Real CRISC Dumps PDF - Latest Isaca CRISC PDF by DumpsArchive

Isaca
CRISC Exam
Certified in Risk and Information Systems Control
Thank you for Downloading CRISC exam PDF Demo
Buy Full Product Here:
https://dumpsarchive.com/dumps/CRISC/
Questions & Answers
(Demo Version --- Limited Edition)

Question 1
Assessing the probability and consequences of identied risks to the project objectiess assigning a
risk score to each risks and creatng a list of prioritied risks describes which of the following
processes?
A. Identfy Risks
B. Qualitatie Risk Analysis
C. Quanttatie Risk Analysis
D. Plan Risk Management
Aoswern B
Explanatonn
The purpose of qualitatie risk analysis is to determine what impact the identied risk eients will
haie on the project and the probability they'll occur. It also puts risks in priority order according to
their efects on the project objecties and assigns a risk score for the project.
Answern C is incorrect. This process does not iniolie assessing the probability and consequences of
identied risks.
Quanttatie analysis is the use of numerical and statstcal techniques rather than the analysis of
ierbal material for analyiing risks. Some of the quanttatie methods of risk analysis aren
Internal loss method
External data analysis
Business process modeling (BPM) and simulaton
Statstcal process control (SPC)
Answern A is incorrect. It iniolies listng of all the possible risks so as to cure them before it can occur.
In risk identicaton both threats and opportunites are considereds as both carry some leiel of risk
with them.
Answern D is incorrect. Risk Management is used to identfys assesss and control risks. It includes
analyiing the ialue of assets to the businesss identfying threats to those assetss and eialuatng how
iulnerable each asset is to those threats.
Assessing the probability and consequences of identied risks is only the part of risk management.
Question 2
Which of the following characteristcs of baseline represents speciicaton that is used to identfy
approied requirements in baseline modeling?
A. Functonal
B. Allocated
C. Product
D. Deielopmental
Explanatonn
Aoswern B

In baseline modelings the baseline can characteriie the functonals allocateds deielopmentals and
product aspects of a soluton. The allocated characteristc focus on the speciicatons which met the
requirements approied by management.
Answern As Cs and D are incorrect. These characteristcs do not represents speciicaton that is used to
identfy approied requirements in baseline modeling.
Question 3
Which of the following iariables are associated with quanttatie assessment of risks?
Each correct answer represents a complete soluton. Choose three.
A. Impact
B. Probability
C. Cost
D. Frequency
Aoswern D, B, aod A
Explanatonn
The measurable data used by this assessment include frequencys probabilitys impacts and
efectieness of countermeasures.
Risk assessment is a process of analyiing the identied risks both quanttatiely and qualitatiely.
Quanttatie risk assessment requires calculatons of two components of risks the magnitude of the
potental losss and the probability that the loss will occur. While qualitatiely risk assessment checks
the seierity of risk. The assessment atempts to determine the likelihood of the risk being realiied
and the impact of the risk on the operaton. This proiides seieral conclusions n
Probability-establishing the likelihood of occurrence and reoccurrence of speciic riskss
independently and combined.
Interdependencies-the relatonship between diferent types of risk. For instances one risk may haie
greater potental of occurring if another risk has occurred. Or probability or impact of a situaton may
increase with combined risk.
Question 4
Which of the following laws applies to organiiatons handling health care informaton?
A. SOX
B. GLBA
C. HIPAA
D. FISMA
Aoswern C
Explanatonn
HIPAA handles health care informaton of an organiiaton.
The Health Insurance Portability and Accountability Act (HIPAA) were introduced in 1996. It ensures

