CRISC Certified in Risk and Information Systems Control Exam

ISACA’s Certified in Risk and Information Systems Control (CRISC) certification indicates expertise in identifying and managing enterprise IT risk and implementing and maintaining information systems controls. Gain instant recognition and credibility with CRISC and boost your career!

THE CRISC DIFFERENCE
Whether you are seeking a new career opportunity or striving to grow within your current organization, a CRISC certification proves your expertise in these work-related domains

PREPARE FOR THE EXAM
Set yourself up to succeed on exam day. Whether you prefer to prep on your own time or want the additional guidance and interaction that comes with live instruction, we have the right CRISC test prep solutions for you.

Course Description
The CRISC Online Review Course is an online preparation course that prepares learners to pass the CRISC certification exam using proven instructional design techniques and interactive activities.The course covers all four of the CRISC domains, and each section corresponds directly to the CRISC job practice.

The course incorporates video, interactive eLearning modules, downloadable, interactive workbooks, downloadable job aids, case study activities, and pre-and post-course assessments. Learners will be able to navigate the course at their own pace, following a recommended structure, or target preferred job practice areas. Learners may also start and stop the course based on their study schedule, picking up exactly where they left off the next time they access the course.

Learning Objectives:

At the completion of this course you will be able to:
Identify the IT risk management strategy in support of business objectives and alignment with the Enterprise Risk Management (ERM) strategy.
Analyze and evaluate IT risk to determine the likelihood and impact on business objectives to enable risk-based decision making.
Determine risk response options and evaluate their efficiency and effectiveness to manage risk in alignment with business objectives.
Continuously monitor and report on IT risk and controls to relevant stakeholders to ensure the continued efficiency and effectiveness of the IT risk management strategy and its alignment with business objectives.

Included Materials:
Video
Interactive Content
Downloadable workbooks and job aids
Case study activities
Practice exam

Ideal For:
Professionals preparing to become CRISC certified
Risk practitioners
Students or recent graduates

Cancellation/Refund Policy
All purchases of online learning courses are final. Access to the online learning courses and materials is immediate upon purchasing; therefore no refunds or exchanges will be provided. Prices subject to change without notice.

Enterprise Training
Online review courses are also available for purchase through our enterprise sales team for larger organizations. Visit the Enterprise Training page and reach out to an associate for more information.

QUESTION 1
Which of the following is the MOST important reason to maintain key risk indicators (KRIs)?

A. In order to avoid risk
B. Complex metrics require fine-tuning
C. Risk reports need to be timely
D. Threats and vulnerabilities change over time

Correct Answer: D

Explanation:
Threats and vulnerabilities change over time and KRI maintenance ensures that KRIs continue to effectively
capture these changes.
The risk environment is highly dynamic as the enterprise's internal and external environments are constantly
changing. Therefore, the set of KRIs needs to be changed over time, so that they can capture the changes in
threat and vulnerability.
Incorrect Answers:
A: Risk avoidance is one possible risk response. Risk responses are based on KRI reporting, but is not the
reason for maintenance of KRIs.
B: While most key risk indicator (KRI) metrics need to be optimized in respect to their sensitivity, the most
important objective of KRI maintenance is to ensure that KRIs continue to effectively capture the changes in
threats and vulnerabilities over time. Hence the most important reason is that because of change of threat and
vulnerability overtime.
C: Risk reporting timeliness is a business requirement, but is not a reason for KRI maintenance.

QUESTION 2
You are the project manager of a HGT project that has recently finished the final compilation process. The
project customer has signed off on the project completion and you have to do few administrative closure
activities. In the project, there were several large risks that could have wrecked the project but you and your
project team found some new methods to resolve the risks without affecting the project costs or project
completion date. What should you do with the risk responses that you have identified during the project's
monitoring and controlling process?

A. Include the responses in the project management plan.
B. Include the risk responses in the risk management plan.
C. Include the risk responses in the organization's lessons learned database.
D. Nothing. The risk responses are included in the project's risk register already.

Correct Answer: C

Explanation:
The risk responses that do not exist up till then, should be included in the organization's lessons learned
database so other project managers can use these responses in their project if relevant.

Incorrect Answers:
A: The responses are not in the project management plan, but in the risk response plan during the project and
they'll be entered into the organization's lessons learned database.
B: The risk responses are included in the risk response plan, but after completing the project, they should be
entered into the organization's lessons learned database.
D: If the new responses that were identified is only included in the project's risk register then it may not be
shared with project managers working on some other project.

