Isaca Certified in Risk and Information Systems Control CRISC Question # 366 Topic 37 Discussion
Several vulnerabilities have been identified in an organization’s core financial systems. Which of the following would be the risk practitioner’s BEST course of action?
Comprehensive and Detailed Explanation (aligned to ISACA CRISC guidance)
When vulnerabilities are discovered, the CRISC approach requires first understanding the risk those vulnerabilities represent before deciding on actions. Evaluating the associated risk means analyzing the likelihood that the vulnerabilities will be exploited and the potential impact on financial reporting and on the confidentiality, integrity, and availability of the core systems. Only after this analysis can the risk practitioner prioritize which vulnerabilities to address, select appropriate treatment options, and determine whether remediation is cost-effective and aligned with the organization's risk appetite. Remediating immediately without an assessment may misallocate resources or disrupt critical services. Initiating incident response is appropriate when an actual incident or compromise has been detected, not merely because vulnerabilities exist. Estimating the cost of remediation is important, but it comes after the significance of the risk is understood.
Reference: CRISC Review Manual – IT Risk Identification and Assessment (vulnerability identification and risk evaluation).