isaca CRISC Exam Questions

Questions for the CRISC were updated on: Nov 30, 2025

Page 1 out of 121. Viewing questions 1-15 out of 1810

Question 1

Which of the following is the FIRST step when identifying risk items related to a new IT project?

  • A. Conduct a cost-benefit analysis.
  • B. Review the IT control environment.
  • C. Review the business case.
  • D. Conduct a gap analysis.
Answer:

C

Question 2

Which of the following is MOST important when creating a program to reduce ethical risk?

  • A. Defining strict policies
  • B. Developing an organizational communication plan
  • C. Conducting a gap analysis
  • D. Obtaining senior management commitment
Answer:

D

Question 3

An organization has implemented immutable backups to prevent successful ransomware attacks.
Which of the following is the MOST effective control for the risk practitioner to review?

  • A. Data recovery testing of the backups
  • B. Physical security of the backups
  • C. Configuration of the backup solution
  • D. Retention policy for the backups
Answer:

C

Question 4

Which of the following is the GREATEST benefit of involving business owners in risk scenario
development?

  • A. Business owners have the ability to effectively manage risk.
  • B. Business owners have authority to approve control implementation.
  • C. Business owners understand the residual risk of competitors.
  • D. Business owners are able to assess the impact.
Answer:

D

Question 5

Which of the following is the PRIMARY objective of risk management?

  • A. To achieve business objectives
  • B. To minimize business disruptions
  • C. To identify threats and vulnerabilities
  • D. To identify and analyze risk
Answer:

A

Question 6

During a data loss incident, which role in the RACI chart would be aligned to the risk practitioner?

  • A. Responsible
  • B. Accountable
  • C. Informed
  • D. Consulted
Answer:

D

Question 7

Which of the following situations would cause the GREATEST concern around the integrity of
application logs?

  • A. Weak privileged access management controls
  • B. Lack of a security information and event management (SIEM) system
  • C. Lack of data classification policies
  • D. Use of hashing algorithms
Answer:

A

Question 8

Before selecting a final risk response option for a given risk scenario, management should FIRST:

  • A. determine control ownership.
  • B. evaluate the risk response of similar sized organizations.
  • C. evaluate the organization's ability to implement the solution.
  • D. determine the remediation timeline.
Answer:

C

Question 9

Which of the following is the MOST effective way to identify changes in the performance of the
control environment?

  • A. Evaluate key performance indicators (KPIs).
  • B. Perform a control self-assessment (CSA).
  • C. Implement continuous monitoring.
  • D. Adjust key risk indicators (KRIs).
Answer:

C

Question 10

Which of the following is the PRIMARY role of the first line of defense with respect to information
security policies?

  • A. Draft the information security policy.
  • B. Approve the information security policy.
  • C. Audit the implementation of the information security policy.
  • D. Implement controls in response to the policy requirements.
Answer:

D

Question 11

An online retailer has decided to store its customer database with a cloud provider in an
Infrastructure as a Service (IaaS) configuration. During an initial review of preliminary risk scenarios,
a risk practitioner identifies instances where sensitive customer information is stored unencrypted.
Who is accountable for ensuring this encryption?

  • A. The cloud provider
  • B. The retailer's IT department
  • C. The chief information officer (CIO)
  • D. The data owner
Answer:

B

Question 12

Which of the following BEST enables senior management to make risk treatment decisions in line
with the organization's risk appetite?

  • A. Quantitative risk analysis
  • B. Industry risk benchmarks
  • C. Risk scenarios
  • D. Risk remediation plans
Answer:

A

Question 13

Which of the following is the MOST important risk management activity during project initiation?
  • A. Defining key risk indicators (KRIs)
  • B. Classifying project data
  • C. Identifying key risk stakeholders
  • D. Establishing a risk mitigation plan

Answer:

C

Question 14

A risk practitioner is asked to present the results of the most recent technology risk assessment to
executive management in a concise manner. Which of the following is MOST important to include in
the presentation?

  • A. Residual risk levels
  • B. Compensating controls
  • C. Details of vulnerabilities
  • D. Failed high-risk controls
Answer:

A

Question 15

Which of the following should be given the HIGHEST priority when developing a response plan for
risk assessment results?

  • A. Risk that has been untreated
  • B. Items with a high inherent risk
  • C. Items with the highest likelihood of occurrence
  • D. Risk that exceeds risk appetite
Answer:

B
