Courseiva
Knowledge + Practice
© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

CRISC · Free — No Signup

IT Risk Assessment

Practice CRISC IT Risk Assessment questions with full explanations on every answer.

140 questions

IT Risk Assessment — choose a session length

10 questions (~10 min) · 20 questions (~20 min) · 30 questions (~30 min) · 50 questions (~50 min)

Free · No account required

CRISC Domains

IT Risk Identification · IT Risk Assessment · Risk Response and Reporting · Information Technology and Security · Risk Response and Mitigation · Risk and Control Monitoring and Reporting

Practice IT Risk Assessment questions

All CRISC IT Risk Assessment questions (140)

Click any question to see the full explanation and answer options, or start a focused practice session above.

1

An organization uses a 5×5 risk heat map to assess IT risks. Which of the following is the PRIMARY advantage of this qualitative approach?

2

A company is evaluating the risk of a data breach using the FAIR framework. The threat event frequency is estimated at 10 per year, and the vulnerability is 0.2. The primary loss per event is $50,000 and secondary loss is $20,000. What is the annualized loss expectancy (ALE)?

3

An organization has identified a high-risk IT process that, if continued, could result in significant regulatory fines. The risk owner recommends implementing additional controls. However, the cost of controls exceeds the potential financial loss. Which risk treatment option is MOST appropriate?

4

During an IT risk assessment, the risk practitioner calculates the inherent risk score for a critical application as 25 (on a 5×5 matrix). After evaluating control effectiveness, the residual risk score is 9. What can be inferred about the controls?

5

Which of the following is a detective control for an information system?

6

A quantitative risk assessment for a server shows an ARO of 0.5 and SLE of $200,000. What is the ALE, and what does it imply?

7

An organization is assessing the risk of a ransomware attack. The threat actor capability is high, but vulnerability is low due to strong patching. However, the business impact is severe. According to FAIR, which factor most directly influences Loss Event Frequency (LEF)?

8

Which risk treatment option involves eliminating the activity that creates the risk?

9

A risk practitioner is prioritizing IT risks for treatment. Which factor should be the PRIMARY basis for prioritization?

10

In the FAIR model, which component represents the probable frequency, within a given timeframe, that a threat agent will act against an asset?

11

An organization uses a qualitative risk assessment and assigns a likelihood of '3' and impact of '4' on a 5-point scale. The heat map defines risk scores 12-25 as high. What is the risk rating?

12

Which type of control is designed to reduce the likelihood of a risk event occurring?

13

A risk assessment for a cloud migration identifies high inherent risk. The risk practitioner evaluates controls. Which TWO components are necessary to calculate residual risk?

14

An organization is performing a quantitative risk analysis using the FAIR framework. Which THREE of the following are direct components of the FAIR model?

15

An organization is evaluating risk treatment options for a critical vulnerability. Which TWO options would be considered risk mitigation?

16

A risk manager is using a 5×5 likelihood-impact matrix to assess a set of identified risks. What is the PRIMARY advantage of using this qualitative method?

17

An organization uses the FAIR framework to calculate annualized loss expectancy (ALE) for a specific risk. Given that the single loss expectancy (SLE) is $50,000 and the annualized rate of occurrence (ARO) is 0.2, what is the ALE?

18

After implementing a set of controls for a critical risk, the residual risk is calculated. The risk owner argues that the residual risk remains high and requires further treatment. Which of the following BEST describes the relationship between inherent risk, control effectiveness, and residual risk?

19

A risk assessment identifies a high-likelihood, high-impact risk associated with a legacy system. The business owner decides to decommission the system to eliminate the risk. Which risk treatment option is being applied?

20

During a quantitative risk analysis, the risk team calculates the loss event frequency (LEF) using the FAIR framework. If the threat event frequency (TEF) is 10 per year and the vulnerability (V) is 0.3, what is the LEF?

21

Which control type is designed to stop a risk event from occurring?

22

An organization is evaluating risks and decides to purchase cyber insurance to cover potential financial losses from data breaches. Which risk treatment option does this represent?

23

A risk assessment report includes both inherent and residual risk ratings. The inherent risk for a process is rated as 'high' based on a 5×5 heat map. After applying a set of controls, the residual risk is rated as 'medium'. What does this indicate about the control effectiveness?

