CRISC Exam Question 361
Which of the following is MOST helpful to review when identifying risk scenarios associated with the adoption of Internet of Things (loT) technology in an organization?
Correct Answer: B
* Risk scenarios: Narratives that describe potential risk events, their causes, consequences, and likelihood1.
* Internet of Things (IoT): A network of interconnected devices, software, sensors, and other things that communicate and exchange data without human intervention2.
* IoT threat landscape: The range and types of threats and attacks that target IoT devices, systems, and networks3.
The most helpful thing to review when identifying risk scenarios associated with the adoption of IoT technology in an organization is the IoT threat landscape. The IoT threat landscape provides a comprehensive and current overview of the potential sources, methods, and impacts of cyberattacks on IoT devices, systems, and networks. Reviewing the IoT threat landscape can help an organization to:
* Identify the most relevant and prevalent threats and vulnerabilities that affect IoT technology, such as weak passwords, insecure interfaces, insufficient data protection, poor device management, or lack of encryption4.
* Assess the likelihood and impact of different types of attacks, such as malware infections, denial-of-service attacks, data breaches, unauthorized access, or sabotage4.
* Prioritize the most critical and urgent risks that need to be addressed and mitigated.
* Develop realistic and plausible risk scenarios that reflect the actual IoT threat environment and the organization's specific context and objectives.
The other options are not as helpful as the IoT threat landscape when identifying risk scenarios associated with the adoption of IoT technology in an organization, because they do not provide a comprehensive and current view of the potential threats and attacks that target IoT technology. The business case for the use of IoT, which is the justification and rationale for adopting IoT technology based on the expected benefits, costs, and risks, may help to understand the value and purpose of IoT technology for the organization, but it does not provide detailed information on the specific threats and vulnerabilities that affect IoT technology. Policy development for IoT, which is the process of creating and implementing rules and guidelines for the governance, management, and security of IoT technology, may help to establish the standards and expectations for IoT technology within the organization, but it does not provide an overview of the external threats and attacks that target IoT technology. The network that IoT devices can access, which is the infrastructure and system that enables the connectivity and communication of IoT devices, may help to identify the potential entry points and attack vectors for IoT threats, but it does not provide a complete picture of the types and impacts of IoT threats.
References = Risk Scenarios Toolkit, What is the Internet of Things (IoT)? With Examples | Coursera, Top IoT security issues and challenges (2022) - Thales, 8 Internet of Things Threats and Security Risks - SecurityScorecard
* Internet of Things (IoT): A network of interconnected devices, software, sensors, and other things that communicate and exchange data without human intervention2.
* IoT threat landscape: The range and types of threats and attacks that target IoT devices, systems, and networks3.
The most helpful thing to review when identifying risk scenarios associated with the adoption of IoT technology in an organization is the IoT threat landscape. The IoT threat landscape provides a comprehensive and current overview of the potential sources, methods, and impacts of cyberattacks on IoT devices, systems, and networks. Reviewing the IoT threat landscape can help an organization to:
* Identify the most relevant and prevalent threats and vulnerabilities that affect IoT technology, such as weak passwords, insecure interfaces, insufficient data protection, poor device management, or lack of encryption4.
* Assess the likelihood and impact of different types of attacks, such as malware infections, denial-of-service attacks, data breaches, unauthorized access, or sabotage4.
* Prioritize the most critical and urgent risks that need to be addressed and mitigated.
* Develop realistic and plausible risk scenarios that reflect the actual IoT threat environment and the organization's specific context and objectives.
The other options are not as helpful as the IoT threat landscape when identifying risk scenarios associated with the adoption of IoT technology in an organization, because they do not provide a comprehensive and current view of the potential threats and attacks that target IoT technology. The business case for the use of IoT, which is the justification and rationale for adopting IoT technology based on the expected benefits, costs, and risks, may help to understand the value and purpose of IoT technology for the organization, but it does not provide detailed information on the specific threats and vulnerabilities that affect IoT technology. Policy development for IoT, which is the process of creating and implementing rules and guidelines for the governance, management, and security of IoT technology, may help to establish the standards and expectations for IoT technology within the organization, but it does not provide an overview of the external threats and attacks that target IoT technology. The network that IoT devices can access, which is the infrastructure and system that enables the connectivity and communication of IoT devices, may help to identify the potential entry points and attack vectors for IoT threats, but it does not provide a complete picture of the types and impacts of IoT threats.
References = Risk Scenarios Toolkit, What is the Internet of Things (IoT)? With Examples | Coursera, Top IoT security issues and challenges (2022) - Thales, 8 Internet of Things Threats and Security Risks - SecurityScorecard
CRISC Exam Question 362
Which of the following is the MOST useful information an organization can obtain from external sources about emerging threats?
