
IT Risk Identification

Practice CRISC IT Risk Identification questions with full explanations on every answer.

95 questions


All CRISC IT Risk Identification questions (95)


Click any question to see the full explanation and answer options, or start a focused practice session above.

1. An organization is developing its IT risk universe. Which of the following is the BEST source of information for identifying potential IT risks?
2. A company is adopting a DevSecOps approach and wants to conduct threat modeling early in the development lifecycle. Which threat modeling methodology is BEST suited for this environment due to its focus on agile and continuous integration?
3. During a risk identification workshop, a risk owner proposes a scenario: 'A disgruntled employee with privileged access exfiltrates customer data to a competitor.' In the context of the ISACA risk scenario template, which element is missing if the scenario only includes the actor, threat type, event, and asset?
4. An organization is categorizing IT risks. Which of the following risk categories would include the risk of regulatory fines due to non-compliance with data protection laws?
5. A risk analyst is building a risk register. After identifying a list of risks, what is the NEXT step in the risk identification process according to ISACA best practices?
6. A multinational corporation uses commercial threat intelligence feeds and participates in an ISAC. However, they recently missed a critical vulnerability exploited in the wild that was not in their feeds. Which additional source should they incorporate to improve vulnerability identification?
7. A company is developing risk scenarios for business impact analysis. Which of the following scenario components directly links the risk event to potential financial loss?
8. Which of the following is a key characteristic of a well-maintained risk register?
9. A financial services firm uses SAST and DAST tools in its application security testing. However, they are struggling to prioritize vulnerabilities from the large number of findings. Which additional technique would BEST help identify the most critical vulnerabilities in the context of business risk?
10. An organization's board has set a risk appetite statement that says: 'We accept moderate levels of operational risk but will not tolerate any compliance violations.' During risk identification, which type of risk should be given the HIGHEST priority?
11. A security team is using the STRIDE threat modeling methodology for a new web application. Which threat type under STRIDE would be MOST relevant to a SQL injection vulnerability?
12. An organization is conducting a vulnerability assessment of its IT assets. Which of the following sources is MOST authoritative for identifying known software vulnerabilities?
13. A risk manager is developing risk scenarios to present to the board. Which TWO elements are essential for connecting a risk scenario to business impact?
14. A company is implementing a risk identification process for third-party risks. Which THREE factors should be considered when identifying risks from a critical software vendor?
15. An IT risk manager is categorizing risks identified during a recent assessment. Which TWO categories would include the risk of a system outage caused by a software bug?
16. An organization is developing an IT risk universe. Which of the following is the PRIMARY purpose of creating a comprehensive IT risk universe?
17. During a risk assessment, the risk practitioner is identifying threats to an application. Which threat modeling technique is specifically designed to analyze application threats using categories such as Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege?
18. An organization has a risk appetite statement that says 'We accept up to $5 million in operational losses per year.' However, a new cloud migration project is estimated to have a potential operational loss of $8 million if a critical failure occurs. The risk capacity of the organization is $20 million. What should the risk practitioner recommend?
19. A risk practitioner is creating a risk scenario for a ransomware attack. Which of the following is the BEST sequence to describe the scenario using the ISACA risk scenarios template?
20. Which of the following is a threat intelligence source that provides information about known exploited vulnerabilities, maintained by a government agency?
21. During a vulnerability assessment, a risk practitioner identifies that a web application is vulnerable to SQL injection, which is listed in the OWASP Top 10. Which type of vulnerability identification technique MOST likely discovered this issue?
22. An organization has a risk register that includes risks related to regulatory compliance, such as GDPR and SOX. The risk practitioner is now categorizing these risks. Which risk category would BEST fit these compliance-related risks?
23. A risk practitioner is developing a risk scenario for a data breach caused by an insider threat. Which of the following is the MOST realistic and complete risk scenario?
24. Which of the following threat actors is MOST likely to be motivated by ideology rather than financial gain?
25. A risk practitioner is updating the risk register after a third-party security incident. Which of the following is the MOST important information to include in the risk register entry for this third-party risk?
26. An organization uses the PASTA threat modeling methodology for a new e-commerce platform. Which of the following is a key characteristic of PASTA?
27. When identifying vulnerabilities, which of the following is the BEST source for configuration-related vulnerabilities in operating systems?
28. Which TWO of the following are examples of operational vulnerabilities that a risk practitioner might identify?
29. A risk practitioner is developing risk scenarios for a new cloud service. Which THREE of the following elements should be included in a complete risk scenario?
30. Which THREE of the following are common business impact categories used in risk scenarios?
31. Which of the following best describes the purpose of an IT risk universe?
32. A security analyst is using a threat modeling approach that focuses on identifying threats based on the system's requirements and design. Which threat modeling methodology is being used?
