ISACA CRISC Practice Exams
Last updated on 08.09.2025
- Exam code: CRISC
- Exam name: Certified in Risk and Information Systems Control
- Certification provider: ISACA
A risk practitioner has been notified of a social engineering attack using artificial intelligence (AI) technology to impersonate senior management personnel.
Which of the following would BEST mitigate the impact of such attacks?
- A . Subscription to data breach monitoring sites
- B . Suspension and takedown of malicious domains or accounts
- C . Increased monitoring of executive accounts
- D . Training and awareness of employees for increased vigilance
Which of the following is the MOST effective way to integrate risk and compliance management?
- A . Embedding risk management into compliance decision-making
- B . Designing corrective actions to improve risk response capabilities
- C . Embedding risk management into processes that are aligned with business drivers
- D . Conducting regular self-assessments to verify compliance
Which of the following is a PRIMARY reason for considering existing controls during initial risk assessment?
- A . To determine the inherent risk level
- B . To determine the acceptable risk level
- C . To determine the current risk level
- D . To determine the desired risk level
An organization has asked an IT risk practitioner to conduct an operational risk assessment on an initiative to outsource the organization’s customer service operations overseas.
Which of the following would MOST significantly impact management’s decision?
- A . Time zone difference of the outsourcing location
- B . Ongoing financial viability of the outsourcing company
- C . Cross-border information transfer restrictions in the outsourcing country
- D . Historical network latency between the organization and outsourcing location
A risk practitioner discovers several key documents detailing the design of a product currently in development have been posted on the Internet.
What should be the risk practitioner’s FIRST course of action?
- A . Invoke the established incident response plan.
- B . Inform internal audit.
- C . Perform a root cause analysis.
- D . Conduct an immediate risk assessment.
An organization is making significant changes to an application. At what point should the application risk profile be updated?
- A . After user acceptance testing (UAT)
- B . Upon release to production
- C . During backlog scheduling
- D . When reviewing functional requirements
An organization has outsourced its backup and recovery procedures to a third-party cloud provider.
Which of the following is the risk practitioner's BEST course of action?
- A . Accept the risk and document contingency plans for data disruption.
- B . Remove the associated risk scenario from the risk register due to avoidance.
- C . Mitigate the risk with compensating controls enforced by the third-party cloud provider.
- D . Validate the transfer of risk and update the register to reflect the change.
Which of the following would provide the MOST objective assessment of the effectiveness of an organization’s security controls?
- A . An internal audit
- B . Security operations center review
- C . Internal penetration testing
- D . A third-party audit
Which of the following would BEST facilitate the implementation of data classification requirements?
- A . Assigning a data owner
- B . Implementing technical control over the assets
- C . Implementing a data loss prevention (DLP) solution
- D . Scheduling periodic audits
A global organization is planning to collect customer behavior data through social media advertising.
Which of the following is the MOST important business risk to be considered?
- A . Regulatory requirements may differ in each country.
- B . Data sampling may be impacted by various industry restrictions.
- C . Business advertising will need to be tailored by country.
- D . The data analysis may be ineffective in achieving objectives.