Amazon
Avaya
Checkpoint
Cisco®
CompTIA
CrowdStrike
EC-Council
EXIN
Fortinet
Google
ISC
ISC2
ITIL®
Juniper
Microsoft
Okta
Palo Alto Networks
Salesforce
All Vendors
  1. Home
  2. ISACA
  3. CRISC

ISACA CRISC Exam (page: 40)
ISACA Certified in Risk and Information Systems Control
Updated on: 25-Dec-2025

Viewing Page 40 of 361
CRISC PDF 1895 Questions

Which of the following items is considered as an objective of the three dimensional model within the framework described in COSO ERM?

  1. Risk assessment
  2. Financial reporting
  3. Control environment
  4. Monitoring

Answer(s): B

Explanation:

The COSO ERM (Enterprise Risk Management) frame work is a 3-dimensional model. The dimensions and their components include:
Strategic Objectives - includes strategic, operations, reporting, and compliance.
Risk Components - includes Internal Environment, Objectives settings, Event identification, Risk assessment, Risk response, Control activities, Information and communication, and monitoring. Organizational Levels - include subsidiary, business unit, division, and entity-level.

The COSO ERM framework contains eight risk components: Internal Environment
Objective Settings Event Identification Risk Assessment Risk Response Control Activities
Information and Communication Monitoring

Section 404 of the Sarbanes-Oley act specifies a three dimensional model- COSO ERM, comprised of Internal control components, Internal control objectives, and organization entities. All the items listed are components except Financial reporting which is an internal control objective.

Incorrect Answers:
A, C, D: They are the Internal control components, not the Internal control objectives.



NIST SP 800-53 identifies controls in three primary classes. What are they?

  1. Technical, Administrative, and Environmental
  2. Preventative, Detective, and Corrective
  3. Technical, Operational, and Management
  4. Administrative, Technical, and Operational

Answer(s): C

Explanation:

NIST SP 800-53 is used to review security in any organization, that is, in reviewing physical security. The Physical and Environmental Protection family includes 19 different controls. Organizations use these controls for better physical security. These controls are reviewed to determine if they are relevant to a particular organization or not. Many of the controls described include additional references that provide more details on how to implement them. The National Institute of Standards and Technology (NIST) SP 800-53 rev 3 identifies 18 families of controls. It groups these controls into three classes:
Technical Operational Management



While defining the risk management strategies, what are the major parts to be determined first? Each correct answer represents a part of the solution. Choose two.

  1. IT architecture complexity
  2. Organizational objectives
  3. Risk tolerance
  4. Risk assessment criteria

Answer(s): B,C

Explanation:

While defining the risk management strategies, risk professional should first identify and analyze the objectives of the organization and the risk tolerance. Once the objectives of enterprise are known, risk professional can detect the possible risks which can occur in accomplishing those objectives. Analyzing the risk tolerance would help in identifying the priorities of risk which is the latter steps in risk management. Hence these two do the basic framework in risk management.

Incorrect Answers:
A: IT architecture complexity is related to the risk assessment and not the risk management, as it does much help in evaluating each significant risk identified.

D: Risk assessment is one of the various phases that occur while managing risks, which uses quantitative and qualitative approach to evaluate risks. Hence risk assessment criteria is only a part of this framework.



Which of the following are true for quantitative analysis?
Each correct answer represents a complete solution. Choose three.

  1. Determines risk factors in terms of high/medium/low.
  2. Produces statistically reliable results
  3. Allows discovery of which phenomena are likely to be genuine and which are merely chance occurrences
  4. Allows data to be classified and counted

Answer(s): B,C,D

Explanation:

As quantitative analysis is data driven, it: Allows data classification and counting.
Allows statistical models to be constructed, which help in explaining what is being observed. Generalizes findings for a larger population and direct comparisons between two different sets of data or observations.
Produces statistically reliable results.
Allows discovery of phenomena which are likely to be genuine and merely occurs by chance.

Incorrect Answers:
A: Risk factors are expressed in terms of high/medium/low in qualitative analysis, and not in quantitative analysis.



Ned is the project manager of the HNN project for your company. Ned has asked you to help him complete some probability distributions for his project. What portion of the project will you most likely use for probability distributions?

  1. Bias towards risk in new resources
  2. Risk probability and impact matrixes
  3. Uncertainty in values such as duration of schedule activities
  4. Risk identification

Answer(s): C

Explanation:

Risk probability distributions are likely to be utilized in uncertain values, such as time and cost estimates for a project.

