QUESTION 1
Which of the following observations would be the GREATEST concern to a risk practitioner evaluating an organization’s risk management practices?
A. Business leaders provide final approval for information security policies.
B. Senior management does not set risk tolerance.
C. Several risk scenarios have action plans spanning multiple years.
D. Senior management has approved numerous requests for risk acceptance.
Correct Answer: B
QUESTION 2
Which of the following is a risk practitioner’s BEST course of action upon receiving information about a new threat that has impacted a peer organization?
A. Update the threat inventory.
B. Conduct a vulnerability assessment.
C. Implement compensating controls.
D. Report the threat to senior management.
Correct Answer: B
QUESTION 3
An organization requires all new employees to complete cybersecurity awareness training within 30 days of being onboarded. What type of metric would monitor the completion status?
A. Key performance indicator (KPI)
B. Critical success factor (CSF)
C. Key control indicator (KCI)
D. Key risk indicator (KRI)
Correct Answer: A
QUESTION 4
An organization has observed an increasing trend of social engineering attempts facilitated by phishing emails. Which control type is the risk practitioner’s BEST recommendation to reduce the risk likelihood?
A. Preventive
B. Compensating
C. Corrective
D. Detective
Correct Answer: A
QUESTION 5
Which of the following should be done FIRST when a business unit revises a key business process?
A. Review risk ownership.
B. Conduct a control self-assessment (CSA).
C. Perform a risk assessment.
D. Revise risk policies and procedures.
Correct Answer: C
QUESTION 6
Which of the following enterprise architecture (EA) controls BEST mitigates the risk of increasingly complex systems becoming compromised by unauthorized network access?
A. Requirements to change default settings on network devices
B. Complex password policy and procedures
C. Continuous access verification and authentication
D. Continuous network vulnerability scanning and remediation
Correct Answer: C
QUESTION 7
Which of the following is the BEST approach when developing information security requirements for a global organization?
A. Develop a global policy to be applied uniformly by each country.
B. Develop country-specific policies to address local regulations.
C. Develop a global policy that accommodates country-specific requirements.
D. Develop policies with less restrictive requirements to ensure consistency across the organization.
Correct Answer: C
QUESTION 8
A cloud service provider has completed upgrades to its cloud infrastructure to enhance service availability. Which of the following is the MOST important key risk indicator (KRI) for management to monitor?
A. Number of incidents with downtime exceeding contract threshold
B. Percentage of technology upgrades resulting in security breaches
C. Peak demand on the cloud service during business hours
D. Percentage of servers not patched per policy
Correct Answer: A
QUESTION 9
Which of the following is the MOST important factor to consider when determining whether to approve a policy exception request?
A. Volume of exceptions
B. Time required to implement controls
C. Lack of technical resources
D. Cost of noncompliance
Correct Answer: D
QUESTION 10
Which of the following is the PRIMARY reason for an organization to rely on a business impact analysis (BIA) when planning continuity strategies for an organization?
A. Details on recovery cost
B. Evaluation of restoration procedures
C. Quantification of recovery objectives
D. Identification of alternative facilities
Correct Answer: C
QUESTION 11
A recently hired IT risk practitioner has been asked to conduct an annual risk assessment of the organization’s e-commerce solution. The available documentation indicates the existing set of risk scenarios was developed five years ago using a formal and well-known methodology. Which of the following should be of MOST concern to the practitioner?
A. Some risk remediation activities from the last assessment are still in progress.
B. The risk scenario development process was led by an external consultant.
C. The number of risk scenarios is very high.
D. The risk scenarios have never been updated.
Correct Answer: D
QUESTION 12
Which of the following BEST enables an organization to mitigate ethical risk?
A. Reorganization of business processes to deter unethical activities
B. Ethics training for staff during onboarding
C. Senior leadership communication of ethics policies
D. A culture of ethical integrity from the top down
Correct Answer: D
QUESTION 13
To effectively address ethical risk within an organization, who MUST ensure the ethics policy is enforced and equally applied to all levels of authority?
A. Ethics and compliance team
B. Local authorities and regulators
C. Senior management
D. Internal audit team
Correct Answer: C
QUESTION 14
Which of the following criteria would a CISO find MOST useful when reviewing key performance indicators (KPIs) for the efficiency of the risk assessment process in an organization?
A. The number of hours spent assessing risk
B. The percentage of risk scenarios realized
C. The percentage of planned annual risk assessments completed
D. The number of assessments presented to asset owners
Correct Answer: C
QUESTION 15
The PRIMARY benefit of threat modeling is that it helps to:
A. examine threat scenarios with different attributes during risk assessment.
B. analyze insider threats resulting in loss to the organization.
C. determine the likelihood and impact on the organization when threats materialize.
D. identify threat actors to assess the possibility of threats materializing
Correct Answer: A
QUESTION 16
Which of the following stakeholders establishes risk capacity?
A. Corporate legal
B. Risk practitioner
C. Risk owner
D. Executive management
Correct Answer: D
QUESTION 17
An organization’s risk profile indicates that residual risk levels have fallen significantly below management’s risk appetite. Which of the following is the BEST course of action?
A. Decrease monitoring of residual risk levels.
B. Add more risk scenarios to the risk register.
C. Increase risk appetite.
D. Optimize controls.
Correct Answer: D
QUESTION 18
Which of the following is the MOST important consideration when determining the appropriate data retention period throughout the data management life cycle?
A. Legal and regulatory requirements
B. Data storage and collection methods
C. Choice of encryption algorithms
D. Data owner preferences
Correct Answer: A
QUESTION 19
A risk practitioner has noted repeated instances of scope creep in an organization’s information security projects. Which of the following is the BEST recommendation to address this situation?
A. Require approved project change requests.
B. Escalate cost overruns to project sponsors.
C. Increase scope and budget proportionately.
D. Provide financial incentives for on-time delivery.
Correct Answer: A
QUESTION 20
Which of the following would BEST enable an effective control environment?
A. Prioritize investments for resource allocation.
B. Implement continuous control monitoring.
C. Align control ownership with business lines.
D. Consult with internal audit.
Correct Answer: C
We use cookies to improve your experience, including essential cookies required for the website to function. By continuing, you agree to our use of cookies. Learn more.
We use cookies to help you navigate efficiently and perform certain functions. You will find detailed information about all cookies under each consent category below.
Necessary cookies are required to enable the basic features of this site, such as providing secure log-in or adjusting your consent preferences. These cookies do not store any personally identifiable data.
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics such as the number of visitors, bounce rate, traffic source, etc.
Advertisement cookies are used to provide visitors with customised advertisements based on the pages you visited previously and to analyse the effectiveness of the ad campaigns.
Functional cookies help perform certain functionalities like sharing the content of the website on social media platforms, collecting feedback, and other third-party features.