CRISC Exam Question 466
Which of the following scenarios represents a threat?
Correct Answer: D
A virus transmitted on a USB thumb drive is a scenario that represents a threat, as it involves a malicious or harmful event that could compromise the confidentiality, integrity, or availability of an information system. A virus is a type of malware that can infect and damage files, programs, or devices by replicating itself and spreading to other systems or networks. A USB thumb drive is a portable storage device that can be used to transfer data between computers or devices. A virus transmitted on a USB thumb drive can occur when a user inserts an infected USB thumb drive into a computer or device, or when a user downloads or copies an infected file from a USB thumb drive to a computer or device. A virus transmitted on a USB thumb drive can pose a serious risk to the information system, as it can corrupt or delete data, disrupt or degrade performance, steal or leak information, or allow unauthorized access or control.
The other options are not scenarios that represent a threat, but rather vulnerabilities or weaknesses that could increase the likelihood or impact of a threat. Connecting a laptop to a free, open, wireless access point (hotspot) is a vulnerability, as it exposes the laptop to potential eavesdropping, interception, or manipulation by malicious actors on the same network. Visitors not signing in as per policy is a vulnerability, as it creates a gap in the physical security and access control of the premises, and could allow unauthorized or malicious visitors to enter or access sensitive areas or assets. Storing corporate data in unencrypted form on a laptop is a vulnerability, as it reduces the protection and security of the data, and could enable unauthorized or malicious access, disclosure, or modification of the data in case of loss, theft, or compromise of the laptop. References = What is a Computer Virus? | McAfee, What is a USB Flash Drive? | Kingston Technology, Threats, Vulnerabilities, and Exploits - oh my!
The other options are not scenarios that represent a threat, but rather vulnerabilities or weaknesses that could increase the likelihood or impact of a threat. Connecting a laptop to a free, open, wireless access point (hotspot) is a vulnerability, as it exposes the laptop to potential eavesdropping, interception, or manipulation by malicious actors on the same network. Visitors not signing in as per policy is a vulnerability, as it creates a gap in the physical security and access control of the premises, and could allow unauthorized or malicious visitors to enter or access sensitive areas or assets. Storing corporate data in unencrypted form on a laptop is a vulnerability, as it reduces the protection and security of the data, and could enable unauthorized or malicious access, disclosure, or modification of the data in case of loss, theft, or compromise of the laptop. References = What is a Computer Virus? | McAfee, What is a USB Flash Drive? | Kingston Technology, Threats, Vulnerabilities, and Exploits - oh my!
CRISC Exam Question 467
Which of the following is a risk practitioner's BEST course of action upon learning that a control under internal review may no longer be necessary?
Correct Answer: A
The best course of action for a risk practitioner upon learning that a control under internal review may no longer be necessary is to obtain approval to retire the control. This will help to ensure that the control is removed in a controlled and documented manner, and that the relevant stakeholders are informed and agree with the decision. Retiring unnecessary controls can also help to optimize the control environment, reduce costs and complexity, and improve efficiency and performance. Updating the status of the control as obsolete, consulting the internal auditor for a second opinion, and verifying the effectiveness of the original mitigation plan are not the best courses of action, as they may not address the root cause of the control's obsolescence, and may delay or complicate the control retirement process. References = Risk and Information Systems Control Study Manual, 7th Edition, Chapter 3, Section 3.1.1.2, page 1071
1: ISACA Certified in Risk and Information Systems Control (CRISC) Exam Guide, Answer to Question
649.
1: ISACA Certified in Risk and Information Systems Control (CRISC) Exam Guide, Answer to Question
649.
CRISC Exam Question 468
Which element of an organization's risk register is MOST important to update following the commissioning of a new financial reporting system?
