Finding Renewal CRISC testing software

Proper study guides for the up-to-date Isaca Certified in Risk and Information Systems Control certification begin with Isaca CRISC preparation products, which are designed to deliver the actual CRISC questions and help you pass the CRISC test on your first attempt. Try the free CRISC demo right now.

2021 Jan CRISC answers

Q51.  - (Topic 1)

What are the two MAJOR factors to be considered while deciding risk appetite level? Each correct answer represents a part of the solution. Choose two.

A. The amount of loss the enterprise wants to accept

B. Alignment with risk-culture

C. Risk-aware decisions

D. The capacity of the enterprise's objective to absorb loss.

Answer: A,D


Risk appetite is the amount of risk a company or other entity is willing to accept in pursuit of its mission. It is the board's responsibility to decide the risk appetite of an enterprise. When considering the risk appetite levels for the enterprise, the following two major factors should be taken into account:

The enterprise's objective capacity to absorb loss, e.g., financial loss, reputation damage, etc.

The culture towards risk taking, whether cautious or aggressive. In other words, the amount of loss the enterprise wants to accept in pursuit of its objectives.

Answer: B is incorrect. Alignment with risk-culture is also one of the factors but is not as important as these two.

Answer: C is incorrect. A risk-aware decision is not a factor; it is the result that uses risk appetite information as its input.

Q52.  - (Topic 3)

Which of the following is the BEST defense against successful phishing attacks?

A. Intrusion detection system

B. Application hardening

C. End-user awareness

D. Spam filters

Answer: C


Phishing is a way of attempting to acquire information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity in an electronic communication. Phishing attacks are a type of social engineering attack and are best defended against by end-user awareness training.

Answer: B is incorrect. Application hardening does not protect against phishing attacks, since phishing attacks generally use e-mail as the attack vector, with the end user as the vulnerable point rather than the application.

Answer: D is incorrect. Certain highly specialized spam filters can reduce the number of phishing e-mails that reach users' inboxes, but they are not as effective in addressing phishing attacks as end-user awareness.

Answer: A is incorrect. An intrusion detection system does not protect against phishing attacks, since phishing attacks usually do not have a particular pattern or unique signature.

Q53.  - (Topic 3)

What are the PRIMARY objectives of a control?

A. Detect, recover, and attack

B. Prevent, respond, and log

C. Prevent, control, and attack

D. Prevent, recover, and detect

Answer: D


Controls are the policies, procedures, practices and guidelines designed to provide appropriate assurance that business objectives are achieved and undesired events are detected, prevented, and corrected. Controls, or countermeasures, will reduce or neutralize threats or vulnerabilities.

Controls have three primary objectives: prevent, detect, and recover.

Answer: C, B, and A are incorrect. One or more of the objectives stated in these choices is not a correct objective of a control.

Q54.  - (Topic 2)

You are the project manager for BlueWell Inc. You have noticed that the risk level in your project has increased above the risk tolerance level of your enterprise. You have applied several risk responses. Now you have to update the risk register in accordance with the risk response process. All of the following are included in the risk register except for which item?

A. Risk triggers

B. Agreed-upon response strategies

C. Network diagram analysis of critical path activities

D. Risk owners and their responsibility

Answer: C


The risk register does not examine the network diagram and the critical path. There may be risks associated with the activities on the network diagram, but it does not address the network diagram directly.

The risk register is updated at the end of the plan risk response process with the information that was discovered during the process. The response plans are recorded in the risk register. In the risk register, risks are stated in order of priority, i.e., those with the highest potential for threat or opportunity first. Some risks might not require response plans at all, but even then they should be put on a watch list and monitored throughout the project. The following elements should appear in the risk register:

List of identified risks, including their descriptions, root causes, and how the risks impact the project objectives

Risk owners and their responsibility

Outputs from the Perform Qualitative Analysis process

Agreed-upon response strategies

Risk triggers

Cost and schedule activities needed to implement risk responses

Contingency plans

Fallback plans, which are risk response plans that are executed when the initial risk response plan proves to be ineffective

Contingency reserves

Residual risk, which is the leftover risk that remains after the risk response strategy has been implemented

Secondary risks, which are risks that come about as a result of implementing a risk response

Q55.  - (Topic 1)

Which of the following BEST describes the utility of a risk?

A. The finance incentive behind the risk

B. The potential opportunity of the risk

C. The mechanics of how a risk works

D. The usefulness of the risk to individuals or groups

Answer: D


The utility of a risk describes the usefulness of a particular risk to an individual. Moreover, the same risk can be utilized by two individuals in different ways. Financial outcomes are one of the methods for measuring the potential value of taking a risk. For example, if the individual's economic wealth increases, the potential utility of the risk will decrease.

