Practice CRISC Risk Response and Reporting questions with full explanations on every answer.
1. A security team is considering implementing a control to prevent unauthorized access to a critical database. Which type of control is most appropriate for this objective?
2. The risk team is evaluating the cost-effectiveness of a proposed control that will reduce the annualized loss expectancy (ALE) for a cyber attack from $500,000 to $100,000. The annual cost of the control is $150,000. What is the net benefit of implementing this control?
3. A Key Control Indicator (KCI) for a firewall rule review process shows an exception rate of 15% for the past quarter, exceeding the acceptable threshold of 10%. What is the most appropriate immediate action for the control owner?
4. An organization uses a Key Risk Indicator (KRI) that tracks the average number of days to patch critical vulnerabilities. The KRI has been trending upward over the last three months, from 15 days to 30 days, while the risk appetite threshold is 20 days. Which conclusion is most appropriate?
5. When implementing a new access control system, which activity is essential during the change management process?
6. An IT risk manager is preparing a quarterly risk report for the CISO. Which type of reporting structure does this represent?
7. An organization is implementing a continuous monitoring solution for its network. Which of the following is an example of continuous monitoring?
8. During a control implementation project, the risk manager discovers that the resource requirements have increased significantly, making the original cost-benefit analysis invalid. What should the risk manager do first?
9. Which of the following best describes the purpose of a risk heat map in an IT risk report?
10. A critical vendor is being onboarded. The vendor risk appetite policy requires SOC 2 Type II reports for critical vendors. The vendor has provided a SOC 2 Type I report. What should the risk manager do?
11. An organization's IT risk team is promoting a risk-aware culture. Which initiative is most likely to encourage employees to report security incidents without fear?
12. Which of the following is a leading indicator that the risk of a credential-based attack may be increasing?
13. An organization is integrating IT risk into its enterprise risk management (ERM) program. Which TWO of the following are key benefits of this integration?
14. A risk manager is designing a third-party risk management program. Which THREE factors should be considered when determining the risk tier of a vendor?
15. Which TWO of the following are examples of detective controls?
16. An organization is implementing a new access control system to protect sensitive data. Which type of control is most appropriate for preventing unauthorized access?
17. A risk manager is evaluating the cost-effectiveness of a proposed control. The control costs $50,000 annually to implement and maintain. The current annual loss expectancy (ALE) for the risk is $200,000, and the control is expected to reduce the ALE by 70%. What is the net benefit (or loss) of implementing the control?
18. Which of the following is a Key Control Indicator (KCI) that measures the effectiveness of a firewall?
19. An organization is planning to implement a new security control. The project manager must ensure changes to existing systems are properly managed. Which process is most critical to include in the implementation plan?
20. Which type of control testing is typically performed on a continuous basis using automated tools?
21. A Key Risk Indicator (KRI) that shows a rising trend in the average time to apply critical security patches suggests:
22. An IT risk report for the board of directors should primarily focus on:
23. When integrating IT risk into the enterprise risk management (ERM) program, the most important consideration is:
24. A vendor is classified as 'critical' based on its access to sensitive data and the criticality of its service. According to best practices, what minimum security requirement should be mandated for this vendor?
25. An organization wants to promote a risk-aware culture. Which initiative is most effective in encouraging employees to report security incidents without fear?
26. Which risk reporting frequency is most appropriate for tactical risk reporting to the CISO/CIO?
27. An organization's risk report shows a risk heat map with several risks in the high-likelihood, high-impact quadrant. What is the most appropriate action for the risk owner?
28. An organization is designing a vendor risk management program. Which TWO of the following are essential components of ongoing vendor monitoring? (Select TWO)
29. An IT risk manager is developing KRIs for a critical application. Which TWO of the following are leading indicators that the risk level may be increasing? (Select TWO)
30. Which THREE of the following are common elements of a periodic control effectiveness testing program? (Select THREE)
31. Which type of control is primarily designed to prevent an unwanted event from occurring?
32. During a cost-benefit analysis for a new control, the annualized loss expectancy (ALE) without the control is $500,000. The control is expected to reduce risk by 80% and will cost $150,000 annually to operate. What is the net benefit of implementing the control?
33. An organization uses a Key Control Indicator (KCI) to measure control effectiveness. The KCI shows a control deficiency rate of 12% over the past quarter, exceeding the target threshold of 5%. Which action is MOST appropriate as an initial response?