Correct Answer: C
The most important element of an organization's risk register to update following the commissioning of a new financial reporting system is the risk rating of affected financial processes. A risk rating is a measure of the level and nature of the risk exposure, based on the impact and likelihood of the risk events. A risk rating can help to prioritize and respond to the risks, and to monitor and report the risk status. A new financial reporting system may introduce new or different risks, or change the existing risks, that could affect the financial processes of the organization, such as data quality, accuracy, timeliness, compliance, or security. Therefore, the risk rating of affected financial processes should be updated to reflect the current risk situation and to ensure that the risk register is accurate and complete. Key risk indicators (KRIs), the owner of the financial reporting process, and the list of relevant financial controls are not as important as the risk rating of affected financial processes, as they are not directly affected by the commissioning of a new financial reporting system, and they do not measure the risk exposure and impact of the financial processes. References = CRISC Review Manual, 6th Edition, ISACA, 2015, page 48.
CRISC Exam Question 469
Which of the following BEST enables the identification of trends in risk levels?
Correct Answer: A
Key risk indicators (KRIs) are metrics or measures that provide information on the current or potential exposure and performance of an organization in relation to specific risks. KRIs can help to monitor and track the changes or trends in the risk level and the risk response over time, identify and alert the risk issues or events that require attention or action, evaluate and report the effectiveness and efficiency of the risk management processes and practices, and support and inform the risk decision making and improvement1.
The best way to enable the identification of trends in risk levels is to ensure that the correlation between risk levels and KRIs is positive, because it means that the KRIs are aligned with and reflective of the risk levels, and that they can capture and indicate the variations or movements in the risk levels accurately and reliably. A positive correlation between risk levels and KRIs can be achieved by:
Selecting and defining the KRIs that are relevant and appropriate for the specific risks that the organization faces, and that are consistent and comparable across different domains and contexts Collecting and analyzing the data and information that are reliable and sufficient for the KRIs, and that are sourced from various methods and sources, such as risk assessments, audits, monitoring, alerts, or incidents Applying and using the tools and techniques that are suitable and feasible for the KRIs, such as risk matrices, risk registers, risk indicators, or risk models Reviewing and updating the KRIs periodically or as needed, and ensuring that they reflect the current or accurate risk levels, which may change over time or due to external factors23 The other options are not the best ways to enable the identification of trends in risk levels, but rather some of the factors or aspects of KRIs. Measurements for KRIs are repeatable is a factor that can enhance the reliability and validity of the KRIs, as it means that the KRIs can produce the same or similar results under the same or similar conditions. However, repeatability does not necessarily imply accuracy or sensitivity, and it may not capture or reflect the changes or trends in the risk levels. Quantitative measurements are used for KRIs is an aspect that can improve the objectivity and precision of the KRIs, as it means that the KRIs are expressed in numerical or measurable values, such as percentages, probabilities, or monetary amounts.
However, quantitative measurements may not be suitable or feasible for all types of risks or KRIs, and they may not capture or reflect the complexity or uncertainty of the risk levels. Qualitative definitions for KRIs are used is an aspect that can enhance the understanding and communication of the KRIs, as it means that the KRIs are expressed in descriptive or subjective terms, such as high, medium, or low, based on criteria such as likelihood, impact, or severity. However, qualitative definitions may not be consistent or comparable across different risks or KRIs, and they may not capture or reflect the magnitude or variation of the risk levels. References = Key Risk Indicators: What They Are and How to Use Them Key Risk Indicators: A Practical Guide | SafetyCulture Key Risk Indicators: Types and Examples
[CRISC Review Manual, 7th Edition]
The best way to enable the identification of trends in risk levels is to ensure that the correlation between risk levels and KRIs is positive, because it means that the KRIs are aligned with and reflective of the risk levels, and that they can capture and indicate the variations or movements in the risk levels accurately and reliably. A positive correlation between risk levels and KRIs can be achieved by:
Selecting and defining the KRIs that are relevant and appropriate for the specific risks that the organization faces, and that are consistent and comparable across different domains and contexts Collecting and analyzing the data and information that are reliable and sufficient for the KRIs, and that are sourced from various methods and sources, such as risk assessments, audits, monitoring, alerts, or incidents Applying and using the tools and techniques that are suitable and feasible for the KRIs, such as risk matrices, risk registers, risk indicators, or risk models Reviewing and updating the KRIs periodically or as needed, and ensuring that they reflect the current or accurate risk levels, which may change over time or due to external factors23 The other options are not the best ways to enable the identification of trends in risk levels, but rather some of the factors or aspects of KRIs. Measurements for KRIs are repeatable is a factor that can enhance the reliability and validity of the KRIs, as it means that the KRIs can produce the same or similar results under the same or similar conditions. However, repeatability does not necessarily imply accuracy or sensitivity, and it may not capture or reflect the changes or trends in the risk levels. Quantitative measurements are used for KRIs is an aspect that can improve the objectivity and precision of the KRIs, as it means that the KRIs are expressed in numerical or measurable values, such as percentages, probabilities, or monetary amounts.
