Isaca Updated CRISC Exam Questions and Answers by benji

Reviewing the risk register change log is the best way for management to validate whether risk response activities have been completed, because it helps to track and monitor the changes and updates that have been made to the risk register, and to verify that the risk response activities have been implemented and closed. A risk register is a document that captures, identifies, assesses and tracks risk as part of the risk management process4. A risk register change log is a record that documents the date, description, and reason for each change or update that is made to the risk register. A risk response activity is an action or task that is performed to implement the chosen risk response strategy for a specific risk, such as avoid, transfer, mitigate, or accept. Reviewing the risk register change log is the best way, as it helps to ensure that the risk register is accurate and current, and that the risk response activities have been completed and reported. Reviewing evidence of risk acceptance, control effectiveness test results, and control design documentation are all possible ways to validate whether risk response activities have been completed, but they are not the best way, as they may not cover all the risk response activities, and they may not reflect the changes or updates in the risk register. References = Risk and Information Systems Control Study Manual, Chapter 3, Section 3.4.1, page 101

According to the CRISC Review Manual1, impact assessment is the process of identifying and evaluating the potential effects of changes to IT services on the organization’s business objectives, processes, resources, and risks. Impact assessment is essential for ensuring that the changes are aligned with the organization’s strategy, goals, and risk appetite, and that the benefits of the changes outweigh the costs and risks. Impact assessment also helps to prioritize, plan, and implement the changes effectively and efficiently, and to monitor and measure the outcomes of the changes. Therefore, the most important factor for a risk practitioner to consider when evaluating plans for changes to IT services is the impact assessment of the change. References = CRISC Review Manual1, page 224.

The risk register should clearly documentwho is accountablefor managing each risk. CRISC defines the risk owner as the individual (often a business or process owner) who is responsible for ensuring appropriate treatment and monitoring of the risk. When a major organizational change occurs—such as restructuring, mergers, or changes in responsibility—it is critical to update the risk owner so that accountability remains clear and no risk is left unmanaged. The identity of the person who identified the risk is less important; that role is informational and does not drive ongoing accountability. Control owners and risk response owners are important roles, but they typically operate under the direction of the risk owner. Ensuring the correct risk owner is assigned prevents gaps in oversight and aligns the risk with the correct decision-making authority.

Administrative controls, such as policies, procedures, and training, complement technical controls by addressing the human and organizational aspects of risk management. Using bothtypes of controls together enhances the overall effectiveness of the risk mitigation strategy, ensuring that technical measures are supported by appropriate governance and user behavior.