Free IT certification practice questions with explained answers for CCNA, CompTIA, AWS, Azure, Google Cloud, and more.

Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.


Information Technology and Security

Practice CRISC Information Technology and Security questions with full explanations on every answer.

105 questions


All CRISC Information Technology and Security questions (105)

Click any question to see the full explanation and answer options, or start a focused practice session above.

1

A large retail company is implementing a new cloud-based inventory management system. The system will store sensitive customer data and integrate with existing on-premises ERP. The risk manager is asked to identify the most critical risk to address in the shared responsibility model. Which risk is MOST likely to be overlooked?

2

An energy company is integrating its IT network with OT systems for real-time monitoring. The risk manager is assessing the expanded attack surface. Which risk should be given the HIGHEST priority due to its potential for physical consequences?

3

A risk manager is designing an IT risk management programme. Which document should be created FIRST to guide the overall approach to risk management?

4

A financial institution is adopting AI for credit scoring. The model is currently a black box and requires explainability for regulatory compliance. Which risk is MOST critical to address?

5

During a solution architecture review, the Architecture Review Board (ARB) identifies that a new application communicates with a legacy system using plain text over a public network. Which risk treatment option is MOST appropriate?

6

A risk manager is calculating the probable financial impact of a ransomware attack using the FAIR model. Which factor is MOST critical to estimate the annual loss exposure?

7

Which COBIT 2019 domain objective focuses on ensuring that risk is optimized through evaluation, direction, and monitoring?

8

A hospital is deploying IoT medical devices that connect to the network. Which risk is MOST concerning from a cybersecurity perspective?

9

A power utility is required to comply with NERC CIP standards. Which of the following is a primary objective of these standards?

10

A company is migrating critical applications to the cloud. The risk manager is assessing the shared responsibility model. Which risk is the customer typically responsible for?

11

Which of the following is a key component of an IT risk management programme that documents identified risks, their likelihood, and impact?

12

An organization is considering cyber insurance to transfer residual risk. Which factor would MOST significantly influence the premium?

13

A risk manager is integrating the NIST Cybersecurity Framework with the organization's risk management processes. Which TWO functions of the NIST CSF directly support risk assessment?

14

A manufacturing company is evaluating the risks of connecting its OT network to the IT network. Which THREE risks are MOST significant due to IT/OT convergence?

15

An organization is planning to adopt post-quantum cryptography. Which TWO considerations are MOST important for migration planning?

16

Which COBIT 2019 governance objective focuses on ensuring that the enterprise's risk appetite and tolerance are understood, articulated, and communicated, and that risk is managed appropriately?

17

A risk practitioner is designing an IT risk management programme. Which of the following is the BEST sequence of components to establish?

18

An organization is reviewing its enterprise architecture to identify risks. In which IT architecture layer would a risk related to data classification and data sovereignty be primarily addressed?

19

An Architecture Review Board (ARB) is evaluating a new solution architecture for a customer-facing web application. Which of the following is the PRIMARY risk the ARB should consider?

20

When assessing cloud computing risk, which of the following is a key concern related to data sovereignty?

21

An organization is adopting machine learning for credit scoring decisions. Which of the following risks is MOST critical from a regulatory compliance perspective?

22

A risk manager is evaluating the risk of quantum computing for the organization's encryption. The organization uses RSA-2048 for data encryption. What is the PRIMARY consideration in planning for post-quantum cryptography migration?

23

According to the NIST Cybersecurity Framework, which function involves developing and implementing appropriate safeguards to ensure delivery of critical infrastructure services?

24

An organization uses the FAIR (Factor Analysis of Information Risk) model to quantify cyber risk. Which of the following is the correct definition of 'Loss Magnitude' in the FAIR model?

25

Which of the following is a common exclusion in cyber insurance policies that a risk manager should be aware of?

26

An organization is connecting its industrial control systems (ICS) to the corporate network for real-time data analytics. Which of the following is the PRIMARY risk introduced by this IT/OT convergence?

27

Which standard is specifically designed for industrial automation and control systems security and provides a framework for addressing security in IACS?

