- (Exam Topic 3)
Which of the following should be the PRIMARY goal of developing information security metrics?

1. A. Raising security awareness
2. B. Enabling continuous improvement
3. C. Identifying security threats
4. D. Ensuring regulatory compliance

Correct Answer: B

- (Exam Topic 3)
A risk practitioner is preparing a report to communicate changes in the risk and control environment. The BEST way to engage stakeholder attention is to:

1. A. include detailed deviations from industry benchmarks,
2. B. include a summary linking information to stakeholder needs,
3. C. include a roadmap to achieve operational excellence,
4. D. publish the report on-demand for stakeholders.

Correct Answer: B

- (Exam Topic 3)
When updating the risk register after a risk assessment, which of the following is MOST important to include?

1. A. Historical losses due to past risk events
2. B. Cost to reduce the impact and likelihood
3. C. Likelihood and impact of the risk scenario
4. D. Actor and threat type of the risk scenario

Correct Answer: C

- (Exam Topic 3)
Which of the following is the MOST important key performance indicator (KPI) to monitor the effectiveness of disaster recovery processes?

1. A. Percentage of IT systems recovered within the mean time to restore (MTTR) during the disaster recovery test
2. B. Percentage of issues arising from the disaster recovery test resolved on time
3. C. Percentage of IT systems included in the disaster recovery test scope
4. D. Percentage of IT systems meeting the recovery time objective (RTO) during the disaster recovery test

Correct Answer: D

- (Exam Topic 3)
Which of the following is MOST important to compare against the corporate risk profile?

1. A. Industry benchmarks
2. B. Risk tolerance
3. C. Risk appetite
4. D. Regulatory compliance

Correct Answer: D