Isaca Certified in Risk and Information Systems Control CRISC Question # 402 Topic 41 Discussion

CRISC Exam Topic 41 Question 402 Discussion:

Question #: 402

Topic #: 41

Which of the following methods is an example of risk mitigation?

Not providing capability for employees to work remotely

Outsourcing the IT activities and infrastructure

Enforcing change and configuration management processes

Taking out insurance coverage for IT-related incidents

Get Premium CRISC Questions

Explanation

Risk mitigation is a proactive business strategy to identify, assess, and mitigate potential threats or uncertainties that could harm an organization’s objectives, assets, or operations1. It entails specific action plans to reduce the likelihood or impact of these identified risks2.

There are several recognized ways to mitigate risk, such as accepting, avoiding, hedging, transferring, or reducing the risk3. Among the options given, only C is an example of risk reduction, which involvesimplementing controls or safeguards to minimize the negative effects of the risk3. Change and configuration management processes are methods to ensure that changes to the IT systems or infrastructure are properly authorized, documented, tested, and implemented, and that the configuration of the IT assets is consistent and accurate. These processes can help prevent or detect errors, defects, or vulnerabilities that could compromise the IT performance, security, or availability.

The other options are not examples of risk mitigation, but rather risk avoidance (A), risk transfer (B), or risk acceptance (D). Risk avoidance means eliminating the risk entirely by not engaging in the activity that causes the risk3. Not providing capability for employees to work remotely could avoid the risk of data breaches or network issues, but it could also limit the productivity and flexibility of the workforce. Risk transfer means shifting the responsibility or burden of the risk to another party, such as a vendor or an insurer3. Outsourcing the IT activities and infrastructure could transfer the risk of IT failures or incidents to the service provider, but it could also introduce new risks such as vendor dependency or loss of control. Risk acceptance means acknowledging the risk and its consequences without taking any action to address it3. Taking out insurance coverage for IT-related incidents could provide some financial compensation in case of a loss, but it does not reduce the likelihood or impact of the risk itself. References =

5 Key Risk Mitigation Strategies (With Examples) | Indeed.com

10 Risk Mitigation techniques you need to know - Stakeholdermap.com

Risk Mitigation Strategies: Types & Examples (+ Free Template)

[Change and Configuration Management - ISACA]

Actual exam question for Isaca CRISC exam by Talon6367 at Oct 8, 2025, 3:49:05 PM

Contribute your Thoughts:

Chosen Answer: A B C D
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.

Isaca Certified in Risk and Information Systems Control CRISC Question # 402 Topic 41 Discussion

Isaca Certified in Risk and Information Systems Control CRISC Question # 402 Topic 41 Discussion

Correct Answer:

Options Selected by Other Users:

Contribute your Thoughts:

Isaca Certified in Risk and Information Systems Control CRISC Question # 402 Topic 41 Discussion

Isaca Certified in Risk and Information Systems Control CRISC Question # 402 Topic 41 Discussion

Correct Answer:

Options Selected by Other Users:

Contribute your Thoughts:

Awaiting moderator approval