CRISC Certified in Risk and Information Systems Control – Question772

Several network user accounts were recently created without the required management approvals. Which of the following would be the risk practitioner's BEST recommendation to address this situation?

A. Investigate the root cause of noncompliance.
B. Declare a security breach and inform management.
C. Develop incident response procedure for noncompliance.
D. Conduct a comprehensive compliance review.

Correct Answer: A

CRISC Certified in Risk and Information Systems Control – Question771

Which of the following is the BEST indication of the effectiveness of a business continuity program?

A. Business continuity tests are performed successfully and issues are addressed.
B. Business continuity and disaster recovery plans are regularly updated.
C. Business impact analyses are reviewed and updated in a timely manner.
D. Business units are familiar with the business continuity plans and process.

Correct Answer: A

CRISC Certified in Risk and Information Systems Control – Question770

After the implementation of Internet of Things (IoT) devices, new risk scenarios were identified. What is the PRIMARY reason to report this information to risk owners?

A. To reevaluate continued use of IoT devices.
B. To recommend changes to the IoT policy.
C. To confirm the impact to the risk profile.
D. To add new controls to mitigate the risk.

Correct Answer: D

CRISC Certified in Risk and Information Systems Control – Question769

The PRIMARY objective for requiring an independent review of an organization's IT risk management process should be to:

A. ensure IT risk management is focused on mitigating potential risk.
B. confirm that IT risk assessment results are expressed as business impact.
C. assess gaps in IT risk management operations and strategic focus.
D. verify implemented controls to reduce the likelihood of threat materialization.

Correct Answer: C

CRISC Certified in Risk and Information Systems Control – Question768

Which of the following should be a risk practitioner's NEXT action after identifying a high probability of data loss in a system?

A. Conduct a control assessment.
B. Purchase cyber insurance from a third party.
C. Increase the frequency of incident reporting.
D. Enhance the security awareness program.

Correct Answer: A

CRISC Certified in Risk and Information Systems Control – Question767

Which of the following is MOST important for maintaining the effectiveness of an IT risk register?

A. Recording and tracking the status of risk response plans within the register.
B. Communicating the register to key stakeholders.
C. Performing regular reviews and updates to the register.
D. Removing entries from the register after the risk has been treated.

Correct Answer: C

CRISC Certified in Risk and Information Systems Control – Question766

Which of the following would be MOST helpful to a risk practitioner when ensuring that mitigated risk remains within acceptable limits?

A. Implementing a process for ongoing monitoring of control effectiveness.
B. Designing a process for risk owners to periodically review identified risk.
C. Ensuring risk owners participate in a periodic control testing process.
D. Building an organizational risk profile after updating the risk register.

Correct Answer: A

CRISC Certified in Risk and Information Systems Control – Question765

Which of the following is the MOST important topic to cover in a risk awareness training program for all staff?

A. The risk department's roles and responsibilities.
B. Policy compliance requirements and exceptions process.
C. The organization's information security risk profile.
D. Internal and external information security incidents.

Correct Answer: B