Isaca Updated CRISC Exam Questions and Answers by cobie

An IT risk register is a document that records and tracks the significant IT risks that an organization faces across its various functions, processes, and activities. An IT risk register can help to provide a comprehensive and consistent view of the organization’s IT risk profile, and to support the decision making and reporting of the IT risk management function1.

One of the data that must be updated to maintain an IT risk register is the expected frequency and potential impact of each IT risk. The expected frequency is the probability or likelihood of the IT risk occurring, based on historical data, statistical analysis, expert judgment, or other methods. The potential impact is the magnitude or severity of the consequences or outcomes of the IT risk, measured in terms of cost, time, quality, reputation, or other criteria2.

Updating the expected frequency and potential impact of each IT risk is essential for maintaining an IT risk register, because it can help to:

Evaluate and prioritize the IT risks based on their risk level, which is calculated by multiplying the frequency and impact

Monitor and track the changes or trends in the IT risk exposure and performance over time

Identify and implement the appropriate risk response strategies and controls, based on the risk level and the risk appetite and tolerance of the organization

Report and communicate the IT risk status and progress to the stakeholders, using risk indicators, dashboards, or matrices3

The other options are not the data that must be updated to maintain an IT risk register, but rather the data that are used as inputs or outputs of the IT risk management process. Risk tolerance is the acceptable variation in the outcomes related to specific objectives or risks. Risk tolerance is used to measure the IT risk analysis and to guide the IT risk response. Enterprise-wide IT risk assessment is a process that identifies, analyzes, and evaluates the IT risks across theorganization. Enterprise-wide IT risk assessment is used topopulate the IT risk register and to inform the IT risk response. Risk appetite is the amount and type of risk that an organization is willing to accept in order to achieve its objectives. Risk appetite is used to guide the IT risk analysis and to align the IT risk response. References =

Risk Register - ISACA

Risk Analysis - ISACA

Risk Register 2021-2022 - UNECE

[How To Conduct Business Impact Analysis in 8 Easy Steps - G2]

[Risk Appetite and Risk Tolerance - ISACA]

[Enterprise Risk Assessment - ISACA]

[CRISC Review Manual, 7th Edition]

Using an entry in the risk register to track the aggregate risk associated with server failure provides a comprehensive view of the impact should the servers simultaneously fail, as it considers the combined effect of the server failure on the enterprise’s objectives and operations. The risk register is a document that records and tracks the identified risks, their likelihood, impact, and mitigation strategies. By aggregating the risk associated with server failure, the risk register can help to estimate the worst-case scenario and to prioritize the risk response accordingly. It provides a cost-benefit analysis on controloptions available for implementation, it provides a view on where controls should be applied to maximize the uptime of servers, and it provides historical information about the impact of individual servers malfunctioning are not the primary benefits of using an entry in the risk register to track the aggregate risk associated with server failure, but rather the possible outcomes or actions of using the risk register. References = CRISC Certified in Risk and Information Systems Control –Question220; ISACA Certified in Risk and Information Systems Control (CRISC) Certification Exam Question and Answers, question 220.

The most effective way to limit the impact of a ransomware attack is to have data backups. Data backups are copies of the data that are stored in a separate location or device, and can be used to restore the data in case of a loss or corruption. Data backups can help to recover the data that is encrypted or deleted by the ransomware, and to avoid paying the ransom to the attackers. Data backups also help to reduce the downtime and disruption caused by the ransomware attack, and to maintain the business continuity and availability of the data. Cyber insurance, cryptocurrency reserve, and end user training are not the most effective ways to limit the impact of a ransomware attack, as they may not prevent or recover the data loss, and may incur additional costs or risks for the enterprise. References = Risk and Information Systems Control Study Manual, 7th Edition, Chapter 5, Section 5.1.1.1, page 2281

1: ISACA Certified in Risk and Information Systems Control (CRISC®) Exam Guide, Answer to Question 657.

Theimpact to business objectivesis paramount when developing risk scenarios, as the primary purpose of risk management is to protect and support business objectives. Understanding the impact helps tailor scenarios to potential risks that could disrupt key operations or strategic goals.