ISACA CRISC Practice Exams
- Exam code: CRISC
- Exam name: Certified in Risk and Information Systems Control
- Certification provider: ISACA
- Last updated: 05.09.2025
A risk practitioner identifies an increasing trend of employees copying company information unrelated to their job functions to USB drives.
Which of the following elements of the risk register should be updated to reflect this observation?
- A . Risk impact
- B . Key risk indicator (KRI)
- C . Risk appetite
- D . Risk likelihood
Which of the following is the BEST criterion to determine whether higher residual risk ratings in the risk register should be accepted?
- A . Risk maturity
- B . Risk policy
- C . Risk appetite
- D . Risk culture
Warning banners on login screens for laptops provided by an organization to its employees are an example of which type of control?
- A . Corrective
- B . Preventive
- C . Detective
- D . Deterrent
Which of the following should be the PRIMARY consideration when implementing controls for monitoring user activity logs?
- A . Ensuring availability of resources for log analysis
- B . Implementing log analysis tools to automate controls
- C . Ensuring the control is proportional to the risk
- D . Building correlations between logs collected from different sources
Which of the following would be the GREATEST concern related to data privacy when implementing an Internet of Things (IoT) solution that collects personally identifiable information (PII)?
- A . A privacy impact assessment has not been completed.
- B . Data encryption methods apply to a subset of PII obtained.
- C . The data privacy officer was not consulted.
- D . Insufficient access controls are used on the IoT devices.
Which of the following is MOST important to ensure when reviewing an organization’s risk register?
- A . Risk ownership is recorded.
- B . Vulnerabilities have separate entries.
- C . Control ownership is recorded.
- D . Residual risk is less than inherent risk.
An organization has been made aware of a newly discovered critical vulnerability in a regulatory reporting system.
Which of the following is the risk practitioner’s BEST course of action?
- A . Perform an impact assessment.
- B . Perform a penetration test.
- C . Request an external audit.
- D . Escalate the risk to senior management.
An organization has an internal control that requires that all access for employees be removed within 15 days of their termination date.
Which of the following should the risk practitioner use to monitor adherence to the 15-day threshold?
- A . Operation level agreement (OLA)
- B . Service level agreement (SLA)
- C . Key performance indicator (KPI)
- D . Key risk indicator (KRI)
During an acquisition, which of the following would provide the MOST useful input to the parent company’s risk practitioner when developing risk scenarios for the post-acquisition phase?
- A . Risk management framework adopted by each company
- B . Risk registers of both companies
- C . IT balanced scorecard of each company
- D . Most recent internal audit findings from both companies
Which of the following is the PRIMARY purpose of creating and documenting control procedures?
- A . To facilitate ongoing audit and control testing
- B . To help manage risk to acceptable tolerance levels
- C . To establish and maintain a control inventory
- D . To increase the likelihood of effective control operation