Free Isaca CRISC Exam Questions

Become Isaca Certified with updated CRISC exam questions and correct answers

Page: 1 / 364

Total 1818 Questions | Updated On: Apr 03, 2026

Add To Cart

Question 1

During testing, a risk practitioner finds the IT department's recovery time objective (RTO) for a key system does not align with the enterprise's business continuity plan (BCP). Which of the following should be done NEXT?

A : mplete a risk exception form

B : port the gap to senior management

C : nsult with the business owner to update the BCP

D : nsult with the IT department to update the RTO

Answer: B

Question 2

Before assigning sensitivity levels to information, it is MOST important to:

A : fine the information classification policy.

B : nduct a sensitivity analysis.

C : entify information custodians.

D : fine recovery time objectives (RTOs).

Answer: A

Question 3

When a risk cannot be sufficiently mitigated through manual or automatic controls, which of the following options will BEST protect the enterprise from the potential financial impact of the risk?

A : dating the IT risk registry

B : uring against the risk

C : tsourcing the related business process to a third party

D : proving staff-training in the risk area

Answer: B

Question 4

The MAIN reason to use the risk register to monitor aggregated risk is to provide:

A : insight on control gaps.

B : a basis for risk management resource allocation.

C : a comprehensive view of risk impact.

D : historical information about risk impact.

Answer: C

Question 5

An organization moved one of its applications to a public cloud, but after migration decided to move it back on-premise after an issue caused the application to be down for one day. What does this scenario indicate?

A : The organization has high risk tolerance.

B : The organization has low risk tolerance.

C : The organization has high risk appetite.

D : The organization has low risk appetite.

Answer: B

Page: 1 / 364

Total 1818 Questions | Updated On: Apr 03, 2026

Add To Cart