Isaca Certification Changed CRISC Questions

 The primary objective for requiring an independent review of an organization’s IT risk management process should be to assess gaps in IT risk management operations and strategic focus, as this helps to identify the strengths and weaknesses of the current process, and to provide recommendations for improvement and alignment with the enterprise’s objectives and environment. An independent review is an objective and unbiased evaluation of the IT risk management process by a qualified and competent party that is not involved in the process. An independent review can help to ensure the quality, effectiveness, and efficiency of the IT risk management process, as well as to enhance the credibility and confidence of the process. Confirming that IT risk assessment results are expressed as business impact, verifying implemented controls to reduce the likelihood of threat materialization, and ensuring IT risk management is focused on mitigating potential risk are not the primary objectives for requiring an independent review of an organization’s IT risk management process, but rather the expected outcomes or benefits of the independent review. References = CRISC Certified in Risk and Information Systems Control – Question219; ISACA Certified in Risk and Information Systems Control (CRISC) Certification Exam Question and Answers, question 219.

Residual risk is the risk that remains after applying risk responses, such as avoidance, mitigation, transfer, or acceptance. It represents the level of exposure that the organisation is willing to tolerate or assume. Residual risk should be aligned with the organisation’s risk appetite and risk tolerance, which are determined by senior management. Therefore, the best way to obtain senior management support for investment in a control implementation would be to articulate the reduction in residual risk that the control would achieve. This would demonstrate how the control would help the organisation meet its riskobjectives and reduce the likelihood or impact of adverse events. References = ISACA CRISC Review Manual, 7th Edition, Chapter 1, Section 1.3.2, page 25.

Residual system access is the risk that the customer service representatives who are transferred to the sales department may still have access to the systems or applications that they used in their previous role, which may not be relevant or authorized for their new role.

The access control manager is the person or function who is responsible for defining, implementing, and maintaining the policies and procedures for granting, modifying, reviewing, and revoking access rights to the systems or applications, based on the principle of least privilege and the segregation of duties.

The access control manager is responsible for mitigating the risk associated with residual system access, by ensuring that the access rights of the customer service representatives are updated or removed according to their new role and responsibilities, and that the access changes are documented and approved by the appropriate authorities.

The other options are not responsible for mitigating the risk associated with residual system access. They are either irrelevant or less effective than the access control manager.

The references for this answer are:

Risk IT Framework, page 26

Information Technology & Security, page 20

Risk Scenarios Starter Pack, page 18

 A risk portfolio is a collection of risks that an organization faces or may face in the future. Analyzing trends in key control indicators (KCIs) best enables a risk practitioner to proactively identify impacts on an organization’s risk portfolio, as KCIs measure and monitor the performance and effectiveness of the risk controls that are implemented to mitigate the risks. By analyzing the trends in KCIs, a risk practitioner can assess the current and potential risk exposure of the organization, and identify any changes or emerging risks that may affect the risk portfolio. Analyzing trends in KCIs can also help to evaluate the cost and benefit of the risk controls, and to determine the need for enhancing, modifying, or implementing new controls. References = CRISC: Certified in Risk & Information Systems Control Sample Questions, Question 246. Most Asked CRISC Exam Questions and Answers, Question 10. ISACA Certified in Risk and Information Systems Control (CRISC) Certification Exam Question and Answers, Question 246. CRISC by Isaca Actual Free Exam Q&As, Question 9.