24

In the FAIR framework, loss magnitude (LM) is composed of primary loss and secondary loss. Which of the following is an example of secondary loss?

25

Which of the following is a limitation of qualitative risk analysis?

26

An organization identifies a risk that is within its risk appetite. The risk owner decides to formally document the risk and accept it without implementing additional controls. Which of the following is required for this risk acceptance?

27

In a quantitative risk analysis, the annualized loss expectancy (ALE) is calculated as $1 million. If the organization implements a control that reduces the ARO from 0.5 to 0.1, and the SLE remains constant at $2 million, what is the new ALE?

28

A risk assessment team is prioritizing risks for treatment using inherent risk ratings. Which TWO factors should be considered when deciding which risks to treat first?

29

An organization is assessing control effectiveness for a key process. Which TWO aspects should be evaluated to determine if a control is effective?

30

A risk manager is evaluating the impact assessment for a potential data breach. Which THREE categories of impact should be considered in a comprehensive business impact analysis?

31

A risk analyst uses a 5×5 heat map to evaluate a set of IT risks. For a particular risk, the likelihood is rated as 4 (likely) and impact as 5 (very high). What is the resulting risk rating?

32

An organization using the FAIR framework estimates that a threat event frequency (TEF) is 10 per year, vulnerability is 0.2, and loss magnitude per event is $500,000. What is the annualized loss expectancy (ALE)?

33

Which of the following best describes an advantage of qualitative risk analysis over quantitative risk analysis?

34

A company decides to purchase cyber insurance to cover potential losses from a data breach. This is an example of which risk treatment option?

35

After implementing a set of controls, the risk owner calculates the residual risk. Which of the following is true about residual risk?

36

In the FAIR framework, which of the following correctly represents the calculation of Loss Event Frequency (LEF)?

37

A risk assessment reveals a high inherent risk that is within the organization's risk appetite. The risk owner documents the risk and formally accepts it. This is an example of which risk treatment option?

38

Which control type is primarily focused on identifying that a risk event has occurred?

39

An organization assesses a risk and determines the inherent risk score is 20 (critical). After implementing controls, the residual risk score is 8 (medium). What does this indicate about the controls?

40

A company's risk assessment identifies that a threat actor has high capability and motivation to exploit a vulnerability. Which factor does this relate to?

41

Which of the following is an example of a preventive control?

42

In assessing control effectiveness, an IS auditor evaluates both design adequacy and operating effectiveness. Which of the following indicates that a control is operating effectively?

43

A risk assessment identifies that a critical application has a vulnerability with a high likelihood of exploitation. The risk owner proposes to implement a web application firewall (WAF) as a mitigating control. Which TWO of the following are likely benefits of this control?

44

An organization is evaluating the impact of a potential data breach. Which THREE of the following are considered indirect financial impacts?

45

When performing a risk assessment, which TWO of the following are components of inherent risk?

46

A risk practitioner is using a 5×5 heat map with likelihood and impact ratings. Which of the following is a key advantage of this qualitative risk analysis approach?

47

An organization is evaluating the risk of a data breach using the FAIR framework. The threat event frequency is estimated at 10 per year, the vulnerability is 0.2, and the loss magnitude is $500,000 per event. What is the annualized loss expectancy (ALE)?

48

During an IT risk assessment, a risk owner identifies a risk that is within the organization's risk appetite. The recommended risk treatment option is to:

49

Which of the following is a limitation of quantitative risk analysis?

50

A company has an inherent risk score of 20 for a specific threat. After implementing controls, the control effectiveness is assessed as 60% (design adequacy 70%, operating effectiveness 85%). What is the approximate residual risk score?

51

Which of the following is an example of a detective control?

52

An organization is considering outsourcing its payroll processing to a third party. The risk assessment shows that the inherent risk of payroll errors is high, but the vendor contract includes liability clauses and the organization obtains cyber insurance. This risk treatment is best described as:

53

When prioritizing risk treatment actions, which of the following should be the primary consideration?

54

In the FAIR framework, Loss Event Frequency (LEF) is calculated as:

55

Which of the following best describes residual risk?

56

A risk assessment reveals that the likelihood of a phishing attack is high, and the impact is moderate. The organization decides to implement security awareness training and email filtering. This is an example of which risk treatment?

