- (Exam Topic 1)
IT management has asked for a consolidated view into the organization's risk profile to enable project prioritization and resource allocation. Which of the following materials would be MOST helpful?

1. A. IT risk register
2. B. List of key risk indicators
3. C. Internal audit reports
4. D. List of approved projects

Correct Answer: A

- (Exam Topic 3)
When reviewing a business continuity plan (BCP). which of the following would be the MOST significant deficiency?

1. A. BCP testing is net in conjunction with the disaster recovery plan (DRP)
2. B. Recovery time objectives (RTOs) do not meet business requirements.
3. C. BCP is often tested using the walk-through method.
4. D. Each business location has separate, inconsistent BCPs.

Correct Answer: B

- (Exam Topic 3)
Which of The following is the MOST comprehensive input to the risk assessment process specific to the effects of system downtime?

1. A. Business continuity plan (BCP) testing results
2. B. Recovery lime objective (RTO)
3. C. Business impact analysis (BIA)
4. D. results Recovery point objective (RPO)

Correct Answer: C

- (Exam Topic 2)
What should a risk practitioner do FIRST upon learning a risk treatment owner has implemented a different control than what was specified in the IT risk action plan?

1. A. Seek approval from the control owner.
2. B. Update the action plan in the risk register.
3. C. Reassess the risk level associated with the new control.
4. D. Validate that the control has an established testing method.

Correct Answer: C

- (Exam Topic 4)
Which of the following is MOST helpful in identifying loss magnitude during risk analysis of a new system?

1. A. Recovery time objective (RTO)
2. B. Cost-benefit analysis
3. C. Business impact analysis (BIA)
4. D. Cyber insurance coverage

Correct Answer: C