Isaca Updated CRISC Exam Questions and Answers by lia

The correct answer isDbecauseuser acceptance testing (UAT) resultsare the most important consideration when deciding whether to release a new system into production. UAT confirms that the system meets business requirements and is ready for operational use. Since the steering committee is making a go/no-go decision for production release, the most critical question is whether users have validated that the solution is fit for purpose.

The other options are important, but not the most important for final release approval:

A. Dynamic application security testing (DAST) resultsare valuable for identifying security weaknesses, but by themselves they do not confirm that the system satisfies business and user requirements.

B. Project implementation plansupports deployment readiness, but it does not prove that the system is acceptable to the business.

C. Project risk registerprovides visibility into project risk, but it is not the strongest direct indicator that the system is ready for production.

Exact Extracts supporting the answer:

“To ensure that an application is ready to be implemented the best test is the user acceptance test.”

“Before moving on to the system design phase it MUST be accomplished that the risk associated with the proposed system and controls is accepted by management.”

“Business stakeholders and decision makers primarily validate the effectiveness of IT risk responses by checking if IT controls achieve the desired objectives.”

“The PRIMARY result of a risk assessment process is input for risk-aware decisions.”

These extracts show that readiness for implementation and final business validation are best demonstrated throughuser acceptance testing. Therefore, UAT results are the most important factor for the steering committee when deciding to release a new system into production.

A post-implementation review (PIR) is a process to evaluate whether the objectives of the project were met and whether the project delivered the expected benefits and outcomes1. The primary objective of a risk practitioner performing a PIR of an IT risk mitigation project is to verify that the risk level has been lowered as a result of the project implementation2. This can be done by comparing the actual risk level with theexpected risk level, assessing the effectiveness and efficiency of the risk mitigation controls, and identifying any residual or emergingrisks3. Documenting project lessons learned, validating the project completion, and confirming the project budget are important aspects of a PIR, but they are not the primary objective for a risk practitioner, as they do not directly measure the impact of the project on the risk level4. References = Risk and Information Systems Control Study Manual, Chapter 5: Risk Response and Mitigation, Section 5.4: Post-Implementation Review, pp. 239-241.

The BIA identifies critical processes, maximum tolerable downtime, and the business impact of disruptions. CRISC and business continuity practices emphasize that the BCP must bealignedwith BIA results. Comparing the BIA with the BCP ensures that recovery strategies, objectives (RTOs/RPOs), and supporting technologies specified in the BCP actually reflect the priorities and impact levels identified in the BIA for each operational area. Alternative facilities and backup/restoration procedures are important BCP components, but theprimary reasonfor comparison is to validate that the chosen solutions and recovery targets match business requirements. The BIA does not primarily “quantify the cost of the technology environment”; cost analysis may follow but is not the core BIA purpose. Therefore, ensuring that BCP objectives and enabling technology are consistent with BIA findings is the key objective of the comparison.

The correct answer is C because continuous monitoring is intended to detect changes in the risk and control environment quickly enough for management to respond. The uploaded CRISC notes state that “the most significant benefit of implementing a continuous risk management process” is that it captures changes to the enterprise risk profile, and that a main purpose of continuous monitoring is detecting changes to the enterprise’s risk environment.

A, B, and D may be secondary benefits, but they are not the greatest benefit. Benchmarking, investment support, and stakeholder identification do not provide the same direct risk-management value as timely detection of emerging risk.

===========