CRISC Certified in Risk and Information Systems Control Free Demo Questions – Try Before You Buy

Question 1

A risk practitioner is defining metrics for security threats that were not identified by antivirus software. Which type of metric is being developed?

A

Key control indicator (KCI)

B

Key risk indicator (KRI)

C

Operational level agreement (OLA)

D

Service level agreement (SLA)

Correct Answer: B

Explanation:

A KRI is a measure used by an organization to measure the health of a particular risk. In this case, the risk practitioner is developing a metric to measure the risk associated with security threats that were not identified by antivirus software12.
References
1Standardized Scoring for Security and Risk Metrics - ISACA
2Key Performance Indicators for Security Governance, Part 1 - ISACA

Question 2

When a high number of approved exceptions are observed during a review of a control procedure, an organization should FIRST initiate a review of the:

A

Relevant policies.

B

Threat landscape.

C

Awareness program.

D

Risk heat map.

Correct Answer: A

Explanation:

A high number of exceptions often indicate misalignment between policies and business needs. Reviewing policies helps determine if they are overly restrictive or need adjustments to reduce exceptions while maintaining security.

Question 3

Which of the following provides the MOST useful information to assess the magnitude of identified deficiencies in the IT control environment?

A

Peer benchmarks

B

Internal audit reports

C

Business impact analysis (BIA) results

D

Threat analysis results

Correct Answer: B

Explanation:

Internal audit reports provide the most useful information to assess the magnitude of identified deficiencies in the IT control environment. Internal audit reports are independent and objective evaluations of the design and operating effectiveness of the IT controls, as well as the compliance with policies, standards, and regulations. Internal audit reports also provide recommendations for improvement and follow-up actions for the control deficiencies. Internal audit reports can help measure the impact and severity of the control deficiencies, and prioritize the remediation efforts. Peer benchmarks, business impact analysis (BIA) results, and threat analysis results are not as directly related to the assessment of the control deficiencies, although they may provide some contextual or comparative information. References = Risk and Information Systems Control Study Manual, Chapter 1, Section 1.4.1, page 1-19.

Demo ISACA CRISC Exam Questions

A risk practitioner is defining metrics for security threats that were not identified by antivirus software. Which type of metric is being developed?

Key control indicator (KCI)

Key risk indicator (KRI)

Operational level agreement (OLA)

Service level agreement (SLA)

Correct Answer: B

When a high number of approved exceptions are observed during a review of a control procedure, an organization should FIRST initiate a review of the:

Relevant policies.

Threat landscape.

Awareness program.

Risk heat map.

Correct Answer: A

A high number of exceptions often indicate misalignment between policies and business needs. Reviewing policies helps determine if they are overly restrictive or need adjustments to reduce exceptions while maintaining security.

Which of the following provides the MOST useful information to assess the magnitude of identified deficiencies in the IT control environment?

Peer benchmarks

Internal audit reports

Business impact analysis (BIA) results

Threat analysis results

Correct Answer: B

Demo Practice Mode