34. Which of the following is a Key Risk Indicator (KRI) that provides leading indication of increasing vulnerability risk?
35. In IT risk reporting, which level of management typically receives operational risk reporting on a weekly or monthly basis?
36. A company is implementing a new access control system. During the project, the IT team updates the system configuration without notifying the risk team. This leads to a temporary misconfiguration that exposes sensitive data. Which process should have been followed to prevent this issue?
37. In third-party risk management, which of the following is typically used for initial onboarding assessment of a vendor?
38. Which of the following is a detective control?
39. An organization wants to promote a risk-aware culture. Which of the following actions is MOST effective for encouraging employees to report incidents without fear?
40. During a vendor risk tiering exercise, a vendor that stores the organization's customer PII and is critical for daily operations should be classified as which tier?
41. Which of the following is a leading indicator that the risk of a credential-based attack may be increasing?
42. What is the primary purpose of a risk heat map in IT risk reporting?
43. An organization is implementing a new control to address a high-risk vulnerability. Which TWO factors are MOST important to consider during the control implementation planning phase?
44. In the context of IT risk reporting to the board, which THREE elements should be included to effectively communicate risk?
45. Which TWO methods are commonly used for continuous monitoring of IT controls?
46. Which type of control is designed to operate before an event to prevent an undesirable outcome?
47. An organization is evaluating a new security control that costs $50,000 annually to implement and maintain. The current annualized loss expectancy (ALE) for a related risk is $200,000. The control is expected to reduce the ALE by 85%. Using cost-benefit analysis, what is the net benefit of implementing this control?
48. A Key Control Indicator (KCI) for a critical firewall rule set shows an exception rate of 12% over the past month, exceeding the acceptable threshold of 5%. The control owner is responsible for remediation. Which action should the risk practitioner recommend FIRST?
49. An organization's continuous monitoring program includes automated vulnerability scanning and log review. Which of the following is a Key Risk Indicator (KRI) that would BEST signal an increasing risk of a successful network breach?
50. During a quarterly control effectiveness test, internal audit finds that a detective control missed 15% of security incidents. The control owner claims this is within the acceptable error rate of 20%. However, the risk practitioner notes that the missed incidents were high-severity. What should the risk practitioner do?
51. Which risk reporting level is typically provided to the board of directors and focuses on strategic risk posture?
52. An organization is implementing a new access control system. The project manager is concerned about delays due to user training requirements. Which of the following should the risk practitioner prioritize to ensure effective control implementation?
53. A third-party vendor has been tiered as 'high risk' due to access to sensitive customer data. The vendor's SOC 2 Type II report has a qualified opinion on security controls. The vendor risk appetite requires unqualified SOC 2 Type II for critical vendors. What is the MOST appropriate risk response?
54. Which of the following is an example of a leading Key Risk Indicator (KRI) for IT risk?
55. Which of the following is a detective control?
56. During a vendor risk assessment, an organization discovers that a critical vendor has not performed a security assessment in two years. The vendor is tiered as 'medium risk'. According to best practices, what should the risk practitioner recommend?
57. An organization has a risk culture where employees are hesitant to report security incidents due to fear of blame. Which of the following initiatives would MOST effectively promote a risk-aware culture?
58. A risk practitioner is developing a tactical risk report for the CISO. Which TWO of the following elements should be included in the report? (Select TWO)
59. A financial services company is implementing a vendor risk management program. Which THREE of the following are key components of an effective vendor risk assessment process? (Select THREE)
60. Which TWO of the following are examples of continuous monitoring techniques for IT controls? (Select TWO)
61. Which type of control is designed to stop an undesirable event from occurring?
62. A risk practitioner is performing a cost-benefit analysis for a proposed control. The annualized loss expectancy (ALE) for a risk is currently $500,000. The proposed control will reduce the ALE by 80%, and the annual cost of the control is $150,000. What is the net benefit of implementing the control?
63. Which of the following is a Key Control Indicator (KCI) that measures the effectiveness of a control?
64. An organization uses automated SIEM rules to continuously monitor for unauthorized access attempts. This is an example of which type of monitoring?
65. A Key Risk Indicator (KRI) for vulnerability management is the "average patch lag time" (number of days between patch release and deployment). In the last month, this metric increased from 15 days to 45 days. How should the risk practitioner interpret this change?
