Courseiva
Knowledge + Practice
Free IT certification practice questions with explained answers for CCNA, CompTIA, AWS, Azure, Google Cloud, and more.


Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.


Risk Response and Reporting

Practice CRISC Risk Response and Reporting questions with full explanations on every answer.

160 questions



All CRISC Risk Response and Reporting questions (160)

Click any question to see the full explanation and answer options, or start a focused practice session above.

1

A security team is considering implementing a control to prevent unauthorized access to a critical database. Which type of control is most appropriate for this objective?

2

The risk team is evaluating the cost-effectiveness of a proposed control that will reduce the annualized loss expectancy (ALE) for a cyber attack from $500,000 to $100,000. The annual cost of the control is $150,000. What is the net benefit of implementing this control?

3

A Key Control Indicator (KCI) for a firewall rule review process shows an exception rate of 15% for the past quarter, exceeding the acceptable threshold of 10%. What is the most appropriate immediate action for the control owner?

4

An organization uses a Key Risk Indicator (KRI) that tracks the average number of days to patch critical vulnerabilities. The KRI has been trending upward over the last three months, from 15 days to 30 days, while the risk appetite threshold is 20 days. Which conclusion is most appropriate?

5

When implementing a new access control system, which activity is essential during the change management process?

6

An IT risk manager is preparing a quarterly risk report for the CISO. Which type of reporting structure does this represent?

7

An organization is implementing a continuous monitoring solution for its network. Which of the following is an example of continuous monitoring?

8

During a control implementation project, the risk manager discovers that the resource requirements have increased significantly, making the original cost-benefit analysis invalid. What should the risk manager do first?

9

Which of the following best describes the purpose of a risk heat map in an IT risk report?

10

A critical vendor is being onboarded. The vendor risk appetite policy requires SOC 2 Type II reports for critical vendors. The vendor has provided a SOC 2 Type I report. What should the risk manager do?

11

An organization's IT risk team is promoting a risk-aware culture. Which initiative is most likely to encourage employees to report security incidents without fear?

12

Which of the following is a leading indicator that the risk of a credential-based attack may be increasing?

13

An organization is integrating IT risk into its enterprise risk management (ERM) program. Which TWO of the following are key benefits of this integration?

14

A risk manager is designing a third-party risk management program. Which THREE factors should be considered when determining the risk tier of a vendor?

15

Which TWO of the following are examples of detective controls?

16

An organization is implementing a new access control system to protect sensitive data. Which type of control is most appropriate for preventing unauthorized access?

17

A risk manager is evaluating the cost-effectiveness of a proposed control. The control costs $50,000 annually to implement and maintain. The current annual loss expectancy (ALE) for the risk is $200,000, and the control is expected to reduce the ALE by 70%. What is the net benefit (or loss) of implementing the control?

18

Which of the following is a Key Control Indicator (KCI) that measures the effectiveness of a firewall?

19

An organization is planning to implement a new security control. The project manager must ensure changes to existing systems are properly managed. Which process is most critical to include in the implementation plan?

20

Which type of control testing is typically performed on a continuous basis using automated tools?

21

A Key Risk Indicator (KRI) that shows a rising trend in the average time to apply critical security patches suggests:

22

An IT risk report for the board of directors should primarily focus on:

23

When integrating IT risk into the enterprise risk management (ERM) program, the most important consideration is:

24

A vendor is classified as 'critical' based on its access to sensitive data and the criticality of its service. According to best practices, what minimum security requirement should be mandated for this vendor?

25

An organization wants to promote a risk-aware culture. Which initiative is most effective in encouraging employees to report security incidents without fear?

26

Which risk reporting frequency is most appropriate for tactical risk reporting to the CISO/CIO?

27

An organization's risk report shows a risk heat map with several risks in the high-likelihood, high-impact quadrant. What is the most appropriate action for the risk owner?

28

An organization is designing a vendor risk management program. Which TWO of the following are essential components of ongoing vendor monitoring? (Select TWO)

29

An IT risk manager is developing KRIs for a critical application. Which TWO of the following are leading indicators that the risk level may be increasing? (Select TWO)

30

Which THREE of the following are common elements of a periodic control effectiveness testing program? (Select THREE)

31

Which type of control is primarily designed to prevent an unwanted event from occurring?

32

During a cost-benefit analysis for a new control, the annualized loss expectancy (ALE) without the control is $500,000. The control is expected to reduce risk by 80% and will cost $150,000 annually to operate. What is the net benefit of implementing the control?

33

An organization uses a Key Control Indicator (KCI) to measure control effectiveness. The KCI shows a control deficiency rate of 12% over the past quarter, exceeding the target threshold of 5%. Which action is MOST appropriate as an initial response?

34

Which of the following is a Key Risk Indicator (KRI) that provides leading indication of increasing vulnerability risk?

35

In IT risk reporting, which level of management typically receives operational risk reporting on a weekly or monthly basis?

36

A company is implementing a new access control system. During the project, the IT team updates the system configuration without notifying the risk team. This leads to a temporary misconfiguration that exposes sensitive data. Which process should have been followed to prevent this issue?

37

In third-party risk management, which of the following is typically used for initial onboarding assessment of a vendor?

38

Which of the following is a detective control?

39

An organization wants to promote a risk-aware culture. Which of the following actions is MOST effective for encouraging employees to report incidents without fear?

40

During a vendor risk tiering exercise, a vendor that stores the organization's customer PII and is critical for daily operations should be classified as which tier?

41

Which of the following is a leading indicator that the risk of a credential-based attack may be increasing?

42

What is the primary purpose of a risk heat map in IT risk reporting?

43

An organization is implementing a new control to address a high-risk vulnerability. Which TWO factors are MOST important to consider during the control implementation planning phase?

44

In the context of IT risk reporting to the board, which THREE elements should be included to effectively communicate risk?

45

Which TWO methods are commonly used for continuous monitoring of IT controls?

46

Which type of control is designed to operate before an event to prevent an undesirable outcome?

47

An organization is evaluating a new security control that costs $50,000 annually to implement and maintain. The current annualized loss expectancy (ALE) for a related risk is $200,000. The control is expected to reduce the ALE by 85%. Using cost-benefit analysis, what is the net benefit of implementing this control?

48

A Key Control Indicator (KCI) for a critical firewall rule set shows an exception rate of 12% over the past month, exceeding the acceptable threshold of 5%. The control owner is responsible for remediation. Which action should the risk practitioner recommend FIRST?

49

An organization’s continuous monitoring program includes automated vulnerability scanning and log review. Which of the following is a Key Risk Indicator (KRI) that would BEST signal an increasing risk of a successful network breach?

50

During a quarterly control effectiveness test, internal audit finds that a detective control missed 15% of security incidents. The control owner claims this is within the acceptable error rate of 20%. However, the risk practitioner notes that the missed incidents were high-severity. What should the risk practitioner do?

51

Which risk reporting level is typically provided to the board of directors and focuses on strategic risk posture?

52

An organization is implementing a new access control system. The project manager is concerned about delays due to user training requirements. Which of the following should the risk practitioner prioritize to ensure effective control implementation?

53

A third-party vendor has been tiered as 'high risk' due to access to sensitive customer data. The vendor's SOC 2 Type II report has a qualified opinion on security controls. The vendor risk appetite requires unqualified SOC 2 Type II for critical vendors. What is the MOST appropriate risk response?

54

Which of the following is an example of a leading Key Risk Indicator (KRI) for IT risk?

55

Which of the following is a detective control?

56

During a vendor risk assessment, an organization discovers that a critical vendor has not performed a security assessment in two years. The vendor is tiered as 'medium risk'. According to best practices, what should the risk practitioner recommend?

57

An organization has a risk culture where employees are hesitant to report security incidents due to fear of blame. Which of the following initiatives would MOST effectively promote a risk-aware culture?

58

A risk practitioner is developing a tactical risk report for the CISO. Which TWO of the following elements should be included in the report? (Select TWO)

59

A financial services company is implementing a vendor risk management program. Which THREE of the following are key components of an effective vendor risk assessment process? (Select THREE)

60

Which TWO of the following are examples of continuous monitoring techniques for IT controls? (Select TWO)

61

Which type of control is designed to stop an undesirable event from occurring?

62

A risk practitioner is performing a cost-benefit analysis for a proposed control. The annualized loss expectancy (ALE) for a risk is currently $500,000. The proposed control will reduce the ALE by 80%, and the annual cost of the control is $150,000. What is the net benefit of implementing the control?

63

Which of the following is a Key Control Indicator (KCI) that measures the effectiveness of a control?

64

An organization uses automated SIEM rules to continuously monitor for unauthorized access attempts. This is an example of which type of monitoring?

65

A Key Risk Indicator (KRI) for vulnerability management is the "average patch lag time" (number of days between patch release and deployment). In the last month, this metric increased from 15 days to 45 days. How should the risk practitioner interpret this change?

66

Which of the following best describes the purpose of tactical risk reporting?

67

An organization is implementing a new access control system. Which of the following should be included in the control implementation plan?

68

During a vendor risk assessment, a third-party vendor is classified as "critical" because it has access to sensitive customer data. According to the organization's risk appetite, what minimum security requirement should be mandated for this vendor?

69

An organization's risk committee reviews a risk heat map showing that a key IT risk has moved from the "high" to "medium" category. However, the associated control's effectiveness has decreased from 95% to 85%. What is the most likely explanation?

70

Which of the following is a key element of promoting a risk-aware culture within an IT department?

71

A company is integrating its IT risk management program with the enterprise risk management (ERM) program. What is the primary benefit of this integration?

72

Which control implementation activity involves updating system configurations and user access rights when a new security tool is deployed?

73

A risk practitioner is designing a risk report for the board of directors. Which TWO content elements are most appropriate for strategic risk reporting? (Select two.)

74

An organization is implementing continuous monitoring for its critical systems. Which THREE of the following activities are examples of continuous monitoring? (Select three.)

75

A third-party vendor has been assessed as high risk due to its access to sensitive data. Which TWO ongoing monitoring activities are most appropriate for this vendor? (Select two.)

76

An organization is implementing a control to prevent unauthorized access to its critical database. The control must be designed to block access attempts in real time. Which type of control should be selected?

77

During a cost-benefit analysis for a proposed control, the annualized loss expectancy (ALE) without the control is $500,000. The control is expected to reduce the ALE to $100,000. The control implementation cost is $150,000, and the annual operating cost is $30,000. What is the net annual benefit of the control?

78

A risk manager is evaluating the effectiveness of a control that requires dual authorization for high-value transactions. The Key Control Indicator (KCI) for this control is the rate of transactions processed without dual authorization (i.e., exception rate). If the acceptable exception rate is less than 1% and the observed rate is 2.5%, what is the most appropriate immediate action?

79

An organization is implementing a new access control system. Which of the following is the most important activity to ensure the control is effectively integrated into operations?

80

A Key Risk Indicator (KRI) for a critical system is the number of unpatched vulnerabilities older than 30 days. The threshold is set at 5. This KRI is best described as:

81

Which of the following is the most appropriate frequency for operational IT risk reporting to IT management?

82

An organization is integrating IT risk into its enterprise risk management (ERM) program. What is the primary benefit of this integration?

83

A vendor risk manager is tiering vendors based on the criticality of services and data access. A vendor that processes sensitive customer data for a core business application should be classified as which tier?

84

An organization wants to promote a risk-aware culture. Which of the following actions is most effective in encouraging employees to report incidents without fear?

85

During a quarterly control effectiveness test, internal audit discovers that a key automated control failed 15% of the time due to a software bug. The risk owner decides to accept the risk because the cost to fix the bug is high. What should the risk manager do next?

86

Which of the following is the best example of a Key Control Indicator (KCI) for a firewall rule review process?

87

An organization uses continuous monitoring via SIEM rules to detect anomalies. The SIEM generates an alert when the number of failed logins exceeds a threshold. This monitoring is an example of:

88

A risk manager is reviewing the risk report content for a quarterly IT risk committee meeting. Which TWO items are most important to include in the report?

89

An organization is developing a vendor risk management program. Which THREE activities should be included in the initial onboarding assessment for a high-risk vendor?

90

A security awareness program is being designed to promote a risk-aware culture. Which TWO elements are most critical for the program's success?

91

An organization is selecting a control to prevent unauthorized access to a critical database. Which control type is most appropriate?

92

During a cost-benefit analysis for a proposed control, the annual loss expectancy (ALE) for a risk is currently $500,000. The control will cost $100,000 annually and is expected to reduce the ALE by 80%. What is the net benefit of implementing this control?

93

A key control indicator (KCI) for a critical access control shows a deficiency rate of 12% for the quarter, exceeding the target of 5%. Which of the following should be the risk practitioner's PRIMARY action?

94

An organization is implementing a new access control system. Which of the following is the MOST important consideration during the implementation phase?

95

Which of the following is a leading Key Risk Indicator (KRI) for the risk of a data breach?

96

A risk practitioner is designing a quarterly IT risk report for the CISO. Which of the following elements is MOST critical for tactical decision-making?

97

When integrating IT risk into the enterprise risk management (ERM) program, what is the PRIMARY benefit?

98

In third-party risk management, which of the following is MOST indicative of a vendor's control effectiveness for a critical vendor?

99

A risk practitioner notices that the number of failed authentication attempts has spiked by 300% over the past week. Which of the following actions should be taken FIRST?

100

Which of the following is the BEST example of promoting a risk-aware culture within an organization?

101

During a vendor risk assessment, a prospective vendor for critical services cannot provide a SOC 2 Type II report. According to the organization's vendor risk appetite, which action should be taken?

102

Which of the following is the BEST Key Control Indicator (KCI) for measuring the effectiveness of a firewall?

103

An organization is implementing continuous monitoring for its critical systems. Which TWO of the following are examples of continuous monitoring techniques? (Select TWO)

104

Which THREE of the following are components of an effective IT risk reporting structure for a large enterprise? (Select THREE)

105

A risk practitioner is evaluating the effectiveness of a security awareness program. Which TWO indicators would BEST measure whether the program is positively influencing risk culture? (Select TWO)

106

An organization is implementing a new control to prevent unauthorized access to its critical database. Which type of control is most appropriate for this requirement?

107

A company is evaluating the cost-benefit of a new control that reduces the annualized loss expectancy (ALE) from $500,000 to $100,000. The control has an annual cost of $150,000. What is the net benefit of implementing this control?

108

During a quarterly control effectiveness test, an internal auditor discovers that a key preventive control has a 10% exception rate. The control is designed to prevent unauthorized transactions. Which Key Control Indicator (KCI) is being measured?

109

An organization uses a SIEM to automatically test access control rules on a continuous basis. This is an example of which type of monitoring?

110

The Chief Information Security Officer (CISO) receives a quarterly report that includes a risk heat map and trend analysis of top risks. This type of reporting is best described as:

111

A company is assessing a new vendor that will have access to its customer database. The vendor's security questionnaire reveals they lack SOC 2 certification. According to risk tiering, the vendor is classified as critical. What should the company do?

112

An organization notices a spike in failed authentication attempts over the past week. This metric is best classified as which type of risk indicator?

113

When implementing a new control, which of the following is the most important factor in ensuring its long-term effectiveness?

114

An IT risk manager is preparing a report for the board of directors. Which of the following content elements is most important for strategic risk reporting?

115

A change to a critical application is being implemented without updating the associated security controls. This is most likely a failure in which process?

116

Which of the following is the primary purpose of a risk heat map in a risk report?

117

An organization has implemented a new control that requires manual approval for all high-value transactions. The control owner is responsible for ensuring approvals are obtained. Which control ownership aspect is demonstrated?

118

An organization is implementing a risk-aware culture. Which TWO of the following are effective practices?

119

A third-party vendor is classified as high risk due to its access to sensitive data. Which THREE activities should be part of ongoing monitoring for this vendor?

120

Which TWO of the following are examples of continuous monitoring techniques?

121

An organization is implementing a new access control system to prevent unauthorized access to sensitive data. Which type of control is being implemented?

122

During a cost-benefit analysis for a proposed control, the annual loss expectancy (ALE) for a risk is currently $500,000. The control is expected to reduce the ALE by 80% and will cost $150,000 per year. What is the net benefit of implementing the control?

123

An organization uses Key Control Indicators (KCIs) to measure the effectiveness of its firewall change management process. Which KCI would best indicate a process deficiency?

124

A security operations center (SOC) uses a Security Information and Event Management (SIEM) system to continuously monitor for suspicious activities. Which type of monitoring is being performed?

125

A quarterly risk report for the IT steering committee shows a key risk indicator (KRI) called 'patch lag' has increased from 15 days to 45 days. What does this trend most likely indicate?

126

Which of the following is an example of a corrective control?

127

An organization is implementing a new control to address a high-risk finding. The project manager has scheduled a user training session and updated the relevant policies. Which implementation phase is being addressed?

128

In a risk report presented to the board of directors, which of the following elements is most appropriate to include?

129

Which of the following is the primary purpose of a Key Risk Indicator (KRI)?

130

During a third-party risk assessment, a vendor is classified as 'critical' due to its access to sensitive customer data. According to the organization's vendor risk appetite, what is the minimum security requirement for this vendor?

131

An organization wants to promote a risk-aware culture. Which initiative best supports this goal?

132

In the context of ERM integration, IT risk is typically considered a subset of which broader risk category?

133

Which TWO of the following are examples of continuous monitoring activities? (Select TWO.)

134

Which THREE of the following are essential components of an effective IT risk report to senior management? (Select THREE.)

135

Which TWO of the following are leading indicators that could be used as KRIs for information security risk? (Select TWO.)

136

An organization is selecting a control to reduce the risk of unauthorized data exfiltration. The annual loss expectancy (ALE) for this risk is currently $500,000. The proposed control costs $80,000 annually and is expected to reduce the ALE by 60%. What is the net benefit (reduction in risk exposure minus control cost) of implementing this control?
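The arithmetic behind questions 2, 17, 32, 47, 62, 77, 92, 107, 122 and 136 above is the same in every case: annual loss avoided (ALE before minus ALE after) less the annualized cost of the control. The following is an added worked example, not code from Courseiva or ISACA. It uses the figures stated in those questions; the names ControlCBA, from_reduction and break_even_reduction_pct are introduced here, the amortisation of a one-time implementation cost over a chosen number of years is an assumption made to show why question 77 has two defensible readings, and the NOT_JUSTIFIED scenario is constructed to show a negative result.

```python
"""Cost-benefit analysis of a proposed control: the calculation behind the
annualized loss expectancy (ALE) questions on this page.

Added example. Figures are the page's own scenarios; amortisation of a
one-time implementation cost is an assumption introduced here, and the
NOT_JUSTIFIED scenario is constructed."""
from dataclasses import dataclass


def ale(sle: float, aro: float) -> float:
    """Annualized loss expectancy = single loss expectancy x annualized rate of occurrence."""
    return sle * aro


@dataclass(frozen=True)
class ControlCBA:
    ale_before: float           # ALE without the control
    ale_after: float            # ALE expected with the control operating
    annual_cost: float          # recurring cost to operate and maintain
    one_time_cost: float = 0.0  # implementation cost, if the question gives one
    amortize_years: int = 1     # years the one-time cost is spread over (assumption)

    @property
    def risk_reduction(self) -> float:
        """Annual loss avoided."""
        return self.ale_before - self.ale_after

    @property
    def annualized_cost(self) -> float:
        return self.annual_cost + self.one_time_cost / self.amortize_years

    @property
    def net_benefit(self) -> float:
        """Negative means the control costs more than the loss it avoids."""
        return self.risk_reduction - self.annualized_cost

    @property
    def rosi(self) -> float:
        """Return on security investment, as a ratio of annualized cost."""
        return self.net_benefit / self.annualized_cost

    def justified(self) -> bool:
        return self.net_benefit > 0


def from_reduction(ale_before: float, reduction_pct: float, annual_cost: float, **kw) -> ControlCBA:
    """For questions that give a percentage reduction instead of a target ALE.
    ale_before * pct / 100 keeps the arithmetic exact for the page's round figures."""
    return ControlCBA(ale_before, ale_before - ale_before * reduction_pct / 100, annual_cost, **kw)


def break_even_reduction_pct(ale_before: float, annual_cost: float) -> float:
    """Smallest ALE reduction (percent) at which the control pays for itself."""
    return 100.0 * annual_cost / ale_before


# Scenarios as stated in the questions (question numbers from this page)
Q2 = ControlCBA(500_000, 100_000, 150_000)
Q17 = from_reduction(200_000, 70, 50_000)
Q47 = from_reduction(200_000, 85, 50_000)
Q62 = from_reduction(500_000, 80, 150_000)   # same figures as Q32 and Q122
Q92 = from_reduction(500_000, 80, 100_000)
Q136 = from_reduction(500_000, 60, 80_000)
# Q77 gives a $150k implementation cost plus $30k/year to operate. Charging the
# implementation entirely to year one and spreading it over three years give
# different answers; the question does not say which reading is intended.
Q77_YEAR_ONE = ControlCBA(500_000, 100_000, 30_000, one_time_cost=150_000)
Q77_THREE_YEARS = ControlCBA(500_000, 100_000, 30_000, one_time_cost=150_000, amortize_years=3)
# Constructed: a control that avoids less loss than it costs.
NOT_JUSTIFIED = from_reduction(50_000, 50, 40_000)

if __name__ == "__main__":
    for label, cba in [("Q2", Q2), ("Q17", Q17), ("Q77 (3 yr)", Q77_THREE_YEARS),
                       ("not justified", NOT_JUSTIFIED)]:
        print(f"{label}: net ${cba.net_benefit:,.0f}, ROSI {cba.rosi:.0%}, "
              f"justified={cba.justified()}")
```

When the exam gives both an implementation cost and an operating cost, read the question stem for the word "annual" before deciding whether the implementation cost counts in full; the break-even function is a quick sanity check that a control's required reduction is plausible before the net figure is reported.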

137

A risk manager is evaluating a control that addresses a high-risk finding from an internal audit. Which of the following is the MOST important factor in determining whether the control is effective?

138

An organization has implemented a new firewall rule to block malicious IP addresses. This is an example of which type of control?

139

During a quarterly risk review, the CISO notes that the number of failed authentication attempts has increased by 300% over the last month. The IT team confirms no changes to authentication systems. This metric is BEST categorized as which of the following?

140

A company is implementing a new access control system. According to the project plan, user training will be delivered after the system goes live. What change management issue does this present?

141

An IT risk report to the board of directors should primarily focus on which of the following?

142

A risk owner is reviewing a control that has a deficiency rate of 15%. The target deficiency rate is less than 5%. Which of the following is the MOST appropriate immediate action?

143

An organization is implementing continuous monitoring of its network using SIEM rules. Which of the following is the PRIMARY benefit of this approach over periodic manual testing?
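Questions 64, 87, 99, 109, 112, 124, 139 and 143 above describe the same mechanism from different angles: a SIEM rule that continuously counts failed authentications and alerts when a threshold is crossed, with the resulting count also serving as a KRI when compared against a baseline. The following is an added example of such a rule, not code from Courseiva, ISACA or any SIEM product. The log format, the field names user= and src=, the sample lines and the function names parse, failed_login_alerts and spike_pct are all constructed for this illustration.

```python
"""A continuous-monitoring rule of the kind a SIEM runs over authentication
logs: count failed logins per source inside a sliding window and raise an
alert when the count crosses a threshold.

Added example. The log format, field names and sample lines are constructed
for this illustration and are not taken from any specific product."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed format: "<ISO timestamp> auth <FAILED|OK> user=<name> src=<ip>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<outcome>FAILED|OK) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample: one source cycling through accounts (a spraying pattern),
# plus unrelated events and a malformed line that must not trigger the rule.
SAMPLE_LOG = """\
2024-05-06T09:00:05 auth FAILED user=alice src=203.0.113.7
2024-05-06T09:00:09 auth FAILED user=bob src=203.0.113.7
2024-05-06T09:00:14 auth FAILED user=carol src=203.0.113.7
2024-05-06T09:00:20 auth OK user=dave src=198.51.100.20
2024-05-06T09:00:31 auth FAILED user=dave src=203.0.113.7
2024-05-06T09:00:45 auth FAILED user=erin src=203.0.113.7
2024-05-06T09:01:02 auth FAILED user=alice src=198.51.100.20
2024-05-06T09:01:10 auth FAILED user=frank src=203.0.113.7
2024-05-06T09:30:00 auth FAILED user=alice src=192.0.2.99
this line is malformed and is skipped
"""


def parse(text: str) -> list[dict]:
    """Parse log lines into events; lines that do not match the format are dropped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.fromisoformat(e["ts"])
            events.append(e)
    return events


def failed_login_alerts(events, threshold=5, window=timedelta(minutes=10)) -> list[dict]:
    """Fire once per source the first time `threshold` failures fall inside `window`.
    Two-pointer sliding window, so each source is scanned in linear time."""
    by_src = defaultdict(list)
    for e in events:
        if e["outcome"] == "FAILED":
            by_src[e["src"]].append((e["ts"], e["user"]))
    alerts = []
    for src, fails in by_src.items():
        fails.sort()
        start = 0
        for end, (t, _) in enumerate(fails):
            while t - fails[start][0] > window:
                start += 1
            in_window = fails[start:end + 1]
            if len(in_window) >= threshold:
                alerts.append({
                    "src": src,
                    "count": len(in_window),
                    "distinct_users": len({u for _, u in in_window}),
                    "first": in_window[0][0],
                    "last": t,
                })
                break  # one alert per source; further suppression is the SIEM's job
    return alerts


def count_failures(events) -> int:
    return sum(1 for e in events if e["outcome"] == "FAILED")


def spike_pct(baseline: int, current: int) -> float:
    """Percentage increase of the current period over the baseline: the
    week-over-week figure that turns a raw count into a leading KRI."""
    if baseline == 0:
        return float("inf") if current else 0.0
    return 100.0 * (current - baseline) / baseline


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for a in failed_login_alerts(evs):
        print(f"ALERT {a['src']}: {a['count']} failures against {a['distinct_users']} users "
              f"between {a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}")
    print(f"failed logins this period: {count_failures(evs)}; "
          f"change vs. a baseline of 40 per week: {spike_pct(40, 160):.0f}%")
```

The distinct_users figure is what separates a single user mistyping a password from a source spraying many accounts; a rule keyed only on the raw count would rate both the same.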

144

In a risk-aware culture, which of the following behaviors is MOST encouraged?

145

A vendor risk tier is assigned based on data access and service criticality. A vendor that processes sensitive customer data and is critical to operations should be classified as which tier?

146

An organization uses a KRI that tracks the average time to patch critical vulnerabilities. The metric has been increasing over the past three months. What does this indicate from a risk perspective?
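Questions 3, 4, 33, 48, 50, 65, 78, 80, 93, 125, 142 and 146 above all turn on reading a KRI or KCI against its threshold and its trend. The following is an added example of that evaluation, not code from Courseiva or ISACA. The Indicator class, the 20% amber band, the three-reading trend rule and the intermediate readings in the histories are assumptions introduced here; the thresholds and end-point values come from the questions, and the detective-control incident sample used to illustrate question 50 is constructed.

```python
"""Threshold and trend evaluation for key risk indicators (KRIs) and key
control indicators (KCIs), with a severity-weighted miss rate for a
detective control.

Added example. Thresholds and end-point readings are taken from the
questions on this page; intermediate readings, the amber band and the
incident sample are constructed."""
from dataclasses import dataclass, field
from typing import Literal

Direction = Literal["higher_is_worse", "lower_is_worse"]


@dataclass
class Indicator:
    """One KRI or KCI with its tolerance threshold and observation history."""
    name: str
    kind: Literal["KRI", "KCI"]
    threshold: float
    direction: Direction = "higher_is_worse"
    amber_band: float = 0.20     # assumption: within 20% of the threshold is AMBER
    history: list[float] = field(default_factory=list)

    def record(self, value: float) -> "Indicator":
        self.history.append(value)
        return self

    @property
    def latest(self) -> float:
        return self.history[-1]

    def breached(self) -> bool:
        if self.direction == "higher_is_worse":
            return self.latest > self.threshold
        return self.latest < self.threshold

    def trend(self) -> str:
        """'rising', 'falling' or 'flat' over the last three readings."""
        recent = self.history[-3:]
        diffs = [b - a for a, b in zip(recent, recent[1:])]
        if diffs and all(d > 0 for d in diffs):
            return "rising"
        if diffs and all(d < 0 for d in diffs):
            return "falling"
        return "flat"

    def worsening(self) -> bool:
        """Trend is moving toward the bad side of the threshold."""
        t = self.trend()
        return t != "flat" and (t == "rising") == (self.direction == "higher_is_worse")

    def status(self) -> str:
        """RED: threshold breached. AMBER: close to the threshold or moving
        toward it. GREEN otherwise."""
        if self.breached():
            return "RED"
        margin = abs(self.threshold - self.latest)
        if margin <= self.amber_band * abs(self.threshold) or self.worsening():
            return "AMBER"
        return "GREEN"

    def pct_change(self) -> float:
        """Change from the first recorded reading to the latest, in percent."""
        first = self.history[0]
        return 100.0 * (self.latest - first) / first if first else float("inf")


def severity_weighted_miss_rate(incidents: list[tuple[int, bool]]) -> tuple[float, float]:
    """(raw miss %, severity-weighted miss %) for a detective control.
    incidents are (severity_weight, detected). Weighting is why a 15% miss
    rate inside a 20% tolerance can still be unacceptable when the misses
    are the high-severity events (question 50)."""
    missed = [w for w, detected in incidents if not detected]
    total_weight = sum(w for w, _ in incidents)
    return 100.0 * len(missed) / len(incidents), 100.0 * sum(missed) / total_weight


def report(indicators: list[Indicator]) -> list[dict]:
    """Rows for a tactical risk report: latest value, threshold, status and trend."""
    return [{"indicator": i.name, "kind": i.kind, "latest": i.latest,
             "threshold": i.threshold, "status": i.status(), "trend": i.trend(),
             "pct_change": round(i.pct_change(), 1)} for i in indicators]


# Indicators from the questions; middle readings are constructed.
PATCH_LAG = Indicator("Avg days to patch critical vulns", "KRI", 20).record(15).record(22).record(30)
FW_EXCEPTIONS = Indicator("Firewall rule review exception rate %", "KCI", 10).record(8).record(9).record(15)
DUAL_AUTH = Indicator("Transactions without dual authorization %", "KCI", 1.0).record(0.4).record(0.9).record(2.5)
STALE_VULNS = Indicator("Unpatched vulns older than 30 days", "KRI", 5).record(3).record(2).record(1)
MISSED_INCIDENTS = Indicator("Incidents missed by detective control %", "KCI", 20).record(10).record(12).record(15)
PAGE_INDICATORS = [PATCH_LAG, FW_EXCEPTIONS, DUAL_AUTH, STALE_VULNS, MISSED_INCIDENTS]

# Constructed: 20 incidents, 3 missed, and the 3 missed are the high-severity ones (weight 5).
DETECTIVE_SAMPLE = [(1, True)] * 17 + [(5, False)] * 3

if __name__ == "__main__":
    for row in report(PAGE_INDICATORS):
        print(f"{row['status']:5} {row['trend']:7} {row['indicator']}: "
              f"{row['latest']} vs {row['threshold']} ({row['pct_change']:+.1f}%)")
    raw, weighted = severity_weighted_miss_rate(DETECTIVE_SAMPLE)
    print(f"detective control miss rate: raw {raw:.1f}%, severity-weighted {weighted:.1f}%")
```

MISSED_INCIDENTS comes out AMBER rather than GREEN because it is rising toward its tolerance even though the latest reading is inside it; the weighted miss rate makes the same point about question 50 numerically, since the control is missing almost half of the severity-weighted incident load while reporting a 15% raw miss rate.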

147

Which of the following is the PRIMARY purpose of integrating IT risk reporting into the enterprise risk management (ERM) program?

148

An organization is conducting a post-implementation review of a new data loss prevention (DLP) control. Which TWO metrics are Key Control Indicators (KCIs) that would best measure the control's effectiveness?

149

A risk manager is updating the risk report for the IT steering committee. Which THREE elements should be included to provide a comprehensive view of the risk posture?

150

An organization is implementing a third-party risk management program. Which TWO are essential components of the initial vendor risk assessment process?

151

A financial services company is implementing a new control to mitigate the risk of unauthorized access to customer data. Which TWO of the following are key factors to consider during the control design phase?

152

After implementing a new access control system, the IT risk manager needs to measure its effectiveness. Which THREE of the following are Key Control Indicators (KCIs) that would be appropriate?

153

An organization is implementing continuous monitoring for its network security controls. Which TWO of the following are examples of continuous monitoring techniques?

154

A multinational corporation is developing its IT risk reporting structure. The risk manager must align reports with different audiences. Which THREE of the following reporting frequencies and audiences are correctly matched?

155

During a third-party risk management review, the organization is tiering its vendors based on risk. Which TWO of the following criteria are most relevant for determining vendor risk tier?

156

An organization wants to promote a risk-aware culture. Which TWO of the following initiatives are most effective for achieving this?

157

An organization is integrating its IT risk program with the enterprise risk management (ERM) framework. Which THREE of the following activities support this integration?

158

A company's IT risk manager is evaluating Key Risk Indicators (KRIs) for the cybersecurity function. Which TWO of the following are valid examples of leading KRIs?

159

An organization is designing a vendor risk assessment process for critical vendors. Which THREE of the following should be included in the initial onboarding assessment?

160

During a quarterly IT risk review, the risk manager presents a risk heat map. Which TWO of the following elements should be included in the report to provide a comprehensive view?


Other CRISC exam domains

IT Risk IdentificationIT Risk AssessmentInformation Technology and SecurityRisk Response and MitigationRisk and Control Monitoring and Reporting

Frequently asked questions

What does the Risk Response and Reporting domain cover on the CRISC exam?

The Risk Response and Reporting domain covers selecting and implementing risk responses and controls (preventive, detective and corrective control types, cost-benefit analysis of controls using annualized loss expectancy, control ownership, and change management during implementation), third-party risk management (vendor tiering, onboarding assessment, ongoing monitoring and assurance reports such as SOC 2), risk and control monitoring (key risk indicators, key control indicators, continuous monitoring and control effectiveness testing), and risk reporting (heat maps, operational, tactical and strategic reporting to IT management, the CISO and the board, integration with enterprise risk management, and promoting a risk-aware culture), as set out in the CRISC exam content outline published by ISACA. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all CRISC domains, with no account required.

How many Risk Response and Reporting questions are in the CRISC question bank?

The Courseiva CRISC question bank contains 160 questions in the Risk Response and Reporting domain. Click any question to see the full explanation and answer breakdown.

What is the best way to practice Risk Response and Reporting for CRISC?

Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.

Can I practice only Risk Response and Reporting questions for CRISC?

Yes — the session launcher on this page draws questions exclusively from the Risk Response and Reporting domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.