that health informaton data is protected. Before HIPAAs personal medical informaton was ofen
aiailable to anyone. Security to protect the data was laxs and the data was ofen misused.
If your organiiaton handles health informatons HIPAA applies. HIPAA deines health informaton as
any data that is created or receiied by health care proiiderss health planss public health authoritess
employerss life insurerss schools or uniiersitess and health care clearinghouses.
HIPAA deines any data that is related to the health of an indiiiduals including past/present/future
healths physical/mental healths and past/present/future payments for health care.
Creatng a HIPAA compliance plan iniolies following phasesn
Assessmentn An assessment helps in identfying whether organiiaton is coiered by HIPAA. If it iss
then further requirement is to identfy what data is needed to protect.
Risk analysisn A risk analysis helps to identfy the risks. In this phases analyiing method of handling
data of organiiaton is done.
Plan creatonn Afer identfying the riskss plan is created. This plan includes methods to reduce the
risk.
Plan implementatonn In this plan is being implemented.
Contnuous monitoringn Security in depth requires contnuous monitoring. Monitor regulatons for
changes. Monitor risks for changes.
Monitor the plan to ensure it is stll used.
Assessmentn Regular reiiews are conducted to ensure that the organiiaton remains in compliance.
Answern A is incorrect. SOX designed to hold executies and board members personally responsible
for inancial data.
Answern B is incorrect. GLBA is not used for handling health care informaton.
Answern D is incorrect. FISMA ensures protecton of data of federal agencies.
Question 5
You are the project manager of GRT project. You discoiered that by bringing on more qualiied
resources or by proiiding eien beter quality than originally planneds could result in reducing the
amount of tme required to complete the project. If your organiiaton seiies this opportunity it would
be an example of what risk response?
A. Share
B. Enhance
C. Exploit
D. Accept
Aoswern C
Explanatonn
Exploit response is one of the strategies to negate risks or threats that appear in a project. This
strategy may be selected for risks with positie impacts where the organiiaton wishes to ensure that
the opportunity is realiied. Exploitng a risk eient proiides opportunites for positie impact on a
project. Assigning more talented resources to the project to reduce the tme to completon is an
example of exploit response.
Answern A is incorrect. - The share strategy is similar as transfer because in this a porton of the risk is
shared with an external organiiaton or another internal entty.
Answern B is incorrect. The enhance strategy closely watches the probability or impact of the risk
eient to assure that the organiiaton realiies the beneits. The primary point of this strategy is to

atempt to increase the probability and/or impact of positie risks.
Answern D is incorrect. Risk acceptance means that no acton is taken relatie to a partcular risk; loss
is accepted if it occurs.
Question 6
You are the project manager of the NHQ project in Bluewell Inc. The project has an asset ialued at
$200s000 and is subjected to an exposure factor of 45 percent. If the annual rate of occurrence of loss
in this project is once a months then what will be the Annual Loss Expectancy (ALE) of the project?
A. $ 2s160s000
B. $ 95s000
C. $ 90s000
D. $ 108s000
Aoswern D
Explanatonn
The ALE of this project will be $ 108s000.
Single Loss Expectancy is a term related to Quanttatie Risk Assessment. It can be deined as the
monetary ialue expected from the occurrence of a risk on an asset. It is mathematcally expressed as
followsn
SLE = Asset ialue * Exposure factor
Therefores
SLE = 200s000 * 0.45
= $ 90s000
As the loss is occurring once eiery months therefore ARO is 12. Now ALE can be calculated as followsn
ALE = SLE * ARO
= 90s000 * 12
= $ 108s000
Question 7
Which of the following is NOT true for Key Risk Indicators?
A. The complete set of KRIs should also balance indicators for risks root causes and business
impact.
B. They help aioid haiing to manage and report on an excessiiely large number of risk indicators
C. They are monitored annually
D. They are selected as the prime monitoring indicators for the enterprise
Aoswern C
Explanatonn
They are monitored on regular basis as they indicate high probability and high impact risks. As risks
change oier tmes hence KRIs should also be monitored regularly for its efectieness on these
changing risks.

