Isaca Updated CRISC Exam Questions and Answers by cobie

The risk practitioner should verify the cost-benefit of the new controls being implemented to ensure that they are aligned with the enterprise’s risk appetite and strategy, and that they provide value to the business. The other options are not as important as verifying the cost-benefit of the new controls, because:

Option A: Updating the risk register is a good practice, but it does not provide assurance that the new controls are effective and efficient.

Option B: Ensuring risk monitoring for the project is initiated is also a good practice, but it is not as urgent as verifying the cost-benefit of the new controls, which should be done before the project is closed.

Option C: Conducting and documenting a BIA is not relevant to the scenario, as the project is already completed and the new controls are implemented. References = Risk and Information Systems Control Study Manual, 7th Edition, ISACA, 2020, p. 184.

The business owner should own the risk if the ERP and payroll system fail to operate as expected, because the business owner is ultimately responsible for the business processes and objectives that depend on the systems. The other options are not the risk owners, because:

Option B: The ERP administrator is responsible for the technical aspects of the ERP system, but not the payroll system or the business outcomes.

Option C: The project steering committee is responsible for overseeing the project of replacing the ERP system, but not the ongoing operation and maintenance of the systems or the business risks.

Option D: The IT project manager is responsible for managing the project of replacing the ERP system, but not the payroll system or the business risks. References = Risk and Information Systems Control Study Manual, 7th Edition, ISACA, 2020, p. 90.

 A benchmark analysis is a process of comparing the organization’s performance, practices, and processes with those of other organizations in the same industry or sector. A benchmark analysis can provide the most useful information when determining the frequency of risk assessments, because it can help the organization to identify the best practices, standards, and expectations for security risk management in its industry. A benchmark analysis can also help the organization to assess its current level of maturity, capability, and compliance in relation to security risk management, and to determine the gaps and areas for improvement. By conducting a benchmark analysis, the organization can establish a realistic and appropriate frequency of risk assessments that aligns with its industry norms and its own risk profile. The other options are not as useful as a benchmark analysis, because they do not provide a comprehensive and relevant view of the security risk management landscape, but rather focus on specific or partial aspects of the organization’s situation. References = Risk and Information Systems Control Study Manual, Chapter 1, Section 1.3.2, page 18.

 The most essential content to include in an IT risk awareness program is how to comply with the organization’s IT risk and information security policies. This will help to ensure that the staff members are aware of their roles and responsibilities, and that they follow the best practices and standards to protect the organization’s information assets and systems. Compliance with the IT risk and information security policies also helps to reduce the likelihood and impact of IT-related incidents and breaches, and to align the IT activities with the organization’s objectives and strategies. Populating risk register entries, prioritizing IT-related actions, and defining the IT risk framework are important aspects of IT risk management, but they are not the most essential content to include in an IT risk awareness program. References = Risk and Information Systems Control Study Manual, 7th Edition, Chapter 5, Section 5.1.1.2, page 2291

1: ISACA Certified in Risk and Information Systems Control (CRISC®) Exam Guide, Answer to Question 646.