33. An organization has identified a new vulnerability in its web application that could allow SQL injection attacks. Which of the following sources would MOST likely have been used to identify this vulnerability?
34. During a risk assessment, the risk practitioner develops a scenario involving a disgruntled employee exfiltrating sensitive customer data through a USB drive. The organization has a strict policy against removable media but lacks technical controls to prevent USB usage. Which element of the risk scenario is the vulnerability?
35. Which of the following is the PRIMARY purpose of a risk register?
36. An organization is implementing a new cloud-based customer relationship management (CRM) system. Which of the following risk categories would BEST describe the risk of the CRM system failing to meet performance expectations?
37. A risk practitioner is using the ISACA risk scenario template to document a scenario. The template includes elements such as threat actor, threat type, event, asset/resource, timing, detection, and response. Which element describes the likelihood that the threat event will occur within a specific timeframe?
38. Which of the following threat actors is MOST likely to be motivated by financial gain and possess moderate to high technical capabilities?
39. An organization's board has issued a risk appetite statement indicating that the company is willing to accept a moderate level of operational risk but has zero tolerance for compliance violations. This statement primarily defines which of the following?
40. When using STRIDE for threat modeling, which threat category involves an attacker gaining unauthorized access to a system by pretending to be a legitimate user?
41. A risk practitioner is connecting a risk scenario to business impact. The scenario involves a ransomware attack that encrypts critical financial systems, resulting in a two-week outage. Which of the following is the MOST appropriate business impact category?
42. An organization is assessing risks related to a third-party cloud provider. Which of the following is the BEST source of threat intelligence for identifying threats targeting the cloud infrastructure?
43. A risk practitioner is updating the risk register and needs to categorize risks. Which TWO of the following are standard risk categories used in IT risk management?
44. A project manager is identifying risks for a new software development project using Agile methodology. Which THREE threat modeling techniques are BEST suited for Agile/DevSecOps environments?
45. When developing realistic risk scenarios, which THREE components are essential according to the ISACA risk scenario template?
46. During IT risk identification, which document serves as the central repository for all identified risks, their characteristics, and current status?
47. An organization is assessing risks related to a new cloud-based CRM system. The risk team is developing a risk scenario. Which of the following is the BEST example of a complete risk scenario following the ISACA template?
48. In the context of threat modeling for a web application, which technique is specifically designed to be integrated into Agile and DevSecOps processes, emphasizing collaboration and visualization?
49. A company's risk appetite statement specifies that the organization is willing to accept a moderate level of operational risk to achieve strategic agility. This statement directly influences which activity during IT risk identification?
50. Which of the following is a primary source of threat intelligence that provides real-time information about active cyber threats and indicators of compromise?
51. A bank is identifying IT risks and categorizes a potential data breach as both a compliance risk (due to GDPR) and a reputational risk. This is an example of:
52. During a threat modeling exercise using the STRIDE methodology, a security analyst identifies a threat where an attacker can modify data in transit between a web server and database. Which STRIDE category does this threat belong to?
53. An organization uses the CISA Known Exploited Vulnerabilities (KEV) catalog as a primary source for vulnerability identification. This catalog is BEST described as:
54. Which type of threat actor is characterized by having significant resources, advanced skills, and often state-sponsored objectives?
55. In developing a risk scenario, connecting a threat event to business impact is crucial. Which of the following is the BEST example of a properly connected risk scenario?
56. When performing asset-based vulnerability identification, a security analyst uses the Common Vulnerabilities and Exposures (CVE) database along with the National Vulnerability Database (NVD). Which of the following BEST describes the relationship between CVE and NVD?
57. An organization is updating its IT risk universe. Which of the following is the MOST important factor to consider when defining the universe?
58. A financial institution is identifying IT risks associated with a new mobile banking application. Which TWO threat modeling techniques are best suited for this scenario? (Select two.)
59. A risk manager is developing a risk scenario for a potential data breach involving a third-party cloud provider. According to the ISACA risk scenario template, which THREE elements must be included? (Select three.)
60. During a risk identification workshop, the team identifies several vulnerabilities. Which TWO of the following are examples of operational vulnerability identification? (Select two.)
61. During the risk identification process, an IT risk universe is defined. Which of the following BEST describes the purpose of an IT risk universe?
62. Which threat modeling technique is specifically designed to be integrated into Agile and DevSecOps processes, providing a visual and simple approach?
63. An organization's risk register contains a scenario: 'A nation-state actor exploits an unpatched vulnerability in a public-facing web application, leading to data exfiltration of customer PII.' According to ISACA's risk scenario template, which element is MISSING from this description?
64. A risk practitioner is categorizing IT risks for a manufacturing company. Which of the following risks would be classified as an 'operational' IT risk?
