CRISC: CERTIFIED IN RISK AND INFORMATION SYSTEMS CONTROL |
100% VERIFIED EXAM QUESTIONS & ANSWERS | LATEST 2026/2027
VERSION | PASS GUARANTEE
1. Q: Who is ultimately responsible for risk management? ANSWER
The Board of Directors.
2. Q: What is the PRIMARY goal of IT risk identification? ANSWER To
identify potential events that could prevent the organization from
achieving its objectives.
3. Q: What is the difference between a risk and an issue? ANSWER A
risk is a potential future event that may or may not occur; an issue
is an event that has already occurred (a risk that has materialized).
4. Q: What document typically captures the objectives used as a
baseline for risk identification? ANSWER The Strategic IT Plan.
5. Q: Which role is accountable for owning a specific risk? ANSWER
The Business Process Owner.
6. Q: What is "Risk Appetite"? ANSWER The amount and type of risk
an organization is willing to pursue or retain.
7. Q: What is "Risk Tolerance"? ANSWER The acceptable deviation
from the risk appetite.
8. Q: What is "Risk Capacity"? ANSWER The maximum amount of loss
an organization can absorb without its continued existence being
called into question; appetite must be set within capacity.
9. Q: Which method involves reviewing documentation to identify
risks? ANSWER Documentation review.
10. Q: What is the purpose of a Business Impact Analysis (BIA)?
ANSWER To identify and prioritize critical business functions and
the impact of their disruption.
11. Q: What does RTO stand for? ANSWER Recovery Time
Objective.
12. Q: What does RPO stand for? ANSWER Recovery Point
Objective.
13. Q: If a system has an RTO of 4 hours, what does that mean?
ANSWER The system must be restored within 4 hours of a
disruption.
14. Q: If a system has an RPO of 1 hour, what does that mean?
ANSWER The organization can tolerate losing a maximum of 1 hour
of data.
15. Q: What is a Risk Scenario? ANSWER A narrative description
of a sequence of events that could lead to a loss.
16. Q: What is the FIRST step in developing a risk scenario?
ANSWER Identify the business process or asset.
17. Q: What is a "Threat"? ANSWER A potential cause of an
unwanted incident.
18. Q: What is a "Vulnerability"? ANSWER A weakness in an asset,
process or control that could be exploited by a threat.
19. Q: How are Threats and Vulnerabilities related? ANSWER A
threat exploits a vulnerability to cause harm.
20. Q: What is Asset Valuation based on? ANSWER CIA
(Confidentiality, Integrity, Availability) and business value.
21. Q: Which is harder to value: Tangible or Intangible assets?
ANSWER Intangible assets (e.g., reputation, brand).
22. Q: What is the "Delphi Technique"? ANSWER A method of
reaching consensus among experts anonymously.
23. Q: What is a "Brainstorming" session used for in risk
identification? ANSWER To gather a broad list of potential risks
from stakeholders.
24. Q: What is a "Checklist" approach to risk identification?
ANSWER Using a standardized list of known risks to ensure
nothing is missed.
25. Q: What is the main disadvantage of using checklists?
ANSWER It may limit thinking to only the items on the list, missing
unique risks.
26. Q: What is "Supply Chain Risk"? ANSWER Risk associated
with third-party vendors and service providers.
27. Q: What is the PRIMARY responsibility of the Risk
Management Function? ANSWER To facilitate and coordinate risk
management activities, not own the risk.
28. Q: Who defines the Risk Appetite? ANSWER Senior
Management and the Board.
29. Q: What is "Inherent Risk"? ANSWER The risk level without
any controls in place.
30. Q: What is "Residual Risk"? ANSWER The risk level
remaining after controls are applied.
31. Q: What is a Risk Register? ANSWER A repository of all
identified risks and their attributes.
32. Q: What is the difference between a Risk Owner and a Risk
Control Owner? ANSWER The Risk Owner owns the risk (decision
maker); the Control Owner owns the mitigation (implementer).
33. Q: Which framework is commonly used for IT Governance?
ANSWER COBIT (Control Objectives for Information and Related
Technologies).
34. Q: What is the goal of a "Control Self-Assessment" (CSA)?
ANSWER To allow business units to assess their own control
environment.
35. Q: What is a "Risk Awareness" program? ANSWER Training
to ensure staff understand their role in managing risk.
36. Q: Which factor is most important when prioritizing risks for
the BIA? ANSWER Impact on business objectives.
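The register, inherent/residual risk, appetite/tolerance and RTO/RPO questions above describe a workflow without showing it. The following Python is an added illustration, not part of the CRISC material or any ISACA tooling: it scores a constructed risk register, derives residual risk from control effectiveness, compares the result with an appetite and tolerance threshold, and checks an incident timeline against RPO and RTO. The 1..5 likelihood/impact scales, the multiplicative control model, the threshold values and all register entries are assumptions chosen for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Assumed scales and thresholds (not from the CRISC material):
# likelihood and impact are rated 1..5, so an inherent score is 1..25.
APPETITE = 6.0    # residual score the organization is willing to retain
TOLERANCE = 3.0   # acceptable deviation above appetite before treatment is mandatory


@dataclass
class Risk:
    risk_id: str
    description: str
    risk_owner: str                          # business process owner: decides on the risk
    likelihood: int                          # inherent likelihood, 1..5
    impact: int                              # inherent impact, 1..5
    controls: List[Tuple[str, str, float]]   # (control id, control owner, effectiveness 0..1)


def inherent_score(risk: Risk) -> float:
    """Risk level before any control is considered: likelihood x impact."""
    return float(risk.likelihood * risk.impact)


def residual_score(risk: Risk) -> float:
    """Risk remaining after controls. Assumed model: each control removes its
    'effectiveness' fraction of whatever is left, so residual never reaches zero."""
    remaining = 1.0
    for _, _, effectiveness in risk.controls:
        if not 0.0 <= effectiveness <= 1.0:
            raise ValueError(f"{risk.risk_id}: effectiveness must be in [0, 1]")
        remaining *= 1.0 - effectiveness
    return round(inherent_score(risk) * remaining, 2)


def status(risk: Risk) -> str:
    """Position of the residual risk relative to appetite and tolerance."""
    residual = residual_score(risk)
    if residual <= APPETITE:
        return "within appetite"
    if residual <= APPETITE + TOLERANCE:
        return "within tolerance"        # above appetite, inside the accepted deviation
    return "treatment required"          # the risk owner must decide on a response


def evaluate_register(register: List[Risk]) -> List[Dict]:
    """Register view sorted by residual risk, highest first."""
    rows = [{"id": r.risk_id, "owner": r.risk_owner, "inherent": inherent_score(r),
             "residual": residual_score(r), "status": status(r)} for r in register]
    return sorted(rows, key=lambda row: row["residual"], reverse=True)


def recovery_check(backups: List[datetime], incident: datetime, restored: datetime,
                   rpo: timedelta, rto: timedelta) -> Dict:
    """RPO: data loss is the gap from the last backup before the incident to the incident.
    RTO: downtime is the gap from the incident to restoration of service."""
    before = [b for b in backups if b <= incident]
    if not before:
        raise ValueError("no backup exists before the incident; RPO cannot be met")
    data_loss = incident - max(before)
    downtime = restored - incident
    return {"data_loss": data_loss, "rpo_met": data_loss <= rpo,
            "downtime": downtime, "rto_met": downtime <= rto}


# Constructed sample register; every entry is hypothetical.
REGISTER = [
    Risk("R-01", "Ransomware on file servers", "Head of Operations", 4, 5,
         [("C-01", "IT Security", 0.6), ("C-02", "IT Operations", 0.5)]),
    Risk("R-02", "Key SaaS vendor outage (supply chain)", "Head of Sales", 4, 4,
         [("C-03", "Vendor Management", 0.25)]),
    Risk("R-03", "Loss of laptop holding customer data", "Head of HR", 3, 3,
         [("C-04", "IT Security", 0.9)]),
    Risk("R-04", "Phishing leading to credential theft", "Head of Finance", 3, 4,
         [("C-05", "IT Security", 0.25)]),
]

# Constructed incident timeline: two backups, then an outage restored 3.5 h later.
INCIDENT = datetime(2024, 1, 10, 9, 0)
BACKUPS = [INCIDENT - timedelta(hours=3), INCIDENT - timedelta(minutes=40)]


def demo_recovery() -> Dict:
    """Check the constructed timeline against an RPO of 1 hour and an RTO of 4 hours."""
    return recovery_check(BACKUPS, INCIDENT, INCIDENT + timedelta(hours=3, minutes=30),
                          rpo=timedelta(hours=1), rto=timedelta(hours=4))


if __name__ == "__main__":
    for row in evaluate_register(REGISTER):
        print(row)
    print(demo_recovery())
```

Note the separation of duties the register encodes: the risk owner on each row makes the accept/treat decision, while the control owners listed under each control are responsible for the mitigation's effectiveness. Only "treatment required" rows need a decision; rows "within tolerance" sit above appetite but inside the deviation the board has agreed to accept.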