ISACA CRISC Practice Exams
Last updated: 10.03.2026
- Exam code: CRISC
- Exam name: Certified in Risk and Information Systems Control
- Certification provider: ISACA
Which organizational role should be accountable for ensuring information assets are appropriately classified?
- A . Data protection officer
- B . Chief information officer (CIO)
- C . Information asset custodian
- D . Information asset owner
Which of the following provides the MOST reliable evidence to support conclusions after completing an information systems controls assessment?
- A . Risk and control self-assessment (CSA) reports
- B . Information generated by the systems
- C . Control environment narratives
- D . Confirmation from industry peers
Which of the following is the GREATEST advantage of implementing a risk management program?
- A . Enabling risk-aware decisions
- B . Promoting a risk-aware culture
- C . Improving security governance
- D . Reducing residual risk
During a risk assessment, a risk practitioner learns that an IT risk factor is adequately mitigated by compensating controls in an associated business process.
Which of the following would enable the MOST effective management of the residual risk?
- A . Schedule periodic reviews of the compensating controls' effectiveness.
- B . Report the use of compensating controls to senior management.
- C . Recommend additional IT controls to further reduce residual risk.
- D . Request that ownership of the compensating controls is reassigned to IT
An organization has granted a vendor access to its data in order to analyze customer behavior.
Which of the following would be the MOST effective control to mitigate the risk of customer data leakage?
- A . Enforce criminal background checks.
- B . Mask customer data fields.
- C . Require vendor to sign a confidentiality agreement.
- D . Restrict access to customer data on a "need to know" basis.
An organization has been notified that a disgruntled, terminated IT administrator has tried to break into the corporate network.
Which of the following discoveries should be of GREATEST concern to the organization?
- A . Authentication logs have been disabled.
- B . An external vulnerability scan has been detected.
- C . A brute force attack has been detected.
- D . An increase in support requests has been observed.
From a risk management perspective, which of the following is the PRIMARY benefit of using automated system configuration validation tools?
- A . Residual risk is reduced.
- B . Staff costs are reduced.
- C . Operational costs are reduced.
- D . Inherent risk is reduced.
The BEST key performance indicator (KPI) to measure the effectiveness of a vulnerability remediation program is the number of:
- A . vulnerability scans.
- B . recurring vulnerabilities.
- C . vulnerabilities remediated.
- D . new vulnerabilities identified.
Which of the following is the MOST effective way to help ensure future risk levels do not exceed the organization’s risk appetite?
- A . Establishing a series of key risk indicators (KRIs).
- B . Adding risk triggers to entries in the risk register.
- C . Implementing key performance indicators (KPIs).
- D . Developing contingency plans for key processes.
A MAJOR advantage of using key risk indicators (KRIs) is that they:
- A . identify scenarios that exceed defined risk appetite.
- B . help with internal control assessments concerning risk appetite.
- C . assess risk scenarios that exceed defined thresholds.
- D . identify when risk exceeds defined thresholds.