CRISC Certified in Risk and Information Systems Control


Question 16 (New Update)

A service provider is managing a client’s servers. During an audit of the service, a noncompliant control is discovered that will not be resolved before the next audit because the client cannot afford the downtime required to correct the issue. The service provider’s MOST appropriate action would be to:

  • develop a risk remediation plan overriding the client's decision

  • make a note for this item in the next audit explaining the situation

  • insist that the remediation occur for the benefit of other customers

  • ask the client to document the formal risk acceptance for the provider

Question 17 (Volume D)

When reviewing a business continuity plan (BCP), which of the following would be the MOST significant deficiency?

  • BCP is often tested using the walkthrough method

  • BCP testing is not in conjunction with the disaster recovery plan (DRP)

  • Each business location has separate, inconsistent BCPs

  • Recovery time objectives (RTOs) do not meet business requirements

Question 18 (Volume D)

The BEST indication that risk management is effective is when risk has been reduced to meet:

  • risk appetite

  • risk capacity

  • risk levels

  • risk budgets