57

In qualitative risk analysis, a risk with a likelihood rating of 'High' and an impact rating of 'High' on a 5×5 heat map would typically be classified as:

58

A risk practitioner is conducting a business impact assessment for a critical application. Which TWO of the following are examples of direct financial costs? (Select TWO)

59

An organization is assessing control effectiveness for a firewall. Which THREE factors should be evaluated to determine control effectiveness? (Select THREE)

60

A company is considering risk transfer for a new IT project. Which TWO options represent valid risk transfer mechanisms? (Select TWO)

61

An IT risk assessment team is using a 5×5 risk matrix with likelihood and impact ratings. A risk scenario is rated as likelihood = 4 (likely) and impact = 5 (catastrophic). According to the typical heat map, what would be the risk rating?

62

A company uses the FAIR model to perform a quantitative risk analysis. The threat event frequency (TEF) is estimated at 10 per year, vulnerability (V) is 0.5, and loss magnitude (LM) per event is $50,000. What is the annualized loss expectancy (ALE)?

63

A risk analyst is assessing a critical application's inherent risk. After implementing controls, the residual risk is calculated as high. The analyst determines that the control design is adequate but operating effectiveness is poor. Which factor most likely explains the high residual risk?

64

Which risk treatment option is being used when an organization decides to stop a business activity that creates a high-risk exposure?

65

An organization is considering purchasing cyber insurance to cover potential losses from a data breach. This is an example of which risk treatment option?

66

In a qualitative risk assessment, a risk owner argues that the likelihood of a cyberattack is low because the organization has strong perimeter defenses. However, the analyst notes that the impact would be catastrophic. Which limitation of qualitative analysis is most relevant?

67

A company calculates the annualized loss expectancy (ALE) for a server failure as $150,000. After implementing a backup solution costing $20,000 per year, the ALE drops to $30,000. What is the annualized benefit of the control?

68

Which of the following is a detective control?

69

A risk is assessed with an inherent risk score of 25 on a 5×5 matrix. After implementing controls, the residual risk score is 10. The control effectiveness is considered:

70

When prioritizing risk treatment actions, which of the following should be the primary consideration?

71

In the FAIR model, 'Loss Event Frequency' is calculated as:

72

Which of the following is an example of a corrective control?

73

An organization is evaluating whether to accept a risk. Which TWO conditions must be met for risk acceptance to be appropriate?

74

A quantitative risk analysis using FAIR requires estimating which THREE primary factors?

75

A risk analyst is assessing the impact of a potential ransomware attack. Which THREE categories of business impact should be considered?

76

A risk practitioner is using a 5×5 heat map to assess IT risks. Which of the following is the primary advantage of this qualitative approach?

77

An organization is evaluating the risk of a data breach using the FAIR framework. Which of the following components is part of Loss Event Frequency (LEF)?

78

Which risk treatment option involves formally acknowledging the risk and taking no further action, provided the risk is within the organization's risk appetite?

79

A company is assessing the risk of a ransomware attack. The security team estimates the threat event frequency as 2 attacks per year, vulnerability as 0.3 (30% chance of success), primary loss as $500,000, and secondary loss as $200,000. What is the annualized loss expectancy (ALE) using the FAIR framework?

80

During an IT risk assessment, the risk owner identifies a high inherent risk for a legacy system. After implementing a firewall and intrusion detection system, the residual risk is calculated. Which of the following best describes residual risk?

81

A bank is evaluating the impact of a potential system outage. Which of the following is an example of a direct financial cost associated with this impact?

82

An organization decides to outsource its data center operations to a cloud provider with strict contractual penalties for security breaches. This is an example of which risk treatment option?

83

A risk assessment identifies a critical vulnerability in a web application. Which control type would be most effective in preventing exploitation of this vulnerability?

84

During a risk assessment, a risk is assigned a likelihood of 'High' and an impact of 'Medium' on a 5×5 heat map. What is the risk rating?

85

A risk manager is prioritizing risks based on their inherent risk scores. Which of the following factors should be considered when prioritizing treatment actions?

