CRISC Exam Dumps - Certified in Risk and Information Systems Control

Residual risk is the level of risk remaining after controls and mitigation are applied. An effective awareness program reduces the likelihood of incidents (e.g., phishing, human error), thereby lowering residual risk. Inherent risk remains unchanged, as it is independent of controls.

A key performance indicator (KPI) is a measurable value that demonstrates how effectively an organization is achieving its key objectives. A KPI should be relevant, specific, measurable, achievable, and time-bound. The number of identified system vulnerabilities is a KPI that measures the security posture and performance of the organization’s information systems. It also helps to identify the areas that need improvement or remediation. The number of identified system vulnerabilities is relevant to the organization’s objective of protecting its information assets, specific to the system level, measurable by using tools or methods, achievable by implementing security controls or practices, and time-bound by setting a target or threshold. Aggregate risk of the organization, number of exception requests processed in the past 90 days, and number of attacks against the organization’s website are not KPIs, as they are either too broad, not relevant, or not measurable. References = Risk and Information Systems Control Study Manual, 7th Edition, Chapter 4, Section 4.1.1.1, page 1741

1: ISACA Certified in Risk and Information Systems Control (CRISC®) Exam Guide, Answer to Question 647.

Assigning a data owner ensures accountability and responsibility for classifying and protecting data according to its sensitivity. This role is critical in implementing effectiveData Governance Practices.

According to the CRISC Review Manual1, the risk register is a tool that records the results of risk identification, analysis, evaluation, and treatment. The risk register should be updated whenever there is a change in the risk profile, such as when a risk response is implemented or a new risk is identified. Updating the risk register allows the organization to monitor the current status of risks and the effectiveness of risk responses. Therefore, the next step for the risk practitioner after identifying a risk with high impact and very low likelihood that is covered by insurance is to update the risk register with the new information. References = CRISC Review Manual1, page 191.

 According to the CRISC Review Manual, the average time to grant access privileges is the best indicator of the efficiency of a process for granting access privileges, because it measures how quickly and effectively the process can respond to the access requests and meet the business needs. The average time to grant access privileges can be calculated by dividing the total time spent on granting access privileges by the number of access requests processed. The other options are not the best indicators of the efficiency of the process, because they measure other aspects of the process, such as the quality, the security, or the maintenance. The number of changes in access granted to users measures the quality of the process, as it indicates how wellthe process can align the access rights with the user roles and functions. The average number of access privilege exceptions measures the security of the process, as it indicates how often theprocess deviates from the established policies and standards. The number and type of locked obsolete accounts measures the maintenance of the process, as it indicates how well the process can remove the unnecessary or outdated accounts. References = CRISC Review Manual, 7th Edition, Chapter 4, Section 4.1.2, page 163

The most important thing for mitigating ethical risk when establishing accountability for control ownership is to ensure that the performance metrics balance business goals with risk appetite. Performance metrics are the measures that evaluate the achievement of the objectives or the performance of the processes or controls. Business goals are the desired or expected outcomes or results of the business activities or processes. Risk appetite is the amount and type of risk that the organization is willing and able to take. Ethical risk is the risk that arises from the violation or breach of the ethical principles or standards of the organization or the profession. To mitigate ethical risk, the performance metrics should balance business goals with risk appetite, meaning that they should not encourage or reward excessive or inappropriate risk-taking or unethical behavior, but rather promote and support responsible and ethical risk management and decision making. The other options are not as important as ensuring performance metrics balance business goals with risk appetite, as they are related to the documentation, communication, or monitoring of the processes or controls, not the evaluation or alignment of the performance metrics. References = Risk and Information Systems Control Study Manual, Chapter 4: Risk and Control Monitoring and Reporting, Section 4.2: Key Performance Indicators, page 183.

The MOST effective way to help ensure an organization’s current risk scenarios are relevant is to involve the stakeholders in the risk assessment process, because they are the ones who have the knowledge, experience, and interest in the risk scenarios that affect their domains and objectives. The involvement of stakeholders can help to identify and validate the risk scenarios, to provide input and feedback on the risk analysis and evaluation, and to ensure the alignment andintegration of the risk scenarios with the business processes and goals. The other options are not as effective as the involvement of stakeholders, because:

Option A: Adoption of industry best practices is a good way to improve the quality and consistency of the risk scenarios, but it does not ensure their relevance to the organization’s specific context and environment. Industry best practices are general and standardized guidelines that may not reflect the organization’s unique risks and needs.

Option C: Review of risk scenarios by independent parties is a useful way to verify and enhance the accuracy and reliability of the risk scenarios, but it does not ensure their relevance to the organization’s internal and external stakeholders. Independent parties are objective and impartial reviewers who may not have the same knowledge, experience, and interest as the stakeholders.

Option D: Documentation of potential risk in business cases is a helpful way to communicate and justify the importance and value of the risk scenarios, but it does not ensure their relevance to the organization’s current and future state. Business cases are concise and persuasive documents that may not capture all the aspects and dimensions of the risk scenarios. References = Risk and Information Systems Control Study Manual, 7th Edition, ISACA, 2020, p. 104.

A risk register is a document that records and tracks the information and status of the identified risks and their responses. It includes the risk description, category, source, cause, impact, probability, priority, response, owner, action plan, status, etc.

A risk register update is a change or modification to the information or status of the risks and their responses in the risk register. It may be triggered by the occurrence or resolution of a risk event, the identification or evaluation of a new or emerging risk, the implementation or completion of a risk response, the monitoring or review of the risk performance, etc.

The most important risk register update for senior management to review is avoiding a risk that was previously accepted, which means that the organization has decided to eliminate or withdraw from the risk exposure or activity that may cause the risk, instead of tolerating or retaining the risk as before. This may indicate a significant change in the organization’s risk appetite, strategy, objectives, or environment, and it may have a major impact on the organization’s performance and value.

The other options are not the most important risk register updates for senior management to review, because they do not indicate a significant change or impact on the organization’s risk profile or performance.

Extending the date of a future action plan by two months means that the organization has postponed the implementation or completion of the planned actions or measures to address the risk, due to some reasons or constraints. This may indicate a delay or deviation from the expected or desired risk outcome, but it may not have a major impact on the organization’s performance and value, unless the risk is very urgent or critical.

Retiring a risk scenario no longer used means that the organization has removed or discarded the risk scenario that is no longer relevant or applicable to the organization’s objectives or operations, due to some changes or developments. This may indicate a reduction or improvement in the organization’s risk exposure or level, but it may not have a major impact on the organization’s performance and value, unless the risk scenario was very significant or influential.

Changing a risk owner means that the organization has assigned or transferred the responsibility and accountability for the risk and its response to a different person or role, due to some reasons or circumstances. This may indicate a change or improvement in the organization’s risk governance or culture, but it may not have a major impact on the organization’s performance and value, unless the risk owner was very ineffective or inappropriate. References =

ISACA, CRISC Review Manual, 7th Edition, 2022, pp. 19-20, 23-24, 27-28, 31-32, 40-41, 47-48, 54-55, 58-59, 62-63

ISACA, CRISC Review Questions, Answers & Explanations Database, 2022, QID 160

CRISC Practice Quiz and Exam Prep