Tips to Pass CRISC Exam (81 to 90)

Proper study guides for Replace Isaca Certified in Risk and Information Systems Control certified begins with Isaca CRISC preparation products which designed to deliver the Realistic CRISC questions by making you pass the CRISC test at your first time. Try the free CRISC demo right now.

2021 Feb CRISC exam fees

Q81.  - (Topic 2)

What are the various outputs of risk response?

A. Risk Priority Number

B. Residual risk

C. Risk register updates

D. Project management plan and Project document updates

E. Risk-related contract decisions

Answer: C,D,E


The outputs of the risk response planning process are:

Risk Register Updates: The risk register is written in detail so that it can be related to the priority ranking and the planned response.

Risk Related Contract Decisions: Risk related contract decisions are the decisions to transmit risk, such as services, agreements for insurance, and other items as required. It provides a means for sharing risks.

Project Management Plan Updates: Some of the elements of the project management plan updates are:

Schedule management plan Cost management plan Quality management plan

Procurement management plan Human resource management plan Work breakdown structure Schedule baseline

Cost performance baseline

Project Document Updates: Some of the project documents that can be updated includes: Assumption log updates

Technical documentation updates

Answer: B is incorrect. Residual risk is not an output of risk response. Residual risk is the risk that remains after applying controls. It is not feasible to eliminate all risks from an organization. Instead, measures can be taken to reduce risk to an acceptable level. The risk that is left is residual risk.


Risk = Threat Vulnerabilityand

Total risk = Threat Vulnerability Asset Value

Residual risk can be calculated with the following formula: Residual Risk = Total Risk - Controls

Senior management is responsible for any losses due to residual risk. They decide whether a risk should be avoided, transferred, mitigated or accepted. They also decide what controls to implement. Any loss due to their decisions falls on their sides.

Residual risk assessments are conducted after mitigation to determine the impact of the risk on the enterprise. For risk assessment, the effect and frequency is reassessed and the impact is recalculated.

Answer: A is incorrect. Risk priority number is not an output for risk response but instead it is done before applying response. Hence it act as one of the inputs of risk response and is not the output of it.

Q82.  - (Topic 3)

You are elected as the project manager of GHT project. You are in project initialization phase and are busy in defining requirements for your project. While defining requirements you are describing how users will interact with a system. Which of the following requirements are you defining here?

A. Technical requirement

B. Project requirement

C. Functional requirement

D. Business requirement

Answer: C


While defining requirements, there is need to define three requirements of the project- Business requirement, Functional requirement, and

Technical requirement

Functional requirements and use case models describe how users will interact with a system. Therefore here in this stem you are defining the functional requirement of the project.

Answer:D is incorrect. Business requirements contain descriptions of what a system should do.

Answer:A is incorrect. Technical requirements and design specifications and coding specifications describe how the system will interact, conditions under which the system will operate and the information criteria the system should meet.

Answer:B is incorrect. Business requirement, Functional requirement, and Technical requirement come under project requirement. In this stem it is particular defining the functional requirement, hence this is not the best answer.

Q83.  - (Topic 1)

Which of the following are the principles of access controls?

Each correct answer represents a complete solution. Choose three.

A. Confidentiality

B. Availability

C. Reliability

D. Integrity

Answer: A,B,D


The principles of access controls focus on availability, integrity, and confidentiality, as loss or danger is directly related to these three:

Loss of confidentiality- Someone sees a password or a company's secret formula, this is referred to as loss of confidentiality.

Loss of integrity- An e-mail message is modified in transit, a virus infects a file, or someone makes unauthorized changes to a Web site is referred to as loss of integrity.

Loss of availability- An e-mail server is down and no one has e-mail access, or a file server is down so data files aren't available comes under loss of availability.

Q84.  - (Topic 4)

Which of the following is NOT true for Key Risk Indicators?

A. They are selected as the prime monitoring indicators for the enterprise

B. They help avoid having to manage and report on an excessively large number of risk indicators

C. The complete set of KRIs should also balance indicators for risk, root causes and business impact.

D. They are monitored annually

Answer: D


They are monitored on regular basis as they indicate high probability and high impact risks. As risks change over time, hence KRIs should also be monitored regularly for its effectiveness on these changing risks.

Answer:A, B, and C are incorrect. These all are true for KRIs. Key Risk Indicators are the prime monitoring indicators of the enterprise. KRIs are highly relevant and possess a high probability of predicting or indicating important risk. KRIs help in avoiding excessively large number of risk indicators to manage and report that a large enterprise may have.

The complete set of KRIs should also balance indicators for risk, root causes and business impact, so as to indicate the risk and its impact completely.

Q85.  - (Topic 2)

Beth is a project team member on the JHG Project. Beth has added extra features to the project and this has introduced new risks to the project work. The project manager of the JHG project elects to remove the features Beth has added. The process of removing the extra features to remove the risks is called what?