Answern Ds Bs and A are incorrect. These all are true for KRIs. Key Risk Indicators are the prime
monitoring indicators of the enterprise. KRIs are highly releiant and possess a high probability of
predictng or indicatng important risk. KRIs help in aioiding excessiiely large number of risk
indicators to manage and report that a large enterprise may haie.
The complete set of KRIs should also balance indicators for risks root causes and business impacts so
as to indicate the risk and its impact completely.
Question 8
You work as a project manager for SofTech Inc. You are working with the project stakeholders to
begin the qualitatie risk analysis process.
Which of the following inputs will be needed for the qualitatie risk analysis process in your project?
Each correct answer represents a complete soluton. Choose all that apply.
A. Cost management plan
B. Organiiatonal process assets
C. Project scope statement
D. Risk register
Aoswern D, B, aod C
Explanatonn
The primary goal of qualitatie risk analysis is to determine proporton of efect and theoretcal
response. The inputs to the Qualitatie Risk Analysis process aren
Organiiatonal process assets
Project Scope Statement
Risk Management Plan
Risk Register
Answern A is incorrect. The cost management plan is the input to the perform quanttatie risk
analysis process.
Question 9
You haie identied seieral risks in your project. You haie opted for risk mitgaton in order to
respond to identied risk. Which of the following ensures that risk mitgaton method that you haie
chosen is efectie?
A. Reducton in the frequency of a threat
B. Minimiiaton of inherent risk
C. Reducton in the impact of a threat
D. Minimiiaton of residual risk
Aoswern B
Explanatonn
The inherent risk of a process is a giien and cannot be afected by risk reducton or risk mitgaton
eforts. Hence it should be reduced as far as possible.

Answern D is incorrect. The objectie of risk reducton is to reduce the residual risk to leiels below
the enterprise's risk tolerance leiel.
Answern A is incorrect. Risk reducton eforts can focus on either aioiding the frequency of the risk or
reducing the impact of a risk.
Answern C is incorrect. Risk reducton eforts can focus on either aioiding the frequency of the risk or
reducing the impact of a risk.
Question 10
Which of the following methods iniolies the use of predictie or diagnostc analytcal tool for
exposing risk factors?
A. Fault tree analysis
B. Scenario analysis
C. Sensitiity analysis
D. Cause and efect analysis
Aoswern D
Explanatonn
Cause-and-efect analysis iniolies the use of predictie or diagnostc analytcal tool for exploring the
root causes or factors that contribute to positie or negatie efects or outcomes. These tools also
help in identfying potental risk.
Answern C is incorrect. Sensitiity analysis is the quanttatie risk analysis technique thatn
Assist in determinaton of risk factors that haie the most potental impact
Examines the extent to which the uncertainty of each element afects the object under consideraton
when all other uncertain elements are held at their baseline ialues
Answern A is incorrect. Fault tree analysis (FIA) is a technique that proiides a systematc descripton
of the combinaton of possible occurrences in a systems which can result in an undesirable outcome.
It combines hardware failures and human failures.
Answern B is incorrect. This analysis is not a method for exposing risk factors. It is used for analyiing
scenarios.
Question 11
Henry is the project sponsor of the JQ Project and Nancy is the project manager. Henry has asked
Nancy to start the risk identicaton process for the projects but Nancy insists that the project team
be iniolied in the process. Why should the project team be iniolied in the risk identicaton?
A. So that the project team can deielop a sense of ownership for the risks and associated risk
responsibilites.
B. So that the project team and the project manager can work together to assign risk ownership.
C. So that the project manager can identfy the risk owners for the risks within the project and the
needed risk responses.
D. So that the project manager isn't the only person identfying the risk eients within the
project.

Aoswern A
Explanatonn
The best answer to include the project team members is that they'll need to deielop a sense of
ownership for the risks and associated risk responsibilites.
Answern D is incorrect. While the project manager shouldn't be the only person to identfy the risk
eientss this isn't the best answer.
Answern B is incorrect. The reason to include the project team is that the project team needs to
deielop a sense of ownership for the risks and associated risk responsibilitess not to assign risk
ownership.
Answern C is incorrect. The reason to include the project team is that the project team needs to
deielop a sense of ownership for the risks and associated risk responsibilitess not to assign risk
ownership and risk responses at this point.
Question 12
Which of the following test is BEST to map for conirming the efectieness of the system access
management process?
A. user accounts to human resources (HR) records.
B. the iendor database to user accounts.
C. access requests to user accounts.
D. user accounts to access requests.
Aoswern D
Explanatonn
Tying user accounts to access requests conirms that all existng accounts haie been approied.
Hences the efectieness of the system access management process can be accounted.
Answern C is incorrect. Tying access requests to user accounts conirms that all access requests haie
been processed; howeiers the test does not consider user accounts that haie been established
without the supportng access request.
Answern A is incorrect. Tying user accounts to human resources (HR) records conirms whether user
accounts are uniquely ted to employeess not accounts for the efectieness of the system access
management process.
Answern B is incorrect. Tying iendor records to user accounts may conirm ialid accounts on an e-
commerce applicatons but it does not consider user accounts that haie been established without the
supportng access request.
Question 13
You are the administrator of your enterprise. You haie to preient unauthoriied access to an
enterprise's informaton. Which of the following control you would use?
A. User authentcaton
B. User identicaton
C. User authoriiaton

