New Release CRISC Isaca Certification Questions

Key risk indicators (KRIs) are metrics that provide information on the level of exposure to a given risk. Key control indicators (KCIs) are metrics that measure the performance or effectiveness of a control in mitigating a risk. KCIs provide input for KRIs, because they help to assess the residual risk after applying the control. For example, if the KRI is the number of security incidents, and the KCI is the percentage of incidents detected by the intrusion prevention system (IPS), then the KCI provides input for the KRI by showing how well the IPS is reducing the risk of security breaches. References = CRISC: Certified in Risk & Information Systems Control Sample Questions

Key risk indicators (KRIs) are metrics or measures that provide information on the current or potential exposure and performance of an organization in relation to specific risks. KRIs can help to monitor and track the changes or trends in the risk level and the risk response over time, identify and alert the risk issues or events that require attention or action, evaluate and report the effectiveness and efficiency of the risk management processes and practices, and support and inform the risk decision making and improvement1.

The best way to enable the identification of trends in risk levels is to ensure that the correlation between risk levels and KRIs is positive, because it means that the KRIs are aligned with and reflective of the risk levels, and that they can capture and indicate the variations or movements in the risk levels accurately and reliably. A positive correlation between risk levels and KRIs can be achieved by:

Selecting and defining the KRIs that are relevant and appropriate for the specific risks that the organization faces, and that are consistent and comparable across different domains and contexts

Collecting and analyzing the data and information that are reliable and sufficient for the KRIs, and that are sourced from various methods and sources, such as risk assessments, audits, monitoring, alerts, or incidents

Applying and using the tools and techniques that are suitable and feasible for the KRIs, such as risk matrices, risk registers, risk indicators, or risk models

Reviewing and updating the KRIs periodically or as needed, and ensuring that they reflect the current or accurate risk levels, which may change over time or due to external factors23

The other options are not the best ways to enable the identification of trends in risk levels, but rather some of the factors or aspects of KRIs. Measurements for KRIs are repeatable is a factor that can enhance the reliability and validity of the KRIs, as it means that the KRIs can produce the same or similar results under the same or similar conditions. However, repeatability does not necessarily imply accuracy or sensitivity, and it may not capture or reflect the changes or trends in the risk levels. Quantitative measurements are used for KRIs is an aspect that can improve the objectivity and precision of the KRIs, as it means that the KRIs are expressed in numerical or measurable values, such as percentages, probabilities, or monetary amounts. However, quantitative measurements may not be suitable or feasible for all types of risks or KRIs, and they may not capture or reflect the complexity or uncertainty of the risk levels. Qualitative definitions for KRIs are used is an aspect that can enhance the understanding and communication of the KRIs, as it means that the KRIs are expressed in descriptive or subjective terms, such as high, medium, or low, based on criteria such as likelihood, impact, or severity. However, qualitative definitions may not be consistent or comparable across different risks or KRIs, and they may not capture or reflect the magnitude or variation of the risk levels. References =

Key Risk Indicators: What They Are and How to Use Them

Key Risk Indicators: A Practical Guide | SafetyCulture

Key Risk Indicators: Types and Examples

[CRISC Review Manual, 7th Edition]

A risk treatment plan is a document that outlines the approach and actions to be taken to address the unacceptable risks identified in the risk assessment process1. A risk treatment plan should include the following components2:

The risk identification number and description

The risk treatment option chosen (e.g., avoid, reduce, share, or accept)

The risk treatment owner, who is responsible for implementing and monitoring the risk treatment

The risk treatment actions, which are the specific tasks or steps to be performed to execute the risk treatment

The risk treatment resources, which are the human, financial, or technical resources required to support the risk treatment

The risk treatment target date, which is the deadline for completing the risk treatment

The risk treatment performance indicators, which are the measures to evaluate the effectiveness and efficiency of the risk treatment

The risk treatment status, which is the current progress or outcome of the risk treatment

Among the four options given, the most important component in a risk treatment plan is the treatment plan ownership. This is because the treatment plan ownership defines the accountability and authority for the risk treatment, and ensures that the risk treatment actions are carried out as planned and reported as required3. The treatment plan ownership also facilitates the communication and coordination among the stakeholders involved in the risk treatment, and enables the escalation and resolution of any issues or challenges that may arise during the risk treatment process4.

References = Risk Treatment (With Examples), ISO 27001 Risk Assessment & Risk Treatment: The Complete Guide, Risk Management Framework - Treat Risks, Risk Management Plan Components

 The primary purpose of a business impact analysis (BIA) is to evaluate the priority of business operations in case of disruption. A BIA is a process that identifies and analyzes the potential effects of various types of disruptions on the enterprise’s critical business functions and processes. A BIA helps to determine the recovery objectives, such as the recovery time objective (RTO) and the recovery point objective (RPO), for each business operation, based on the impact of disruption on the enterprise’s objectives, reputation, compliance, and stakeholders. A BIA also helps to identify the dependencies, resources, and interdependencies of the business operations, and to rank them according to their importance and urgency. References = Risk and Information Systems Control Study Manual, 7th Edition, Chapter 2, Section 2.2.1, page 671