A. Detective control

B. Preventive control

C. Corrective control

D. Scope creep

Answer: B


This is an example of a preventive control as the problem is not yet occurred, only it is detected and are accounted for. By removing the scope items from the project work, the project manager is aiming to remove the added risk events, hence it is a preventive control. Preventive control is a type of internal control that is used to avoid undesirable events, errors and other occurrences, which an organization has determined could have a negative material effect on a process or end product.

Answer: C is incorrect. Corrective actions are steps to bring the future performance of the project work in line with the project management plan. These controls make effort to reduce the impact of a threat from problems discovered by detective controls. They first identify thecause of the problems, then take corrective measures and modify the systems to minimize the future occurrences of the problem. Hence an incident should take place before corrective controls come in action.

Answer: A is incorrect. Detective controls simply detect and report on the occurrence of problems. They identify specific symptoms to potential problems.

Answer: D is incorrect. Scope creep refers to small undocumented changes to the project scope.

Renovate CRISC testing engine:

Q86.  - (Topic 2)

Thomas is a key stakeholder in your project. Thomas has requested several changes to the project scope for the project you are managing.

Upon review of the proposed changes, you have discovered that these new requirements are laden with risks and you recommend to the change control board that the changes be excluded from the project scope. The change control board agrees with you. What component of the change control system communicates the approval or denial of a proposed change request?

A. Configuration management system

B. Integrated change control

C. Change log

D. Scope change control system

Answer: B


Integrated change control is responsible for facilitating, documenting, and dispersing information on a proposed change to the project scope.

Integrated change control is a way to manage the changes incurred during a project. It is a method that manages reviewing the suggestions for changes and utilizing the tools and techniques to evaluate whether the change should be approved or rejected. Integrated change control is a primary component of the project's change control system that examines the affect of a proposed change on the entire project.

Answer: D is incorrect. The scope change control system controls changes that are permitted to the project scope.

Answer: A is incorrect. The configuration management system controls and documents changes to the project's product

Answer: C is incorrect. The change log documents approved changes in the project scope.

Q87.  - (Topic 4)

In which of the following conditions business units tend to point the finger at IT when projects are not delivered on time?

A. Threat identification in project

B. System failure

C. Misalignment between real risk appetite and translation into policies

D. Existence of a blame culture

Answer: D


In a blame culture, business units tend to point the finger at IT when projects are not delivered on time or do not meet expectations. In doing so, they fail to realize how the business unit's involvement up front affects project success. In extreme cases, the business unit may assign blame for a failure to meet the expectations that the unit never clearly communicated.

Answer:B, C, and A are incorrect. These are not relevant to the pointing of finger at IT when projects are not delivered on time.

Q88.  - (Topic 2)

You are the risk professional in Bluewell Inc. A risk is identified and enterprise wants to quickly implement control by applying technical solution that deviates from the company's policies. What you should do?

A. Recommend against implementation because it violates the company's policies

B. Recommend revision of the current policy

C. Recommend a risk assessment and subsequent implementation only if residual risk is accepted

D. Conduct a risk assessment and allow or disallow based on the outcome

Answer: C


If it is necessary to quickly implement control by applying technical solution that deviates from the company's policies, then risk assessment should be conducted to clarify the risk. It is up to the management to accept the risk or to mitigate it.

Answer: D is incorrect. Risk professional can only recommend the risk assessment if the company's policies is violating, but it can only be conducted when the management allows. 

Answer: A is incorrect. As in this case it is important to mitigate the risk, hence risk professional should once recommend a risk assessment. Though the decision for the conduction of risk assessment in case of violation of company's policy, is taken by management.

Answer: B is incorrect. The recommendation to revise the current policy should not be triggered by a single request.

Q89.  - (Topic 1)

You and your project team are identifying the risks that may exist within your project. Some of the risks are small risks that won't affect your project much if they happen. What should you do with these identified risk events?

A. These risks can be dismissed.

B. These risks can be accepted.

C. These risks can be added to a low priority risk watch list.

D. All risks must have a valid, documented risk response.

Answer: C


Low-impact, low-probability risks can be added to the low priority risk watch list.

Answer: B is incorrect. While these risks may be accepted, they should be documented on the low priority risk watch list. This list will be periodically reviewed and the status of the risks may change.

Answer: A is incorrect. These risks are not dismissed; they are still documented on the low priority risk watch list.

Answer: D is incorrect. Not every risk demands a risk response, so this choice is incorrect.

Q90.  - (Topic 2)

NIST SP 800-53 identifies controls in three primary classes. What are they?

A. Technical, Administrative, and Environmental

B. Preventative, Detective, and Corrective

C. Technical, Operational, and Management

D. Administrative, Technical, and Operational

Answer: C


NIST SP 800-53 is used to review security in any organization, that is, in reviewing physical

security. The Physical and Environmental Protection family includes 19 different controls. Organizations use these controls for better physical security. These controls are reviewed to determine if they are relevant to a particular organization or not. Many of the controls described include additional references that provide more details on how to implement them. The National Institute of Standards and Technology (NIST) SP 800-53 rev 3 identifies 18 families of controls. It groups these controls into three classes:

Technical Operational Management

see more CRISC dumps