Practice CRISC IT Risk Assessment questions with full explanations on every answer.
1. An organization uses a 5×5 risk heat map to assess IT risks. Which of the following is the PRIMARY advantage of this qualitative approach?
2. A company is evaluating the risk of a data breach using the FAIR framework. The threat event frequency is estimated at 10 per year, and the vulnerability is 0.2. The primary loss per event is $50,000 and secondary loss is $20,000. What is the annualized loss expectancy (ALE)?
3. An organization has identified a high-risk IT process that, if continued, could result in significant regulatory fines. The risk owner recommends implementing additional controls. However, the cost of controls exceeds the potential financial loss. Which risk treatment option is MOST appropriate?
4. During an IT risk assessment, the risk practitioner calculates the inherent risk score for a critical application as 25 (on a 5×5 matrix). After evaluating control effectiveness, the residual risk score is 9. What can be inferred about the controls?
5. Which of the following is a detective control for an information system?
6. A quantitative risk assessment for a server shows an ARO of 0.5 and SLE of $200,000. What is the ALE, and what does it imply?
7. An organization is assessing the risk of a ransomware attack. The threat actor capability is high, but vulnerability is low due to strong patching. However, the business impact is severe. According to FAIR, which factor most directly influences Loss Event Frequency (LEF)?
8. Which risk treatment option involves eliminating the activity that creates the risk?
9. A risk practitioner is prioritizing IT risks for treatment. Which factor should be the PRIMARY basis for prioritization?
10. In the FAIR model, which component represents the probable frequency, within a given timeframe, that a threat agent will act against an asset?
11. An organization uses a qualitative risk assessment and assigns a likelihood of '3' and impact of '4' on a 5-point scale. The heat map defines risk scores 12-25 as high. What is the risk rating?
12. Which type of control is designed to reduce the likelihood of a risk event occurring?
13. A risk assessment for a cloud migration identifies high inherent risk. The risk practitioner evaluates controls. Which TWO components are necessary to calculate residual risk?
14. An organization is performing a quantitative risk analysis using the FAIR framework. Which THREE of the following are direct components of the FAIR model?
15. An organization is evaluating risk treatment options for a critical vulnerability. Which TWO options would be considered risk mitigation?
16. A risk manager is using a 5×5 likelihood-impact matrix to assess a set of identified risks. What is the PRIMARY advantage of using this qualitative method?
17. An organization uses the FAIR framework to calculate annualized loss expectancy (ALE) for a specific risk. Given that the single loss expectancy (SLE) is $50,000 and the annualized rate of occurrence (ARO) is 0.2, what is the ALE?
18. After implementing a set of controls for a critical risk, the residual risk is calculated. The risk owner argues that the residual risk remains high and requires further treatment. Which of the following BEST describes the relationship between inherent risk, control effectiveness, and residual risk?
19. A risk assessment identifies a high-likelihood, high-impact risk associated with a legacy system. The business owner decides to decommission the system to eliminate the risk. Which risk treatment option is being applied?
20. During a quantitative risk analysis, the risk team calculates the loss event frequency (LEF) using the FAIR framework. If the threat event frequency (TEF) is 10 per year and the vulnerability (V) is 0.3, what is the LEF?
21. Which control type is designed to stop a risk event from occurring?
22. An organization is evaluating risks and decides to purchase cyber insurance to cover potential financial losses from data breaches. Which risk treatment option does this represent?
23. A risk assessment report includes both inherent and residual risk ratings. The inherent risk for a process is rated as 'high' based on a 5×5 heat map. After applying a set of controls, the residual risk is rated as 'medium'. What does this indicate about the control effectiveness?
24. In the FAIR framework, loss magnitude (LM) is composed of primary loss and secondary loss. Which of the following is an example of secondary loss?
25. Which of the following is a limitation of qualitative risk analysis?
26. An organization identifies a risk that is within its risk appetite. The risk owner decides to formally document the risk and accept it without implementing additional controls. Which of the following is required for this risk acceptance?
27. In a quantitative risk analysis, the annualized loss expectancy (ALE) is calculated as $1 million. If the organization implements a control that reduces the ARO from 0.5 to 0.1, and the SLE remains constant at $2 million, what is the new ALE?
28. A risk assessment team is prioritizing risks for treatment using inherent risk ratings. Which TWO factors should be considered when deciding which risks to treat first?
29. An organization is assessing control effectiveness for a key process. Which TWO aspects should be evaluated to determine if a control is effective?
30. A risk manager is evaluating the impact assessment for a potential data breach. Which THREE categories of impact should be considered in a comprehensive business impact analysis?
31. A risk analyst uses a 5x5 heat map to evaluate a set of IT risks. For a particular risk, the likelihood is rated as 4 (likely) and impact as 5 (very high). What is the resulting risk rating?
32. An organization using the FAIR framework estimates that a threat event frequency (TEF) is 10 per year, vulnerability is 0.2, and loss magnitude per event is $500,000. What is the annualized loss expectancy (ALE)?
33. Which of the following best describes an advantage of qualitative risk analysis over quantitative risk analysis?
34. A company decides to purchase cyber insurance to cover potential losses from a data breach. This is an example of which risk treatment option?
35. After implementing a set of controls, the risk owner calculates the residual risk. Which of the following is true about residual risk?
36. In the FAIR framework, which of the following correctly represents the calculation of Loss Event Frequency (LEF)?
37. A risk assessment reveals a high inherent risk that is within the organization's risk appetite. The risk owner documents the risk and formally accepts it. This is an example of which risk treatment option?
38. Which control type is primarily focused on identifying that a risk event has occurred?
39. An organization assesses a risk and determines the inherent risk score is 20 (critical). After implementing controls, the residual risk score is 8 (medium). What does this indicate about the controls?
40. A company's risk assessment identifies that a threat actor has high capability and motivation to exploit a vulnerability. Which factor does this relate to?
41. Which of the following is an example of a preventive control?
42. In assessing control effectiveness, an IS auditor evaluates both design adequacy and operating effectiveness. Which of the following indicates that a control is operating effectively?
43. A risk assessment identifies that a critical application has a vulnerability with a high likelihood of exploitation. The risk owner proposes to implement a web application firewall (WAF) as a mitigating control. Which TWO of the following are likely benefits of this control?
44. An organization is evaluating the impact of a potential data breach. Which THREE of the following are considered indirect financial impacts?
45. When performing a risk assessment, which TWO of the following are components of inherent risk?
46. A risk practitioner is using a 5×5 heat map with likelihood and impact ratings. Which of the following is a key advantage of this qualitative risk analysis approach?
47. An organization is evaluating the risk of a data breach using the FAIR framework. The threat event frequency is estimated at 10 per year, the vulnerability is 0.2, and the loss magnitude is $500,000 per event. What is the annualized loss expectancy (ALE)?
48. During an IT risk assessment, a risk owner identifies a risk that is within the organization's risk appetite. The recommended risk treatment option is to:
49. Which of the following is a limitation of quantitative risk analysis?
50. A company has an inherent risk score of 20 for a specific threat. After implementing controls, the control effectiveness is assessed as 60% (design adequacy 70%, operating effectiveness 85%). What is the approximate residual risk score?
51. Which of the following is an example of a detective control?
52. An organization is considering outsourcing its payroll processing to a third party. The risk assessment shows that the inherent risk of payroll errors is high, but the vendor contract includes liability clauses and the organization obtains cyber insurance. This risk treatment is best described as:
53. When prioritizing risk treatment actions, which of the following should be the primary consideration?
54. In the FAIR framework, Loss Event Frequency (LEF) is calculated as:
55. Which of the following best describes residual risk?
56. A risk assessment reveals that the likelihood of a phishing attack is high, and the impact is moderate. The organization decides to implement security awareness training and email filtering. This is an example of which risk treatment?
57. In qualitative risk analysis, a risk with a likelihood rating of 'High' and an impact rating of 'High' on a 5×5 heat map would typically be classified as:
58. A risk practitioner is conducting a business impact assessment for a critical application. Which TWO of the following are examples of direct financial costs? (Select TWO)
59. An organization is assessing control effectiveness for a firewall. Which THREE factors should be evaluated to determine control effectiveness? (Select THREE)
60. A company is considering risk transfer for a new IT project. Which TWO options represent valid risk transfer mechanisms? (Select TWO)
61. An IT risk assessment team is using a 5×5 risk matrix with likelihood and impact ratings. A risk scenario is rated as likelihood = 4 (likely) and impact = 5 (catastrophic). According to the typical heat map, what would be the risk rating?
62. A company uses the FAIR model to perform a quantitative risk analysis. The threat event frequency (TEF) is estimated at 10 per year, vulnerability (V) is 0.5, and loss magnitude (LM) per event is $50,000. What is the annualized loss expectancy (ALE)?
63. A risk analyst is assessing a critical application's inherent risk. After implementing controls, the residual risk is calculated as high. The analyst determines that the control design is adequate but operating effectiveness is poor. Which factor most likely explains the high residual risk?
64. Which risk treatment option is being used when an organization decides to stop a business activity that creates a high-risk exposure?
65. An organization is considering purchasing cyber insurance to cover potential losses from a data breach. This is an example of which risk treatment option?
66. In a qualitative risk assessment, a risk owner argues that the likelihood of a cyberattack is low because the organization has strong perimeter defenses. However, the analyst notes that the impact would be catastrophic. Which limitation of qualitative analysis is most relevant?
67. A company calculates the annualized loss expectancy (ALE) for a server failure as $150,000. After implementing a backup solution costing $20,000 per year, the ALE drops to $30,000. What is the annualized benefit of the control?
68. Which of the following is a detective control?
69. A risk is assessed with inherent risk score of 25 on a 5x5 matrix. After implementing controls, the residual risk score is 10. The control effectiveness is considered:
70. When prioritizing risk treatment actions, which of the following should be the primary consideration?
71. In the FAIR model, 'Loss Event Frequency' is calculated as:
72. Which of the following is an example of a corrective control?
73. An organization is evaluating whether to accept a risk. Which TWO conditions must be met for risk acceptance to be appropriate?
74. A quantitative risk analysis using FAIR requires estimating which THREE primary factors?
75. A risk analyst is assessing the impact of a potential ransomware attack. Which THREE categories of business impact should be considered?
76. A risk practitioner is using a 5×5 heat map to assess IT risks. Which of the following is the primary advantage of this qualitative approach?
77. An organization is evaluating the risk of a data breach using the FAIR framework. Which of the following components is part of Loss Event Frequency (LEF)?
78. Which risk treatment option involves formally acknowledging the risk and taking no further action, provided the risk is within the organization's risk appetite?
79. A company is assessing the risk of a ransomware attack. The security team estimates the threat event frequency as 2 attacks per year, vulnerability as 0.3 (30% chance of success), primary loss as $500,000, and secondary loss as $200,000. What is the annualized loss expectancy (ALE) using the FAIR framework?
80. During an IT risk assessment, the risk owner identifies a high inherent risk for a legacy system. After implementing a firewall and intrusion detection system, the residual risk is calculated. Which of the following best describes residual risk?
81. A bank is evaluating the impact of a potential system outage. Which of the following is an example of a direct financial cost associated with this impact?
82. An organization decides to outsource its data center operations to a cloud provider with strict contractual penalties for security breaches. This is an example of which risk treatment option?
83. A risk assessment identifies a critical vulnerability in a web application. Which control type would be most effective in preventing exploitation of this vulnerability?
84. During a risk assessment, a risk is assigned a likelihood of 'High' and an impact of 'Medium' on a 5×5 heat map. What is the risk rating?
85. A risk manager is prioritizing risks based on their inherent risk scores. Which of the following factors should be considered when prioritizing treatment actions?
86. A quantitative risk analysis for a phishing campaign estimates that threat event frequency is 50 per year, vulnerability is 0.1 (10% of users will click), and loss magnitude per successful attack is $10,000. However, the analyst notes a 90% confidence interval of $5,000 to $20,000 for loss magnitude. Which of the following best describes a limitation of this quantitative analysis?
87. An organization has implemented a firewall (preventive), intrusion detection system (detective), and a backup restoration plan (corrective) to address a specific risk. The risk manager assesses the control effectiveness as follows: design adequacy is strong, but operating effectiveness is weak due to inconsistent patching. Which of the following best describes the residual risk?
88. A risk assessment of a critical financial application identifies a high inherent risk due to outdated software. The risk manager is considering mitigation options. Which TWO of the following would be considered preventive controls?
89. A company is performing a qualitative risk analysis for a new cloud migration project. Which TWO of the following are recognized limitations of qualitative risk analysis?
90. A risk assessment identifies a threat with high likelihood and high impact. The risk owner proposes transferring the risk via cyber insurance. However, the insurance policy has a high deductible and excludes certain attack types. Which THREE of the following should be considered when evaluating the effectiveness of this risk transfer?
91. A risk assessment using a 5x5 heat map with likelihood and impact scores is an example of which type of risk analysis?
92. Which of the following is a key advantage of using a quantitative risk analysis approach such as FAIR?
93. An organization calculates the annualized loss expectancy (ALE) for a cyber attack scenario. The single loss expectancy (SLE) is $50,000 and the annualized rate of occurrence (ARO) is 2. What is the ALE?
94. In the FAIR framework, Loss Event Frequency (LEF) is calculated as:
95. A risk manager decides to accept a risk because the cost of controls exceeds the potential loss. Which of the following is required for this risk treatment option?
96. Which risk treatment option involves eliminating the activity that creates the risk?
97. An organization implements an intrusion detection system (IDS) to monitor for security incidents. This is an example of which type of control?
98. After implementing controls, the risk remaining is called:
99. An organization has an inherent risk score of 20 for a process. After controls, the residual risk score is 8. If the control design is assessed as adequate but operating effectiveness is only 60%, what is the control effectiveness adjustment?
100. Which of the following best describes the primary limitation of qualitative risk analysis?
101. A company uses cyber insurance to cover losses from data breaches. This is an example of which risk treatment?
102. When prioritizing risk treatment actions, which factor is most important to consider alongside the risk level?
103. Which TWO of the following are examples of corrective controls?
104. Which THREE of the following are components of Loss Magnitude in the FAIR framework?
105. Which TWO of the following are considered direct costs in the financial impact assessment of a risk event?
106. A risk manager is using a 5x5 heat map to assess IT risks. Which of the following best describes the primary limitation of this qualitative risk analysis approach?
107. An organization is evaluating the risk of a ransomware attack. Using the FAIR framework, which of the following components directly multiplies to calculate Loss Event Frequency (LEF)?
108. A company identifies a high inherent risk in its online payment system. After implementing a Web Application Firewall (WAF) and conducting quarterly penetration tests, the residual risk is assessed as medium. Which of the following best explains the relationship between inherent risk, controls, and residual risk?
109. During an IT risk assessment, the risk owner decides to accept a risk that falls within the organization's risk appetite. Which of the following actions is most appropriate for the risk owner to take?
110. A quantitative risk analysis for a data breach yields an Annualized Loss Expectancy (ALE) of $500,000. The Single Loss Expectancy (SLE) is $100,000. What is the Annualized Rate of Occurrence (ARO)?
111. A company is considering outsourcing its data center operations to a cloud provider. Which risk treatment option is the company primarily exercising?
112. In a qualitative risk assessment using a 5x5 heat map, an IT risk is rated with likelihood 4 and impact 5. According to typical heat map conventions (5=Critical, 4=High, 3=Medium, 2=Low, 1=Informational), what is the overall risk rating?
113. Which of the following is an example of a detective control in IT risk management?
114. A risk assessment identifies a vulnerability in a critical application. The threat actor is a script kiddie with low capability. Using the FAIR framework, which factor would most directly increase the Loss Event Frequency (LEF)?
115. After implementing controls for a high-risk IT process, the residual risk is calculated as medium. The risk owner argues that the controls are not adequate because the inherent risk was critical. Which of the following should be the primary basis for determining control adequacy?
116. An organization decides to discontinue a high-risk business process that cannot be effectively mitigated. This is an example of which risk treatment option?
117. In a quantitative risk analysis using FAIR, which of the following best represents Loss Magnitude (LM)?
118. An organization is evaluating the business impact of a potential ransomware attack. Which TWO impact categories should be considered as direct financial losses? (Select TWO)
119. A risk assessment team is prioritizing IT risks for treatment. Which THREE factors should be considered when prioritizing risks? (Select THREE)
120. An organization is implementing controls to mitigate the risk of data exfiltration. Which TWO control types would be considered preventive? (Select TWO)
121. A risk manager uses a 5x5 heat map to plot the likelihood and impact of identified risks. This approach is an example of which type of risk analysis?
122. During an IT risk assessment, the risk team calculates the Annualized Loss Expectancy (ALE) for a critical application. Which quantitative risk analysis framework is most commonly used for this calculation?
123. An organization uses the FAIR framework to assess the risk of a data breach. The risk analyst estimates that the Threat Event Frequency (TEF) is 10 per year, the Vulnerability (V) is 0.2, the Primary Loss per event is $50,000, and the Secondary Loss per event is $30,000. What is the Annualized Loss Expectancy (ALE)?
124. A risk owner decides to accept a risk because the cost of mitigation exceeds the potential loss, and the risk level is within the organization's risk appetite. What should the risk owner do next?
125. Which risk treatment option involves eliminating the activity that creates the risk?
126. A company is evaluating controls for a high-risk process. Which control type is designed to stop a risk event from occurring?
127. An organization calculated the inherent risk for a critical system as 'High' using a 5x5 heat map. After implementing controls, the residual risk is assessed as 'Medium'. What does this indicate about the control effectiveness?
128. In the FAIR framework, what does Loss Event Frequency (LEF) represent?
129. Which risk treatment option involves purchasing cyber insurance?
130. A risk analyst is performing a quantitative risk analysis using the FAIR framework. Which TWO factors are multiplied to calculate Loss Event Frequency (LEF)?
131. During an IT risk assessment, the risk team identifies a high inherent risk for a legacy application. The team is evaluating control options. Which THREE are considered preventive controls?
132. A company is assessing the impact of a potential ransomware attack. Which TWO impact categories are considered operational impacts?
133. A risk practitioner is calculating the residual risk for a critical asset. Which THREE factors should be considered?
134. In a qualitative risk assessment, which TWO elements are typically used to determine the risk rating?
135. A company is prioritizing risk treatment actions. Which THREE factors should be considered when prioritizing risks?
136. A company is considering using a qualitative risk assessment approach to evaluate IT risks. Which TWO of the following are advantages of qualitative risk analysis over quantitative risk analysis?
137. An organization is using the FAIR framework to perform a quantitative risk analysis for a data breach scenario. Which THREE of the following are components of the Annualized Loss Expectancy (ALE) calculation in FAIR?
138. During an IT risk assessment, a risk owner has identified a risk with a high inherent risk score. After reviewing control effectiveness, the residual risk remains medium. The organization decides to accept the residual risk. Which TWO of the following actions should the risk owner take?
139. A company is evaluating control types for a new system. The security team proposes implementing an intrusion detection system (IDS) and a backup restoration process. Which TWO control types do these represent, respectively?
140. An organization is conducting a risk assessment and finds that the inherent risk for a critical asset is very high due to a high threat event frequency and high vulnerability. The current controls are assessed as adequate in design but not operating effectively. Which THREE of the following should be considered when calculating residual risk?
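The arithmetic behind the numeric questions above (FAIR's LEF = TEF × Vulnerability and ALE = LEF × Loss Magnitude, the classic ALE = SLE × ARO, the 5×5 heat-map score, residual risk after controls, and the control-benefit question) collected into one worked example. This is Python written for this page, not Courseiva's or ISACA's code. Three things in it are assumptions rather than anything the questions state: the default rating bands on the 1..25 score (organizations define their own; question 11's "12-25 is high" map is reproduced by passing its bands explicitly), the convention that combined control effectiveness is design adequacy × operating effectiveness, and the convention residual = inherent × (1 − effectiveness), which happens to reproduce question 50's 20 → 8. The Monte Carlo function uses a constructed min / most-likely / max loss range to show what question 86 is getting at: a single-point ALE hides the spread in the estimate.

```python
"""Worked calculations for the FAIR, SLE x ARO, heat-map and residual-risk questions
above (added example; conventions marked 'assumed' are illustrative, not ISACA's)."""
import math
import random
from statistics import mean


# ---- FAIR: Loss Event Frequency, Loss Magnitude, ALE ----
def loss_event_frequency(tef: float, vulnerability: float) -> float:
    """FAIR: LEF = TEF x Vulnerability. TEF is threat events per year; Vulnerability
    is the probability (0..1) that a threat event becomes a loss event."""
    if tef < 0 or not 0.0 <= vulnerability <= 1.0:
        raise ValueError("TEF must be >= 0 and Vulnerability a probability in [0, 1]")
    return tef * vulnerability

def loss_magnitude(primary_loss: float, secondary_loss: float = 0.0) -> float:
    """FAIR: LM = Primary Loss + Secondary Loss, per loss event."""
    return primary_loss + secondary_loss

def fair_ale(tef, vulnerability, primary_loss, secondary_loss=0.0) -> float:
    """ALE = LEF x LM, in currency units per year."""
    return loss_event_frequency(tef, vulnerability) * loss_magnitude(primary_loss, secondary_loss)


# ---- Classic quantitative analysis: SLE x ARO ----
def classic_ale(sle: float, aro: float) -> float:
    """ALE = SLE x ARO (single loss expectancy x annualized rate of occurrence)."""
    return sle * aro

def aro_from_ale(ale: float, sle: float) -> float:
    """Rearranged: ARO = ALE / SLE."""
    if sle <= 0:
        raise ValueError("SLE must be positive")
    return ale / sle

def control_value(ale_before: float, ale_after: float, annual_control_cost: float):
    """Returns (gross ALE reduction, net annualized benefit after the control's cost).
    A negative net value means the control costs more than the loss it avoids."""
    reduction = ale_before - ale_after
    return reduction, reduction - annual_control_cost


# ---- Qualitative 5x5 likelihood x impact heat map ----
# Assumed band floors on the 1..25 score; real heat maps are organization-defined.
RATING_BANDS = ((20, "critical"), (12, "high"), (5, "medium"), (1, "low"))

def risk_score(likelihood: int, impact: int) -> int:
    """Score = likelihood x impact, each an integer on a 1..5 scale."""
    if likelihood not in range(1, 6) or impact not in range(1, 6):
        raise ValueError("likelihood and impact must be integers 1..5")
    return likelihood * impact

def risk_rating(score: int, bands=RATING_BANDS) -> str:
    """Map a score to the first band whose floor it meets (bands sorted high to low)."""
    for floor, label in bands:
        if score >= floor:
            return label
    raise ValueError(f"score {score} is below the lowest band")


# ---- Residual risk from control effectiveness ----
def control_effectiveness(design_adequacy: float, operating_effectiveness: float) -> float:
    """Assumed convention: combined effectiveness = design x operating (both 0..1), so a
    well-designed control that is not consistently operated still scores low."""
    if not (0.0 <= design_adequacy <= 1.0 and 0.0 <= operating_effectiveness <= 1.0):
        raise ValueError("effectiveness factors are fractions in [0, 1]")
    return design_adequacy * operating_effectiveness

def residual_risk(inherent: float, effectiveness: float) -> float:
    """Assumed convention: residual = inherent x (1 - effectiveness)."""
    return inherent * (1.0 - effectiveness)


# ---- Monte Carlo: what a single-point ALE hides ----
def _poisson(rng: random.Random, lam: float) -> int:
    """Knuth's Poisson sampler; fine for the small event rates used here."""
    threshold, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p < threshold:
            return k
        k += 1

def monte_carlo_ale(tef, vulnerability, lm_low, lm_mode, lm_high, trials=10_000, seed=1):
    """Simulate annual loss: events per year ~ Poisson(LEF); each event's loss is drawn
    from a triangular (min / most likely / max) loss-magnitude estimate (constructed
    inputs). Returns (mean annual loss, 5th percentile, 95th percentile)."""
    rng = random.Random(seed)
    lef = loss_event_frequency(tef, vulnerability)
    annual = sorted(
        sum(rng.triangular(lm_low, lm_high, lm_mode) for _ in range(_poisson(rng, lef)))
        for _ in range(trials)
    )
    return mean(annual), annual[int(0.05 * trials)], annual[int(0.95 * trials)]
```

Calling `fair_ale(10, 0.2, 50_000, 20_000)` gives question 2's answer (LEF 2 × LM 70,000 = 140,000 per year); `control_value(150_000, 30_000, 20_000)` separates question 67's gross reduction (120,000) from the net benefit after the control's own cost (100,000); and `monte_carlo_ale(50, 0.1, 5_000, 10_000, 20_000)` returns a mean near 58,000 with a 5th to 95th percentile band several times wider, which is the spread a point estimate of 50,000 conceals.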
The IT Risk Assessment domain covers the key concepts tested in this area of the CRISC exam blueprint published by ISACA. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all CRISC domains — no account required.
The Courseiva CRISC question bank contains 140 questions in the IT Risk Assessment domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
The session launcher on this page draws questions exclusively from the IT Risk Assessment domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.