Isaca Updated CRISC Exam Questions and Answers by harri

According to the CRISC Review Manual, an enterprise-wide ethics training and awareness program is one of the key elements of a strong risk culture, as it helps to promote ethical behavior, raise awareness of risk management principles and practices, and foster a culture of accountability and transparency2

1: Developing Collective Risk Leadership Through CRISC - ISACA 2: CRISC Review Manual, 7th Edition, page 23

 User Access Management:

Effective user access management ensures that accounts are properly created, managed, and disabled to prevent unauthorized access.

Monitoring the percentage of accounts disabled within the SLA helps ensure that the organization responds promptly to changes in user status, reducing the risk of unauthorized access.

 Importance of KPI:

This KPI measures the efficiency and effectiveness of the user access management process by tracking how quickly accounts are disabled when no longer needed.

A high percentage indicates timely action, reducing the risk of orphaned accounts being exploited.

 Comparing Other KPIs:

Proportion of End Users Having More Than One Account: Useful but not directly related to the timeliness of disabling accounts.

Proportion of Privileged to Non-Privileged Accounts: Important for monitoring privilege distribution but does not measure process efficiency.

Percentage of Accounts Not Activated: Indicates potential inefficiencies but does not address the risk of active accounts.

 References:

The CRISC Review Manual highlights the importance of timely account management to mitigate access risks (CRISC Review Manual, Chapter 3: Risk Response and Mitigation, Section 3.3 User Access Management)​​.

Key risk indicators provide predictive insights into emerging risks, enabling timely interventions to keep risks within acceptable levels. This aligns with Risk Monitoring and Reporting best practices.

Risk avoidance involves ceasing activities that expose the organization to significant risks, such as shutting down the sales order system. This decision aligns with Risk Treatment Strategies aimed at eliminating exposure.