CRISC Exam Question 356
When establishing leading indicators for the information security incident response process it is MOST important to consider the percentage of reported incidents:
Correct Answer: D
When establishing leading indicators for the information security incident response process, it is most important to consider the percentage of reported incidents that are resolved within the service level agreement (SLA). A leading indicator is a metric that can predict or influence the future performance or outcome of a process or activity. A leading indicator for the information security incident response process should measure how well the process is achieving its objectives, such as minimizing the impact of incidents, restoring normal operations as quickly as possible, and preventing recurrence of incidents. The percentage of reported incidents that are resolved within the SLA is a leading indicator that reflects the efficiency and effectiveness of the information security incident response process. It shows how well the process is meeting the expectations and requirements of the stakeholders, such as the business units, customers, and regulators. It also shows how well the process is managing the resources, such as time, budget, and personnel, that are allocated for incident response. A high percentage of reported incidents that are resolved within the SLA indicates that the information security incident response process is performing well and delivering value to the organization. A low percentage of reported incidents that are resolved within the SLA indicates that the information security incident response process is facing challenges and needs improvement. The percentage of reported incidents that are resolved within the SLA can also help identify the root causes of incidents, the gaps in the process, and the areas for improvement. For example, if the percentage of reported incidents that are resolved within the SLA is low, it may indicate that the process has issues with the following aspects: - Incident detection and reporting: The process may not have adequate tools, techniques, or procedures to detect and report incidents in a timely and accurate manner. - Incident prioritization and classification: The process may not have clear and consistent criteria to prioritize and classify incidents based on their severity, impact, and urgency. - Incident analysis and investigation: The process may not have sufficient skills, knowledge, or evidence to analyze and investigate the incidents and determine their root causes, scope, and consequences. - Incident containment and eradication: The process may not have effective methods or measures to contain and eradicate the incidents and prevent them from spreading or escalating. - Incident recovery and restoration: The process may not have reliable backup and recovery plans or systems to restore the normal operations and functionality of the affected systems or services. - Incident communication and escalation: The process may not have proper communication and escalation channels or protocols to inform and involve the relevant stakeholders, such as the management, the users, the vendors, or the authorities. - Incident documentation and closure: The process may not have adequate documentation and closure procedures to record and report the incidents and their resolution. - Incident review and improvement: The process may not have regular review and improvement activities to evaluate and enhance the process and its performance. Therefore, the percentage of reported incidents that are resolved within the SLA is the most important leading indicator for the information security incident response process, as it can provide valuable insights and feedback for the process and its improvement. References = Information Security Incident Response | Process Street1, Key Performance Indicators (KPIs) for Security Operations and Incident Response2, 7 Incident Response Metrics and How to Use Them3
CRISC Exam Question 357
What is MOST important for the risk practitioner to understand when creating an initial IT risk register?
Correct Answer: D
The most important factor for the risk practitioner to understand when creating an initial IT risk register is the organizational objectives. The organizational objectives are the specific, measurable, achievable, relevant, and time-bound (SMART) goals that the organization aims to accomplish. The organizational objectives should be aligned with the organization's vision, mission, and strategy, as well as the stakeholder expectations and needs. The organizational objectives should also reflect the desired outcomes and benefits of the organization, such as increasing revenue, reducing costs, improving quality, or enhancing customer satisfaction.
