CRISC Exam Question 21
An assessment of information security controls has identified ineffective controls. Which of the following should be the risk practitioner's FIRST course of action?
Correct Answer: A
The risk practitioner's first course of action when an assessment of information security controls has identified ineffective controls should be A. Determine whether the impact is outside the risk appetite1 According to the CRISC Review Manual, risk appetite is the amount and type of risk that an organization is willing to accept in pursuit of its objectives. Risk appetite reflects the organization's risk culture, strategy, and values2 When an assessment of information security controls has identified ineffective controls, it means that the controls are not providing the expected level of protection or assurance for the information assets or processes. This may result in increased exposure or vulnerability to threats, or reduced ability to achieve objectives. Therefore, the risk practitioner should first determine whether the impact of the ineffective controls is outside the risk appetite, as this would indicate the need for urgent action or escalation3 The other options are not the first course of action when an assessment of information security controls has identified ineffective controls, because:
*B. Requesting a formal acceptance of risk from senior management may be appropriate if the impact of the ineffective controls is within the risk appetite, and the organization decides to accept the risk as it is.
However, this should not be the first course of action, as it may not address the root cause of the ineffective controls, or the potential consequences or opportunities for improvement4
*C. Reporting the ineffective control for inclusion in the next audit report may be part of the risk communication and reporting process, but it should not be the first course of action, as it may delay the resolution or mitigation of the issue, or the implementation of corrective actions. Moreover, the next audit report may not be timely or relevant for the decision-makers or stakeholders who need to be informed of the ineffective controls5
*D. Deploying a compensating control to address the identified deficiencies may be a possible risk response option, but it should not be the first course of action, as it may require further analysis, evaluation, and approval. Moreover, deploying a compensating control may not be the most effective or efficient solution, as it may introduce additional complexity, cost, or risk.
1: CRISC Review Questions, Answers & Explanations Database, Question ID: 100003 2: CRISC Review Manual, 7th Edition, page 28 3: CRISC Review Manual, 7th Edition, page 223 4: CRISC Review Manual, 7th Edition, page 224 5: CRISC Review Manual, 7th Edition, page 225 : CRISC Review Manual, 7th Edition, page 226
*B. Requesting a formal acceptance of risk from senior management may be appropriate if the impact of the ineffective controls is within the risk appetite, and the organization decides to accept the risk as it is.
However, this should not be the first course of action, as it may not address the root cause of the ineffective controls, or the potential consequences or opportunities for improvement4
*C. Reporting the ineffective control for inclusion in the next audit report may be part of the risk communication and reporting process, but it should not be the first course of action, as it may delay the resolution or mitigation of the issue, or the implementation of corrective actions. Moreover, the next audit report may not be timely or relevant for the decision-makers or stakeholders who need to be informed of the ineffective controls5
*D. Deploying a compensating control to address the identified deficiencies may be a possible risk response option, but it should not be the first course of action, as it may require further analysis, evaluation, and approval. Moreover, deploying a compensating control may not be the most effective or efficient solution, as it may introduce additional complexity, cost, or risk.
1: CRISC Review Questions, Answers & Explanations Database, Question ID: 100003 2: CRISC Review Manual, 7th Edition, page 28 3: CRISC Review Manual, 7th Edition, page 223 4: CRISC Review Manual, 7th Edition, page 224 5: CRISC Review Manual, 7th Edition, page 225 : CRISC Review Manual, 7th Edition, page 226
CRISC Exam Question 22
An organization recently configured a new business division Which of the following is MOST likely to be affected?