Correct Answer: C
*External sources of emerging threats are sources that provide information about the latest cyberattacks, hacking techniques, malware, and vulnerabilities that can affect an organization's IT systems and data.
Examples of external sources are security blogs, forums, newsletters, reports, and alerts from reputable organizations such as ISACA, Imperva, Aura, and BitSight123.
*The most useful information an organization can obtain from external sources is the indicators for detecting the presence of threats. Indicators are observable signs or patterns that can help identify, prevent, or mitigate cyberattacks. Examples of indicators are IP addresses, domain names, file hashes, network traffic, system logs, and user behavior4.
*Indicators for detecting the presence of threats are more useful than the other options because they can help an organization to:
oMonitor and analyze its IT environment for any suspicious or malicious activity oRespond quickly and effectively to any potential or actual incidents oReduce the impact and damage of cyberattacks oImprove its security posture and resilience
*Solutions for eradicating emerging threats are not the most useful information because they may not be applicable or effective for every organization, depending on its specific context, needs, and resources.
Moreover, solutions may not be available or known for some new or sophisticated threats.
*Cost to mitigate the risk resulting from threats is not the most useful information because it does not help an organization to identify or prevent cyberattacks. Cost is only one factor to consider when deciding how to manage IT risk, and it may not reflect the true value or impact of the threats.
*Source and identity of attackers are not the most useful information because they may not be relevant or accurate for every organization. Source and identity of attackers are often difficult to trace or verify, and they may not affect the organization's risk level or response strategy.
References =
*Risk and Information Systems Control Study Manual, 7th Edition, ISACA, 2020, Chapter 2: IT Risk Assessment, Section 2.3: Risk Identification, pp. 83-84
*Risk and Information Systems Control Review Questions, Answers & Explanations Database, 12 Month Subscription, ISACA, 2020, Question ID: 100000
Examples of external sources are security blogs, forums, newsletters, reports, and alerts from reputable organizations such as ISACA, Imperva, Aura, and BitSight123.
*The most useful information an organization can obtain from external sources is the indicators for detecting the presence of threats. Indicators are observable signs or patterns that can help identify, prevent, or mitigate cyberattacks. Examples of indicators are IP addresses, domain names, file hashes, network traffic, system logs, and user behavior4.
*Indicators for detecting the presence of threats are more useful than the other options because they can help an organization to:
oMonitor and analyze its IT environment for any suspicious or malicious activity oRespond quickly and effectively to any potential or actual incidents oReduce the impact and damage of cyberattacks oImprove its security posture and resilience
*Solutions for eradicating emerging threats are not the most useful information because they may not be applicable or effective for every organization, depending on its specific context, needs, and resources.
Moreover, solutions may not be available or known for some new or sophisticated threats.
*Cost to mitigate the risk resulting from threats is not the most useful information because it does not help an organization to identify or prevent cyberattacks. Cost is only one factor to consider when deciding how to manage IT risk, and it may not reflect the true value or impact of the threats.
*Source and identity of attackers are not the most useful information because they may not be relevant or accurate for every organization. Source and identity of attackers are often difficult to trace or verify, and they may not affect the organization's risk level or response strategy.
References =
*Risk and Information Systems Control Study Manual, 7th Edition, ISACA, 2020, Chapter 2: IT Risk Assessment, Section 2.3: Risk Identification, pp. 83-84
*Risk and Information Systems Control Review Questions, Answers & Explanations Database, 12 Month Subscription, ISACA, 2020, Question ID: 100000
CRISC Exam Question 363
Which of the following should be the PRIMARY objective of promoting a risk-aware culture within an organization?
Correct Answer: C
The primary objective of promoting a risk-aware culture within an organization is enabling risk-based decision making, because this helps the organization to achieve its goals and objectives while managing its risks effectively and efficiently. A risk-aware culture is one where everyone understands the organization's approach to risk, takes personal responsibility to manage risk in everything they do, and encourages others to follow their example. A risk-aware culture also fosters communication, collaboration, and learning about risk across the organization. By promoting a risk-aware culture, the organization can empower its employees to make informed and balanced decisions that consider both the potential benefits and the potential risks of their actions. This can enhance the organization's performance, resilience, and competitiveness in a dynamic and uncertain environment. References = Risk IT Framework, ISACA, 2022, p. 17
CRISC Exam Question 364
Of the following, who should be responsible for determining the inherent risk rating of an application?