86

A quantitative risk analysis for a phishing campaign estimates that threat event frequency is 50 per year, vulnerability is 0.1 (10% of users will click), and loss magnitude per successful attack is $10,000. However, the analyst notes a 90% confidence interval of $5,000 to $20,000 for loss magnitude. Which of the following best describes a limitation of this quantitative analysis?

87

An organization has implemented a firewall (preventive), intrusion detection system (detective), and a backup restoration plan (corrective) to address a specific risk. The risk manager assesses the control effectiveness as follows: design adequacy is strong, but operating effectiveness is weak due to inconsistent patching. Which of the following best describes the residual risk?

88

A risk assessment of a critical financial application identifies a high inherent risk due to outdated software. The risk manager is considering mitigation options. Which TWO of the following would be considered preventive controls?

89

A company is performing a qualitative risk analysis for a new cloud migration project. Which TWO of the following are recognized limitations of qualitative risk analysis?

90

A risk assessment identifies a threat with high likelihood and high impact. The risk owner proposes transferring the risk via cyber insurance. However, the insurance policy has a high deductible and excludes certain attack types. Which THREE of the following should be considered when evaluating the effectiveness of this risk transfer?

91

A risk assessment using a 5×5 heat map with likelihood and impact scores is an example of which type of risk analysis?

92

Which of the following is a key advantage of using a quantitative risk analysis approach such as FAIR?

93

An organization calculates the annualized loss expectancy (ALE) for a cyber attack scenario. The single loss expectancy (SLE) is $50,000 and the annualized rate of occurrence (ARO) is 2. What is the ALE?

94

In the FAIR framework, Loss Event Frequency (LEF) is calculated as:

95

A risk manager decides to accept a risk because the cost of controls exceeds the potential loss. Which of the following is required for this risk treatment option?

96

Which risk treatment option involves eliminating the activity that creates the risk?

97

An organization implements an intrusion detection system (IDS) to monitor for security incidents. This is an example of which type of control?

98

After implementing controls, the risk remaining is called:

99

An organization has an inherent risk score of 20 for a process. After controls, the residual risk score is 8. If the control design is assessed as adequate but operating effectiveness is only 60%, what is the control effectiveness adjustment?

100

Which of the following best describes the primary limitation of qualitative risk analysis?

101

A company uses cyber insurance to cover losses from data breaches. This is an example of which risk treatment?

102

When prioritizing risk treatment actions, which factor is most important to consider alongside the risk level?

103

Which TWO of the following are examples of corrective controls?

104

Which THREE of the following are components of Loss Magnitude in the FAIR framework?

105

Which TWO of the following are considered direct costs in the financial impact assessment of a risk event?

106

A risk manager is using a 5×5 heat map to assess IT risks. Which of the following best describes the primary limitation of this qualitative risk analysis approach?

107

An organization is evaluating the risk of a ransomware attack. Using the FAIR framework, which of the following components directly multiplies to calculate Loss Event Frequency (LEF)?

108

A company identifies a high inherent risk in its online payment system. After implementing a Web Application Firewall (WAF) and conducting quarterly penetration tests, the residual risk is assessed as medium. Which of the following best explains the relationship between inherent risk, controls, and residual risk?

109

During an IT risk assessment, the risk owner decides to accept a risk that falls within the organization's risk appetite. Which of the following actions is most appropriate for the risk owner to take?

110

A quantitative risk analysis for a data breach yields an Annualized Loss Expectancy (ALE) of $500,000. The Single Loss Expectancy (SLE) is $100,000. What is the Annualized Rate of Occurrence (ARO)?

111

A company is considering outsourcing its data center operations to a cloud provider. Which risk treatment option is the company primarily exercising?

112

In a qualitative risk assessment using a 5×5 heat map, an IT risk is rated with likelihood 4 and impact 5. According to typical heat map conventions (5=Critical, 4=High, 3=Medium, 2=Low, 1=Informational), what is the overall risk rating?

113

Which of the following is an example of a detective control in IT risk management?

114

A risk assessment identifies a vulnerability in a critical application. The threat actor is a script kiddie with low capability. Using the FAIR framework, which factor would most directly increase the Loss Event Frequency (LEF)?

115

After implementing controls for a high-risk IT process, the residual risk is calculated as medium. The risk owner argues that the controls are not adequate because the inherent risk was critical. Which of the following should be the primary basis for determining control adequacy?