QUESTION 3
You are the project manager of GHT project. You have identified a risk event on your project that could save
$100,000 in project costs if it occurs. Which of the following statements BEST describes this risk event?

A. This risk event should be mitigated to take advantage of the savings.
B. This is a risk event that should be accepted because the rewards outweigh the threat to the project.
C. This risk event should be avoided to take full advantage of the potential savings.
D. This risk event is an opportunity to the project and should be exploited.

Correct Answer: D

Explanation:
This risk event has the potential to save money on project costs, so it is an opportunity, and the appropriate
strategy to use in this case is the exploit strategy. The exploit response is one of the strategies to negate risks
or threats appear in a project. This strategy may be selected for risks with positive impacts where the
organization wishes to ensure that the opportunity is realized. Exploiting a risk event provides opportunities for
positive impact on a project. Assigning more talented resources to the project to reduce the time to completion
is an example of exploit response.

Incorrect Answers:
A, C: Mitigation and avoidance risk response is used in case of negative risk events, and not in positive risk
events. Here in this scenario, as it is stated that the event could save $100,000, hence it is a positive risk
event. Therefore should not be mitigated or avoided.
B: To accept risk means that no action is taken relative to a particular risk; loss is accepted if it occurs. But as
this risk event bring an opportunity, it should me exploited and not accepted.

QUESTION 4
You are the project manager of a large construction project. This project will last for 18 months and will cost
$750,000 to complete. You are working with your project team, experts, and stakeholders to identify risks
within the project before the project work begins. Management wants to know why you have scheduled so
many risk identification meetings throughout the project rather than just initially during the project planning.
What is the best reason for the duplicate risk identification sessions?

A. The iterative meetings allow all stakeholders to participate in the risk identification processes throughout the project phases.
B. The iterative meetings allow the project manager to discuss the risk events which have passed the project and which did not happen.
C. The iterative meetings allow the project manager and the risk identification participants to identify newly discovered risk events throughout the project.
D. The iterative meetings allow the project manager to communicate pending risks events during project execution.

Correct Answer: C

Explanation:
Risk identification is an iterative process because new risks may evolve or become known as the project progresses through its life cycle.

Incorrect Answers:
A: Stakeholders are encouraged to participate in the risk identification process, but this is not the best choice.
B: Risk identification focuses on discovering new risk events, not the events which did not happen.
D: The primary reason for iterations of risk identification is to identify new risk events.

QUESTION 5
You are the risk official in Bluewell Inc. You are supposed to prioritize several risks. A risk has a rating for
occurrence, severity, and detection as 4, 5, and 6, respectively. What Risk Priority Number (RPN) you would give to it?

A. 120
B. 100
C. 15
D. 30

Correct Answer: A

Explanation:
Steps involving in calculating risk priority number are as follows:
Identify potential failure effects
Identify potential causes
Establish links between each identified potential cause
Identify potential failure modes
Assess severity, occurrence and detection
Perform score assessments by using a scale of 1 -10 (low to high rating) to score these assessments.
Compute the RPN for a particular failure mode as Severity multiplied by occurrence and detection.
RPN = Severity * Occurrence * Detection
Hence,
RPN = 4 * 5 * 6
= 120
Incorrect Answers:
B, C, D: These are not RPN for given values of severity, occurrence, and detection.
QUESTION 6
Which of the following is the MOST important use of KRIs?
A. Providing a backward-looking view on risk events that have occurred
B. Providing an early warning signal
C. Providing an indication of the enterprise's risk appetite and tolerance
D. Enabling the documentation and analysis of trends

Correct Answer: B

Explanation:
Key Risk Indicators are the prime monitoring indicators of the enterprise. KRIs are highly relevant and possess
a high probability of predicting or indicating important risk. KRIs help in avoiding excessively large number of
risk indicators to manage and report that a large enterprise may have.
As KRIs are the indicators of risk, hence its most important function is to effectively give an early warning
signal that a high risk is emerging to enable management to take proactive action before the risk actually
becomes a loss.
Incorrect Answers:
A: This is one of the important functions of KRIs which can help management to improve but is not as
important as giving early warning.
C: KRIs provide an indication of the enterprise's risk appetite and tolerance through metric setting, but this is
not as important as giving early warning.
D: This is not as important as giving early warning.
Click here to view complete Q&A of Isaca CRISC exam
Certkingdom Review, Certkingdom PDF

Best Isaca CRISC Certification, Isaca CRISC Training at certkingdom.com