Practice CRISC IT Risk Identification questions with full explanations on every answer.
1. An organization is developing its IT risk universe. Which of the following is the BEST source of information for identifying potential IT risks?
2. A company is adopting a DevSecOps approach and wants to conduct threat modeling early in the development lifecycle. Which threat modeling methodology is BEST suited for this environment due to its focus on agile and continuous integration?
3. During a risk identification workshop, a risk owner proposes a scenario: 'A disgruntled employee with privileged access exfiltrates customer data to a competitor.' In the context of the ISACA risk scenario template, which element is missing if the scenario only includes the actor, threat type, event, and asset?
4. An organization is categorizing IT risks. Which of the following risk categories would include the risk of regulatory fines due to non-compliance with data protection laws?
5. A risk analyst is building a risk register. After identifying a list of risks, what is the NEXT step in the risk identification process according to ISACA best practices?
6. A multinational corporation uses commercial threat intelligence feeds and participates in an ISAC. However, they recently missed a critical vulnerability exploited in the wild that was not in their feeds. Which additional source should they incorporate to improve vulnerability identification?
7. A company is developing risk scenarios for business impact analysis. Which of the following scenario components directly links the risk event to potential financial loss?
8. Which of the following is a key characteristic of a well-maintained risk register?
9. A financial services firm uses SAST and DAST tools in its application security testing. However, they are struggling to prioritize vulnerabilities from the large number of findings. Which additional technique would BEST help identify the most critical vulnerabilities in the context of business risk?
10. An organization's board has set a risk appetite statement that says: 'We accept moderate levels of operational risk but will not tolerate any compliance violations.' During risk identification, which type of risk should be given the HIGHEST priority?
11. A security team is using the STRIDE threat modeling methodology for a new web application. Which threat type under STRIDE would be MOST relevant to a SQL injection vulnerability?
12. An organization is conducting a vulnerability assessment of its IT assets. Which of the following sources is MOST authoritative for identifying known software vulnerabilities?
13. A risk manager is developing risk scenarios to present to the board. Which TWO elements are essential for connecting a risk scenario to business impact?
14. A company is implementing a risk identification process for third-party risks. Which THREE factors should be considered when identifying risks from a critical software vendor?
15. An IT risk manager is categorizing risks identified during a recent assessment. Which TWO categories would include the risk of a system outage caused by a software bug?
16. An organization is developing an IT risk universe. Which of the following is the PRIMARY purpose of creating a comprehensive IT risk universe?
17. During a risk assessment, the risk practitioner is identifying threats to an application. Which threat modeling technique is specifically designed to analyze application threats using categories such as Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege?
18. An organization has a risk appetite statement that says 'We accept up to $5 million in operational losses per year.' However, a new cloud migration project is estimated to have a potential operational loss of $8 million if a critical failure occurs. The risk capacity of the organization is $20 million. What should the risk practitioner recommend?
19. A risk practitioner is creating a risk scenario for a ransomware attack. Which of the following is the BEST sequence to describe the scenario using the ISACA risk scenarios template?
20. Which of the following is a threat intelligence source that provides information about known exploited vulnerabilities, maintained by a government agency?
21. During a vulnerability assessment, a risk practitioner identifies that a web application is vulnerable to SQL injection, which is listed in the OWASP Top 10. Which type of vulnerability identification technique MOST likely discovered this issue?
22. An organization has a risk register that includes risks related to regulatory compliance, such as GDPR and SOX. The risk practitioner is now categorizing these risks. Which risk category would BEST fit these compliance-related risks?
23. A risk practitioner is developing a risk scenario for a data breach caused by an insider threat. Which of the following is the MOST realistic and complete risk scenario?
24. Which of the following threat actors is MOST likely to be motivated by ideology rather than financial gain?
25. A risk practitioner is updating the risk register after a third-party security incident. Which of the following is the MOST important information to include in the risk register entry for this third-party risk?
26. An organization uses the PASTA threat modeling methodology for a new e-commerce platform. Which of the following is a key characteristic of PASTA?
27. When identifying vulnerabilities, which of the following is the BEST source for configuration-related vulnerabilities in operating systems?
28. Which TWO of the following are examples of operational vulnerabilities that a risk practitioner might identify?
29. A risk practitioner is developing risk scenarios for a new cloud service. Which THREE of the following elements should be included in a complete risk scenario?
30. Which THREE of the following are common business impact categories used in risk scenarios?
31. Which of the following best describes the purpose of an IT risk universe?
32. A security analyst is using a threat modeling approach that focuses on identifying threats based on the system's requirements and design. Which threat modeling methodology is being used?
33. An organization has identified a new vulnerability in its web application that could allow SQL injection attacks. Which of the following sources would MOST likely have been used to identify this vulnerability?
34. During a risk assessment, the risk practitioner develops a scenario involving a disgruntled employee exfiltrating sensitive customer data through a USB drive. The organization has a strict policy against removable media but lacks technical controls to prevent USB usage. Which element of the risk scenario is the vulnerability?
35. Which of the following is the PRIMARY purpose of a risk register?
36. An organization is implementing a new cloud-based customer relationship management (CRM) system. Which of the following risk categories would BEST describe the risk of the CRM system failing to meet performance expectations?
37. A risk practitioner is using the ISACA risk scenario template to document a scenario. The template includes elements such as threat actor, threat type, event, asset/resource, timing, detection, and response. Which element describes the likelihood that the threat event will occur within a specific timeframe?
38. Which of the following threat actors is MOST likely to be motivated by financial gain and possess moderate to high technical capabilities?
39. An organization's board has issued a risk appetite statement indicating that the company is willing to accept a moderate level of operational risk but has zero tolerance for compliance violations. This statement primarily defines which of the following?
40. When using STRIDE for threat modeling, which threat category involves an attacker gaining unauthorized access to a system by pretending to be a legitimate user?
41. A risk practitioner is connecting a risk scenario to business impact. The scenario involves a ransomware attack that encrypts critical financial systems, resulting in a two-week outage. Which of the following is the MOST appropriate business impact category?
42. An organization is assessing risks related to a third-party cloud provider. Which of the following is the BEST source of threat intelligence for identifying threats targeting the cloud infrastructure?
43. A risk practitioner is updating the risk register and needs to categorize risks. Which TWO of the following are standard risk categories used in IT risk management?
44. A project manager is identifying risks for a new software development project using Agile methodology. Which THREE threat modeling techniques are BEST suited for Agile/DevSecOps environments?
45. When developing realistic risk scenarios, which THREE components are essential according to the ISACA risk scenario template?
46. During IT risk identification, which document serves as the central repository for all identified risks, their characteristics, and current status?
47. An organization is assessing risks related to a new cloud-based CRM system. The risk team is developing a risk scenario. Which of the following is the BEST example of a complete risk scenario following the ISACA template?
48. In the context of threat modeling for a web application, which technique is specifically designed to be integrated into Agile and DevSecOps processes, emphasizing collaboration and visualization?
49. A company's risk appetite statement specifies that the organization is willing to accept a moderate level of operational risk to achieve strategic agility. This statement directly influences which activity during IT risk identification?
50. Which of the following is a primary source of threat intelligence that provides real-time information about active cyber threats and indicators of compromise?
51. A bank is identifying IT risks and categorizes a potential data breach as both a compliance risk (due to GDPR) and a reputational risk. This is an example of:
52. During a threat modeling exercise using the STRIDE methodology, a security analyst identifies a threat where an attacker can modify data in transit between a web server and database. Which STRIDE category does this threat belong to?
53. An organization uses the CISA Known Exploited Vulnerabilities (KEV) catalog as a primary source for vulnerability identification. This catalog is BEST described as:
54. Which type of threat actor is characterized by having significant resources, advanced skills, and often state-sponsored objectives?
55. In developing a risk scenario, connecting a threat event to business impact is crucial. Which of the following is the BEST example of a properly connected risk scenario?
56. When performing asset-based vulnerability identification, a security analyst uses the Common Vulnerabilities and Exposures (CVE) database along with the National Vulnerability Database (NVD). Which of the following BEST describes the relationship between CVE and NVD?
57. An organization is updating its IT risk universe. Which of the following is the MOST important factor to consider when defining the universe?
58. A financial institution is identifying IT risks associated with a new mobile banking application. Which TWO threat modeling techniques are best suited for this scenario? (Select two.)
59. A risk manager is developing a risk scenario for a potential data breach involving a third-party cloud provider. According to the ISACA risk scenario template, which THREE elements must be included? (Select three.)
60. During a risk identification workshop, the team identifies several vulnerabilities. Which TWO of the following are examples of operational vulnerability identification? (Select two.)
61. During the risk identification process, an IT risk universe is defined. Which of the following BEST describes the purpose of an IT risk universe?
62. Which threat modeling technique is specifically designed to be integrated into Agile and DevSecOps processes, providing a visual and simple approach?
63. An organization's risk register contains a scenario: 'A nation-state actor exploits an unpatched vulnerability in a public-facing web application, leading to data exfiltration of customer PII.' According to ISACA's risk scenario template, which element is MISSING from this description?
64. A risk practitioner is categorizing IT risks for a manufacturing company. Which of the following risks would be classified as an 'operational' IT risk?
65. Which of the following is the PRIMARY source for identifying known software vulnerabilities in a systematic manner?
66. An organization uses threat intelligence feeds from an Information Sharing and Analysis Center (ISAC). What is the PRIMARY benefit of using ISACs?
67. A company's risk appetite statement says it is willing to accept moderate levels of operational risk but has low tolerance for compliance risk. During risk identification, which of the following scenarios should be IMMEDIATELY escalated to senior management?
68. Which of the following BEST describes the difference between a threat actor who is a 'hacktivist' and one who is an 'organized crime' actor?
69. A risk scenario is being developed for a phishing attack leading to credential theft. Using ISACA's risk scenario template, which component would describe the 'threat event'?
70. Which of the following is an example of a 'configuration vulnerability' that should be identified during vulnerability assessment?
71. When developing IT risk scenarios, connecting them to business impact is critical. Which of the following BEST describes how a risk practitioner should link a technical scenario to business impact?
72. An organization is conducting a threat identification exercise using the STRIDE model. Which threat type would be MOST relevant when analyzing a banking application that allows fund transfers between accounts?
73. A risk practitioner is identifying vulnerabilities in an organization's IT environment. Which TWO of the following are examples of 'operational vulnerability identification'? (Choose two.)
74. During risk identification, a risk manager is reviewing threat intelligence sources. Which THREE of the following are considered legitimate sources of threat intelligence? (Choose three.)
75. A risk register is being created for a new ERP implementation project. Which TWO of the following risks should be included in the project's risk register? (Choose two.)
76. A retail company is establishing an IT risk universe. Which of the following should be included as a primary category of IT risk?
77. During a threat modeling exercise for a new web application, the team uses STRIDE. Which threat type under STRIDE corresponds to an attacker modifying data in transit?
78. A risk practitioner is developing a risk scenario for a potential ransomware attack. Using the ISACA risk scenario template, which element describes the entity that initiates the attack?
79. A financial institution uses threat intelligence from an Information Sharing and Analysis Center (ISAC). This is an example of which type of threat intelligence source?
80. Which threat actor is most likely motivated by political ideology and may target government systems?
81. A security analyst is reviewing CVE entries and NVD data to identify vulnerabilities in software assets. This activity is part of which vulnerability identification approach?
82. An organization uses the PASTA threat modeling methodology. In which stage would the team identify threat agents and their capabilities?
83. A risk manager is categorizing IT risks. Which risk category would a potential fine for violating GDPR be assigned to?
84. Which of the following best describes risk capacity?
85. A company is updating its risk register. Which of the following is the primary purpose of a risk register?
86. During a VAST threat modeling session for a DevSecOps pipeline, the team focuses on threats that align with agile development. Which of the following is a key advantage of VAST?
87. A risk analyst is identifying operational vulnerabilities. Which TWO of the following are examples of operational vulnerability identification?
88. Which THREE of the following are common consequences in an IT risk scenario?
89. A risk practitioner is using the TRIKE threat modeling methodology. Which TWO of the following are characteristics of TRIKE?
90. Which TWO of the following are types of insider threats?
91. A multinational corporation is developing a new e-commerce platform using microservices architecture. The security team is conducting a threat modeling exercise to identify potential application-level threats. Which TWO threat modeling methodologies are most appropriate for this DevSecOps environment?
92. An organization is updating its IT risk universe to include emerging threats. The CISO wants to ensure the risk register captures realistic risk scenarios. Which THREE components are essential for constructing a complete risk scenario according to ISACA's risk scenario template?
93. A financial services firm is assessing vulnerabilities in its web application. The team wants to identify application-level vulnerabilities that could be exploited. Which TWO vulnerability identification techniques should be prioritized for this purpose?
94. An organization is creating a risk register for its IT risk universe. The risk manager needs to categorize risks to align with the enterprise risk management framework. Which TWO risk categories are most commonly used in IT risk identification?
95. A critical infrastructure organization is enhancing its threat identification capabilities. The risk team wants to leverage threat intelligence sources to identify emerging threats. Which THREE sources are most relevant for obtaining actionable threat intelligence?
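Several of the questions above (6, 12, 20, 53, 56, 65, 81) turn on how the CVE identifier, the NVD record and the CISA KEV catalog fit together in vulnerability identification. The following worked example, added here and not part of the question bank, shows the check a practitioner actually runs: take a scanner export keyed by CVE ID and cross-reference it against a KEV-format catalog so that vulnerabilities with confirmed in-the-wild exploitation rise to the top of the register. The JSON layout follows the field names of the public KEV feed (cveID, vendorProject, product, dateAdded, dueDate, knownRansomwareCampaignUse), but the catalog entries, the scan findings, the host names and the scoring weights are all constructed for illustration and are not authoritative; CVE-2023-99999 in particular is a placeholder, not a real assignment.

```python
"""Cross-reference scanner findings against a KEV-format catalog.

Added example for the CRISC risk-identification questions above; the
catalog entries, hosts and scoring weights below are constructed, not
taken from the live CISA feed.
"""
import json
from datetime import date

# Constructed sample using the field names of the CISA KEV JSON feed.
# The values are illustrative only; consult the live catalog for real dates.
KEV_SAMPLE_JSON = """{
  "title": "Constructed KEV-format sample",
  "catalogVersion": "sample",
  "dateReleased": "2024-06-01T00:00:00.0000Z",
  "count": 2,
  "vulnerabilities": [
    {"cveID": "CVE-2021-44228", "vendorProject": "Apache", "product": "Log4j2",
     "vulnerabilityName": "Apache Log4j2 Remote Code Execution Vulnerability",
     "dateAdded": "2021-12-10", "shortDescription": "JNDI lookup RCE (sample text)",
     "requiredAction": "Apply updates per vendor instructions.",
     "dueDate": "2021-12-24", "knownRansomwareCampaignUse": "Known", "notes": ""},
    {"cveID": "CVE-2014-0160", "vendorProject": "OpenSSL", "product": "OpenSSL",
     "vulnerabilityName": "OpenSSL Information Disclosure Vulnerability",
     "dateAdded": "2022-05-04", "shortDescription": "Heartbeat over-read (sample text)",
     "requiredAction": "Apply updates per vendor instructions.",
     "dueDate": "2022-05-25", "knownRansomwareCampaignUse": "Unknown", "notes": ""}
  ]
}"""

# Constructed scanner export: one row per (host, CVE). CVE-2023-99999 is a
# placeholder ID standing in for "a CVE the sample catalog does not list".
SCAN_FINDINGS = [
    {"host": "web-01", "cve": "CVE-2021-44228", "exposure": "internet"},
    {"host": "db-02", "cve": "CVE-2014-0160", "exposure": "internal"},
    {"host": "build-03", "cve": "CVE-2023-99999", "exposure": "internal"},
    {"host": "app-04", "cve": "CVE-2023-99999", "exposure": "internet"},
]


def load_kev(kev_json: str) -> dict:
    """Index a KEV-format catalog by CVE ID for O(1) lookups."""
    catalog = json.loads(kev_json)
    return {entry["cveID"]: entry for entry in catalog["vulnerabilities"]}


def prioritize(findings: list, kev: dict, today: date) -> list:
    """Rank findings: KEV membership first, then ransomware use, exposure, lateness.

    The weights are an illustrative policy, not a standard; the point is that
    a CVE confirmed exploited in the wild outranks any number of unexploited
    ones regardless of CVSS score.
    """
    ranked = []
    for f in findings:
        entry = kev.get(f["cve"])
        in_kev = entry is not None
        ransomware = in_kev and entry.get("knownRansomwareCampaignUse") == "Known"
        # dueDate is the federal remediation deadline; past-due means the
        # exploitation window has been open for a long time.
        overdue = in_kev and date.fromisoformat(entry["dueDate"]) < today
        score = 0
        if in_kev:
            score += 100
        if ransomware:
            score += 50
        if f["exposure"] == "internet":
            score += 25
        if overdue:
            score += 10
        ranked.append({
            "host": f["host"], "cve": f["cve"], "in_kev": in_kev,
            "ransomware": ransomware, "overdue": overdue, "score": score,
            "required_action": entry["requiredAction"] if in_kev else None,
        })
    ranked.sort(key=lambda r: (-r["score"], r["host"]))
    return ranked


def kev_gap(findings: list, kev: dict) -> list:
    """CVE IDs seen by the scanner but absent from the catalog, for NVD follow-up."""
    return sorted({f["cve"] for f in findings if f["cve"] not in kev})


if __name__ == "__main__":
    kev = load_kev(KEV_SAMPLE_JSON)
    for row in prioritize(SCAN_FINDINGS, kev, date(2024, 6, 1)):
        print(row)
    print("Not in sample KEV (check NVD):", kev_gap(SCAN_FINDINGS, kev))
```

In practice the KEV feed is fetched from CISA and the findings come from a scanner export; the ordering logic stays the same. Anything returned by `kev_gap` is not "safe", it is simply unconfirmed as exploited, and goes back to the NVD record and the vendor advisory for severity and exploit maturity.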
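Questions 11, 21 and 33 use SQL injection as the concrete vulnerability behind a STRIDE threat and behind the choice between code review and dynamic testing. The example below, added here and not drawn from the question bank or its answer explanations, shows the vulnerable pattern beside its hardened form against an in-memory SQLite database so the two can be compared on the same input: string-building lets the attacker tamper with the query structure, while a parameterised query keeps the input as data. The table, credentials and payload are constructed test data.

```python
"""SQL injection: query built by string concatenation versus a bound parameter.

Added example for the STRIDE / vulnerability-identification questions above.
The users table and credentials are constructed test data.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed test database with two accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Deliberately vulnerable: untrusted input is spliced into the SQL text.

    The attacker controls part of the statement, which is Tampering in STRIDE
    terms; the resulting information disclosure or auth bypass is the impact.
    """
    sql = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Hardened: the statement is fixed and the values are bound by the driver."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


# A classic tautology payload used as the password field. In the vulnerable
# version the WHERE clause becomes
#   username = 'alice' AND password = 'x' OR '1'='1'
# and SQL's AND-before-OR precedence makes it true for every row.
INJECTION_PAYLOAD = "x' OR '1'='1"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", login_vulnerable(db, "alice", INJECTION_PAYLOAD))
    print("safe:      ", login_safe(db, "alice", INJECTION_PAYLOAD))
    print("legit:     ", login_safe(db, "alice", "s3cret"))
```

A DAST tool finds the first function by sending payloads like `INJECTION_PAYLOAD` and watching the response change; a SAST tool or code review finds it by spotting the string concatenation feeding `execute`. Both land on the same fix.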
The IT Risk Identification domain covers the key concepts tested in this area of the CRISC exam blueprint published by ISACA. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all CRISC domains — no account required.
The Courseiva CRISC question bank contains 95 questions in the IT Risk Identification domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
Yes — the session launcher on this page draws questions exclusively from the IT Risk Identification domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.