116

An organization decides to discontinue a high-risk business process that cannot be effectively mitigated. This is an example of which risk treatment option?

117

In a quantitative risk analysis using FAIR, which of the following best represents Loss Magnitude (LM)?

118

An organization is evaluating the business impact of a potential ransomware attack. Which TWO impact categories should be considered as direct financial losses? (Select TWO)

119

A risk assessment team is prioritizing IT risks for treatment. Which THREE factors should be considered when prioritizing risks? (Select THREE)

120

An organization is implementing controls to mitigate the risk of data exfiltration. Which TWO control types would be considered preventive? (Select TWO)

121

A risk manager uses a 5×5 heat map to plot the likelihood and impact of identified risks. This approach is an example of which type of risk analysis?

122

During an IT risk assessment, the risk team calculates the Annualized Loss Expectancy (ALE) for a critical application. Which quantitative risk analysis framework is most commonly used for this calculation?

123

An organization uses the FAIR framework to assess the risk of a data breach. The risk analyst estimates that the Threat Event Frequency (TEF) is 10 per year, the Vulnerability (V) is 0.2, the Primary Loss per event is $50,000, and the Secondary Loss per event is $30,000. What is the Annualized Loss Expectancy (ALE)?

124

A risk owner decides to accept a risk because the cost of mitigation exceeds the potential loss, and the risk level is within the organization's risk appetite. What should the risk owner do next?

125

Which risk treatment option involves eliminating the activity that creates the risk?

126

A company is evaluating controls for a high-risk process. Which control type is designed to stop a risk event from occurring?

127

An organization calculated the inherent risk for a critical system as 'High' using a 5×5 heat map. After implementing controls, the residual risk is assessed as 'Medium'. What does this indicate about the control effectiveness?

128

In the FAIR framework, what does Loss Event Frequency (LEF) represent?

129

Which risk treatment option involves purchasing cyber insurance?

130

A risk analyst is performing a quantitative risk analysis using the FAIR framework. Which TWO factors are multiplied to calculate Loss Event Frequency (LEF)?

131

During an IT risk assessment, the risk team identifies a high inherent risk for a legacy application. The team is evaluating control options. Which THREE are considered preventive controls?

132

A company is assessing the impact of a potential ransomware attack. Which TWO impact categories are considered operational impacts?

133

A risk practitioner is calculating the residual risk for a critical asset. Which THREE factors should be considered?

134

In a qualitative risk assessment, which TWO elements are typically used to determine the risk rating?

135

A company is prioritizing risk treatment actions. Which THREE factors should be considered when prioritizing risks?

136

A company is considering using a qualitative risk assessment approach to evaluate IT risks. Which TWO of the following are advantages of qualitative risk analysis over quantitative risk analysis?

137

An organization is using the FAIR framework to perform a quantitative risk analysis for a data breach scenario. Which THREE of the following are components of the Annualized Loss Expectancy (ALE) calculation in FAIR?

138

During an IT risk assessment, a risk owner has identified a risk with a high inherent risk score. After reviewing control effectiveness, the residual risk remains medium. The organization decides to accept the residual risk. Which TWO of the following actions should the risk owner take?

139

A company is evaluating control types for a new system. The security team proposes implementing an intrusion detection system (IDS) and a backup restoration process. Which TWO control types do these represent, respectively?

140

An organization is conducting a risk assessment and finds that the inherent risk for a critical asset is very high due to a high threat event frequency and high vulnerability. The current controls are assessed as adequate in design but not operating effectively. Which THREE of the following should be considered when calculating residual risk?

Frequently asked questions

What does the IT Risk Assessment domain cover on the CRISC exam?

The IT Risk Assessment domain covers the key concepts tested in this area of the CRISC exam blueprint published by ISACA. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all CRISC domains — no account required.

How many IT Risk Assessment questions are in the CRISC question bank?

The Courseiva CRISC question bank contains 140 questions in the IT Risk Assessment domain. Click any question to see the full explanation and answer breakdown.

What is the best way to practice IT Risk Assessment for CRISC?

Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.

Can I practice only IT Risk Assessment questions for CRISC?

Yes — the session launcher on this page draws questions exclusively from the IT Risk Assessment domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.
