Free CRISC Certification MCQ Questions and Answers

Question 1

Which of the following BEST describes an effective incident response training program?

Accepted Answer

Increased reporting of security incidents to the response team

Answer

An effective incident response training program empowers employees to recognize and report security incidents promptly. Increased reporting indicates that staff are better trained to identify potential threats and understand the importance of escalating them, leading to faster detection and response. This proactive behavior is a key sign of a successful training program.

Question 2

Which of the following elements will most strongly influence the kind of information security governance model a company chooses to implement?

Accepted Answer

The organizational structure

Answer

The organizational structure dictates reporting lines, roles, responsibilities, and decision-making processes within an enterprise. An information security governance model must align with this structure to be effective, ensuring clear accountability, appropriate authority, and seamless integration into existing operational frameworks. It is foundational to how governance is implemented and sustained.

Question 3

Using comparable network technology, an enterprise learns of a security breach at another organization. The MOST crucial thing a risk practitioner should do is:

Accepted Answer

Assess the likelihood of the incident occurring at the risk practitioner’s enterprise

Answer

When a similar organization experiences a breach, it serves as a strong indicator of potential vulnerability. The most crucial action for a risk practitioner is to immediately assess if their own enterprise faces a similar likelihood of the incident, given their comparable technology and environment. This proactive assessment helps determine if mitigation actions are needed to prevent a similar occurrence.

Question 4

An anti-malware system has been installed by an IT company to lower risk. Which of the following statements BEST explains how this control lowers risk, assuming it is operating within the parameters set?

Accepted Answer

The control reduces the impact of malware on company computers but does not reduce the probability of those attacks

Answer

An anti-malware system primarily functions to detect and neutralize malware *after* it has attempted to infect a system. While it doesn't prevent the *probability* of an attack attempt (e.g., someone clicking a malicious link), it significantly reduces the *impact* by preventing successful infection, data corruption, or system compromise. Thus, it reduces the impact, not the probability of the initial attack.

Question 5

Which of the following will help you create a set of recovery time goals the MOST?

Accepted Answer

Business impact analysis

Answer

A Business Impact Analysis (BIA) identifies critical business functions and processes, determines the maximum tolerable downtime (MTD) for each, and quantifies the impact of disruptions. This information is essential for setting realistic and appropriate Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs), which are the core of recovery time goals. The BIA provides the necessary data to define these targets.

CRISC - Certified in Risk and Information Systems Control Practice Test

CRISC - Certified in Risk and Information Systems Control Practice Test

Free CRISC Certification MCQ Questions and Answers