ISACA CRISC Practice Exams
Last updated: 03.06.2025
- Exam code: CRISC
- Exam name: Certified in Risk and Information Systems Control
- Certification provider: ISACA
Which of the following BEST indicates that an organization's risk management program is effective?
- A . Fewer security incidents have been reported.
- B . The number of audit findings has decreased.
- C . Residual risk is reduced.
- D . Inherent risk is unchanged.
The results of a risk assessment reveal risk scenarios with high impact and low likelihood of occurrence.
Which of the following would be the BEST action to address these scenarios?
- A . Assemble an incident response team.
- B . Create a disaster recovery plan (DRP).
- C . Develop a risk response plan.
- D . Initiate a business impact analysis (BIA).
An organization’s IT department wants to complete a proof of concept (POC) for a security tool. The project lead has asked for approval to use the production data for testing purposes as it will yield the best results.
Which of the following is the risk practitioner’s BEST recommendation?
- A . Accept the risk of using the production data to ensure accurate results.
- B . Assess the risk of using production data for testing before making a decision.
- C . Benchmark against what peer organizations are doing with POC testing environments.
- D . Deny the request, as production data should not be used for testing purposes.
Which of the following would be a weakness in procedures for controlling the migration of changes to production libraries?
- A . The programming project leader solely reviews test results before approving the transfer to production.
- B . Test and production programs are in distinct libraries.
- C . Only operations personnel are authorized to access production libraries.
- D . A synchronized migration of executable and source code from the test environment to the production environment is allowed.
Which of the following process controls BEST mitigates the risk of an employee issuing fraudulent payments to a vendor?
- A . Performing credit verification of third-party vendors prior to payment
- B . Conducting system access reviews to ensure least privilege and appropriate access
- C . Performing regular reconciliation of payments to the check registers
- D . Enforcing segregation of duties between the vendor master file and invoicing
Which of the following will MOST likely change as a result of the decrease in risk appetite due to a new privacy regulation?
- A . Key risk indicator (KRI) thresholds
- B . Risk trends
- C . Key performance indicators (KPIs)
- D . Risk objectives
An organization has built up its cash reserves and has now become financially able to support additional risk while meeting its objectives.
What is this change MOST likely to impact?
- A . Risk profile
- B . Risk capacity
- C . Risk indicators
- D . Risk tolerance
In which of the following system development life cycle (SDLC) phases should controls be incorporated into system specifications?
- A . Implementation
- B . Development
- C . Design
- D . Feasibility
Mitigating technology risk to acceptable levels should be based PRIMARILY upon:
- A . organizational risk appetite.
- B . business sector best practices.
- C . business process requirements.
- D . availability of automated solutions.
Senior management has asked the risk practitioner for the overall residual risk level for a process that contains numerous risk scenarios.
Which of the following should be provided?
- A . The sum of residual risk levels for each scenario
- B . The loss expectancy for aggregated risk scenarios
- C . The highest loss expectancy among the risk scenarios
- D . The average of anticipated residual risk levels