28

A risk manager is evaluating the risks associated with using a public cloud provider. Which TWO of the following are key considerations for multi-tenancy isolation? (Select TWO.)

29

An organization is deploying IoT devices for environmental monitoring in a manufacturing facility. Which THREE of the following are significant security risks that should be addressed? (Select THREE.)

30

Which TWO of the following are key benefits of integrating the NIST Cybersecurity Framework with an organization's risk management processes? (Select TWO.)

31

A company is implementing COBIT 2019 and wants to ensure that risk management activities are aligned with business objectives. Which governance objective is primarily responsible for evaluating, directing, and monitoring risk management?

32

An organization is designing an IT risk management programme. Which of the following is the most critical component to ensure consistent identification and assessment of risks across the enterprise?

33

A financial institution is adopting a cloud-based analytics platform. The data includes sensitive customer information subject to multiple jurisdictions' data residency laws. Which of the following poses the greatest compliance risk?

34

In the NIST Cybersecurity Framework, which function is primarily focused on developing and implementing appropriate safeguards to ensure delivery of critical infrastructure services?

35

An architecture review board (ARB) is evaluating a new solution architecture that processes sensitive data. Which of the following should the ARB review to ensure security risks are addressed before implementation?

36

A manufacturing company is connecting its industrial control systems (ICS) to the corporate network for real-time data analytics. What is the most significant risk arising from this IT/OT convergence?

37

A risk manager is using the FAIR model to quantify cyber risk. After analyzing a ransomware scenario, the probable loss event frequency (LEF) is estimated at 0.2 per year, and the probable loss magnitude (LM) is $5 million. What is the annualized loss expectancy (ALE) in this scenario?

38

Which of the following is a primary concern when using AI/ML models for decisions subject to regulatory oversight?

39

An organization is evaluating cyber insurance to mitigate financial risk from potential data breaches. Which factor would most likely increase the insurance premium?

40

A power utility must comply with NERC CIP standards. Which of the following is a key requirement under these standards?

41

Which of the following is a characteristic of IoT devices that increases cybersecurity risk?

42

A company is planning to migrate to post-quantum cryptography. What is the primary risk that quantum computing poses to current cryptographic systems?

43

A risk manager is integrating risk management with IT governance. Which of the following are key elements of an IT risk management programme design? (Choose TWO.)

44

An organization is deploying IoT devices in a smart building. Which of the following are significant security risks associated with IoT? (Choose THREE.)

45

An organization is considering adopting the NIST Cybersecurity Framework to manage cybersecurity risk. Which of the following are core functions of the framework? (Choose TWO.)

46

In the context of IT governance, which COBIT 2019 process is specifically focused on ensuring risk optimization?

47

An organization is designing an IT risk management program. Which of the following should be the PRIMARY consideration when developing a risk register?

48

A financial institution is implementing a cloud-based data analytics platform. The data includes personally identifiable information (PII) of customers in multiple jurisdictions. Which of the following is the MOST critical risk consideration?

49

An organization's architecture review board (ARB) is evaluating a new solution architecture. What is the PRIMARY risk management role of the ARB in this context?

50

A manufacturing company is integrating its industrial control systems (ICS) with the corporate IT network to enable real-time data analytics. Which of the following represents the MOST significant risk introduced by this convergence?

51

Which of the following is a key component of the NIST Cybersecurity Framework's 'Identify' function?

52

A risk manager is using the FAIR model to quantify cyber risk. Which of the following inputs is MOST directly used to calculate probable financial loss?

53

A power utility subject to NERC CIP standards is planning to deploy a new SCADA system. Which of the following requirements is MOST likely mandated by NERC CIP?

54

An organization is evaluating cyber insurance options. Which of the following factors is MOST likely to influence the insurance premium?

55

Which of the following is a primary goal of the 'Protect' function in the NIST Cybersecurity Framework?

56

An organization is deploying IoT sensors in a manufacturing plant. Which of the following is the MOST significant security risk associated with these devices?

