CRISC Exam Question 81
Which of the following is the GREATEST risk associated with an environment that lacks documentation of the architecture?
Correct Answer: A
Architecture is the design and structure of a system or a process, such as an IT system or a business process.
Architecture documentation is the document that describes and explains the architecture, such as its components, functions, relationships, requirements, constraints, orstandards. Architecture documentation can help to understand, communicate, and improve the system or the process1.
An environment that lacks documentation of the architecture faces a great risk of unknown vulnerabilities, which are the weaknesses or flaws in the system or the process that could be exploited by threats or attackers, but are not identified or addressed by the organization. Unknown vulnerabilities can pose a serious risk to the organization, because they can:
Compromise the confidentiality, integrity, and availability of the system or the process, and the information or resources that it handles or supports Cause financial, operational, reputational, or legal damages or losses to the organization, such as data breaches, fraud, errors, delays, or fines Remain undetected or unresolved for a long time, and increase the exposure or impact of the risk over time Require more resources or efforts to mitigate or recover from the risk, and reduce the efficiency or effectiveness of the risk management process23 Lack of documentation of the architecture can increase the risk of unknown vulnerabilities, because it can:
Prevent or hinder the identification and assessment of the vulnerabilities, and the evaluation and prioritization of the risks Impede or delay the implementation and enforcement of the controls or safeguards to prevent or reduce the vulnerabilities, and the monitoring and reporting of the risk status and progress Obstruct or limit the communication and coordination among the stakeholders, and the awareness and accountability of the risk owners and users Restrict or hamper the review and improvement of the system or the process, and the learning and feedback of the risk management4 The other options are not the greatest risks associated with an environment that lacks documentation of the architecture, but rather some of the possible causes or consequences of it.Legacy technology systems are outdated or obsolete systems that are still in use by the organization, but are no longer supported or maintained by the vendors or developers. Legacy technology systems can be a cause of lack of documentation of the architecture, as they may have been developed or acquired without proper documentation, or the documentation may have been lost or discarded over time. Network isolation is the separation or segregation of a network or a system from other networks or systems, either physically or logically, to prevent or limit the access or communication between them. Network isolation can be a consequence of lack of documentation of the architecture, as it may result from the inability or difficulty to integrate or connect the system or the process with other systems or processes. Overlapping threats are threats that affect more than one system or process, or have similar or related sources or causes, such as natural disasters, cyberattacks, or human errors.
Overlapping threats can be a consequence of lack of documentation of the architecture, as they may arise from the lack of understanding or coordination of the system or the process with other systems or processes. References = Architecture Documentation - ISACA Vulnerability - ISACA The Risks of Not Having a Vulnerability Management Program The Importance of Architecture Documentation - ISACA
[The Risk of Poor Document Control - ComplianceBridge]
[CRISC Review Manual, 7th Edition]
Architecture documentation is the document that describes and explains the architecture, such as its components, functions, relationships, requirements, constraints, orstandards. Architecture documentation can help to understand, communicate, and improve the system or the process1.
An environment that lacks documentation of the architecture faces a great risk of unknown vulnerabilities, which are the weaknesses or flaws in the system or the process that could be exploited by threats or attackers, but are not identified or addressed by the organization. Unknown vulnerabilities can pose a serious risk to the organization, because they can:
Compromise the confidentiality, integrity, and availability of the system or the process, and the information or resources that it handles or supports Cause financial, operational, reputational, or legal damages or losses to the organization, such as data breaches, fraud, errors, delays, or fines Remain undetected or unresolved for a long time, and increase the exposure or impact of the risk over time Require more resources or efforts to mitigate or recover from the risk, and reduce the efficiency or effectiveness of the risk management process23 Lack of documentation of the architecture can increase the risk of unknown vulnerabilities, because it can:
Prevent or hinder the identification and assessment of the vulnerabilities, and the evaluation and prioritization of the risks Impede or delay the implementation and enforcement of the controls or safeguards to prevent or reduce the vulnerabilities, and the monitoring and reporting of the risk status and progress Obstruct or limit the communication and coordination among the stakeholders, and the awareness and accountability of the risk owners and users Restrict or hamper the review and improvement of the system or the process, and the learning and feedback of the risk management4 The other options are not the greatest risks associated with an environment that lacks documentation of the architecture, but rather some of the possible causes or consequences of it.Legacy technology systems are outdated or obsolete systems that are still in use by the organization, but are no longer supported or maintained by the vendors or developers. Legacy technology systems can be a cause of lack of documentation of the architecture, as they may have been developed or acquired without proper documentation, or the documentation may have been lost or discarded over time. Network isolation is the separation or segregation of a network or a system from other networks or systems, either physically or logically, to prevent or limit the access or communication between them. Network isolation can be a consequence of lack of documentation of the architecture, as it may result from the inability or difficulty to integrate or connect the system or the process with other systems or processes. Overlapping threats are threats that affect more than one system or process, or have similar or related sources or causes, such as natural disasters, cyberattacks, or human errors.
