CRISC Exam Question 861
Which of the following is the PRIMARY risk management responsibility of the second line in the three lines model?
Correct Answer: C
The second line of defense in the Three Lines Model plays a risk oversight and monitoring role rather than operational execution.
According to ISACA's CRISC framework:
* The first line (operational management) owns and manages risk and implements controls.
* The second line (risk and compliance functions) provides risk oversight, guidance, and monitoring of risk responses and ensures adherence to policies and frameworks.
* The third line (internal audit) provides independent assurance regarding the overall effectiveness of controls.
Therefore, the primary responsibility of the second line is to monitor and evaluate risk responses implemented by the first line to ensure they are effective and aligned with enterprise risk appetite.
Supporting Extract:
CRISC study notes (Slides 127-134) state:
"The most significant benefit of using the three lines of defense model is that it clarifies essential roles of key stakeholders. The second line of defense provides oversight and monitoring of risk and control activities." Hence, the correct answer is C. Monitoring risk responses.
According to ISACA's CRISC framework:
* The first line (operational management) owns and manages risk and implements controls.
* The second line (risk and compliance functions) provides risk oversight, guidance, and monitoring of risk responses and ensures adherence to policies and frameworks.
* The third line (internal audit) provides independent assurance regarding the overall effectiveness of controls.
Therefore, the primary responsibility of the second line is to monitor and evaluate risk responses implemented by the first line to ensure they are effective and aligned with enterprise risk appetite.
Supporting Extract:
CRISC study notes (Slides 127-134) state:
"The most significant benefit of using the three lines of defense model is that it clarifies essential roles of key stakeholders. The second line of defense provides oversight and monitoring of risk and control activities." Hence, the correct answer is C. Monitoring risk responses.
CRISC Exam Question 862
An organization's stakeholders are unable to agree on appropriate risk responses. Which of the following would be the BEST course of action?
Correct Answer: A
Escalating to senior management is the best course of action when an organization's stakeholders are unable to agree on appropriate risk responses. This is because senior management has the authority and responsibility to make strategic decisions and resolve conflicts regarding risk management. Senior management can also provide guidance and direction on the risk appetite, tolerance, and criteria for the organization, as well as allocate resources and assign roles and responsibilities for risk response. According to the CRISC Review Manual 2022, one of the key risk response techniques is to escalate the risk to senior management when the risk exceeds the acceptable level or when there is a disagreement on the risk response1. According to the CRISC Review Questions, Answers & Explanations Manual 2022, escalating to senior management is the correct answer to this question2.
Identifying a risk transfer option, reassessing risk scenarios, and benchmarking with similar industries are not the best courses of action when an organization's stakeholders are unable to agree on appropriate risk responses. These are possible actions that can be taken as part of the risk response process, but they do not address the underlying issue of stakeholder disagreement. Identifying a risk transfer option can help reduce or share the risk with a third party, such as an insurance company or a vendor, but it may not be suitable or acceptable for all types of risks or stakeholders. Reassessing risk scenarios can help update the risk analysis and evaluation, but it may not change the risk level or the risk response options. Benchmarking with similar industries can help compare the risk performance and practices of the organization with its peers, but it may not reflect the organization's specific needs or risks.
Identifying a risk transfer option, reassessing risk scenarios, and benchmarking with similar industries are not the best courses of action when an organization's stakeholders are unable to agree on appropriate risk responses. These are possible actions that can be taken as part of the risk response process, but they do not address the underlying issue of stakeholder disagreement. Identifying a risk transfer option can help reduce or share the risk with a third party, such as an insurance company or a vendor, but it may not be suitable or acceptable for all types of risks or stakeholders. Reassessing risk scenarios can help update the risk analysis and evaluation, but it may not change the risk level or the risk response options. Benchmarking with similar industries can help compare the risk performance and practices of the organization with its peers, but it may not reflect the organization's specific needs or risks.
CRISC Exam Question 863
Which of the following BEST enables the timely detection of changes in the security control environment?
Correct Answer: A
Understanding the Question:
The question asks which method best enables timely detection of changes in the security control environment.
Analyzing the Options:
A). Control self-assessment (CSA):Allows for continuous monitoring and quick detection of any changes or deficiencies in controls.
B). Log analysis:Useful for detecting security incidents but not as comprehensive as CSA for overall control environment changes.
C). Security control reviews:Typically periodic and might not be as timely.
D). Random sampling checks:Not as systematic or comprehensive as CSA.
Control Self-Assessment (CSA):CSA involves regular, structured evaluations by internal staff to ensure controls are working effectively. It promotes early detection of issues by those directly responsible for the controls.
Timeliness:CSA is an ongoing process, making it more timely in identifying changes compared to periodic reviews or random checks.
References:
CRISC Review Manual, Chapter 3: Risk Response and Reporting, emphasizes the importance of CSA in maintaining and improving control environments.
The question asks which method best enables timely detection of changes in the security control environment.
Analyzing the Options:
A). Control self-assessment (CSA):Allows for continuous monitoring and quick detection of any changes or deficiencies in controls.
