Amazon
Avaya
Cisco
CompTIA
CrowdStrike
EC-Council
EXIN
Fortinet
Google
ISC
ISC2
ITIL
Juniper
Microsoft
NVIDIA
Okta
Palo Alto Networks
Salesforce
SAP
ServiceNow
All Vendors
  1. Home
  2. ISACA
  3. CRISC

ISACA CRISC Exam (page: 39)
ISACA Certified in Risk and Information Systems Control
Updated on: 17-Feb-2026

Viewing Page 39 of 361
CRISC PDF 1895 Questions

Jane, the Director of Sales, contacts you and demands that you add a new feature to the software your project team is creating for the organization. In the meeting she tells you how important the scope change would be. You explain to her that the software is almost finished and adding a change now could cause the deliverable to be late, cost additional funds, and would probably introduce new risks to the project. Jane stands up and says to you, "I am the Director of Sales and this change will happen in the project." And then she leaves the room. What should you do with this verbal demand for a change in the project?

  1. Include the change in the project scope immediately.
  2. Direct your project team to include the change if they have time.
  3. Do not implement the verbal change request.
  4. Report Jane to your project sponsor and then include the change.

Answer(s): C

Explanation:

This is a verbal change request, and verbal change requests are never implemented. They introduce risk and cannot be tracked in the project scope. Change requests are requests to expand or reduce the project scope, modify policies, processes, plans, or procedures, modify costs or budgets or revise schedules. These requests for a change can be direct or indirect, externally or internally initiated, and legally or contractually imposed or optional. A Project Manager needs to ensure that only formally documented requested changes are processed and only approved change requests are implemented.

Incorrect Answers:
A: Including the verbal change request circumvents the project's change control system.

B: Directing the project team to include the change request if they have time is not a valid option. The project manager and the project team will have all of the project team already accounted for so there is no extra time for undocumented, unapproved change requests.

D: You may want to report Jane to the project sponsor, but you are not obligated to include the verbal change request.



You are the risk professional in Bluewell Inc. A risk is identified and enterprise wants to quickly implement control by applying technical solution that deviates from the company's policies. What you should do?

  1. Recommend against implementation because it violates the company's policies
  2. Recommend revision of the current policy
  3. Recommend a risk assessment and subsequent implementation only if residual risk is accepted
  4. Conduct a risk assessment and allow or disallow based on the outcome

Answer(s): C

Explanation:

If it is necessary to quickly implement control by applying technical solution that deviates from the company's policies, then risk assessment should be conducted to clarify the risk. It is up to the management to accept the risk or to mitigate it.

Incorrect Answers:
A: As in this case it is important to mitigate the risk, hence risk professional should once recommend a risk assessment. Though the decision for the conduction of risk assessment in case of violation of company's policy, is taken by management.

B: The recommendation to revise the current policy should not be triggered by a single request.

D: Risk professional can only recommend the risk assessment if the company's policies is violating, but it can only be conducted when the management allows.



Jane is the project manager of the NHJ Project for his company. He has identified several positive risk events within his project and he thinks these events can save the project time and money. Positive risk events, such as these within the NHJ Project are referred to as?

  1. Contingency risks
  2. Benefits
  3. Residual risk
  4. Opportunities

Answer(s): D

Explanation:

A positive risk event is also known as an opportunity. Opportunities within the project to save time and money must be evaluated, analyzed, and responded to.

Incorrect Answers:
A: A contingency risk is not a valid risk management term.

B: Benefits are the good outcomes of a project endeavor. Benefits usually have a cost factor associated with them.

C: Residual risk is the risk that remains after applying controls. It is not feasible to eliminate all risks from an organization. Instead, measures can be taken to reduce risk to an acceptable level. The risk that is left is residual risk.



During qualitative risk analysis you want to define the risk urgency assessment. All of the following are indicators of risk priority except for which one?

  1. Warning signs
  2. Symptoms
  3. Risk rating
  4. Cost of the project

Answer(s): D

Explanation:

The cost of the project is not an indicator of risk urgency. The affect of the risk on the overall cost of the project may be considered, but it is not the best answer.

Incorrect Answers:
A: Warning signs are an indicator of the risk urgency. B: Symptoms are an indicator of the risk urgency.
C: The risk rating can be an indicator of the risk urgency.



Which of the following phases is involved in the Data Extraction, Validation, Aggregation and Analysis?

  1. Risk response and Risk monitoring
  2. Requirements gathering, Data access, Data validation, Data analysis, and Reporting and corrective action
  3. Data access and Data validation
  4. Risk identification, Risk assessment, Risk response and Risk monitoring

Answer(s): B

Explanation:

The basic concepts related to data extraction, validation, aggregation and analysis is important as KRIs often rely on digital information from diverse sources. The phases which are involved in this are:
Requirements gathering: Detailed plan and project's scope is required for monitoring risks. In the case of a monitoring project, this step should involve process owners, data owners, system custodians and other process stakeholders.