57

A risk manager is assessing the potential impact of quantum computing on the organization's cryptographic infrastructure. What is the MOST immediate action the organization should take?

58

An organization is implementing an AI/ML model for credit approval decisions subject to regulatory oversight. Which TWO of the following are the most significant risk considerations?

59

A global company is moving its critical applications to a public cloud. Which THREE of the following are key risk considerations in the shared responsibility model?

60

An OT environment is being assessed for compliance with IEC 62443. Which TWO of the following are key security requirements of this standard?

61

An organization is implementing COBIT 2019 and the board has requested assurance that risk management activities are aligned with business objectives. Which governance objective is primarily focused on ensuring risk optimization through evaluation, direction, and monitoring?

62

A risk manager is designing an IT risk management program. Which document should serve as the primary source for defining the organization's approach to risk assessment, treatment, and reporting?

63

A multinational corporation is migrating its customer relationship management (CRM) system to a public cloud provider. The data includes personally identifiable information (PII) from multiple jurisdictions. Which risk should be considered most critical during the cloud architecture review?

64

A manufacturing company is integrating its industrial control systems (ICS) with the corporate IT network to enable real-time production monitoring. Which risk is most directly introduced by this convergence?

65

Which component of the NIST Cybersecurity Framework is primarily concerned with developing and implementing appropriate safeguards to ensure delivery of critical infrastructure services?

66

A risk practitioner is using the FAIR model to quantify cyber risk for a proposed new online payment system. Which factor must be estimated to calculate the probable financial impact of a data breach?

67

An organization is evaluating cyber insurance to cover potential losses from ransomware attacks. The insurer requires that the organization have multi-factor authentication (MFA) on all remote access systems. This requirement is an example of which factor influencing insurance premiums?

68

A bank is considering adopting artificial intelligence for credit scoring. The risk manager identifies that the AI model might produce biased outcomes against certain demographic groups. Which AI/ML risk is most directly associated with this concern?

69

An organization is deploying a large number of Internet of Things (IoT) sensors for environmental monitoring in a remote facility. The sensors have limited processing power and cannot be patched easily. Which risk should the risk manager prioritize?

70

A risk manager is assessing the impact of quantum computing on the organization's cryptographic infrastructure. The timeline for quantum advantage is estimated to be 10 years. What is the most appropriate immediate action to address this risk?

71

Which enterprise architecture layer is most directly responsible for managing the storage and processing of data, and for which data classification and encryption controls are critical?

72

A power utility is required to comply with NERC CIP standards. Which of the following is a primary objective of these standards?

73

An organization is reviewing its IT risk management program and identifies that the risk register is not being updated after project changes. Which TWO components of the risk management program are most likely deficient?

74

A financial services firm is migrating critical applications to a public cloud. The architecture review board (ARB) is evaluating the solution architecture. Which THREE risks should the ARB prioritize for review?

75

A risk manager is evaluating the application of IEC 62443 for industrial control systems. Which THREE of the following are key security requirements addressed by this standard?

76

An organization is developing a new cloud-based application that will process personal data of EU citizens. The risk manager is assessing the shared responsibility model with the cloud service provider (CSP). Which of the following is the MOST critical risk to address in the risk assessment?

77

A manufacturing company is integrating its operational technology (OT) network with the corporate IT network to enable real-time data analytics. Which of the following risks should be prioritized during the risk assessment?

78

The risk committee is reviewing a cyber risk quantification report that uses the FAIR model. The report estimates the annualized loss expectancy (ALE) for a ransomware attack as $2.5 million. The committee asks the risk manager to explain the key components used to derive this figure. Which of the following is the MOST important factor in the FAIR model for calculating ALE?

79

A risk manager is designing an IT risk management program. According to COBIT 2019, which governance objective is specifically focused on ensuring that risk management is optimized?

80

A financial institution is considering adopting a new AI/ML model for credit scoring. The model uses customer demographic data and transaction history. Which of the following risks is MOST likely to cause regulatory penalties if not addressed?

