Free CRISC Practice Quiz
Lets get started!
This free practice quiz includes questions from ISACA®'s test prep solutions that are the same level of difficulty you can expect on ISACA's official CRISC exam.
-
Which of the following is MOST important to determine when defining risk management strategies?
-
Risk assessment criteria
Information on the internal and external environments must be collected to define a strategy and identify its impact. Risk assessment criteria alone are not sufficient.
-
IT architecture complexity
IT architecture complexity is more directly related to assessing risk than defining strategies.
-
Enterprise disaster recovery plan.
An enterprise disaster recovery plan is more directly related to mitigating the risk.
-
Business objectives and operations
While defining risk management strategies, the risk practitioner needs to analyze the enterprise’s objectives and risk tolerance and define a risk management framework based on this analysis. Some enterprises may accept known risk, while others may invest in and apply mitigating controls to reduce risk.
-
-
The GREATEST risk posed by an absence of strategic planning is:
-
increase in the number of licensing violations.
Licensing violations can lead to fines and penalties from software companies; however, absence of strategic planning does not necessarily entail an increase in licensing violations.
-
increase in the number of obsolete systems.
The number of obsolete systems can increase if strategic planning lapses; however, improper or negligent oversight of IT investment is the more fundamental direct risk, as investment informs the execution of future strategy and ensures that new systems align with business objectives.
-
improper oversight of IT investment.
Improper oversight of IT investment is the greatest risk. Without proper oversight from management, IT investment may fail to align with business strategy, and IT expenditures may not support business objectives.
-
unresolved current and past problems.
Strategic planning is future-oriented, whereas unresolved current and past problems are tactical in nature.
-
-
Which of the following risk management roles is part of first line of defense?
-
Chief risk officer.
The chief risk officer holds a supervisory position and, therefore, is part of the second line of defense.
-
Risk steering committee.
The risk steering committee supervises operations, which is a function of the second line of defense.
-
Risk owner.
The first line of defense is operational management, and risk owners are part of operational management.
-
Board of directors.
The board of directors provides direction and gets feedback for monitoring. It does not take an active role in the three lines of defense because all three lines report to it.
-
-
According to the three lines of defense model, where would the data ethics function MOST likely reside in an enterprise?
-
The first line of defense
The first line of defense is the operations function and may or may not play a role in data ethics.
-
The second line of defense
The second line of defense includes compliance, ethics and risk management and is intended to provide guidance.
-
The third line of defense
Internal audit is the third line of defense and is responsible for providing independent verification and assurance that controls are in place and operating effectively.
-
The board of directors.
The board of directors is responsible for setting the tone at the top; overseeing management; and ensuring that risk management, regulatory, compliance and ethics obligations are met. It may or may not play a role in data ethics.
-
-
Which of the following is MOST relevant to include in a cost-benefit analysis of a two-factor authentication system?
-
The approved budget of the project
The approved budget of the project may have no bearing on what the project may actually cost.
-
The frequency of incidents
The frequency of security incidents can help measure the benefit but the relationship is indirect because not all security incidents may be mitigated by implementing a two-factor authentication system.
-
The annual loss expectancy of security incidents
The ALE of incidents can help measure the benefit but the relationship is indirect because not all incidents may be mitigated by implementing a two-factor authentication system.
-
The total cost of ownership
Total cost of ownership is the most relevant piece of information to be included in the cost-benefit analysis because it establishes a cost baseline that must be considered for the full life cycle of the control.
-
-
Which of the following BEST ensures that appropriate mitigation occurs on identified information systems vulnerabilities?
-
Presenting root cause analysis to the management of the enterprise.
Presenting findings to management will increase management awareness; however, it does not ensure that action will be taken by the staff.
-
Implementing software to input the action points.
Software can help in monitoring the progress of mitigations, but it will not ensure that the mitigation will be completed.
-
Incorporating the findings into the annual report to shareholders.
Reporting to shareholders does not ensure that the mitigation will be completed.
-
Assigning action plans with deadlines to responsible personnel.
Assigning mitigation to personnel establishes responsibility for its completion within the deadline.
-
-
What is the MOST important control that should be in place to safeguard against the misuse of the corporate social media account?
-
Social media account monitoring
Social media account monitoring is a detective control that identifies violations after the fact, as opposed to a proactive measure, such as two-factor authentication.