D. User accountability
Aoswern A
Explanatonn
Authentcaton ieriies the user's identty and the right to access informaton according to the access
rules. Hence it preients unauthoriied access to an enterprise's informaton.
Answern D is incorrect. User accountability does not grant access.
Answern B is incorrect. User identicaton without authentcaton does not grant access.
Answern C is incorrect. User authoriiaton without authentcaton does not grant access.
Question 14
You work as a project manager for BlueWell Inc. You are about to complete the quanttatie risk
analysis process for your project. You can use three aiailable tools and techniques to complete this
process. Which one of the following is NOT a tool or technique that is appropriate for the
quanttatie risk analysis process?
A. Expert judgment
B. Quanttatie risk analysis and modeling techniques
C. Organiiatonal process assets
D. Data gathering and representaton techniques
Aoswern C
Explanatonn
Organiiatonal process asset is not a tool and techniques but an input to the quanttatie risk analysis
process. Quanttatie Risk Analysis is a process to assess the probability of achieiing partcular
project objectiess to quantfy the efect of risks on the whole project objecties
and to prioritie the risks based on the impact to oierall project risk. Quanttatie Risk Analysis
process analyies the afect of a risk eient deriiing a numerical ialue. It also presents a quanttatie
approach to build decisions in the presence of uncertainty. The inputs for Quanttatie Risk Analysis
are n
Organiiatonal process assets
Project Scope Statement
Risk Management Plan
Risk Register
Project Management Plan
Answern D is incorrect. Data gathering and representaton technique is a tool and technique for the
quanttatie risk analysis process.
Answern B is incorrect. Quanttatie risk analysis and modeling techniques is a tool and technique for
the quanttatie risk analysis process.
Answern A is incorrect. Expert judgment is a tool and technique for the quanttatie risk analysis
process.
Question 15

Which of the following is the PRIMARY requirement before choosing Key performance indicators of
an enterprise?
A. Determine siie and complexity of the enterprise
B. Enterprise must establish its strategic and operatonal goals
C. Determine type of market in which the enterprise operates
D. Prioritie iarious enterprise processes
Aoswern B
Explanatonn
Key Performance Indicators is a set of measures that a company or industry uses to measure and/or
compare performance in terms of meetng their strategic and operatonal goals. KPIs iary with
company to companys depending on their priorites or performance criteria.
A company must establish its strategic and operatonal goals and then choose their KPIs which can
best refect those goals. For examples if a sofware company's goal is to haie the fastest growth in its
industrys its main performance indicator may be the measure of its annual reienue growth.
Answern D is incorrect. This is not the ialid answer.
Answern A is incorrect. Determinaton of siie and complexity of the enterprise is the selecton criteria
of the KRIs not KPI. KPI does not haie any releiancy with siie and complexity of the enterprise.
Answern C is incorrect. Type of market in which the enterprise is operatng do not afect the selecton
of KPIs.
Question 16
Which of the following serie as the authoriiaton for a project to begin?
A. Approial of project management plan
B. Approial of risk management document
C. Approial of a risk response document
D. Approial of a project request document
Aoswern D
Explanatonn
Approial of a project initaton document (PID) or a project request document (PRD) is the
authoriiaton for a project to begin.
Answern B is incorrect. Risk management document is being prepared later afer the project
initatons during the risk management plan. It has no scope during project initaliiaton.
Answern C is incorrect. Risk response document comes under risk management processs hence the
later phase in project deielopment process.
Answern A is incorrect. Project management plan is being made afer the project is being authoriied.
Question 17
You work as the project manager for www.company.com Inc. The project on which you are working
has seieral risks that will afect seieral stakeholder requirements. Which project management plan

