Isaca Updated CRISC Exam Questions and Answers by zayd

When reviewing a report on the performance of control processes, it is most important to verify whether the residual risk objectives have been achieved, as this indicates the extent to which the control processes have reduced the risk to an acceptable level. Residual risk is the risk that remains after the implementation of controls, and it should be aligned with the risk appetite and tolerance of the enterprise. Business process objectives, regulatory standards, and control process design are not the most important factors to verify,as they do not directly measure the effectiveness and efficiency of the control processes in managing the risk. References = CRISCPractice Quiz and Exam Prep; CRISC: Certified in Risk & Information Systems Control Sample Questions, question 209.

The correct answer isBbecause when a business unit cannot fully implement a required security policy, the best way to manage the related risk is through anexception managementprocess. This allows the deviation to be formally reviewed, justified, approved by the appropriate authority, documented, and monitored with awareness of the resulting residual risk.

The other options are less appropriate:

A. Change managementcontrols how changes are introduced, but it does not formally manage policy deviations.

C. Configuration managementhelps maintain technical baselines, but it does not address acceptance of noncompliance with policy.

D. Incident managementis used after an event occurs, not for governing approved deviations from policy.

Exact Extracts supporting the answer:

“In the absence of a formal policy on personal devices in the workplace the risk practitioner should recommend implementing an exception process based on appropriate approvals.”

“The primary reason for initiating a policy-exception process is the risk being justified by the benefit.”

“When an enterprise wants to quickly implement a technical solution that deviates from the company’s policies the risk practitioner should recommend a risk assessment and subsequent implementation only if residual risk is accepted.”

“The BEST way to ensure appropriate mitigation occurs on identified information systems vulnerabilities is by assigning action plans with deadlines to responsible personnel.”

These extracts directly support that a formalexception managementprocess is the best mechanism for managing risk when policy cannot be fully implemented.

===========

According to the CRISC Review Manual (Digital Version), a contract associated with a cloud service provider must include ownership of responsibilities, as this defines the roles and obligations of both the cloudprovider and the customer in relation to the cloud services. The contract should specify who is responsible for:

Service delivery and performance

Data security and privacy

Compliance with regulations and standards

Incident management and reporting

Business continuity and disaster recovery

Change management and configuration control

Intellectual property rights and licensing

Termination and data egress

The contract should also include service level agreements (SLAs) that measure and monitor the quality and availability of the cloud services, as well as remedies and penalties for non-compliance. The contract should also address pricing and payment terms, dispute resolution mechanisms, and liability and indemnification clauses.

References = CRISC Review Manual (Digital Version), Chapter 3: IT Risk Response, Section 3.3: Risk Response Options, pp. 173-1741

A risk map is a visual tool that helps to communicate risk to management by showing the likelihood and impact of different risks on a matrix1. A risk map can help to:

Identify the most critical risks that need immediate attention or action

Compare and prioritize risks based on their severity and probability

Align risk management strategies with the organization’s risk appetite and tolerance

Communicate risk information in a clear and concise way that is easy to understand and interpret2

References = Risk and Information Systems Control Study Manual, Chapter 5: Risk Assessment Process3