- (Exam Topic 3)
Which of the following would be a risk practitioner’s BEST recommendation upon learning of an updated cybersecurity regulation that could impact the organization?

1. A. Perform a gap analysis
2. B. Conduct system testing
3. C. Implement compensating controls
4. D. Update security policies

Correct Answer: A

- (Exam Topic 2)
A risk assessment indicates the residual risk associated with a new bring your own device (BYOD) program is within organizational risk tolerance. Which of the following should the risk practitioner
recommend be done NEXT?

1. A. Implement targeted awareness training for new BYOD users.
2. B. Implement monitoring to detect control deterioration.
3. C. Identify log sources to monitor BYOD usage and risk impact.
4. D. Reduce the risk tolerance level.

Correct Answer: B

- (Exam Topic 2)
Which of the following would BEST help identify the owner for each risk scenario in a risk register?

1. A. Determining which departments contribute most to risk
2. B. Allocating responsibility for risk factors equally to asset owners
3. C. Mapping identified risk factors to specific business processes
4. D. Determining resource dependency of assets

Correct Answer: C

- (Exam Topic 3)
Which of the following would provide the BEST evidence of an effective internal control environment/?

1. A. Risk assessment results
2. B. Adherence to governing policies
3. C. Regular stakeholder briefings
4. D. Independent audit results

Correct Answer: D

- (Exam Topic 2)
Following a review of a third-party vendor, it is MOST important for an organization to ensure:

1. A. results of the review are accurately reported to management.
2. B. identified findings are reviewed by the organization.
3. C. results of the review are validated by internal audit.
4. D. identified findings are approved by the vendor.

Correct Answer: A