Correct Answer: C
Inherent risk rating is a measure of the natural level of risk that is part of an application, before any controls are applied1. Inherent risk rating helps to identify and prioritize the applications that pose the highest risk to the organization and require the most attention and resources for risk management2. The responsibility for determining the inherent risk rating of an application should belong to the risk practitioner, as they have the expertise and knowledge to perform a comprehensive and consistent risk assessment of the application, using a standard methodology and criteria3. The risk practitioner should also communicate and report the inherent risk rating of the application to the relevant stakeholders, such as the application owner, senior management, and business process owner, and provide recommendations for risk mitigation4. The application owner, senior management, and business process owner are not the best choices for determining the inherent risk rating of an application, as they may not have the same level of skill and objectivity as the risk practitioner. The application owner is the person who has the authority and accountability for the application and its performance5. The application owner may be involved in providing input and feedback to the risk practitioner during the risk assessment process, but they may not be able to assess the inherent risk rating of the application independently and impartially, as they may have a vested interest in the application's success and reputation6. Senior management is the group of executives who set the strategic direction and objectives of the organization and oversee its performance7. Senior management may be involved in approving and endorsing the risk assessment process and its results, but they may not be able to assess the inherent risk rating of the application in detail and depth, as they may have a broader and higher-level perspective of the organization's risk profile and priorities8. The business process owner is the person who has the authority and accountability for a business process that is supported or enabled by the application. The business process owner may be involved in providing input and feedback to the risk practitioner during the risk assessment process, but they may not be able to assess the inherent risk rating of the application accurately and comprehensively, as they may have a limited and specific view of the application's functionality and value. References = 2: Introduction toapplication risk rating & assessment | Infosec3: Application Security Risk: Assessment and Modeling - ISACA4: Risk and Information Systems Control Study Manual, Chapter 4:
Risk and Control Monitoring and Reporting, Section 4.2: Risk Monitoring, pp. 189-191.1: Inherent Risk Rating - Shared Assessments - Third Party Risk Management5: [Application Owner - Gartner IT Glossary] 6: Perform Inherent Risk Analysis - Oracle7: [Senior Management - Definition, Roles and Responsibilities] 8: Rating Inherent and Residual Risk - Barn Owl : [Business Process Owner - Gartner IT Glossary] : [Business Process Owner - Roles and Responsibilities]
Risk and Control Monitoring and Reporting, Section 4.2: Risk Monitoring, pp. 189-191.1: Inherent Risk Rating - Shared Assessments - Third Party Risk Management5: [Application Owner - Gartner IT Glossary] 6: Perform Inherent Risk Analysis - Oracle7: [Senior Management - Definition, Roles and Responsibilities] 8: Rating Inherent and Residual Risk - Barn Owl : [Business Process Owner - Gartner IT Glossary] : [Business Process Owner - Roles and Responsibilities]
CRISC Exam Question 365
When performing a risk assessment of a new service to support a ewe Business process. which of the following should be done FRST10 ensure continuity of operations?
Correct Answer: A
The first step to ensure continuity of operations when performing a risk assessment of a new service to support a new business process is to identify the conditions that may cause disruptions to the service or the process. This is because identifying the potential sources, causes, and scenarios of disruptions helps to determine the impact and likelihood of the risks, and to select the appropriate risk responses and recovery strategies. The other options are not the first steps, although they may also be part of the risk assessment process. Reviewing incident response procedures, evaluating the probability of risk events, and defining metrics for restoring availability are examples of subsequent steps that depend on the identification of the conditions that may cause disruptions. References = CRISC: Certified in Risk & Information Systems Control Sample Questions
- Other Version
- 1717ISACA.CRISC.v2026-03-31.q857
- 2086ISACA.CRISC.v2026-01-15.q649
- 4994ISACA.CRISC.v2025-09-26.q726
- 4208ISACA.CRISC.v2025-08-27.q675
- 6056ISACA.CRISC.v2025-01-04.q999
- 3013ISACA.CRISC.v2024-06-13.q683
- 4273ISACA.CRISC.v2024-04-02.q999
- 4154ISACA.CRISC.v2023-07-10.q544
- 6742ISACA.CRISC.v2022-05-25.q338
- 76ISACA.Actual4dump.CRISC.v2022-04-12.by.newman.349q.pdf
- 6369ISACA.CRISC.v2022-02-22.q349
- 6629ISACA.CRISC.v2021-10-27.q295
- 42ISACA.Updatedumps.CRISC.v2021-09-05.by.bonnie.114q.pdf
- Latest Upload
- 234Microsoft.AZ-900.v2026-07-16.q224
- 124Microsoft.AB-730.v2026-07-16.q19
- 177Google.Professional-Cloud-DevOps-Engineer.v2026-07-16.q92
- 177ACFE.CFE-Investigation.v2026-07-16.q87
- 219CompTIA.SY0-701.v2026-07-15.q325
- 634ISACA.CRISC.v2026-07-15.q907
- 251NISM.NISM-Series-VII.v2026-07-14.q164
- 224PECB.ISO-IEC-27001-Lead-Implementer.v2026-07-14.q147
- 180API.API-510.v2026-07-13.q47
- 363Microsoft.AZ-400.v2026-07-13.q294
[×]
Download PDF File
Enter your email address to download ISACA.CRISC.v2026-07-15.q907 Practice Test