B). Log analysis:Useful for detecting security incidents but not as comprehensive as CSA for overall control environment changes.
C). Security control reviews:Typically periodic and might not be as timely.
D). Random sampling checks:Not as systematic or comprehensive as CSA.
Control Self-Assessment (CSA):CSA involves regular, structured evaluations by internal staff to ensure controls are working effectively. It promotes early detection of issues by those directly responsible for the controls.
Timeliness:CSA is an ongoing process, making it more timely in identifying changes compared to periodic reviews or random checks.
References:
CRISC Review Manual, Chapter 3: Risk Response and Reporting, emphasizes the importance of CSA in maintaining and improving control environments.
CRISC Exam Question 864
Which of the following BEST helps to mitigate risk associated with users inputting incorrect data into a system?
Correct Answer: D
The correct answer isDbecauseallowed valuesis the best control to mitigate the risk of users entering incorrect data into a system. Allowed values are an input validation control that restricts entries to predefined acceptable data, preventing invalid or improper inputs at the point of entry.
The other options are less effective:
* A. Sequence checkis useful for detecting missing or duplicate sequence items, but not for general incorrect input values.
* B. Tool tipsmay guide users, but they do not enforce correct input.
* C. User traininghelps reduce errors, but it is weaker than an automated preventive input control.
Exact Extracts supporting the answer:
* "In reviewing transaction data for fraudulent activity the concept of data validation that is MOST likely to be of value to enterprises is reasonableness."
* "To validate data integrity during processing in multiple applications the BEST assurance for maintaining data integrity is provided by range checking."
* "The vulnerability that makes a web application MOST susceptible to a SQL injection attack is inadequate validation of input."
* "The attack that occurs PRIMARILY because user input is not properly validated is cross-site scripting." These extracts support that the strongest mitigation for incorrect user input isinput validation, and among the choices,allowed valuesis the best preventive control.
The other options are less effective:
* A. Sequence checkis useful for detecting missing or duplicate sequence items, but not for general incorrect input values.
* B. Tool tipsmay guide users, but they do not enforce correct input.
* C. User traininghelps reduce errors, but it is weaker than an automated preventive input control.
Exact Extracts supporting the answer:
* "In reviewing transaction data for fraudulent activity the concept of data validation that is MOST likely to be of value to enterprises is reasonableness."
* "To validate data integrity during processing in multiple applications the BEST assurance for maintaining data integrity is provided by range checking."
* "The vulnerability that makes a web application MOST susceptible to a SQL injection attack is inadequate validation of input."
* "The attack that occurs PRIMARILY because user input is not properly validated is cross-site scripting." These extracts support that the strongest mitigation for incorrect user input isinput validation, and among the choices,allowed valuesis the best preventive control.
CRISC Exam Question 865
Which of the following is the BEST way to identify changes to the risk landscape?
Correct Answer: C
The risk landscape is the set of internal and external factors and conditions that may affect the organization's objectives and operations, and create or influence the risks that the organization faces. The risk landscape is dynamic and complex, and it may change over time due to various drivers or events, such as technological innovations, market trends, regulatory changes, customer preferences, competitor actions, environmental issues, etc.
The best way to identify changes to the risk landscape is threat modeling, which is the process of identifying, analyzing, and prioritizing the potential threats or sources of harm that may exploit the vulnerabilities or weaknesses in the organization's assets, processes, or systems, and cause adverse impacts or consequences for the organization. Threat modeling can help the organization to anticipate and prepare for the changes in the risk landscape, and to design and implement appropriate controls or countermeasures to mitigate or prevent the threats.
Threat modeling can be performed using various techniques, such as brainstorming, scenario analysis, attack trees, STRIDE, DREAD, etc. Threat modeling can also be integrated with the risk management process, and aligned with the organization's objectives and risk appetite.
The other options are not the best ways to identify changes to the risk landscape, because they do not provide the same level of proactivity, comprehensiveness, and effectiveness of identifying and addressing the potential threats or sources of harm that may affect the organization.
Internal audit reports are the documents that provide the results and findings of the internal audits that are performed to assess and evaluate the adequacy and effectiveness of the organization's governance, risk management, and control functions. Internal audit reports can provide useful information and recommendations on the current state and performance of the organization, and identify the issues or gaps that need to be addressed or improved, but they are not the best way to identify changes to the risk landscape, because they areusually retrospective and reactive, and they may not cover all the relevant or emerging threats or sources of harm that may affect the organization.
Access reviews are the processes of verifying and validating the access rights and privileges that are granted to the users or entities that interact with the organization's assets, processes, orsystems, and ensuring that they are appropriate and authorized. Access reviews can provide useful information and feedback on the security and compliance of the organization's access management, and identify and revoke any unauthorized or unnecessary access rights or privileges, but they are not the best way to identify changes to the risk landscape, because they are usually periodic and specific, and they may not cover all the relevant or emerging threats or sources of harm that may affect the organization.
