Isaca Certified in Risk and Information Systems Control CRISC Question # 205 Topic 21 Discussion

CRISC Exam Topic 21 Question 205 Discussion:

Question #: 205

Topic #: 21

Which of the following would be- MOST helpful to understand the impact of a new technology system on an organization's current risk profile?

Hire consultants specializing m the new technology.

Review existing risk mitigation controls.

Conduct a gap analysis.

Perform a risk assessment.

Get Premium CRISC Questions

Explanation

A risk assessment is a process of measuring and comparing the likelihood and impact of various risk scenarios, and prioritizing them based on their significance and urgency. A risk assessmentcan help the organization to understand and document the risks that may affect its objectives and operations, and to support the decision making and planning for the risk management.

Performing a risk assessment would be the most helpful to understand the impact of a new technology system on an organization’s current risk profile, because it can help the organization to address the following questions:

What are the potential benefits and challenges of implementing the new technology system, and how do they align with the organization’s objectives and needs?

What are the existing or emerging risks that may affect the new technology system, and how do they relate to the organization’s current risk profile?

How likely and severe are the risks that may affect the new technology system, and what are the possible consequences or impacts for the organization and its stakeholders?

How can the risks that may affect the new technology system be mitigated or prevented, and what are the available or feasible options or solutions?

Performing a risk assessment can help the organization to understand the impact of the new technology system on its current risk profile by providing the following benefits:

It can enable the comparison and evaluation of the current and desired state and performance of the organization’s risk management function, and to identify and quantify the gaps or opportunities for improvement.

It can provide useful references and benchmarks for the alignment and integration of the new technology system with the organization’s risk management function, and for the compliance with the organization’s risk policies and standards.

It can support the implementation and monitoring of the new technology system, and for the allocation and optimization of the resources, time, and budget for the new technology system.

The other options are not the most helpful to understand the impact of a new technology system on an organization’s current risk profile, because they do not provide the same level of detail and insight that performing a risk assessment provides, and they may not be specific or applicable to the organization’s objectives and needs.

Hiring consultants specializing in the new technology means engaging or contracting external experts or professionals that have the skills and knowledge on the new technology system, and that can provide advice or guidance on the implementation and management of the new technology system. Hiring consultants specializing in the new technology can help the organization to enhance its competence and performance on the new technology system, but it is not the most helpful, because it does not measure and compare the likelihood and impact of the risks that may affect the new technology system, and it may not be relevant or appropriate for the organization’s current risk profile.

Reviewing existing risk mitigation controls means examining and evaluating the adequacy and effectiveness of the controls or countermeasures that are intended to reduce or eliminate the risksthat may affect the organization’s objectives and operations. Reviewing existing risk mitigation controls can help the organization to improve and optimize its risk management function, but it is not the most helpful, because it does not identify and prioritize the risks that may affect the newtechnology system, and it may not cover all the relevant or significant risks that may affect the new technology system.

Conducting a gap analysis means comparing and contrasting the current and desired state and performance of the organization’s objectives and operations, and identifying and quantifying the gaps or differences that need to be addressed or corrected. Conducting a gap analysis can help the organization to identify and document its improvement needs and opportunities, but it is not the most helpful, because it does not measure and compare the likelihood and impact of the risks that may affect the new technology system, and it may not be aligned or integrated with the organization’s current risk profile. References =

ISACA, CRISC Review Manual, 7th Edition, 2022, pp. 19-20, 23-24, 27-28, 31-32, 40-41, 47-48, 54-55, 58-59, 62-63

ISACA, CRISC Review Questions, Answers & Explanations Database, 2022, QID 208

CRISC Practice Quiz and Exam Prep

Actual exam question for Isaca CRISC exam by Lyric31176 at Oct 14, 2025, 8:44:06 AM

Contribute your Thoughts:

Chosen Answer: A B C D
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.

Isaca Certified in Risk and Information Systems Control CRISC Question # 205 Topic 21 Discussion

Isaca Certified in Risk and Information Systems Control CRISC Question # 205 Topic 21 Discussion

Correct Answer:

Options Selected by Other Users:

Contribute your Thoughts:

Isaca Certified in Risk and Information Systems Control CRISC Question # 205 Topic 21 Discussion

Isaca Certified in Risk and Information Systems Control CRISC Question # 205 Topic 21 Discussion

Correct Answer:

Options Selected by Other Users:

Contribute your Thoughts:

Awaiting moderator approval