Incorrect Answers:
A: Risk probability distributions do not typically interact with the bias towards risks in new resources. B: Risk probability distributions are not likely to be used with risk probability and impact matrices.
D: Risk probability distributions are not likely the risk identification.



Viewing Page 40 of 361



Share your comments for ISACA CRISC exam with other users:

Pushkar 11/7/2022 12:12:00 AM

the questions are incredibly close to real exam. you people are amazing.
INDIA


Ankit S 11/13/2023 3:58:00 AM

q15. answer is b. simple
UNITED STATES


S. R 12/8/2023 9:41:00 AM

great practice
FRANCE


Mungara 3/14/2023 12:10:00 AM

thanks to this exam dumps, i felt confident and passed my exam with ease.
UNITED STATES


Anonymous 7/25/2023 2:55:00 AM

need 1z0-1105-22 exam
Anonymous


Nigora 5/31/2022 10:05:00 PM

this is a beautiful tool. passed after a week of studying.
UNITED STATES


Av dey 8/16/2023 2:35:00 PM

can you please upload the dumps for 1z0-1096-23 for oracle
INDIA


Mayur Shermale 11/23/2023 12:22:00 AM

its intresting, i would like to learn more abouth this
JAPAN


JM 12/19/2023 2:23:00 PM

q252: dns poisoning is the correct answer, not locator redirection. beaconing is detected from a host. this indicates that the system has been infected with malware, which could be the source of local dns poisoning. location redirection works by either embedding the redirection in the original websites code or having a user click on a url that has an embedded redirect. since users at a different office are not getting redirected, it isnt an embedded redirection on the original website and since the user is manually typing in the url and not clicking a link, it isnt a modified link.
UNITED STATES


Freddie 12/12/2023 12:37:00 PM

helpful dump questions
SOUTH AFRICA


Da Costa 8/25/2023 7:30:00 AM

question 423 eigrp uses metric
Anonymous


Bsmaind 8/20/2023 9:22:00 AM

hello nice dumps
Anonymous


beau 1/12/2024 4:53:00 PM

good resource for learning
UNITED STATES


Sandeep 12/29/2023 4:07:00 AM

very useful
Anonymous


kevin 9/29/2023 8:04:00 AM

physical tempering techniques
Anonymous


Blessious Phiri 8/15/2023 4:08:00 PM

its giving best technical knowledge
Anonymous


Testbear 6/13/2023 11:15:00 AM

please upload
ITALY


shime 10/24/2023 4:23:00 AM

great question with explanation thanks!!
ETHIOPIA


Thembelani 5/30/2023 2:40:00 AM

does this exam have lab sections?
Anonymous


Shin 9/8/2023 5:31:00 AM

please upload
PHILIPPINES


priti kagwade 7/22/2023 5:17:00 AM

please upload the braindump for .net
UNITED STATES


Robe 9/27/2023 8:15:00 PM

i need this exam 1z0-1107-2. please.
Anonymous


Chiranthaka 9/20/2023 11:22:00 AM

very useful!
Anonymous


Not Miguel 11/26/2023 9:43:00 PM

for this question - "which three type of basic patient or member information is displayed on the patient info component? (choose three.)", list of conditions is not displayed (it is displayed in patient card, not patient info). so should be thumbnail of chatter photo
Anonymous


Andrus 12/17/2023 12:09:00 PM

q52 should be d. vm storage controller bandwidth represents the amount of data (in terms of bandwidth) that a vms storage controller is using to read and write data to the storage fabric.
Anonymous


Raj 5/25/2023 8:43:00 AM

nice questions
UNITED STATES


max 12/22/2023 3:45:00 PM

very useful
Anonymous


Muhammad Rawish Siddiqui 12/8/2023 6:12:00 PM

question # 208: failure logs is not an example of operational metadata.
SAUDI ARABIA


Sachin Bedi 1/5/2024 4:47:00 AM

good questions
Anonymous


Kenneth 12/8/2023 7:34:00 AM

thank you for the test materials!
KOREA REPUBLIC OF


Harjinder Singh 8/9/2023 4:16:00 AM

its very helpful
HONG KONG


SD 7/13/2023 12:56:00 AM

good questions
UNITED STATES


kanjoe 7/2/2023 11:40:00 AM

good questons
UNITED STATES


Mahmoud 7/6/2023 4:24:00 AM

i need the dumb of the hcip security v4.0 exam
EGYPT