However, quantitative measurements may not be suitable or feasible for all types of risks or KRIs, and they may not capture or reflect the complexity or uncertainty of the risk levels. Qualitative definitions for KRIs are used is an aspect that can enhance the understanding and communication of the KRIs, as it means that the KRIs are expressed in descriptive or subjective terms, such as high, medium, or low, based on criteria such as likelihood, impact, or severity. However, qualitative definitions may not be consistent or comparable across different risks or KRIs, and they may not capture or reflect the magnitude or variation of the risk levels. References = Key Risk Indicators: What They Are and How to Use Them Key Risk Indicators: A Practical Guide | SafetyCulture Key Risk Indicators: Types and Examples
[CRISC Review Manual, 7th Edition]
CRISC Exam Question 470
Which of the following will BEST help to improve an organization's risk culture?
Correct Answer: B
A risk awareness program is a set of activities that aim to educate and inform employees about the organization's risk culture, policies, and procedures. A risk awareness program can help improve an organization's risk culture by enhancing the employees' understanding of risk, their roles and responsibilities in risk management, and the benefits of risk mitigation. A risk awareness program can also foster a culture of openness, trust, and collaboration among employees, managers, and stakeholders, which can improve the organization's risk performance and resilience.
Maintaining a documented risk register, rewarding employees for reporting security incidents, and allocating resources for risk remediation are also important aspects of risk management, but they do not directly address the organization's risk culture, which is the shared values, beliefs, and attitudes that influence how risk is perceived and handled within the organization.
Maintaining a documented risk register, rewarding employees for reporting security incidents, and allocating resources for risk remediation are also important aspects of risk management, but they do not directly address the organization's risk culture, which is the shared values, beliefs, and attitudes that influence how risk is perceived and handled within the organization.
- Other Version
- 1718ISACA.CRISC.v2026-03-31.q857
- 2090ISACA.CRISC.v2026-01-15.q649
- 5003ISACA.CRISC.v2025-09-26.q726
- 4213ISACA.CRISC.v2025-08-27.q675
- 6067ISACA.CRISC.v2025-01-04.q999
- 3018ISACA.CRISC.v2024-06-13.q683
- 4276ISACA.CRISC.v2024-04-02.q999
- 4154ISACA.CRISC.v2023-07-10.q544
- 6744ISACA.CRISC.v2022-05-25.q338
- 76ISACA.Actual4dump.CRISC.v2022-04-12.by.newman.349q.pdf
- 6372ISACA.CRISC.v2022-02-22.q349
- 6631ISACA.CRISC.v2021-10-27.q295
- 42ISACA.Updatedumps.CRISC.v2021-09-05.by.bonnie.114q.pdf
- Latest Upload
- 115Pegasystems.PEGACPDC25V1.v2026-07-17.q45
- 136CompTIA.N10-009.v2026-07-17.q230
- 121EMC.D-PDM-DY-23.v2026-07-17.q66
- 124Salesforce.ADM-201.v2026-07-17.q63
- 130PMI.CAPM.v2026-07-17.q643
- 126Cisco.300-215.v2026-07-17.q60
- 129CollegeAdmission.PMHNP.v2026-07-17.q640
- 130Microsoft.MB-240.v2026-07-17.q174
- 115SAP.C_CE325_2601.v2026-07-17.q37
- 243Microsoft.AZ-900.v2026-07-16.q224
[×]
Download PDF File
Enter your email address to download ISACA.CRISC.v2026-07-15.q907 Practice Test