Understanding the organizational objectives is the most important factor when creating an initial IT risk register, because it provides the context, scope, and criteria for identifying, analyzing, and prioritizing the IT risks that may affect or be affected by the organizational objectives. Understanding the organizational objectives also helps to align the IT risk management process with the organizational risk management process, and to communicate the value and impact of the IT risks and the IT risk responses to the senior management and other stakeholders. The other options are not the most important factor, although they may be relevant or influential to the IT risk register. Enterprise architecture (EA) is a conceptual blueprint that defines the structure and operation of an organization. EA describes the current and future state of the organization in terms of its business processes, information systems, and technology infrastructure, and the relationships and dependencies among them. EA also provides the principles, standards, and guidelines for designing, developing, and implementing the organization's solutions and services. EA can help to understand the IT risk sources, causes, and effects, as well as the IT risk mitigation options and opportunities, but it does not define the purpose or the scope of the IT risk register. Control environment is the set of policies, procedures, and mechanisms that ensure the reliability, security, and quality of the organization's activities and information. Control environment includes the tone and culture at the top, the roles and responsibilities for governance and oversight, the internal control framework and methodology, and the monitoring and reporting systems. Control environment can help to assess the IT risk levels and the IT risk responses, as well as to ensure the compliance and accountability of the IT risk management process, but it does not provide the context or the criteria for the IT risk register. IT objectives are the specific, measurable, achievable, relevant, and time-bound (SMART) goals that the IT function aims to accomplish. IT objectives should be aligned and consistent with the organizational objectives, as well as the IT strategy and IT governance. IT objectives should also reflect the expected outcomes and benefits of the IT function, such as delivering value, enabling innovation, or supporting transformation. IT objectives can help to identify and prioritize the IT risks that may affect or be affected by the IT objectives, but they are not the same as or more important than the organizational objectives. References = Three Steps to Creating a Simple IT Risk Register - Gartner, Risk Register Template and Examples | Prioritize and Manage Risk, IT Resources | Knowledge & Insights | ISACA
Understanding the organizational objectives is the most important factor when creating an initial IT risk register, because it provides the context, scope, and criteria for identifying, analyzing, and prioritizing the IT risks that may affect or be affected by the organizational objectives. Understanding the organizational objectives also helps to align the IT risk management process with the organizational risk management process, and to communicate the value and impact of the IT risks and the IT risk responses to the senior management and other stakeholders. The other options are not the most important factor, although they may be relevant or influential to the IT risk register. Enterprise architecture (EA) is a conceptual blueprint that defines the structure and operation of an organization. EA describes the current and future state of the organization in terms of its business processes, information systems, and technology infrastructure, and the relationships and dependencies among them. EA also provides the principles, standards, and guidelines for designing, developing, and implementing the organization's solutions and services. EA can help to understand the IT risk sources, causes, and effects, as well as the IT risk mitigation options and opportunities, but it does not define the purpose or the scope of the IT risk register. Control environment is the set of policies, procedures, and mechanisms that ensure the reliability, security, and quality of the organization's activities and information. Control environment includes the tone and culture at the top, the roles and responsibilities for governance and oversight, the internal control framework and methodology, and the monitoring and reporting systems. Control environment can help to assess the IT risk levels and the IT risk responses, as well as to ensure the compliance and accountability of the IT risk management process, but it does not provide the context or the criteria for the IT risk register. IT objectives are the specific, measurable, achievable, relevant, and time-bound (SMART) goals that the IT function aims to accomplish. IT objectives should be aligned and consistent with the organizational objectives, as well as the IT strategy and IT governance. IT objectives should also reflect the expected outcomes and benefits of the IT function, such as delivering value, enabling innovation, or supporting transformation. IT objectives can help to identify and prioritize the IT risks that may affect or be affected by the IT objectives, but they are not the same as or more important than the organizational objectives. References = Three Steps to Creating a Simple IT Risk Register - Gartner, Risk Register Template and Examples | Prioritize and Manage Risk, IT Resources | Knowledge & Insights | ISACA
CRISC Exam Question 358
What is the BEST information to present to business control owners when justifying costs related to controls?
Correct Answer: D
The best information to present to business control owners when justifying costs related to controls is the return on IT security-related investments, because this shows the value and benefits of the controls in relation to their costs. Return on IT security-related investments is a metric that measures the effectiveness and efficiency of IT security controls by comparing the amount of money saved or gained from preventing or mitigating IT-related risks with the amount of money spent on implementing and maintaining the controls. By presenting this information, business control owners can see how the controls contribute to the achievement of the business objectives, such as reducing losses, increasing revenues, enhancing customer satisfaction, or improving compliance. This information can also help business control owners to prioritize and allocate resources for the most critical and beneficial controls, and to optimize the balance between risk and return. References = Cost Control: How Businesses Use It to Increase Profits
CRISC Exam Question 359
Which of the following provides the MOST up-to-date information about the effectiveness of an organization
' s overall IT control environment?
' s overall IT control environment?
Correct Answer: D
The IT control environment is the set of standards, processes, and structures that provide the basis for carrying out IT internal control across the organization1. The IT control environment comprises the IT governance, IT policies and procedures, IT organizational structure, IT roles and responsibilities, IT competencies and training, and IT culture and ethics2. The effectiveness of the IT control environment can be measured by how well it supports the achievement of the organization's IT objectives, such as IT reliability, security, compliance, and performance3.