Overlapping threats can be a consequence of lack of documentation of the architecture, as they may arise from the lack of understanding or coordination of the system or the process with other systems or processes. References = Architecture Documentation - ISACA Vulnerability - ISACA The Risks of Not Having a Vulnerability Management Program The Importance of Architecture Documentation - ISACA
[The Risk of Poor Document Control - ComplianceBridge]
[CRISC Review Manual, 7th Edition]
CRISC Exam Question 82
An organization's senior management is considering whether to acquire cyber insurance. Which of the following is the BEST way for the risk practitioner to enable management's decision?
Correct Answer: A
Acost-benefit analysisevaluates the financial implications of acquiring cyber insurance versus the potential loss exposure. This approach enables informed decision-making by comparing the insurance cost with the potential savings from covered risks.
CRISC Exam Question 83
A migration from an in-house developed system to an external cloud-based solution is affecting a previously rated key risk scenario related to payroll processing. Which part of the risk register should be updated FIRST?
Correct Answer: B
Payroll system risk mitigation plans are the actions that are taken to reduce or eliminate the risk associated with payroll processing. When a migration from an in-house developed system to an external cloud-based solution is affecting a previously rated key risk scenario related to payroll processing, the first part of the risk register that should be updated is the payroll system risk mitigation plans. This is because the migration may introduce new risks or change the existing risks, and the risk mitigation plans may need to be revised or replaced accordingly. Updating the payroll system risk mitigation plans can help ensure that the risk level is acceptable and the payroll process is secure and reliable. According to the CRISC Review Manual 2022, one of the key risk treatment techniques is to update the risk action plan, which is a document that outlines the risk mitigation plans1. According to the CRISC Review Questions, Answers & Explanations Manual 2022, updating the risk mitigation plans is the correct answer to this question2.
Payroll system risk factors, payroll process owner, and payroll administrative controls are not the first part of the risk register that should be updated when a migration is affecting a key risk scenario. Payroll system risk factors are the sources or causes of risk, such as threats, vulnerabilities, or uncertainties. Payroll process owner is the person who is responsible for the payroll process and its outcomes. Payroll administrative controls are the policies, procedures, or guidelines that govern the payroll process. These parts of the risk register may also need to be updated, but they are not as urgent or critical as the risk mitigation plans.
Updating the risk factors, process owner, and administrative controls can help identify, assess, and monitor the risk, but they do not directly address the risk response. The risk response is the most important part of the risk management process, as it determines how the risk is handled and controlled.
Payroll system risk factors, payroll process owner, and payroll administrative controls are not the first part of the risk register that should be updated when a migration is affecting a key risk scenario. Payroll system risk factors are the sources or causes of risk, such as threats, vulnerabilities, or uncertainties. Payroll process owner is the person who is responsible for the payroll process and its outcomes. Payroll administrative controls are the policies, procedures, or guidelines that govern the payroll process. These parts of the risk register may also need to be updated, but they are not as urgent or critical as the risk mitigation plans.
Updating the risk factors, process owner, and administrative controls can help identify, assess, and monitor the risk, but they do not directly address the risk response. The risk response is the most important part of the risk management process, as it determines how the risk is handled and controlled.
CRISC Exam Question 84
Prudent business practice requires that risk appetite not exceed:
Correct Answer: C
Risk appetite is the amount and type of risk that an organization is willing to accept in order to achieve its objectives. Risk appetite reflects the organization's risk attitude and its willingness to take on risk in specific scenarios. Risk appetite is usually expressed in a qualitative statement approved by the board of directors1.
Risk capacity is the maximum amount of risk that an organization can responsibly take on without jeopardizing its financial stability or other key objectives. Risk capacity is determined by objective factors like income, assets, liabilities, debts, insurance coverage, dependents, and time horizon. Risk capacity is usually expressed in a quantitative measure that sets the limit of how much risk the organization can handle2.
Prudent business practice requires that risk appetite not exceed risk capacity, because this would mean that the organization is taking on more risk than it can afford or sustain. If the risk appetite is higher than the risk capacity, the organization may face serious consequences such as insolvency, bankruptcy, reputational damage, legal liability, or regulatory sanctions. Therefore, the organization should align its risk appetite with its risk capacity, and ensure that its risk exposure is within its risk tolerance3.