66. Which of the following best describes the purpose of tactical risk reporting?
67. An organization is implementing a new access control system. Which of the following should be included in the control implementation plan?
68. During a vendor risk assessment, a third-party vendor is classified as "critical" because it has access to sensitive customer data. According to the organization's risk appetite, what minimum security requirement should be mandated for this vendor?
69. An organization's risk committee reviews a risk heat map showing that a key IT risk has moved from the "high" to "medium" category. However, the associated control's effectiveness has decreased from 95% to 85%. What is the most likely explanation?
70. Which of the following is a key element of promoting a risk-aware culture within an IT department?
71. A company is integrating its IT risk management program with the enterprise risk management (ERM) program. What is the primary benefit of this integration?
72. Which control implementation activity involves updating system configurations and user access rights when a new security tool is deployed?
73. A risk practitioner is designing a risk report for the board of directors. Which TWO content elements are most appropriate for strategic risk reporting? (Select two.)
74. An organization is implementing continuous monitoring for its critical systems. Which THREE of the following activities are examples of continuous monitoring? (Select three.)
75. A third-party vendor has been assessed as high risk due to its access to sensitive data. Which TWO ongoing monitoring activities are most appropriate for this vendor? (Select two.)
76. An organization is implementing a control to prevent unauthorized access to its critical database. The control must be designed to block access attempts in real time. Which type of control should be selected?
77. During a cost-benefit analysis for a proposed control, the annualized loss expectancy (ALE) without the control is $500,000. The control is expected to reduce the ALE to $100,000. The control implementation cost is $150,000, and the annual operating cost is $30,000. What is the net annual benefit of the control?
78. A risk manager is evaluating the effectiveness of a control that requires dual authorization for high-value transactions. The Key Control Indicator (KCI) for this control is the rate of transactions processed without dual authorization (i.e., exception rate). If the acceptable exception rate is less than 1% and the observed rate is 2.5%, what is the most appropriate immediate action?
79. An organization is implementing a new access control system. Which of the following is the most important activity to ensure the control is effectively integrated into operations?
80. A Key Risk Indicator (KRI) for a critical system is the number of unpatched vulnerabilities older than 30 days. The threshold is set at 5. This KRI is best described as:
81. Which of the following is the most appropriate frequency for operational IT risk reporting to IT management?
82. An organization is integrating IT risk into its enterprise risk management (ERM) program. What is the primary benefit of this integration?
83. A vendor risk manager is tiering vendors based on the criticality of services and data access. A vendor that processes sensitive customer data for a core business application should be classified as which tier?
84. An organization wants to promote a risk-aware culture. Which of the following actions is most effective in encouraging employees to report incidents without fear?
85. During a quarterly control effectiveness test, internal audit discovers that a key automated control failed 15% of the time due to a software bug. The risk owner decides to accept the risk because the cost to fix the bug is high. What should the risk manager do next?
86. Which of the following is the best example of a Key Control Indicator (KCI) for a firewall rule review process?
87. An organization uses continuous monitoring via SIEM rules to detect anomalies. The SIEM generates an alert when the number of failed logins exceeds a threshold. This monitoring is an example of:
88. A risk manager is reviewing the risk report content for a quarterly IT risk committee meeting. Which TWO items are most important to include in the report?
89. An organization is developing a vendor risk management program. Which THREE activities should be included in the initial onboarding assessment for a high-risk vendor?
90. A security awareness program is being designed to promote a risk-aware culture. Which TWO elements are most critical for the program's success?
91. An organization is selecting a control to prevent unauthorized access to a critical database. Which control type is most appropriate?
92. During a cost-benefit analysis for a proposed control, the annual loss expectancy (ALE) for a risk is currently $500,000. The control will cost $100,000 annually and is expected to reduce the ALE by 80%. What is the net benefit of implementing this control?
93. A key control indicator (KCI) for a critical access control shows a deficiency rate of 12% for the quarter, exceeding the target of 5%. Which of the following should be the risk practitioner's PRIMARY action?
94. An organization is implementing a new access control system. Which of the following is the MOST important consideration during the implementation phase?
95. Which of the following is a leading Key Risk Indicator (KRI) for the risk of a data breach?
96. A risk practitioner is designing a quarterly IT risk report for the CISO. Which of the following elements is MOST critical for tactical decision-making?