One of the best ways to provide the most up-to-date information about the effectiveness of the organization's overall IT control environment is to perform periodic penetrationtesting. Penetration testing is the process of simulating real-world cyberattacks on the organization's IT systems, networks, and applications, to identify and exploit any vulnerabilities, weaknesses, or gaps in the IT control environment4. Penetration testing can help to:
Evaluate the current state and maturity of the IT control environment and its alignment with the organization's risk appetite and tolerance Detect and prioritize the most critical and urgent IT risks and threats that may compromise the organization's IT objectives or assets Test and validate the effectiveness and efficiency of the existing IT controls and their ability to prevent, detect, or respond to cyberattacks Provide recommendations and feedback for improving the IT control environment and enhancing the IT security posture and resilience of the organization References = COSO - Control Environment - Deloitte, How to use COSO to assess IT controls - Journal of Accountancy, What is Penetration Testing?, [Penetration Testing: A Guide for Business Leaders]
One of the best ways to provide the most up-to-date information about the effectiveness of the organization's overall IT control environment is to perform periodic penetrationtesting. Penetration testing is the process of simulating real-world cyberattacks on the organization's IT systems, networks, and applications, to identify and exploit any vulnerabilities, weaknesses, or gaps in the IT control environment4. Penetration testing can help to:
Evaluate the current state and maturity of the IT control environment and its alignment with the organization's risk appetite and tolerance Detect and prioritize the most critical and urgent IT risks and threats that may compromise the organization's IT objectives or assets Test and validate the effectiveness and efficiency of the existing IT controls and their ability to prevent, detect, or respond to cyberattacks Provide recommendations and feedback for improving the IT control environment and enhancing the IT security posture and resilience of the organization References = COSO - Control Environment - Deloitte, How to use COSO to assess IT controls - Journal of Accountancy, What is Penetration Testing?, [Penetration Testing: A Guide for Business Leaders]
CRISC Exam Question 360
Which of the following is the BEST Key control indicator KCO to monitor the effectiveness of patch management?
Correct Answer: B
The percentage of servers receiving automatic patches is the best key control indicator (KCI) to monitor the effectiveness of patch management, because it measures how well the patch management process is ensuring that the servers are updated with the latest security patches and fixes. A high percentage of servers receiving automatic patches indicates that the patch management process is effective and efficient, and that the servers are protected from known vulnerabilities and threats. The other options are not the best KCIs, because they do not directly measure the effectiveness of patch management. The percentage of legacy servers out of support, the number of unpatched vulnerabilities, and the number of intrusion attempts are examples of risk indicators or consequence indicators that measure the exposure or impact of the lack of patch management, but not the performance or outcome of the patch management process. References = ISACA Certified in Risk and Information Systems Control (CRISC) Certification Exam Question and Answers
- Other Version
- 1717ISACA.CRISC.v2026-03-31.q857
- 2086ISACA.CRISC.v2026-01-15.q649
- 4994ISACA.CRISC.v2025-09-26.q726
- 4208ISACA.CRISC.v2025-08-27.q675
- 6055ISACA.CRISC.v2025-01-04.q999
- 3012ISACA.CRISC.v2024-06-13.q683
- 4273ISACA.CRISC.v2024-04-02.q999
- 4154ISACA.CRISC.v2023-07-10.q544
- 6742ISACA.CRISC.v2022-05-25.q338
- 76ISACA.Actual4dump.CRISC.v2022-04-12.by.newman.349q.pdf
- 6369ISACA.CRISC.v2022-02-22.q349
- 6629ISACA.CRISC.v2021-10-27.q295
- 42ISACA.Updatedumps.CRISC.v2021-09-05.by.bonnie.114q.pdf
- Latest Upload
- 233Microsoft.AZ-900.v2026-07-16.q224
- 124Microsoft.AB-730.v2026-07-16.q19
- 177Google.Professional-Cloud-DevOps-Engineer.v2026-07-16.q92
- 177ACFE.CFE-Investigation.v2026-07-16.q87
- 218CompTIA.SY0-701.v2026-07-15.q325
- 633ISACA.CRISC.v2026-07-15.q907
- 251NISM.NISM-Series-VII.v2026-07-14.q164
- 224PECB.ISO-IEC-27001-Lead-Implementer.v2026-07-14.q147
- 180API.API-510.v2026-07-13.q47
- 363Microsoft.AZ-400.v2026-07-13.q294
[×]
Download PDF File
Enter your email address to download ISACA.CRISC.v2026-07-15.q907 Practice Test
