Isaca Updated CRISC Exam Questions and Answers by harleen

 According to the Risk Assessment and Management: A Complete Guide, risk magnitude is the product of the likelihood and impact of a risk scenario. Risk magnitude is an important factor to consider before choosing risk treatment options, as it indicates the level of exposure and potential harm that the organization faces from the risk scenario. Risk treatment options should be selected based on the risk magnitude, as well as the risk appetite and tolerance of the organization. For a scenario with significant impact, the risk magnitude is likely to be high, and therefore the risk treatment options should aim to reduce the likelihood and/or impact of the risk scenario as much as possible, or to transfer or avoid the risk altogether. References = Risk Assessment and Management: A Complete Guide, ISO 27001 Risk Assessment & Risk Treatment: The Complete Guide

The most important objective of embedding risk management practices into the initiation phase of the project management life cycle is to assess inherent risk. Inherent risk is the risk that exists before any controls or mitigations are applied. By assessing inherent risk in the initiation phase, the project team can identify the potential sources, causes, and impacts of risk that may affect the project objectives, scope, and deliverables. Assessing inherent risk in the initiation phase also helps to prioritize the risks, determine the risk appetite and tolerance, and plan the risk responses. Delivering projects on time and on budget, including project risk in the enterprise-wide IT risk profile, and assessing risk throughout the project are important objectives of risk management, but they are not the most important objective of embedding risk management practices into the initiation phase. References = Risk and Information Systems Control Study Manual, 7th Edition, Chapter 2, Section 2.1.1.1, page 511

1: ISACA Certified in Risk and Information Systems Control (CRISC®) Exam Guide, Answer to Question 658.

Commitment to controls is the degree to which the organization and its stakeholders support and adhere to the controls that are designed and implemented to manage or mitigate the risks1. Commitment to controls is essential for ensuring the effectiveness and efficiency of the controls, as well as the achievement of the organization’s objectives and strategies2. The best way to promote commitment to controls is to assign control ownership, which is the process of identifying and assigning the person or entity that has the authority and accountability for a control and its management3. By assigning control ownership, the organization can ensure that the controls are properly and promptly designed, implemented, monitored, and maintained, and that the issues or gaps in the controls are identified andresolved4. Assigning control ownership also helps to establish and communicate the roles and responsibilities of the control owners and the other stakeholders, and to enforce the accountability and performance of the control owners5. Assigning appropriate resources, assigning a quality control review, and performing regular independent control reviews are not the best ways to promote commitment to controls, as they do not provide the same level of authority and accountability as assigning control ownership. Assigning appropriate resources is the process of allocating and providing the necessary funds, staff, equipment, or technology that are required to support or enable the controls. Assigning appropriate resources can enhance the quality and performance of the controls, but it does not ensure that the controls are managed or maintained by a specific person or entity. Assigning a quality control review is the process of conducting and documenting a systematic and objective examination and evaluation of the controls, to ensure that they meet the established standards and requirements. Assigning a quality control review can improve the reliability and compliance of the controls, but it does not ensure that the controls are owned or operated by a specific person or entity. Performing regular independent control reviews is the process of performing and reporting an independent and impartial assessment and verification of the controls, to provide assurance and advice on the adequacy and effectiveness of the controls. Performing regular independent control reviews can provide feedback and recommendations for the controls, but it does notensure that the controls are implemented or improved by a specific person or entity. References = 1: Commitment Controls - IMF2: 17 COSO Principles of Effective Internal Control | Weaver3: [Control Ownership - ISACA] 4: [Risk and Information Systems Control Study Manual, Chapter 5: Information Systems Control Design and Implementation, Section 5.1: Control Design, pp. 233-235.] 5: [Risk and Information Systems Control Study Manual, Chapter 5: Information Systems Control Design and Implementation, Section 5.2: Control Implementation, pp. 243-245.] : Resource Allocation - an overview | ScienceDirect Topics : Quality Control Review - an overview | ScienceDirect Topics : IT Risk Resources | ISACA : [Risk and Information Systems Control Study Manual, Chapter 2: IT Risk Assessment, Section 2.1: Risk Identification, pp. 57-59.] : [Risk and Information Systems Control Study Manual, Chapter 4: Risk and Control Monitoring and Reporting, Section 4.2: Risk Monitoring, pp. 189-191.] : [Risk and Information Systems Control Study Manual, Chapter 5: Information Systems Control Design and Implementation, Section 5.3: Control Monitoring and Maintenance, pp. 251-253.]

 According to the CRISC Review Manual (Digital Version), the business significance of the information is the most important criterion when developing a response to an attack that would compromise data, as it determines the impact and severity of the attack on the organization’s objectives and performance. The business significance of the information helps to:

Assess the value and sensitivity of the data that is compromised or at risk of compromise

Evaluate the potential losses or damages that the organization may incur due to the data compromise

Prioritize the data recovery and restoration activities based on the criticality and urgency of the data

Communicate and coordinate the data breach response and notification with the relevant stakeholders, such as the data owners, the customers, the regulators, and the media

Enhance the data protection and security measures to prevent or mitigate future data compromise incidents

References = CRISC Review Manual (Digital Version), Chapter 3: IT Risk Response, Section 3.3: Risk Response Options, pp. 174-1751