The ISACA CRISC exam is challenging, and thorough preparation is essential for success. This exam study guide is designed to help you prepare for the CRISC certification exam. It contains a detailed list of the topics covered on the CRISC exam, as well as a detailed list of preparation resources. This study guide for the ISACA Certified in Risk and Information Systems Control certification will help guide you through the study process for your certification.
CRISC ISACA Risk and Information Systems Control Exam Summary
Exam Name: ISACA Certified in Risk and Information Systems Control (CRISC)
Exam Code: CRISC
Exam Price: $760 (USD)
Duration: 240 mins
Number of Questions: 150
Passing Score: 450/800
Reference Books: CRISC requirements, CRISC Review Manual
Schedule Exam: Exam Registration
Sample Questions: ISACA CRISC Sample Questions
Recommended Practice: ISACA CRISC Certification Practice Exam
Exam Syllabus: CRISC ISACA Certified in Risk and Information Systems Control (CRISC)
Domain 1: IT Risk Identification (27%)
Domain 2: IT Risk Assessment (28%)
Domain 3: Risk Response and Mitigation (23%)
Domain 4: Risk and Control Monitoring and Reporting (22%)
ISACA CRISC Certification Sample Questions and Answers
To familiarize you with the structure of the ISACA Risk and Information Systems Control (CRISC) certification exam, we have prepared this sample question set. We suggest you try our Sample Questions for CRISC Certification to test your understanding of the ISACA CRISC process in a realistic ISACA certification exam environment.
CRISC ISACA Risk and Information Systems Control Sample Questions:-
01. Which two of the following factors are the primary focus during risk evaluation?
(Choose two.)
a) Likelihood
b) Impact
c) Threat
d) Vulnerability
02. How can ISSE processes assist the control design and implementation process?
a) By ensuring security is considered throughout the entire SDLC process
b) By minimizing threats to assets and threat actors
c) By ensuring that vulnerabilities are not exposed to threats
d) By eliminating the risk for a particular asset as it is designed, developed, and implemented
03. __________ measurements can be derived from historical trend analysis, experience, expert opinion, existing internal and external environmental factors, governance, and other inputs that are not always necessarily quantifiable.
a) Quantitative
b) Objective
c) Solid
d) Qualitative
04. When considering control and risk ownership, which of the following is the main concern?
a) How much a control costs to maintain
b) Accountability
c) Organizational structuring
d) Ensuring that risk and control owners are separate to ensure that there is no conflict of interest
05. Which of the following best describes the reason to create a business case for IT control implementation?
a) To determine the cost to the organization if a control is implemented
b) To help create the organization’s risk profile
c) To justify the resources expended in implementing the IT control
d) To inform control owners about the potential risk of a control
06. Your business just went through a major storm that flooded your data center. Members of your recovery team are attempting to salvage equipment, as well as locate critical data backups.
No one seems to know exactly what they are supposed to do, and they do not have the right equipment available to them. Additionally, there is no coordinated effort within the team to perform specific tasks.
Which of the following vulnerabilities most likely led to this scenario?
a) Failure to back up sensitive data
b) Failure to acquire an alternate processing site
c) Lack of a business impact analysis
d) Failure to test the disaster recovery plan
07. All of the following statements describe characteristics of controls except which one?
a) Controls are defined and implemented in terms of addressing a specific vulnerability or deficiency in asset protection.
b) They are used to specify what measures should be taken to ensure security and reduce risk.
c) Controls are designed to be effective in completely eliminating a particular risk.
d) Specific control sets may be required by legal governance.
08. Who is ultimately responsible for risk ownership within an organization?
a) Risk assessor
b) Mid-level manager
c) Designated risk owner
d) Senior executives and board of directors
09. The KPI category of _____ deals with maintaining baselines of systems and applications.
a) Configuration management
b) Audit and accountability
c) Access control
d) Awareness and training
10. Which of the following is not part of the risk response process?
a) Reviewing the results of the risk analysis
b) Implementing change management
c) Prioritizing risk response options
d) Implementing the risk reaction plan
Answers:-
Answer 1:- a, b
Answer 2:- a
Answer 3:- d
Answer 4:- b
Answer 5:- c
Answer 6:- d
Answer 7:- c
Answer 8:- d
Answer 9:- a
Answer 10:- b