Which of the following is the MAIN reason to continuously monitor IT-related risk?
To redefine the risk appetite and risk tolerance levels based on changes in risk factors
To update the risk register to reflect changes in levels of identified and new IT-related risk
To ensure risk levels are within acceptable limits of the organization's risk appetite and risk tolerance
To help identify root causes of incidents and recommend suitable long-term solutions
According to the CRISC Review Manual (Digital Version), the main reason to continuously monitor IT-related risk is to ensure risk levels are within acceptable limits of the organization’s risk appetite and risk tolerance. The risk appetite is the amount and type of risk that an organization is willing to accept in pursuit of its objectives, while the risk tolerance is the acceptable variation in outcomes related to specific performance measures linked to objectives. Continuous monitoring is a process that tracks the security state of an information system on an ongoing basis and maintains the security authorization for the system over time. Continuous monitoring helps to:
Provide ongoing assurance that the implemented security controls are operating effectively and efficiently
Detect changes in the risk profile of the information system and the environment of operation
Identify new or emerging threats and vulnerabilities that may affect the information system
Support risk-based decisions by providing timely and relevant risk information to stakeholders
Facilitate the implementation of corrective actions and risk mitigation strategies
Promote accountability and transparency in the risk management process
Enhance the security awareness and culture within the organization
References = CRISC Review Manual (Digital Version), Chapter 4: IT Risk Monitoring and Reporting, Section 4.1: IT Risk Monitoring, pp. 213-2141
Which of the following is MOST important when developing key performance indicators (KPIs)?
Alignment to risk responses
Alignment to management reports
Alerts when risk thresholds are reached
Identification of trends
Key performance indicators (KPIs) are quantifiable measures of progress toward an intended result, such as a strategic objective or a desired outcome12.
The most important factor when developing KPIs is the alignment to risk responses, which are the actions taken to address the risks that may affect the achievement of the intended result12.
Alignment to risk responses means that the KPIs should reflect the effectiveness and efficiency of the risk responses, and provide feedback and guidance for improving the risk responses12.
Alignment to risk responses also means that the KPIs should be consistent and compatible with the risk responses, and support the risk management process and objectives12.
The other options are not the most important factor, but rather possible aspects or features of KPIs that may vary depending on the context and purpose of the KPIs. For example:
Alignment to management reports is an aspect of KPIs that relates to the communication and presentation of the KPIs to the relevant stakeholders, such as senior management, board members, or external parties12. However, this aspect does not determine the quality or validity of the KPIs, or the alignment to the intended result12.
Alerts when risk thresholds are reached is a feature of KPIs that relates to the monitoring and control of the KPIs, and the triggering of actions or decisions when the KPIs exceed or fall below a certain level or range12. However, this feature does not define the content or scope of the KPIs, or the alignment to the intended result12.
Identification of trends is a feature of KPIs that relates to the analysis and interpretation of the KPIs, and the identification of patterns or changes in the KPIs over time or across different dimensions12. However, this feature does not specify the criteria or methodology of the KPIs, or the alignment to the intended result12. References =
1: What is a Key Performance Indicator (KPI)? Guide & Examples - Qlik3
2: What is a Key Performance Indicator (KPI)? - KPI.org4
When determining which control deficiencies are most significant, which of the following would provide the MOST useful information?
Risk analysis results
Exception handling policy
Vulnerability assessment results
Benchmarking assessments
A control deficiency is a weakness or flaw in the design or implementation of a control that reduces its effectiveness or efficiency in achieving its intended objective or mitigating the risk that it is designed to address. A control deficiency may be caused by various factors, such as human error, system failure, process inefficiency, resource limitation, etc.
When determining which control deficiencies are most significant, the most useful information would be the risk analysis results, which are the outcomes or outputs of the risk analysis process that measures and compares the likelihood and impact of various risk scenarios, and prioritizes them based on their significance and urgency. The risk analysis results can help to determine which control deficiencies are most significant by providing the following information:
The level and priority of the risks that are associated with the control deficiencies, and the potential consequences or impacts that they may cause for the organization if they materialize.
The gap or difference between the current and desired level of risk, and the extent or degree to which the control deficiencies contribute to or affect the gap or difference.
The cost-benefit or feasibility analysis of the possible actions or plans to address or correct the control deficiencies, and the expected or desired outcomes or benefits that they may provide for the organization.
The other options are not the most useful information when determining which control deficiencies are most significant, because they do not provide the same level of detail and insight that the risk analysis results provide, and they may not be relevant or actionable for the organization.
An exception handling policy is a policy that defines and describes the procedures and guidelines for dealing with the situations or circumstances that deviate from the normal or expected operation or functionality of a control, and that may require special or alternative actions or measures to address or resolve them. An exception handling policy can provide useful information on how to handle or manage the control deficiencies, but it is not the most useful information when determining which control deficiencies are most significant, because it does not indicate the level and priority of the risks that are associated with the control deficiencies, and the potential consequences or impacts that they may cause for the organization.
A vulnerability assessment is an assessment that identifies and evaluates the weaknesses or flaws in the organization’s assets, processes, or systems that can be exploited or compromised by the threats or sources of harm that may affect the organization’s objectives or operations. A vulnerability assessment can provide useful information on the existence and severity of the control deficiencies, but it is not the most useful information when determining which control deficiencies are most significant, because it does not indicate the likelihood and impact of the risk scenarios that are associated with the control deficiencies, and the potential consequences or impacts that they may cause for the organization.
A benchmarking assessment is an assessment that compares and contrasts the organization’s performance, practices, or processes with those of other organizations or industry standards, and identifies the strengths, weaknesses, opportunities, or threats that may affect the organization’s objectives or operations. A benchmarking assessment can provide useful information on the best practices or improvement areas for the organization, but it is not the most useful information when determining which control deficiencies are most significant, because it does not indicate the level and priority of the risks that are associated with the control deficiencies, and the potential consequences or impacts that they may cause for the organization. References =
ISACA, CRISC Review Manual, 7th Edition, 2022, pp. 19-20, 23-24, 27-28, 31-32, 40-41, 47-48, 54-55, 58-59, 62-63
ISACA, CRISC Review Questions, Answers & Explanations Database, 2022, QID 176
CRISC Practice Quiz and Exam Prep
Which of the following should be the PRIMARY objective of promoting a risk-aware culture within an organization?
Better understanding of the risk appetite
Improving audit results
Enabling risk-based decision making
Increasing process control efficiencies
The primary objective of promoting a risk-aware culture within an organization is enabling risk-based decision making, because this helps the organization to achieve its goals and objectives while managing its risks effectively and efficiently. A risk-aware culture is one where everyone understands the organization’s approach to risk, takes personal responsibility to manage risk in everything they do, and encourages others to follow their example. A risk-aware culture also fosters communication, collaboration, and learning about risk across the organization. By promoting a risk-aware culture, the organization can empower its employees to make informed and balanced decisions that consider both the potential benefits and the potential risks of their actions. This can enhance the organization’s performance, resilience, and competitiveness in a dynamic and uncertain environment. References = Risk IT Framework, ISACA, 2022, p. 17
Copyright © 2021-2025 CertsTopics. All Rights Reserved