Correct Answer: A
A risk profile is a summary of the nature and level of risk that an organization faces. It includes information such as the sources, causes, and consequences of the risks, their likelihood and impact, their interrelationships and dependencies, and their alignment with the risk appetite and tolerance. A risk profile is influenced by various factors, such as the organization's objectives, strategies, activities, processes, resources, capabilities, culture, etc. When an organization configures a new business division, the factor that is most likely to be affected is the risk profile, as the new business division may introduce new or change existing risks, opportunities, and uncertainties that may affect the achievement of the organization's objectives. Therefore, the organization should update its risk profile to reflect the current and potential risks associated with the new business division, and implement the appropriate risk management actions to optimize the risk exposure and performance. References = 4
CRISC Exam Question 23
The risk associated with a high-risk vulnerability in an application is owned by the:
Correct Answer: B
A high-risk vulnerability in an application is a system flaw or weakness in the application's code that can be exploited by a malicious actor, potentially leading to a security breach. The risk associated with a high-risk vulnerability in an application is the possibility and impact of such a breach occurring. The risk owner of a high-risk vulnerability in an application is the person or entity who has the authority and responsibility for managing the risk. The risk owner should be able to define the risk appetite, assess the risk level, select and implement the risk response, monitor and report the risk status, and ensure the risk alignment with the business objectives and strategy. The risk owner of a high-risk vulnerability in an application is the business unit, which is the organizational unit that operates the application and derives value from it. The businessunit understands the business needs and expectations of the application, and the potential consequences of a security breach. The business unit also has the resources and incentives to address the risk effectively and efficiently. Therefore, the business unit is the most appropriate risk owner of a high-risk vulnerability in an application. References = Why Assigning a Risk Owner is Important and How to Do It Right, CRISC 351-
400 topic3, Foundations of Project Management : Week 2.
400 topic3, Foundations of Project Management : Week 2.
CRISC Exam Question 24
Which of the following is the PRIMARY objective of the three lines model for risk management?
Correct Answer: C
The Three Lines Model (formerly "three lines of defense") is a governance concept used in CRISC and other ISACA frameworks. Its primary objective is to clarify who does what in risk management:
* First line - operational management: owns and manages risk, operates controls.
* Second line - risk management/compliance: provides expertise, support, and monitoring for risk and controls.
* Third line - internal audit: provides independent assurance on the effectiveness of governance, risk management, and control.
CRISC-related notes on the three lines state that:
* The most significant benefit of using the three lines model is that it clarifies essential roles of key stakeholders.
* Risk owner is a risk management role that is part of the first line of defense.
* Establishing a risk management framework is a direct responsibility of the second line.
* Operational management is the function that manages risk according to the three lines model.
So the core of the model is role and responsibility clarity, which directly supports effective governance and accountability for risk.
Why the other options are incorrect:
* A. Oversight and monitoring are important outcomes, but they are consequences of properly defined roles rather than the model's primary objective.
* B. "Only employees are responsible" is false; accountability spans board, senior management, management, staff, and independent assurance.
* **D. Senior management does have key responsibilities, but the model explicitly distributes risk roles across multiple lines, not just senior management.
Therefore, the PRIMARY objective is correctly captured by C: providing clear delineation of roles and responsibilities for managing IT risk.
* First line - operational management: owns and manages risk, operates controls.
* Second line - risk management/compliance: provides expertise, support, and monitoring for risk and controls.
* Third line - internal audit: provides independent assurance on the effectiveness of governance, risk management, and control.
CRISC-related notes on the three lines state that:
* The most significant benefit of using the three lines model is that it clarifies essential roles of key stakeholders.
* Risk owner is a risk management role that is part of the first line of defense.
* Establishing a risk management framework is a direct responsibility of the second line.
* Operational management is the function that manages risk according to the three lines model.
So the core of the model is role and responsibility clarity, which directly supports effective governance and accountability for risk.
Why the other options are incorrect:
* A. Oversight and monitoring are important outcomes, but they are consequences of properly defined roles rather than the model's primary objective.
* B. "Only employees are responsible" is false; accountability spans board, senior management, management, staff, and independent assurance.
* **D. Senior management does have key responsibilities, but the model explicitly distributes risk roles across multiple lines, not just senior management.
Therefore, the PRIMARY objective is correctly captured by C: providing clear delineation of roles and responsibilities for managing IT risk.
CRISC Exam Question 25
The risk to an organization's reputation due to a recent cybersecurity breach is PRIMARILY considered to be:
Correct Answer: D
Understanding Strategic Risk:
Strategic risk refers to the potential losses that can arise from adverse business decisions, improper implementation of decisions, or lack of responsiveness to changes in the business environment.
