Isaca Updated CRISC Exam Questions and Answers by camilla

A maturity model is a tool that assesses the level of development and performance of key processes within an organization. A maturity model typically defines a set of criteria, standards, and best practices for each process, and assigns a rating or score based on the degree of compliance or achievement. A maturity model can help compare the current state of key processes to their desired state, by identifying the strengths, weaknesses, gaps, and opportunities for improvement. A maturity model can also help establish a roadmap for process improvement, by setting realistic and measurable goals and objectives, and monitoring the progress and results. References = Risk and Information Systems Control Study Manual, Chapter 1: IT Risk Identification, Section 1.4: IT Risk Scenarios, p. 49-50.

The greatest inherent risk in IoT adoption is the potential for vulnerabilities within device software and connectivity. The best way to reduce this risk is to implement secure-by-design and secure-coding practices from the outset.

CRISC guidance:

“For emerging technologies such as IoT, risk mitigation begins with embedding secure design, coding, and configuration practices throughout the development lifecycle.”

Pilot testing is beneficial but occurs later; secure design is foundational.

Hence, A is correct.

CRISC Reference: Domain 3 – Risk Response and Mitigation, Topic: Secure System Development and Emerging Technologies.

A mature program is indicated by employees recognizing phishing and actively reporting it—not just deleting it. ISACA guidance states that awareness programs should foster “threat identification and escalation actions,” not just passive compliance.