakeholders.
Answer: A is incorrect. Data regarding stakeholders of the project is not required in any phase of risk monitoring.
Up to the immediate present CRISC practice test:
Q96. - (Topic 1)
You are the project manager of the GHY Project for your company. You need to complete a project management process that will be on the lookout for new risks, changing risks, and risks that are now outdated. Which project management process is responsible for these actions?
A. Risk planning
B. Risk monitoring and controlling
C. Risk identification
D. Risk analysis
The risk monitoring and controlling is responsible for identifying new risks, determining the status of risks that may have changed, and determining which risks may be outdated in the project.
Answer: C is incorrect. Risk identification is a process that identifies risk events in the project.
Answer: A is incorrect. Risk planning creates the risk management plan and determines how risks will be identified, analyzed, monitored and controlled, and responded to.
Answer: D is incorrect. Risk analysis helps determine the severity of the risk events, the risks' priority, and the probability and impact of risks.
Q97. - (Topic 3)
Which of the following is the best reason for performing risk assessment?
A. To determine the present state of risk
B. To analyze the effect on the business
C. To satisfy regulatory requirements
D. To budget appropriately for the application of various controls
Risk assessment is a process of analyzing the identified risk, both quantitatively and qualitatively. Quantitative risk assessment requires calculations of two components of risk, the magnitude of the potential loss, and the probability that the loss will occur. While qualitatively risk assessment checks the severity of risk. Hence risk assessment helps in determining the present state of the risk.
Answer:D is incorrect. Budgeting appropriately is one the results of risk assessment but is not the reason for performing the risk assessment.
Answer:B is incorrect. Analyzing the effect of risk on an enterprise is the part of the process
while performing risk assessment, but is not the reason for doing it.
Answer:C is incorrect. Performing risk assessment may satisfy the regulatory requirements, but is not the reason to perform risk assessment.
Q98. - (Topic 3)
Which of the following are the common mistakes while implementing KRIs? Each correct answer represents a complete solution. Choose three.
A. Choosing KRIs that are difficult to measure
B. Choosing KRIs that has high correlation with the risk
C. Choosing KRIs that are incomplete or inaccurate due to unclear specifications
D. Choosing KRIs that are not linked to specific risk
A common mistake when implementing KRIs other than selecting too many KRIs includes choosing KRIs that are:
Not linked to specific risk
Incomplete or inaccurate due to unclear specifications Too generic
Difficult to aggregate, compare and interpret Difficult to measure
Answer:B is incorrect. For ensuring high reliability of the KRI, The indicator must possess a high correlation with the risk and be a good predictor or outcome measure. Hence KRIs are chosen that has high correlation with the risk.
Q99. - (Topic 1)
Which of the following statements are true for enterprise's risk management capability maturity level 3 ?
A. Workflow tools are used to accelerate risk issues and track decisions
B. The business knows how IT fits in the enterprise risk universe and the risk portfolio view
C. The enterprise formally requires continuous improvement of risk management skills, based on clearly defined personal and enterprise goals
D. Risk management is viewed as a business issue, and both the drawbacks and benefits of risk are recognized
An enterprise's risk management capability maturity level is 3 when:
Risk management is viewed as a business issue, and both the drawbacks and benefits of risk are recognized.
There is a selected leader for risk management, engaged with the enterprise risk committee, across the enterprise.
The business knows how IT fits in the enterprise risk universe and the risk portfolio view. Local tolerances drive the enterprise risk tolerance.
Risk management activities are being aligned across the enterprise. Formal risk categories are identified and described in clear terms.
Situations and scenarios are included in risk awareness training beyond specific policy and structures and promote a common language for communicating risk.
Defined requirements exist for a centralized inventory of risk issues. Workflow tools are used to accelerate risk issues and track decisions.
Answer: C is incorrect. Enterprise having risk management capability maturity level 5 requires continuous improvement of risk management skills, based on clearly defined personal and enterprise goals.
Q100. - (Topic 1)
What type of policy would an organization use to forbid its employees from using organizational e-mail for personal use?
A. Anti-harassment policy
B. Acceptable use policy
C. Intellectual property policy
An acceptable use policy is a set of rules applied by the owner/manager of a network, website or large computer system that restrict the ways in which the network site or system may be used. Acceptable Use Policies are an integral part of the framework of information security policies.
Answer: C and A are incorrect. These two policies are not related to Information system security.
see more CRISC dumps