ISC2-CGRC Domain 1: Information Security Risk Management Program

CGRC: Information Security Risk Management Program

1. What is the primary goal of an Information Security Risk Management Program (ISRM)?
A. To eliminate all cybersecurity risks.
B. To ensure compliance with international standards only.
C. To identify, assess, and mitigate risks to an acceptable level.
D. To invest in the most advanced technology to secure information.

2. Which of the following best describes a quantitative risk analysis method in ISRM?
A. Assessing risk based on subjective judgment of impact and likelihood.
B. Assigning numerical values to the probability and impact of risk events.
C. Focusing on the number of reported incidents in a given period.
D. Using a color-coded system to prioritize risks.

3. In the context of ISRM, what is the primary purpose of a risk register?
A. To record and track the progress of risk mitigation actions.
B. To store passwords and sensitive access codes securely.
C. To log all security breaches and incidents.
D. To maintain a list of approved security vendors and tools.

4. Which of the following is a key element of the risk assessment process in ISRM?
A. Prioritizing risk mitigation measures based solely on cost.
B. Assessing the impact and likelihood of identified risks.
C. Focusing exclusively on external threats.
D. Ignoring risks that are deemed unlikely to occur.

5. What principle underlies the concept of 'risk transfer' in ISRM?
A. Accepting all risks without taking any mitigation actions.
B. Sharing or transferring the risk impact to a third party, such as through insurance.
C. Completely eliminating all identified risks.
D. Reducing risk by implementing technical controls only.

6. Which of the following best exemplifies the 'risk avoidance' strategy in ISRM?
A. Implementing strong access controls and encryption.
B. Deciding not to proceed with a new business venture due to its high cybersecurity risks.
C. Purchasing cybersecurity insurance to cover potential data breaches.
D. Conducting regular security awareness training for employees.

7. In ISRM, what is the significance of aligning the program with the organization's business objectives?
A. It ensures that all technical controls are state-of-the-art.
B. It guarantees that the organization will not experience any security incidents.
C. It ensures that risk management activities support and enable the achievement of business goals.
D. It mandates that all employees become cybersecurity experts.

8. What does a 'risk mitigation plan' typically include?
A. A detailed list of all employee passwords and access codes.
B. Specific actions to address identified risks, responsible parties, and timelines.
C. The total budget allocation for the IT department.
D. A comprehensive list of all past security incidents.

9. How does 'continuous monitoring' contribute to ISRM?
A. By ensuring that risk assessments are only conducted annually.
B. By providing real-time insights into risk exposure and the effectiveness of controls.
C. By eliminating the need for employee training on cybersecurity.
D. By focusing solely on external threat intelligence.

10. What is the primary purpose of 'third-party risk management' in an ISRM program?
A. To ensure that third-party vendors comply with the organization's vacation policies.
B. To manage risks associated with outsourcing and the supply chain.
C. To control the pricing of third-party services.
D. To monitor the social media activities of third-party employees.

11. What is the purpose of incorporating 'residual risk' evaluation in an Information Security Risk Management Program?
A. To identify the risk that remains after controls are applied.
B. To calculate the total cost of the IT infrastructure.
C. To assess the performance of the security team.
D. To track the number of security incidents over time.

12. In the context of ISRM, what is the significance of 'risk communication'?
A. It involves broadcasting security alerts to the public.
B. It ensures that risk-related information is shared within the organization to facilitate informed decision-making.
C. It is the process of negotiating security budgets with vendors.
D. It refers to the marketing of the organization's security capabilities to potential clients.

13. Which of the following best describes the role of 'information classification' in an ISRM program?
A. To determine the cafeteria menu based on employee preferences.
B. To prioritize risks based on the color of the information.
C. To assign levels of sensitivity to information, guiding its protection.
D. To count the number of documents in the organization.

14. What is the primary goal of 'asset identification' in an ISRM program?
A. To ensure all physical assets are painted the same color.
B. To catalog the personal belongings of employees.
C. To list all IT equipment for insurance purposes only.
D. To systematically identify information assets for risk management purposes.

15. How does 'threat intelligence' support an ISRM program?
A. By providing data on the latest employee trends.
B. By offering insights into potential and emerging information security threats.
C. By tracking the stock market to inform investment decisions.
D. By monitoring social media for brand mentions.

16. In ISRM, what is the importance of 'vulnerability assessment'?
A. To identify weaknesses in the organization's physical security, such as locks and alarms.
B. To determine the effectiveness of the organization's recruitment process.
C. To identify, quantify, and prioritize vulnerabilities in information systems.
D. To assess the organization's financial health.

17. What role does 'policy development' play in an ISRM program?
A. To dictate employee dress codes.
B. To establish guidelines and standards for managing information security risks.
C. To outline the organization's social media strategy.
D. To create a menu for the organization's cafeteria.

18. How does 'change management' support effective ISRM?
A. By ensuring all employees undergo a change in job roles annually.
B. By facilitating the secure and controlled implementation of changes to IT systems and processes.
C. By changing the organization's name every five years to stay relevant.
D. By regularly updating the interior design of office spaces.

19. In the context of ISRM, what is the significance of 'incident response planning'?
A. To plan the organization's annual holiday party.
B. To ensure a coordinated and effective response to information security incidents.
C. To schedule regular fire drills in the organization.
D. To arrange quarterly team-building activities.

20. What is the purpose of 'security awareness training' within an ISRM program?
A. To teach employees about the organization's history.
B. To ensure employees are aware of information security risks and the role they play in mitigating those risks.
C. To provide training on the use of office equipment.
D. To educate employees on the organization's product line.