Answer: C is incorrect. It is not the valid definition.

Answer: A is incorrect. Determining the financial incentive is one of the methods to measure the potential value of taking a risk, but it is not the valid definition of the utility of a risk.

Answer: B is incorrect. It is not the valid definition.


Q56.  - (Topic 1)

You are the project manager of the GHT project. You have planned the risk response process and now you are about to implement various controls. What should you do before relying on any of the controls?

A. Review performance data

B. Discover risk exposure

C. Conduct pilot testing

D. Articulate risk

Answer: A,C


Pilot testing and reviewing performance data to verify operation against the design are done before relying on a control.

Answer: D is incorrect. Articulating risk is the first phase in the risk response process; it ensures that information on the true state of exposures and opportunities is made available in a timely manner and to the right people for an appropriate response. But it does not play any role in identifying whether any specific control is reliable or not.

Answer: B is incorrect. Discovering risk exposure helps in identifying the severity of a risk, but it does not play any role in establishing the reliability of a control.

Q57.  - (Topic 4)

Qualitative risk assessment uses which of the following terms for evaluating risk level? Each correct answer represents a part of the solution. Choose two.

A. Impact

B. Annual rate of occurrence

C. Probability

D. Single loss expectancy

Answer: A,C


Unlike quantitative risk assessment, qualitative risk assessment does not assign dollar values. Rather, it determines a risk's level based on the probability and impact of the risk. These values are determined by gathering the opinions of experts.

Probability: establishing the likelihood of occurrence and reoccurrence of specific risks, independently and combined. A risk occurs when a threat exploits a vulnerability. A scale is defined for the probability that a risk will occur. The scale can be based on word values such as Low, Medium, or High. Percentages can also be assigned to these words, such as 10% to Low and 90% to High.

Impact: impact is used to identify the magnitude of identified risks. The risk leads to some type of loss. However, instead of quantifying the loss as a dollar value, an impact assessment could use words such as Low, Medium, or High. Impact is expressed as a relative value. For example, Low could be 10, Medium could be 50, and High could be 100.

Risk level = Probability * Impact

Answer: D and B are incorrect. These are used for calculating the annual loss expectancy (ALE) in quantitative risk assessment. The formula is given as follows:


Q58.  - (Topic 2)

What is the PRIMARY objective difference between an internal and an external risk management assessment reviewer?

A. In quality of work

B. In ease of access

C. In profession

D. In independence

Answer: D


Independence is freedom from conflict of interest and undue influence. By the mere fact that external auditors belong to a different entity, their level of independence is higher than that of a reviewer inside the entity for which they are performing the review. Independence is directly linked to objectivity.

Answer: C, A, and B are incorrect. All of these choices vary subjectively.

Q59.  - (Topic 1)

You are the project manager of the HGT project, which has recently finished the final compilation process. The project customer has signed off on the project completion and you have to do a few administrative closure activities. In the project, there were several large risks that could have wrecked the project, but you and your project team found some new methods to resolve the risks without affecting the project costs or project completion date. What should you do with the risk responses that you identified during the project's monitoring and controlling process?

A. Include the responses in the project management plan.

B. Include the risk responses in the risk management plan.

C. Include the risk responses in the organization's lessons learned database.

D. Nothing. The risk responses are included in the project's risk register already.

Answer: C


Risk responses that did not exist until then should be included in the organization's lessons learned database so that other project managers can use these responses in their projects if relevant.

Answer: D is incorrect. If the new responses that were identified are only included in the project's risk register, they may not be shared with project managers working on other projects.

Answer: A is incorrect. The responses are not in the project management plan but in the risk response plan during the project, and they will be entered into the organization's lessons learned database.

Answer: B is incorrect. The risk responses are included in the risk response plan, but after completing the project, they should be entered into the organization's lessons learned database.

Q60.  - (Topic 2)

Which of the following characteristics of risk controls answers the following question about a control: "Will it continue to function as expressed over time and adapt as changes or new elements are introduced to the environment?"

A. Reliability

B. Sustainability

C. Consistency

D. Distinct

Answer: B


Sustainability ensures that the control continues to function as expressed over time and adapts as changes or new elements are introduced to the environment.

Answer: C is incorrect. The consistency characteristic of a control tells whether the control can be applied in the same manner across the organization.

Answer: A is incorrect. The reliability of a control ensures that it will serve its purpose under multiple circumstances.

Answer: D is incorrect. A control or countermeasure that does not overlap in its performance with another control or countermeasure is considered distinct. Hence, "distinct" refers to the separation of controls in the production environment rather than the separation in the design and implementation of the risk.