Reputational Impact of Cybersecurity Breaches:
A cybersecurity breach can severely damage an organization's reputation, affecting customer trust, investor confidence, and market value.
Such impacts go beyond immediate financial losses and can have long-term strategic implications for the organization's competitive position and strategic objectives.
Classification of Risk:
Financial Risk:Direct financial losses due to a breach (e.g., fines, legal costs) but does not cover reputational impacts.
Data Risk:Focuses on the loss or compromise of data but not the broader strategic impact.
Operational Risk:Pertains to disruptions in business operations, while reputational damage influences the organization's strategic direction and goals.
Strategic Risk and Reputation:
Reputational damage from a cybersecurity breach can lead to a loss of customer base, reduced market share, and difficulties in strategic partnerships, all of which are strategic concerns.
Addressing reputational risk requires strategic planning, proactive communication, and long-term efforts to rebuild trust and credibility.
References:
The CRISC Review Manual highlights that reputational risk is a significant aspect of strategic risk, especially following cybersecurity incidents (CRISC Review Manual, Chapter 1: Governance, Section 1.1.3 Importance and Value of IT Risk Management).
Strategic risk refers to the potential losses that can arise from adverse business decisions, improper implementation of decisions, or lack of responsiveness to changes in the business environment.
Reputational Impact of Cybersecurity Breaches:
A cybersecurity breach can severely damage an organization's reputation, affecting customer trust, investor confidence, and market value.
Such impacts go beyond immediate financial losses and can have long-term strategic implications for the organization's competitive position and strategic objectives.
Classification of Risk:
Financial Risk:Direct financial losses due to a breach (e.g., fines, legal costs) but does not cover reputational impacts.
Data Risk:Focuses on the loss or compromise of data but not the broader strategic impact.
Operational Risk:Pertains to disruptions in business operations, while reputational damage influences the organization's strategic direction and goals.
Strategic Risk and Reputation:
Reputational damage from a cybersecurity breach can lead to a loss of customer base, reduced market share, and difficulties in strategic partnerships, all of which are strategic concerns.
Addressing reputational risk requires strategic planning, proactive communication, and long-term efforts to rebuild trust and credibility.
References:
The CRISC Review Manual highlights that reputational risk is a significant aspect of strategic risk, especially following cybersecurity incidents (CRISC Review Manual, Chapter 1: Governance, Section 1.1.3 Importance and Value of IT Risk Management).
- Other Version
- 1713ISACA.CRISC.v2026-03-31.q857
- 2074ISACA.CRISC.v2026-01-15.q649
- 4990ISACA.CRISC.v2025-09-26.q726
- 4202ISACA.CRISC.v2025-08-27.q675
- 6051ISACA.CRISC.v2025-01-04.q999
- 3010ISACA.CRISC.v2024-06-13.q683
- 4270ISACA.CRISC.v2024-04-02.q999
- 4151ISACA.CRISC.v2023-07-10.q544
- 6739ISACA.CRISC.v2022-05-25.q338
- 76ISACA.Actual4dump.CRISC.v2022-04-12.by.newman.349q.pdf
- 6367ISACA.CRISC.v2022-02-22.q349
- 6626ISACA.CRISC.v2021-10-27.q295
- 42ISACA.Updatedumps.CRISC.v2021-09-05.by.bonnie.114q.pdf
- Latest Upload
- 228Microsoft.AZ-900.v2026-07-16.q224
- 123Microsoft.AB-730.v2026-07-16.q19
- 169Google.Professional-Cloud-DevOps-Engineer.v2026-07-16.q92
- 176ACFE.CFE-Investigation.v2026-07-16.q87
- 194CompTIA.SY0-701.v2026-07-15.q325
- 598ISACA.CRISC.v2026-07-15.q907
- 246NISM.NISM-Series-VII.v2026-07-14.q164
- 218PECB.ISO-IEC-27001-Lead-Implementer.v2026-07-14.q147
- 177API.API-510.v2026-07-13.q47
- 360Microsoft.AZ-400.v2026-07-13.q294
[×]
Download PDF File
Enter your email address to download ISACA.CRISC.v2026-07-15.q907 Practice Test