Root cause analysis is the process of identifying and understanding the underlying or fundamental causes or factors that contribute to or result in a problem or incident that has occurred or may occur in the organization.
Root cause analysis can provide useful insights and solutions on the origin and nature of the problem or incident, and prevent or reduce its recurrence or impact, but it is not the best way to identify changes to the risk landscape, because it is usually retrospective and reactive, and it may not cover all the relevant or emerging threats or sources of harm that may affect the organization. References = ISACA, CRISC Review Manual, 7th Edition, 2022, pp. 19-20, 23-24, 27-28, 31-32, 40-41, 47-48, 54-55, 58-
59, 62-63
ISACA, CRISC Review Questions, Answers & Explanations Database, 2022, QID 167 CRISC Practice Quiz and Exam Prep
The best way to identify changes to the risk landscape is threat modeling, which is the process of identifying, analyzing, and prioritizing the potential threats or sources of harm that may exploit the vulnerabilities or weaknesses in the organization's assets, processes, or systems, and cause adverse impacts or consequences for the organization. Threat modeling can help the organization to anticipate and prepare for the changes in the risk landscape, and to design and implement appropriate controls or countermeasures to mitigate or prevent the threats.
Threat modeling can be performed using various techniques, such as brainstorming, scenario analysis, attack trees, STRIDE, DREAD, etc. Threat modeling can also be integrated with the risk management process, and aligned with the organization's objectives and risk appetite.
The other options are not the best ways to identify changes to the risk landscape, because they do not provide the same level of proactivity, comprehensiveness, and effectiveness of identifying and addressing the potential threats or sources of harm that may affect the organization.
Internal audit reports are the documents that provide the results and findings of the internal audits that are performed to assess and evaluate the adequacy and effectiveness of the organization's governance, risk management, and control functions. Internal audit reports can provide useful information and recommendations on the current state and performance of the organization, and identify the issues or gaps that need to be addressed or improved, but they are not the best way to identify changes to the risk landscape, because they areusually retrospective and reactive, and they may not cover all the relevant or emerging threats or sources of harm that may affect the organization.
Access reviews are the processes of verifying and validating the access rights and privileges that are granted to the users or entities that interact with the organization's assets, processes, orsystems, and ensuring that they are appropriate and authorized. Access reviews can provide useful information and feedback on the security and compliance of the organization's access management, and identify and revoke any unauthorized or unnecessary access rights or privileges, but they are not the best way to identify changes to the risk landscape, because they are usually periodic and specific, and they may not cover all the relevant or emerging threats or sources of harm that may affect the organization.
Root cause analysis is the process of identifying and understanding the underlying or fundamental causes or factors that contribute to or result in a problem or incident that has occurred or may occur in the organization.
Root cause analysis can provide useful insights and solutions on the origin and nature of the problem or incident, and prevent or reduce its recurrence or impact, but it is not the best way to identify changes to the risk landscape, because it is usually retrospective and reactive, and it may not cover all the relevant or emerging threats or sources of harm that may affect the organization. References = ISACA, CRISC Review Manual, 7th Edition, 2022, pp. 19-20, 23-24, 27-28, 31-32, 40-41, 47-48, 54-55, 58-
59, 62-63
ISACA, CRISC Review Questions, Answers & Explanations Database, 2022, QID 167 CRISC Practice Quiz and Exam Prep
- Other Version
- 1713ISACA.CRISC.v2026-03-31.q857
- 2077ISACA.CRISC.v2026-01-15.q649
- 4990ISACA.CRISC.v2025-09-26.q726
- 4202ISACA.CRISC.v2025-08-27.q675
- 6051ISACA.CRISC.v2025-01-04.q999
- 3011ISACA.CRISC.v2024-06-13.q683
- 4271ISACA.CRISC.v2024-04-02.q999
- 4152ISACA.CRISC.v2023-07-10.q544
- 6740ISACA.CRISC.v2022-05-25.q338
- 76ISACA.Actual4dump.CRISC.v2022-04-12.by.newman.349q.pdf
- 6367ISACA.CRISC.v2022-02-22.q349
- 6627ISACA.CRISC.v2021-10-27.q295
- 42ISACA.Updatedumps.CRISC.v2021-09-05.by.bonnie.114q.pdf
- Latest Upload
- 233Microsoft.AZ-900.v2026-07-16.q224
- 123Microsoft.AB-730.v2026-07-16.q19
- 170Google.Professional-Cloud-DevOps-Engineer.v2026-07-16.q92
- 176ACFE.CFE-Investigation.v2026-07-16.q87
- 197CompTIA.SY0-701.v2026-07-15.q325
- 611ISACA.CRISC.v2026-07-15.q907
- 248NISM.NISM-Series-VII.v2026-07-14.q164
- 222PECB.ISO-IEC-27001-Lead-Implementer.v2026-07-14.q147
- 178API.API-510.v2026-07-13.q47
- 361Microsoft.AZ-400.v2026-07-13.q294
[×]
Download PDF File
Enter your email address to download ISACA.CRISC.v2026-07-15.q907 Practice Test