81

During the solution architecture review, the Architecture Review Board (ARB) identifies a security risk in a proposed cloud migration project. The solution relies on a single cloud region with no disaster recovery plan. Which of the following is the BEST recommendation to mitigate this risk?

82

A power utility company is required to comply with NERC CIP standards. The risk manager is assessing the impact of connecting a remote substation's OT network to the corporate WAN. Which of the following is the MOST significant risk that must be addressed to comply with NERC CIP?

83

Which of the following is the PRIMARY purpose of a risk register in an IT risk management program?

84

An organization is implementing the NIST Cybersecurity Framework to manage cyber risk. The risk manager is mapping the 'Detect' function to existing risk management processes. Which of the following activities is MOST directly aligned with the 'Detect' function?

85

A risk manager is evaluating the potential impact of quantum computing on the organization's encryption infrastructure. The organization uses RSA-2048 for key exchanges and digital signatures. According to current quantum computing projections, what is the MOST urgent risk management action to take?

86

An organization is deploying a large number of IoT sensors in a smart building project. The sensors are from multiple vendors and some have limited firmware update capabilities. Which of the following risks should be the PRIMARY concern for the risk manager?

87

Which of the following is a key component of an IT risk management programme design?

88

A risk manager is assessing the risks of an IT/OT convergence project in a chemical plant. Which TWO of the following are the most significant security risks? (Select two.)

89

Which THREE of the following are key considerations when evaluating cyber insurance coverage? (Select three.)

90

An organization is implementing IEC 62443 for its industrial control systems. Which THREE of the following are key requirements of IEC 62443? (Select three.)

91

An organization is implementing a new cloud-based CRM system. The risk manager is reviewing the solution architecture for security risks. Which architectural layer should be evaluated to ensure data encryption at rest and in transit?

92

A power utility is integrating its industrial control system (ICS) with the corporate IT network to enable real-time operational data access. The risk manager identifies that the ICS uses legacy proprietary protocols without authentication. Which risk treatment option best addresses this issue while maintaining operational availability?

93

According to COBIT 2019, which governance objective is primarily concerned with evaluating, directing, and monitoring the management of IT risk?

94

A financial institution is evaluating cyber insurance to cover potential losses from a ransomware attack. Which factor is most likely to increase the insurance premium?

95

An organization uses AI/ML for credit scoring decisions. The risk manager is concerned about regulatory compliance if the model cannot explain its decisions. Which AI risk is most directly addressed by requiring explainability?

96

A company's risk management policy requires a risk register to be maintained. Which of the following is the primary purpose of a risk register?

97

Which of the following is a key component of the NIST Cybersecurity Framework's Identify function?

98

A risk manager is evaluating IoT device risks for a smart building project. Which TWO of the following are significant IoT security risks?

99

According to the FAIR model, which TWO of the following are primary components used to calculate probable financial impact of a cyber incident?

100

A risk manager is designing an IT risk management programme. Which THREE of the following are essential components of a risk management policy?

101

An enterprise is migrating to a public cloud environment. Which THREE of the following are critical cloud-specific risk considerations?

102

A risk manager is assessing IT/OT convergence risks at a manufacturing plant. Which TWO of the following are primary risks introduced by connecting industrial control systems to the corporate network?

103

Which TWO of the following are key functions of an Architecture Review Board (ARB) in managing risk?

104

Which THREE of the following are typical exclusions in a cyber insurance policy?

105

An organization is planning for post-quantum cryptography migration. Which THREE of the following are key considerations for this migration?

Frequently asked questions

What does the Information Technology and Security domain cover on the CRISC exam?

The Information Technology and Security domain covers the key concepts tested in this area of the CRISC exam blueprint published by ISACA. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all CRISC domains — no account required.

How many Information Technology and Security questions are in the CRISC question bank?

The Courseiva CRISC question bank contains 105 questions in the Information Technology and Security domain. Click any question to see the full explanation and answer breakdown.

What is the best way to practice Information Technology and Security for CRISC?

Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.

Can I practice only Information Technology and Security questions for CRISC?

Yes — the session launcher on this page draws questions exclusively from the Information Technology and Security domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.
