Isaca Certified in Risk and Information Systems Control CRISC Question # 448 Topic 45 Discussion

CRISC Exam Topic 45 Question 448 Discussion:

Question #: 448

Topic #: 45

A risk practitioner is conducting a risk assessment after discovering the use of unauthorized cloud software on personal devices to accomplish work-related tasks. Which of the following is the risk practitioner ' s BEST course of action?

Evaluate the effectiveness of controls to prevent data loss.

Develop a policy standard for conducting business using personal devices.

Recommend blocking downloads of unauthorized software.

Identify the business need for the unauthorized software.

Get Premium CRISC Questions

Explanation

The correct answer isDbecause the risk practitioner should firstidentify the business need for the unauthorized software. If employees are using unauthorized cloud software on personal devices for work-related tasks, this indicates there is likely an unmet business requirement. Before recommending controls or restrictions, the best course of action is to understand why the software is being used, what business process it supports, and what gap in approved solutions exists. This aligns with CRISC principles that risk assessment must consider business objectives and operational needs before selecting risk responses.

The other options are not the best first step:

A. Evaluate the effectiveness of controls to prevent data lossmay be necessary later, but first the practitioner must understand the business driver behind the behavior.

B. Develop a policy standard for conducting business using personal devicesmay eventually be appropriate, but not before the underlying need is identified.

C. Recommend blocking downloads of unauthorized softwareis a control response, but it may disrupt business activities if the root business need is not understood.

Exact Extracts supporting the answer:

“During the initial stages of developing a risk management program it ' s crucial that the context and purpose of the program are defined.”

“Strategic planning and business requirements should be the driving forces behind the IT plan.”

“When selecting a risk response technique the foremost consideration should be the enterprise goals and objectives.”

“To best support IT in fulfilling business requirements an internal control system or framework is essential.”

“An approach that best helps an enterprise achieve risk-based organizational objectives is to embed risk management activities into business processes.”

These extracts support that the practitioner should first understand the business context and requirements behind the unauthorized use. Only after identifying that business need can the organization choose the most appropriate policy, control, or risk response.

Actual exam question for Isaca CRISC exam by Aspen31996 at May 24, 2026, 12:06:35 AM

Contribute your Thoughts:

Chosen Answer: A B C D
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.

Summer Certification Special Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: force70

Isaca Certified in Risk and Information Systems Control CRISC Question # 448 Topic 45 Discussion

Isaca Certified in Risk and Information Systems Control CRISC Question # 448 Topic 45 Discussion

Correct Answer:

Options Selected by Other Users:

Contribute your Thoughts:

Summer Certification Special Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: force70

Isaca Certified in Risk and Information Systems Control CRISC Question # 448 Topic 45 Discussion

Isaca Certified in Risk and Information Systems Control CRISC Question # 448 Topic 45 Discussion

Correct Answer:

Options Selected by Other Users:

Contribute your Thoughts:

Awaiting moderator approval