65. Which of the following is the PRIMARY source for identifying known software vulnerabilities in a systematic manner?
66. An organization uses threat intelligence feeds from an Information Sharing and Analysis Center (ISAC). What is the PRIMARY benefit of using ISACs?
67. A company's risk appetite statement says it is willing to accept moderate levels of operational risk but has low tolerance for compliance risk. During risk identification, which of the following scenarios should be IMMEDIATELY escalated to senior management?
68. Which of the following BEST describes the difference between a threat actor who is a 'hacktivist' and one who is an 'organized crime' actor?
69. A risk scenario is being developed for a phishing attack leading to credential theft. Using ISACA's risk scenario template, which component would describe the 'threat event'?
70. Which of the following is an example of a 'configuration vulnerability' that should be identified during vulnerability assessment?
71. When developing IT risk scenarios, connecting them to business impact is critical. Which of the following BEST describes how a risk practitioner should link a technical scenario to business impact?
72. An organization is conducting a threat identification exercise using the STRIDE model. Which threat type would be MOST relevant when analyzing a banking application that allows fund transfers between accounts?
73. A risk practitioner is identifying vulnerabilities in an organization's IT environment. Which TWO of the following are examples of 'operational vulnerability identification'? (Choose two.)
74. During risk identification, a risk manager is reviewing threat intelligence sources. Which THREE of the following are considered legitimate sources of threat intelligence? (Choose three.)
75. A risk register is being created for a new ERP implementation project. Which TWO of the following risks should be included in the project's risk register? (Choose two.)
76. A retail company is establishing an IT risk universe. Which of the following should be included as a primary category of IT risk?
77. During a threat modeling exercise for a new web application, the team uses STRIDE. Which threat type under STRIDE corresponds to an attacker modifying data in transit?
78. A risk practitioner is developing a risk scenario for a potential ransomware attack. Using the ISACA risk scenario template, which element describes the entity that initiates the attack?
79. A financial institution uses threat intelligence from an Information Sharing and Analysis Center (ISAC). This is an example of which type of threat intelligence source?
80. Which threat actor is most likely motivated by political ideology and may target government systems?
81. A security analyst is reviewing CVE entries and NVD data to identify vulnerabilities in software assets. This activity is part of which vulnerability identification approach?
82. An organization uses the PASTA threat modeling methodology. In which stage would the team identify threat agents and their capabilities?
83. A risk manager is categorizing IT risks. Which risk category would a potential fine for violating GDPR be assigned to?
84. Which of the following best describes risk capacity?
85. A company is updating its risk register. Which of the following is the primary purpose of a risk register?
86. During a VAST threat modeling session for a DevSecOps pipeline, the team focuses on threats that align with agile development. Which of the following is a key advantage of VAST?
87. A risk analyst is identifying operational vulnerabilities. Which TWO of the following are examples of operational vulnerability identification?
88. Which THREE of the following are common consequences in an IT risk scenario?
89. A risk practitioner is using the TRIKE threat modeling methodology. Which TWO of the following are characteristics of TRIKE?
90. Which TWO of the following are types of insider threats?
91. A multinational corporation is developing a new e-commerce platform using microservices architecture. The security team is conducting a threat modeling exercise to identify potential application-level threats. Which TWO threat modeling methodologies are most appropriate for this DevSecOps environment?
92. An organization is updating its IT risk universe to include emerging threats. The CISO wants to ensure the risk register captures realistic risk scenarios. Which THREE components are essential for constructing a complete risk scenario according to ISACA's risk scenario template?
93. A financial services firm is assessing vulnerabilities in its web application. The team wants to identify application-level vulnerabilities that could be exploited. Which TWO vulnerability identification techniques should be prioritized for this purpose?
94. An organization is creating a risk register for its IT risk universe. The risk manager needs to categorize risks to align with the enterprise risk management framework. Which TWO risk categories are most commonly used in IT risk identification?
95. A critical infrastructure organization is enhancing its threat identification capabilities. The risk team wants to leverage threat intelligence sources to identify emerging threats. Which THREE sources are most relevant for obtaining actionable threat intelligence?


Frequently asked questions

What does the IT Risk Identification domain cover on the CRISC exam?

The IT Risk Identification domain covers the key concepts tested in this area of the CRISC exam blueprint published by ISACA. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all CRISC domains — no account required.

How many IT Risk Identification questions are in the CRISC question bank?

The Courseiva CRISC question bank contains 95 questions in the IT Risk Identification domain. Click any question to see the full explanation and answer breakdown.

What is the best way to practice IT Risk Identification for CRISC?

Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.

Can I practice only IT Risk Identification questions for CRISC?

Yes — the session launcher on this page draws questions exclusively from the IT Risk Identification domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.
