Isaca Updated CRISC Exam Questions and Answers by jakub

The risk register is a document that records the identified risks, their analysis, and their responses. It is a useful tool for monitoring and controlling the risks throughout the project lifecycle. However, the risk register is not a static document and it should be updated regularly to reflect the changes in the risk environment and the project status. Therefore, when reviewing therisk register, a risk practitioner should not only look at the risk ratings, but also the assumptions and the rationale behind them. Different business units may have different perspectives, contexts, and data sources for the same risk scenario, which can result in significant variances in inherent risk. Inherent risk is the risk level before considering the existing controls or responses. Therefore, the best course of action is to review the assumptions of both risk scenarios to determine whether the variance is reasonable or not. This can help to identify any errors, inconsistencies, or biases in the risk assessment process, and to ensure that the risk register reflects the current and accurate state of the risks. References = Risk and Information Systems Control Study Manual, Chapter 3, Section 3.2.1, p. 106-107

The greatest concern for a risk practitioner when reviewing the findings of a security awareness program assessment is that the program uses non-customized training modules. Non-customizedtraining modules are generic and may not address the specific security needs, issues, and challenges of the organization. They may also fail to engage and motivate the employees to follow the security policies and procedures, and to enhance their security knowledge and skills. The program not decreasing threat counts, not considering business impact, or being significantly revised are other possible findings, but they are not as concerning as the program using non-customized training modules. References = ISACA Certified in Risk and Information Systems Control (CRISC) Certification Exam Question and Answers, question 7; CRISC Review Manual, 6th Edition, page 202.

Residual risk is the risk that remains after the risk response has been implemented. Risk tolerance is the acceptable level of variation from the desired outcome or objective. If the residual risk is within the risk tolerance, it means that the risk response has been effective in reducing the risk to an acceptable level.

References

•ISACA CRISC Review Manual, 7th Edition, Domain 3: Risk Response, Section 3.1.1: Residual Risk

•Residual Risk: Definition, Formula & Management - Video & Lesson Transcript | Study.com

•Risk Tolerance - ISACA

CRISC highlights that inadequate termination or role-change procedures for access rights expose the organization to serious insider threats. When users change roles but retain access not needed for their new responsibilities, the risk offraudulent insider activitiesand unauthorized use of systems significantly increases. Excessive privileges can be abused intentionally or misused accidentally, leading to data breaches, financial loss, or regulatory non-compliance. While noncompliance with policy is an issue, it is a secondary, formal concern—the primary risk is actual misuse of privileges. Misaligned job duties and inefficiencies in access review are consequences but not as severe as the potential for fraud, sabotage, or data theft. Therefore, the greatest concern is the exposure to insider risk due to inadequate de-provisioning and access recertification processes.