ISACA CRISC Übungsprüfungen

Zuletzt aktualisiert am 01.05.2026

Prüfungscode: CRISC
Prüfungsname: Certified in Risk and Information Systems Control
Zertifizierungsanbieter: ISACA
Zuletzt aktualisiert am: 01.05.2026

Vollständige ISACA CRISC-Prüfungsfragen erhalten

Question #640

While reviewing the risk register, a risk practitioner notices that different business units have significant variances in inherent risk for the same risk scenario.

Which of the following is the BEST course of action?

A . Update the risk register with the average of residual risk for both business units.
B . Review the assumptions of both risk scenarios to determine whether the variance is reasonable.
C . Update the risk register to ensure both risk scenarios have the highest residual risk.
D . Request that both business units conduct another review of the risk.

Lösung einblenden Lösung ausblenden

Question #642

A company has located its computer center on a moderate earthquake fault.

Which of the following is the MOST important consideration when establishing a contingency plan and an alternate processing site?

A . The alternative site is a hot site with equipment ready to resume processing immediately.
B . The contingency plan provides for backup media to be taken to the alternative site.
C . The contingency plan for high priority applications does not involve a shared cold site.
D . The alternative site does not reside on the same fault to matter how the distance apart.

Lösung einblenden Lösung ausblenden

Question #643

Which of the following would BEST help an enterprise define and communicate its risk appetite?

A . Gap analysis
B . Risk assessment
C . Heat map
D . Risk register

Lösung einblenden Lösung ausblenden

Richtige Antwort: D
D

Explanation:

The best way to help an enterprise define and communicate its risk appetite is to use a risk register, which is a document that records and summarizes the key information and data about the identified risks and the risk responses1.

A risk register can help to:

Define the risk appetite, which is the amount and type of risk that the enterprise is willing to accept or pursue in order to achieve its objectives2. The risk register can include the risk appetite statement, which is a clear and concise expression of the enterprise’s risk preferences and boundaries3. Communicate the risk appetite, which is the process of sharing and informing the risk appetite to the relevant stakeholders, such as the board, the management, the employees, or the customers4. The risk register can be used as a communication tool, which can provide a consistent and transparent view of the enterprise’s risk profile and performance5.

The other options are not the best ways to help an enterprise define and communicate its risk appetite, because:

Gap analysis is a technique that compares the current state and the desired state of a process, system, or organization, and identifies the gaps or differences between them6. Gap analysis can help to assess the alignment or misalignment of the enterprise’s risk appetite with its risk level, but it does not help to define or communicate the risk appetite itself.

Risk assessment is a process that estimates the probability and impact of the risks, and prioritizes the risks based on their significance and urgency. Risk assessment can help to identify and analyze the risks that may affect the enterprise’s objectives, but it does not help to define or communicate the risk appetite itself.

Heat map is a graphical representation that uses colors to indicate the level or intensity of a variable, such as risk. Heat map can help to visualize and compare the risks based on their probability and impact, but it does not help to define or communicate the risk appetite itself.

Reference: =

Risk Register – CIO Wiki

Risk Appetite – CIO Wiki

Risk Appetite Statement – CIO Wiki

Risk Communication – CIO Wiki

Risk Reporting – CIO Wiki

Gap Analysis – CIO Wiki

[Risk Assessment – CIO Wiki]

[Heat Map – CIO Wiki]

[Risk and Information Systems Control documents and learning resources by ISACA]

Question #644

The PRIMARY purpose of using a framework for risk analysis is to:

A . improve accountability
B . improve consistency
C . help define risk tolerance
D . help develop risk scenarios.

Lösung einblenden Lösung ausblenden

Question #645

Which of the following activities is a responsibility of the second line of defense?

A . Challenging risk decision making
B . Developing controls to manage risk scenarios
C . Implementing risk response plans
D . Establishing organizational risk appetite

Lösung einblenden Lösung ausblenden

Previous Questions

Free ISACA CRISC Übungsprüfungen

ISACA CRISC Übungsprüfungen