- (Exam Topic 3)
Which of the following is the BEST way to help ensure risk will be managed properly after a business process has been re-engineered?

1. A. Reassessing control effectiveness of the process
2. B. Conducting a post-implementation review to determine lessons learned
3. C. Reporting key performance indicators (KPIs) for core processes
4. D. Establishing escalation procedures for anomaly events

Correct Answer: A

- (Exam Topic 3)
An IT risk practitioner has been asked to regularly report on the overall status and effectiveness of the IT risk management program. Which of the following is MOST useful for this purpose?

1. A. Balanced scorecard
2. B. Capability maturity level
3. C. Internal audit plan
4. D. Control self-assessment (CSA)

Correct Answer: A

- (Exam Topic 2)
Which of the following is the PRIMARY reason to establish the root cause of an IT security incident?

1. A. Update the risk register.
2. B. Assign responsibility and accountability for the incident.
3. C. Prepare a report for senior management.
4. D. Avoid recurrence of the incident.

Correct Answer: D

- (Exam Topic 2)
The GREATEST concern when maintaining a risk register is that:

1. A. impacts are recorded in qualitative terms.
2. B. executive management does not perform periodic reviews.
3. C. IT risk is not linked with IT assets.
4. D. significant changes in risk factors are excluded.

Correct Answer: D

- (Exam Topic 3)
Who is BEST suited to provide objective input when updating residual risk to reflect the results of control effectiveness?

1. A. Control owner
2. B. Risk owner
3. C. Internal auditor
4. D. Compliance manager

Correct Answer: C