97. When integrating IT risk into the enterprise risk management (ERM) program, what is the PRIMARY benefit?
98. In third-party risk management, which of the following is MOST indicative of a vendor's control effectiveness for a critical vendor?
99. A risk practitioner notices that the number of failed authentication attempts has spiked by 300% over the past week. Which of the following actions should be taken FIRST?
100. Which of the following is the BEST example of promoting a risk-aware culture within an organization?
101. During a vendor risk assessment, a prospective vendor for critical services cannot provide a SOC 2 Type II report. According to the organization's vendor risk appetite, which action should be taken?
102. Which of the following is the BEST Key Control Indicator (KCI) for measuring the effectiveness of a firewall?
103. An organization is implementing continuous monitoring for its critical systems. Which TWO of the following are examples of continuous monitoring techniques? (Select TWO)
104. Which THREE of the following are components of an effective IT risk reporting structure for a large enterprise? (Select THREE)
105. A risk practitioner is evaluating the effectiveness of a security awareness program. Which TWO indicators would BEST measure whether the program is positively influencing risk culture? (Select TWO)
106. An organization is implementing a new control to prevent unauthorized access to its critical database. Which type of control is most appropriate for this requirement?
107. A company is evaluating the cost-benefit of a new control that reduces the annualized loss expectancy (ALE) from $500,000 to $100,000. The control has an annual cost of $150,000. What is the net benefit of implementing this control?
108. During a quarterly control effectiveness test, an internal auditor discovers that a key preventive control has a 10% exception rate. The control is designed to prevent unauthorized transactions. Which Key Control Indicator (KCI) is being measured?
109. An organization uses a SIEM to automatically test access control rules on a continuous basis. This is an example of which type of monitoring?
110. The Chief Information Security Officer (CISO) receives a quarterly report that includes a risk heat map and trend analysis of top risks. This type of reporting is best described as:
111. A company is assessing a new vendor that will have access to its customer database. The vendor's security questionnaire reveals they lack SOC 2 certification. According to risk tiering, the vendor is classified as critical. What should the company do?
112. An organization notices a spike in failed authentication attempts over the past week. This metric is best classified as which type of risk indicator?
113. When implementing a new control, which of the following is the most important factor in ensuring its long-term effectiveness?
114. An IT risk manager is preparing a report for the board of directors. Which of the following content elements is most important for strategic risk reporting?
115. A change to a critical application is being implemented without updating the associated security controls. This is most likely a failure in which process?
116. Which of the following is the primary purpose of a risk heat map in a risk report?
117. An organization has implemented a new control that requires manual approval for all high-value transactions. The control owner is responsible for ensuring approvals are obtained. Which control ownership aspect is demonstrated?
118. An organization is implementing a risk-aware culture. Which TWO of the following are effective practices?
119. A third-party vendor is classified as high risk due to its access to sensitive data. Which THREE activities should be part of ongoing monitoring for this vendor?
120. Which TWO of the following are examples of continuous monitoring techniques?
121. An organization is implementing a new access control system to prevent unauthorized access to sensitive data. Which type of control is being implemented?
122. During a cost-benefit analysis for a proposed control, the annual loss expectancy (ALE) for a risk is currently $500,000. The control is expected to reduce the ALE by 80% and will cost $150,000 per year. What is the net benefit of implementing the control?
123. An organization uses Key Control Indicators (KCIs) to measure the effectiveness of its firewall change management process. Which KCI would best indicate a process deficiency?
124. A security operations center (SOC) uses a Security Information and Event Management (SIEM) system to continuously monitor for suspicious activities. Which type of monitoring is being performed?
125. A quarterly risk report for the IT steering committee shows a key risk indicator (KRI) called 'patch lag' has increased from 15 days to 45 days. What does this trend most likely indicate?
126. Which of the following is an example of a corrective control?
127. An organization is implementing a new control to address a high-risk finding. The project manager has scheduled a user training session and updated the relevant policies. Which implementation phase is being addressed?
128. In a risk report presented to the board of directors, which of the following elements is most appropriate to include?
129. Which of the following is the primary purpose of a Key Risk Indicator (KRI)?
130. During a third-party risk assessment, a vendor is classified as 'critical' due to its access to sensitive customer data. According to the organization's vendor risk appetite, what is the minimum security requirement for this vendor?
