Isaca Updated CRISC Exam Questions and Answers by woody

When the cost of mitigating a risk exceeds the benefit,organizations may adjust their risk toleranceto accept a higher level of risk. Thus, financial feasibility influences how much risk the organization is willing to accept.

The effectiveness of risk treatment determines whether the selected response sufficiently mitigates the identified risk. This consideration ensures alignment with risk appetite and reduces residual risk to acceptable levels, reflecting the priorities set out in theRisk Response and Treatmentdomain of CRISC.

According to the CRISC Review Manual, the most important time to involve business stakeholders in the development of bottom-up IT risk scenarios is when validating the risk scenarios, as they can provide valuable input on the relevance, completeness, and accuracy of the scenarios and their impact on the business objectives and processes2

1: CRISC Review Questions, Answers & Explanations Database, Question ID: 100001 2: CRISC Review Manual, 7th Edition, page 97

According to the ISACA Risk and Information Systems Control study guide and handbook, the most comprehensive approach to capture the risk scenario of collecting and storing credit card information is event tree analysis (ETA). ETA is a forward, top-down, logical modeling technique that explores the responses and outcomes of a single initiating event, such as a data breach or a cyberattack. ETA can help to identify all possible consequences of the scenario, such as financial losses, reputational damages, legal liabilities, regulatory penalties, and customer dissatisfaction. ETA can also help to assess the probabilities of the outcomes and the effectiveness of the controls and mitigation strategies12

1: ISACA Risk and Information Systems Control Study Guide, 4th Edition, page 33 2: ISACA Risk and Information Systems Control Handbook, 1st Edition, page 25