The other options are not correct. Inherent risk is the level of risk that exists in the absence of controls or mitigations. It is the natural level of risk inherent in a process or activity. Residual risk is the level of riskthat remains after the controls or mitigations have been applied. It is the remaining risk after the risk response has been implemented. Risk tolerance is the acceptable variation in the outcomes related to specific objectives or risks. It is the range of risk exposure that the organization is prepared to accept4. None of these concepts are directly comparable to risk appetite, and none of them represent the limit of how much risk the organization can take on. References = Risk Appetite vs. Risk Tolerance: What is the Difference? - ISACA What Is the Difference Between Risk Tolerance and Risk Capacity? - Investopedia Risk Management: Understanding Risk Capacity, Appetite, and Tolerance - Consulting Edge
[CRISC Review Manual, 7th Edition]
Risk capacity is the maximum amount of risk that an organization can responsibly take on without jeopardizing its financial stability or other key objectives. Risk capacity is determined by objective factors like income, assets, liabilities, debts, insurance coverage, dependents, and time horizon. Risk capacity is usually expressed in a quantitative measure that sets the limit of how much risk the organization can handle2.
Prudent business practice requires that risk appetite not exceed risk capacity, because this would mean that the organization is taking on more risk than it can afford or sustain. If the risk appetite is higher than the risk capacity, the organization may face serious consequences such as insolvency, bankruptcy, reputational damage, legal liability, or regulatory sanctions. Therefore, the organization should align its risk appetite with its risk capacity, and ensure that its risk exposure is within its risk tolerance3.
The other options are not correct. Inherent risk is the level of risk that exists in the absence of controls or mitigations. It is the natural level of risk inherent in a process or activity. Residual risk is the level of riskthat remains after the controls or mitigations have been applied. It is the remaining risk after the risk response has been implemented. Risk tolerance is the acceptable variation in the outcomes related to specific objectives or risks. It is the range of risk exposure that the organization is prepared to accept4. None of these concepts are directly comparable to risk appetite, and none of them represent the limit of how much risk the organization can take on. References = Risk Appetite vs. Risk Tolerance: What is the Difference? - ISACA What Is the Difference Between Risk Tolerance and Risk Capacity? - Investopedia Risk Management: Understanding Risk Capacity, Appetite, and Tolerance - Consulting Edge
[CRISC Review Manual, 7th Edition]
CRISC Exam Question 85
Which of the following BEST measures the impact of business interruptions caused by an IT service outage?
Correct Answer: A
The best measure of the impact of business interruptions caused by an IT service outage is the sustained financial loss. This is the amount of money that the enterprise loses due to the disruption of its normal operations, such as lost revenue, increased expenses, or reduced profits. Sustained financial loss reflects the extent and severity of the business interruption, and the effect on the enterprise's objectives and performance.
Sustained financial loss also helps to determine the recovery objectives and priorities, and to justify the investment in risk mitigation and business continuity strategies. References = Risk and Information Systems Control Study Manual, 7th Edition, Chapter 2, Section 2.2.2, page 691
Sustained financial loss also helps to determine the recovery objectives and priorities, and to justify the investment in risk mitigation and business continuity strategies. References = Risk and Information Systems Control Study Manual, 7th Edition, Chapter 2, Section 2.2.2, page 691
- Other Version
- 1694ISACA.CRISC.v2026-03-31.q857
- 2040ISACA.CRISC.v2026-01-15.q649
- 4966ISACA.CRISC.v2025-09-26.q726
- 4172ISACA.CRISC.v2025-08-27.q675
- 6021ISACA.CRISC.v2025-01-04.q999
- 2992ISACA.CRISC.v2024-06-13.q683
- 4246ISACA.CRISC.v2024-04-02.q999
- 4138ISACA.CRISC.v2023-07-10.q544
- 6727ISACA.CRISC.v2022-05-25.q338
- 76ISACA.Actual4dump.CRISC.v2022-04-12.by.newman.349q.pdf
- 6360ISACA.CRISC.v2022-02-22.q349
- 6622ISACA.CRISC.v2021-10-27.q295
- 42ISACA.Updatedumps.CRISC.v2021-09-05.by.bonnie.114q.pdf
- Latest Upload
- 190CompTIA.SY0-701.v2026-07-15.q325
- 532ISACA.CRISC.v2026-07-15.q907
- 222NISM.NISM-Series-VII.v2026-07-14.q164
- 202PECB.ISO-IEC-27001-Lead-Implementer.v2026-07-14.q147
- 162API.API-510.v2026-07-13.q47
- 327Microsoft.AZ-400.v2026-07-13.q294
- 207Scrum.PSM-I.v2026-07-13.q135
- 170Avaya.71301T.v2026-07-13.q59
- 176NVIDIA.NCP-AIN.v2026-07-10.q30
- 237HP.HPE0-S59.v2026-07-10.q77
[×]
Download PDF File
Enter your email address to download ISACA.CRISC.v2026-07-15.q907 Practice Test