131. An organization wants to promote a risk-aware culture. Which initiative best supports this goal?
132. In the context of ERM integration, IT risk is typically considered a subset of which broader risk category?
133. Which TWO of the following are examples of continuous monitoring activities? (Select TWO.)
134. Which THREE of the following are essential components of an effective IT risk report to senior management? (Select THREE.)
135. Which TWO of the following are leading indicators that could be used as KRIs for information security risk? (Select TWO.)
136. An organization is selecting a control to reduce the risk of unauthorized data exfiltration. The annual loss expectancy (ALE) for this risk is currently $500,000. The proposed control costs $80,000 annually and is expected to reduce the ALE by 60%. What is the net benefit (reduction in risk exposure minus control cost) of implementing this control?
137. A risk manager is evaluating a control that addresses a high-risk finding from an internal audit. Which of the following is the MOST important factor in determining whether the control is effective?
138. An organization has implemented a new firewall rule to block malicious IP addresses. This is an example of which type of control?
139. During a quarterly risk review, the CISO notes that the number of failed authentication attempts has increased by 300% over the last month. The IT team confirms no changes to authentication systems. This metric is BEST categorized as which of the following?
140. A company is implementing a new access control system. According to the project plan, user training will be delivered after the system goes live. What change management issue does this present?
141. An IT risk report to the board of directors should primarily focus on which of the following?
142. A risk owner is reviewing a control that has a deficiency rate of 15%. The target deficiency rate is less than 5%. Which of the following is the MOST appropriate immediate action?
143. An organization is implementing continuous monitoring of its network using SIEM rules. Which of the following is the PRIMARY benefit of this approach over periodic manual testing?
144. In a risk-aware culture, which of the following behaviors is MOST encouraged?
145. A vendor risk tier is assigned based on data access and service criticality. A vendor that processes sensitive customer data and is critical to operations should be classified as which tier?
146. An organization uses a KRI that tracks the average time to patch critical vulnerabilities. The metric has been increasing over the past three months. What does this indicate from a risk perspective?
147. Which of the following is the PRIMARY purpose of integrating IT risk reporting into the enterprise risk management (ERM) program?
148. An organization is conducting a post-implementation review of a new data loss prevention (DLP) control. Which TWO metrics are Key Control Indicators (KCIs) that would best measure the control's effectiveness?
149. A risk manager is updating the risk report for the IT steering committee. Which THREE elements should be included to provide a comprehensive view of the risk posture?
150. An organization is implementing a third-party risk management program. Which TWO are essential components of the initial vendor risk assessment process?
151. A financial services company is implementing a new control to mitigate the risk of unauthorized access to customer data. Which TWO of the following are key factors to consider during the control design phase?
152. After implementing a new access control system, the IT risk manager needs to measure its effectiveness. Which THREE of the following are Key Control Indicators (KCIs) that would be appropriate?
153. An organization is implementing continuous monitoring for its network security controls. Which TWO of the following are examples of continuous monitoring techniques?
154. A multinational corporation is developing its IT risk reporting structure. The risk manager must align reports with different audiences. Which THREE of the following reporting frequencies and audiences are correctly matched?
155. During a third-party risk management review, the organization is tiering its vendors based on risk. Which TWO of the following criteria are most relevant for determining vendor risk tier?
156. An organization wants to promote a risk-aware culture. Which TWO of the following initiatives are most effective for achieving this?
157. An organization is integrating its IT risk program with the enterprise risk management (ERM) framework. Which THREE of the following activities support this integration?
158. A company's IT risk manager is evaluating Key Risk Indicators (KRIs) for the cybersecurity function. Which TWO of the following are valid examples of leading KRIs?
159. An organization is designing a vendor risk assessment process for critical vendors. Which THREE of the following should be included in the initial onboarding assessment?
160. During a quarterly IT risk review, the risk manager presents a risk heat map. Which TWO of the following elements should be included in the report to provide a comprehensive view?
The Risk Response and Reporting domain covers the key concepts tested in this area of the CRISC exam blueprint published by ISACA. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all CRISC domains — no account required.
The Courseiva CRISC question bank contains 160 questions in the Risk Response and Reporting domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
Yes — the session launcher on this page draws questions exclusively from the Risk Response and Reporting domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.