will deine who will be aiailable to share informaton on the project risks?
A. Risk Management Plan
B. Communicatons Management Plan
C. Stakeholder management strategy
D. Resource Management Plan
Aoswern B
Explanatonn
The Communicatons Management Plan deiness in regard to risk managements who will be aiailable
to share informaton on risks and responses throughout the project.
The Communicatons Management Plan aims to deine the communicaton necessites for the
project and how the informaton will be circulated. The Communicatons Management Plan sets the
communicaton structure for the project. This structure proiides guidance for
communicaton throughout the project's life and is updated as communicaton needs change. The
Communicaton Managements Plan identies and deines the roles of persons concerned with the
project. It includes a matrix known as the communicaton matrix to map the communicaton
requirements of the project.
Answern C is incorrect. The stakeholder management strategy does not address risk communicatons.
Answern A is incorrect. The Risk Management Plan deals with risk identicatons analysiss responses
and monitoring.
Answern D is incorrect. The Resource Management Plan does not deine risk communicatons.
Question 18
You are working in an enterprise. Your enterprise owned iarious risks. Which among the following is
MOST likely to own the risk to an informaton system that supports a critcal business process?
A. Senior management
B. System users
C. Risk management department
D. IT director
Aoswern A
Explanatonn
Senior management is responsible for the acceptance and mitgaton of all risk. Hence they will also
own the risk to an informaton system that supports a critcal business process.
Answern D is incorrect. The IT director manages the IT systems on behalf of the business owners.
Answern C is incorrect. The risk management department determines and reports on leiel of risks but
does not own the risk. Risk is owned by senior management.
Answern B is incorrect. The system users are responsible for utliiing the system properly and
following proceduress but they do not own the risk.
Question 19

Which of the following statements is NOT true for risk management plan?
A. The risk management plan includes a descripton of the responses to risks and triggers.
B. The risk management plan is an input to all the remaining risk-planning processes.
C. The risk management plan is an output of the Plan Risk Management process.
D. The risk management plan includes thresholdss scoring and interpretaton methodss responsible
partess and budgets.
Aoswern A
Explanatonn
The risk management plan details how risk management processes will be implementeds
monitoreds and controlled throughout the life of the project. The risk management plan does not
include responses to risks or triggers. Responses to risks are documented in the risk register as part
of the Plan Risk Responses process.
Answern Cs Ds and B are incorrect. These statements are true for risk management plan. The risk
management is the result of Plan Risk Management process and do act as input for the remaining
risk-planning process. It also includes thresholdss scoring and interpretaton methodss responsible
partess and budgets.
Question 20
Which of the following comes under phases of risk management?
A. Identfy risk
B. Deieloping risk
C. Assessing risk
D. Prioritiaton of risk
E. Monitoring risk
Aoswern A, C, D, aod
E
Explanatonn
Risk management proiides an approach for indiiiduals and groups to make a decision on how to deal
with potentally harmful situatons.
Following are the four phases iniolied in risk managementn
1.Risk identicaton nThe irst thing we must do in risk management is to identfy the areas of the
project where the risks can occur.
This is termed as risk identicaton. Listng all the possible risks is proied to be iery productie for
the enterprise as we can cure them before it can occur. In risk identicaton both threats and
opportunites are considereds as both carry some leiel of risk with them.
2.Risk Assessment and Eialuaton nRisk assessment use quanttatie and qualitatie analysis
approaches to eialuate each signiicant risk identied.
3.Risk Prioritiaton and Response nAs many risks are being identied in an enterprises it is best to
giie each risk a score based on its likelihood and signiicance in form of ranking. This concludes
whether the risk with high likelihood and high signiicance must be giien greater atenton as

compared to similar risk with low likelihood and low signiicance. Hences risks can be prioritied and
appropriate responses to those risks are created.
4.Risk Monitoring nRisk monitoring is an actiity which oiersees the changes in risk assessment. Oier
tmes the likelihood or signiicance originally atributed to a risk may change. This is especially true
when certain responsess such as mitgatons haie been made.

Thank You For Trying Free CRISC PDF Demo
Get Updated CRISC Exam
Questions Answers PDF
Visit Link Below
https://dumpsarchive.com/dumps/CRISC/
Start Your CRISC Preparation