Topic 2 : Pool B Jul-Aug-Sep
Which stakeholders are PRIMARILY responsible for determining enterprise IT risk appetite?
A. Audit and compliance management
B. The chief information officer (CIO) and the chief financial officer (CFO)
C. Enterprise risk management and business process owners
D. Executive management and the board of directors
Executive management and the board of directors
A risk practitioner is reporting on an increasing trend of ransomware attacks in the industry. Which of the following information is MOST important to include to enable an informed response decision by key stakeholders?
A. Methods of attack progression
B. Losses incurred by industry peers
C. Most recent antivirus scan reports
D. Potential impact of events
Potential impact of events
Which of the following BEST measures the efficiency of an incident response process?
A. Number of incidents escalated to management
B. Average time between changes and updating of escalation matrix
C. Average gap between actual and agreed response times
D. Number of incidents lacking responses
Average gap between actual and agreed response times
Which of the following is MOST effective in continuous risk management process improvement?
A. Periodic assessments
B. Change management
C. Awareness training
D. Policy updates
Awareness training
Which of the following provides the MOST up-to-date information about the effectiveness of an organization's overall IT control environment?
A. Key performance indicators (KPIs)
B. Risk heat maps
C. Internal audit findings
D. Periodic penetration testing
Key performance indicators (KPIs)