Isaca Certified in Risk and Information Systems Control CRISC Question # 124 Topic 13 Discussion

CRISC Exam Topic 13 Question 124 Discussion:

Question #: 124

Topic #: 13

A peer review of a risk assessment finds that a relevant threat community was not included. Mitigation of the risk will require substantial changes to a software application. Which of the following is the BEST course of action?

Ask the business to make a budget request to remediate the problem.

Build a business case to remediate the fix.

Research the types of attacks the threat can present.

Determine the impact of the missing threat.

Get Premium CRISC Questions

Explanation

Determining the impact of the missing threat is the best course of action for a peer review of a risk assessment, as it helps to assess the potential consequences and severity of the threat on the information system and the business objectives. Determining the impact of the missing threat is a process of estimating and quantifying the possible harm or loss that could result from the occurrence of the threat event, such as data breach, system failure, or service disruption. Determining the impact of the missing threat can help to:

Identify and prioritize the critical assets, processes, and functions that could be affected by the threat

Evaluate and measure the extent and magnitude of the damage or disruption caused by the threat

Analyze and compare the current and residual risk levels and control effectiveness

Develop and implement appropriate risk response and mitigation strategies and actions

Communicate and report the risk exposure and status to the relevant stakeholders

Determining the impact of the missing threat is an essential step to ensure the completeness and accuracy of the risk assessment and to improve the quality and reliability of the risk management and control processes.

The other options are not the best courses of action for a peer review of a risk assessment. Asking the business to make a budget request to remediate the problem is a possible action to allocate the resources and costs for the risk mitigation, but it does not address the root cause or the severity of the problem. Building a business case to remediate the fix is a possible action to justify and support the risk mitigation, but it does not provide a clear and comprehensive analysis of the problem. Researching the types of attacks the threat can present is a possible action to understand and anticipate the threat scenarios andtechniques, but it does not evaluate the actual or potential impact of the threat. References = Risk Assessment and Analysis Methods: Qualitative and Quantitative, IT Risk Resources | ISACA, Peer Review Assessment Framework

Actual exam question for Isaca CRISC exam by Axel9760 at Aug 3, 2025, 11:27:04 AM

Contribute your Thoughts:

Chosen Answer: A B C D
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.

Isaca Certified in Risk and Information Systems Control CRISC Question # 124 Topic 13 Discussion

Isaca Certified in Risk and Information Systems Control CRISC Question # 124 Topic 13 Discussion

Correct Answer:

Options Selected by Other Users:

Contribute your Thoughts:

Isaca Certified in Risk and Information Systems Control CRISC Question # 124 Topic 13 Discussion

Isaca Certified in Risk and Information Systems Control CRISC Question # 124 Topic 13 Discussion

Correct Answer:

Options Selected by Other Users:

Contribute your Thoughts:

Awaiting moderator approval