Data access: In the data access process, management identifies which data are available and how they can be acquired in a format that can be used for analysis. There are two options for data extraction:
- Extracting data directly from the source systems after system owner approval
- Receiving data extracts from the system custodian (IT) after system owner approval

Direct extraction is preferred, especially since this involves management monitoring its own controls, instead of auditors/third parties monitoring management's controls. If it is not feasible to get direct access, a data access request form should be submitted to the data owners that detail the appropriate data fields to be extracted. The request should specify the method of delivery for the file.
Data validation: Data validation ensures that extracted data are ready for analysis. One of its important objective is to perform tests examining the data quality to ensure data are valid complete and free of errors. This may also involve making data from different sources suitable for comparative analysis. Following concepts should be considered while validating data:
- Ensure the validity, i.e., data match definitions in the table layout
- Ensure that the data are complete
- Ensure that extracted data contain only the data requested
- Identify missing data, such as gaps in sequence or blank records
- Identify and confirm the validity of duplicates
- Identify the derived values
- Check if the data given is reasonable or not
- Identify the relationship between table fields
- Record, in a transaction or detail table, that the record has no match in a master table

Data analysis: Analysis of data involves simple set of steps or complex combination of commands and other functionality. Data analysis is designed in such a way to achieve the stated objectives from the project plan. Although this may be applicable to any monitoring activity, it would be beneficial to consider transferability and scalability. This may include robust documentation, use of software development standards and naming conventions.

Reporting and corrective action: According to the requirements of the monitoring objectives and the technology being used, reporting structure and distribution are decided. Reporting procedures indicate to whom outputs from the automated monitoring process are distributed so that they are directed to the right people, in the right format, etc. Similar to the data analysis stage, reporting may also identify areas in which changes to the sensitivity of the reporting parameters or the timing and frequency of the monitoring activity may be required.

Incorrect Answers:
D: These are the phases that are involved in risk management.



Viewing Page 39 of 361



Share your comments for ISACA CRISC exam with other users:

Andrus 12/17/2023 12:09:00 PM

q52 should be d. vm storage controller bandwidth represents the amount of data (in terms of bandwidth) that a vms storage controller is using to read and write data to the storage fabric.
Anonymous


Raj 5/25/2023 8:43:00 AM

nice questions
UNITED STATES


max 12/22/2023 3:45:00 PM

very useful
Anonymous


Muhammad Rawish Siddiqui 12/8/2023 6:12:00 PM

question # 208: failure logs is not an example of operational metadata.
SAUDI ARABIA


Sachin Bedi 1/5/2024 4:47:00 AM

good questions
Anonymous


Kenneth 12/8/2023 7:34:00 AM

thank you for the test materials!
KOREA REPUBLIC OF


Harjinder Singh 8/9/2023 4:16:00 AM

its very helpful
HONG KONG


SD 7/13/2023 12:56:00 AM

good questions
UNITED STATES


kanjoe 7/2/2023 11:40:00 AM

good questons
UNITED STATES


Mahmoud 7/6/2023 4:24:00 AM

i need the dumb of the hcip security v4.0 exam
EGYPT


Wei 8/3/2023 4:18:00 AM

upload the dump please
HONG KONG


Stephen 10/3/2023 6:24:00 PM

yes, iam looking this
AUSTRALIA


Stephen 8/4/2023 9:08:00 PM

please upload cima e2 managing performance dumps
Anonymous


hp 6/16/2023 12:44:00 AM

wonderful questions
Anonymous


Priyo 11/14/2023 2:23:00 AM

i used this site since 2000, still great to support my career
INDONESIA


Jude 8/29/2023 1:56:00 PM

why is the answer to "which of the following is required by scrum?" all of the following stated below since most of them are not mandatory? sprint retrospective. members must be stand up at the daily scrum. sprint burndown chart. release planning.
UNITED STATES


Marc blue 9/15/2023 4:11:00 AM

great job. hope this helps out.
UNITED STATES


Anne 9/13/2023 2:33:00 AM

upload please. many thanks!
Anonymous


pepe el toro 9/12/2023 7:55:00 PM

this is so interesting
Anonymous


Antony 11/28/2023 12:13:00 AM

great material thanks
AUSTRALIA


Thembelani 5/30/2023 2:22:00 AM

anyone who wrote this exam recently
Anonymous


P 9/16/2023 1:27:00 AM

ok they re good
Anonymous


Jorn 7/13/2023 5:05:00 AM

relevant questions
UNITED KINGDOM


AM 6/20/2023 7:54:00 PM

please post
UNITED STATES


Nagendra Pedipina 7/13/2023 2:22:00 AM

q:42 there has to be a image in the question to choose what does it mean from the options
INDIA


BrainDumpee 11/18/2023 1:36:00 PM

looking for cphq dumps, where can i find these for free? please and thank you.
UNITED STATES


sheik 10/14/2023 11:37:00 AM

@aarun , thanks for the information. it would be great help if you share your email
Anonymous


Random user 12/11/2023 1:34:00 AM

1z0-1078-23 need this dumps
Anonymous


labuschanka 11/16/2023 6:06:00 PM

i gave the microsoft azure az-500 tests and prepared from this site as it has latest mock tests available which helped me evaluate my performance and score 919/1000
Anonymous


Marianne 10/22/2023 11:57:00 PM

i cannot see the button to go to the questions
Anonymous


sushant 6/28/2023 4:52:00 AM

good questions
EUROPEAN UNION


A\MAM 6/27/2023 5:17:00 PM

q-6 ans-b correct. https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-cli-quick-start/use-the-cli/commit-configuration-changes
UNITED STATES


unanimous 12/15/2023 6:38:00 AM

very nice very nice
Anonymous


akminocha 9/28/2023 10:36:00 AM

please help us with 1z0-1107-2 dumps
INDIA