-
Two-factor authentication
Use of two-factor authentication will proactively protect the account from unauthorized access.
-
Awareness training
Awareness training may be effective with legitimate users; however, two-factor authentication is a preventive control as opposed to a deterrent control.
-
Strong passwords
Using strong passwords will help prevent unauthorized access; however, two-factor authentication provides a proactive control in case the password is compromised.
-
-
A business case developed to support risk mitigation efforts for a complex application development project should be retained until:
-
the project is approved.
The business case should be retained even after project approval to justify audit, project review or project scope change.
-
user acceptance of the application.
The business case should be retained even after user acceptance to validate the return on investment.
-
the application is deployed.
The application may be updated and modified; the business case should be retained because updates may involve new risk.
-
the application’s end of life.
All documentation related to the system should be updated and retained until the system is no longer in service. Documentation may be retained longer to meet the enterprise's record retention period requirement.
-
-
Which of the following factors should be assessed after the likelihood of a loss event has been determined?
-
Risk tolerance
Risk tolerance reflects acceptable deviation from acceptable risk. Risk tolerance requires quantification of risk, which in turn requires determining the magnitude of impact.
-
Magnitude of impact
Once likelihood has been determined, the next step is to determine magnitude of impact.
-
Residual risk
Residual risk is the risk that remains after management implements a risk response. It cannot be calculated until controls are selected.
-
Compensating controls
Compensating controls are internal controls that reduce the risk of an existing or potential control weakness that can result in errors and omissions. They would not be assessed directly in conjunction with assessing the likelihood of a loss event.
-
-
If risk has been identified, but not yet mitigated, the enterprise would?
-
record and mitigate serious risk and disregard low-level risk.
All levels of risk identified should be documented in the risk register. It is important to be able to identify where low-level risk can be aggregated within the register.
-
obtain management commitment to mitigate all identified risk within a reasonable time frame.
Not all identified risk will necessarily be mitigated. The enterprise will conduct a cost-benefit analysis before determining the appropriate risk response.
-
document identified risk in the risk register and maintain the remediation status.
All identified risk should be included in the risk register. The register should capture the proposed remediation plan, the risk owner, and the anticipated date of completion.
-
conduct an annual risk assessment, but disregard previous assessments to prevent risk bias.
Annual risk assessments should consider previous risk assessments.
-
Congratulations, you passed with 0 correct!
Great job! Your knowledge of IT risk management is off to a strong start.
Scroll down for your detailed results.
Remember: these questions are a small preview of what you can expect on exam day. The official CRISC exam has 150 questions.
You're just a few steps away from obtaining your CRISC certification:
- Register and pay for your exam.
- Schedule your exam.
- Prep for your exam.
- Ace the CRISC exam.
Whether you are seeking a new career opportunity or striving to grow within your current organization, the Certified in Risk and Information Systems Control® (CRISC®)certification proves your skills and expertise.
You've Got This! Now take the CRISC exam.
Good work, you scored 0 correct!
Your knowledge of IT risk management is off to a good start.
Scroll down for your detailed results.
Remember: these questions are a small preview of what you can expect on exam day. The official CRISC exam has 150 questions.
You're just a few steps away from obtaining your CRISC certification:
- Prep for your exam.
- Register and pay for your exam.
- Schedule your exam.
- Ace the CRISC exam.
To set yourself up for success on your CRISC certification exam, take a look at ISACA's suite of test prep solutions. There's something for every learning style and schedule. Our team of CRISC-certified IT risk management experts have combined cutting-edge industry practices with proven training formats that maximize learning.
Choose the Exam Prep that Best Fits Your Needs.
Ready for your CRISC? Take the exam now.
You didn't pass with 0 correct, but you can still excel on the exam!
Great effort! No matter your score, the right preparation from ISACA® will help you excel on your CRISC® exam and move your career forward.
Scroll down for your detailed results.
Remember: these questions are a small preview of what you can expect on exam day. The official CRISC exam has 150 questions.
You're just a few steps away from obtaining your CRISC certification:
- Prep for your exam.
- Register and pay for your exam.
- Schedule your exam.
- Ace the CRISC exam.
Choose the Exam Prep that Best Fits Your Needs.
- Master the CRISC material
- Quickly expand your skillset
- Become better at your job
- Make the most of exam day
CRISC Practice Quiz
CRISC Practice Quiz