Practice CRISC IT Risk Identification questions with full explanations on every answer.
Click any question to see the full explanation and answer options, or start a focused practice session above.
1. A company recently experienced a data breach due to an unpatched vulnerability in a public-facing web application. During the post-incident review, the IT risk manager notes that the vulnerability was identified by the vulnerability scanner six months ago but was not remediated because the patch required a critical database server restart. Which of the following is the BEST risk treatment decision to prevent a recurrence?
2. During a risk assessment, an organization identifies that its legacy ERP system has a high likelihood of failure during peak transaction periods. The system supports critical financial operations. The risk owner proposes to upgrade the system, but the project would take 18 months and require significant capital investment. The CEO questions whether the risk can be reduced to an acceptable level more quickly. Which of the following is the MOST appropriate immediate risk response?
3. An organization is considering migrating its customer database to a public cloud provider. Which of the following is the PRIMARY risk identification technique that should be used to identify potential data exposure risks?
4. An IT risk manager is reviewing the results of a recent risk assessment. The organization has a risk appetite that allows for low residual risk. One identified risk has an inherent risk score of 15 (on a scale of 1-25) and currently has no controls. Which of the following is the BEST recommendation for this risk?
5. A multinational corporation uses a common identity management system (IdM) across all subsidiaries. During a risk assessment, it is discovered that the IdM system has a critical vulnerability that could allow privilege escalation. The patch requires a 4-hour downtime. The risk manager must decide the best course of action considering the organization's risk appetite of 'low' and the fact that the IdM system is critical for business operations. Which of the following is the BEST approach?
6. Which of the following is the BEST example of a key risk indicator (KRI) for the risk of unauthorized access to sensitive data?
7. A large retailer is implementing a new point-of-sale (POS) system. The project manager wants to identify risks related to payment card data security. Which risk identification technique would be MOST effective for this purpose?
8. During a risk assessment, an organization identifies that its remote workforce uses personal devices for work. The risk manager is concerned about data leakage. The organization has a risk appetite that is 'moderate' and wants to treat the risk. Which of the following is the MOST effective risk treatment option?
9. Which of the following is the PRIMARY purpose of a risk register?
10. Which TWO of the following are key risk identification techniques used to identify threats and vulnerabilities in IT systems? (Select exactly 2.)
11. Which THREE of the following are valid risk identification methods according to ISACA's Risk IT Framework? (Select exactly 3.)
12. Which TWO of the following are primary sources of risk identification for IT projects? (Select exactly 2.)
13. You are the IT risk manager for a mid-sized e-commerce company. The company processes credit card payments and stores customer data. Recently, the company experienced a security incident where an attacker exploited a SQL injection vulnerability in the web application, exfiltrating a database of customer records. The vulnerability was introduced three months ago during a feature upgrade. The development team claims they followed secure coding guidelines, but the vulnerability was missed due to insufficient testing. The company's risk appetite is moderate, and they have a risk management policy that requires risks to be treated within 30 days of identification. The CISO wants to know the most effective way to reduce the likelihood of similar incidents. You have assessed that the current risk score for web application vulnerabilities is 16 (High). The company has a bug bounty program, but it has not been effective. Which of the following courses of action would BEST address the root cause and reduce the risk?
14. You are a risk analyst for a financial institution that uses a legacy mainframe system for core banking transactions. The mainframe is critical for daily operations, but it is no longer supported by the vendor. The system has known vulnerabilities that cannot be patched due to compatibility issues. The institution has a risk appetite that is very low for any disruption to core banking services. Recently, there was a minor outage caused by a hardware failure, which was resolved quickly, but it highlighted the system's fragility. The IT director proposes to migrate to a modern system, but the migration will take 2 years and cost $5 million. The board is concerned about the cost and timeline. You need to recommend an immediate risk treatment to reduce the likelihood of a major outage while the migration is underway. Which of the following is the BEST course of action?
15. A retail company recently deployed a point-of-sale (POS) system that processes credit card transactions. The system is connected to the corporate network and transmits transaction data to a payment processor over the internet. During a risk assessment, the IT risk manager identifies that the POS system is vulnerable to malware injection via unvalidated input from barcode scanners. Which of the following is the MOST appropriate risk mitigation strategy?
16. A multinational corporation is expanding its cloud infrastructure to include a new SaaS application that stores sensitive customer data. The vendor claims compliance with SOC 2 Type II and ISO 27001. The risk manager must determine if the remaining residual risk after vendor controls is within the company's risk appetite. Which of the following is the MOST critical next step?
17. An organization is implementing a new identity and access management (IAM) system. The risk manager is tasked with identifying risks associated with the migration from legacy authentication to single sign-on (SSO). Which of the following is the GREATEST risk during this migration?
18. A financial institution uses a third-party cloud service for data analytics. The service has access to non-public personal information (NPI). During a risk assessment, the risk manager discovers that the cloud provider uses subprocessors without notifying the institution. The contract does not require notification of subprocessor changes. What should the risk manager do FIRST?
19. A healthcare organization is migrating its electronic health records (EHR) system to a public cloud. The risk manager identifies several risks. Which TWO of the following are the MOST significant risks related to data privacy and regulatory compliance?
20. You are the IT risk manager for a mid-sized e-commerce company that processes over 10,000 transactions per day. The company recently migrated its customer database from an on-premises SQL Server to a cloud-based PostgreSQL instance on AWS RDS. The database contains personally identifiable information (PII) including names, addresses, and credit card numbers (stored as encrypted tokens). The migration was performed by the DevOps team with minimal involvement from the security team. Two weeks after the migration, the company experienced a data breach where an attacker exfiltrated a subset of customer records. The forensic investigation revealed that the attacker exploited a misconfigured security group that allowed inbound traffic from the internet on port 5432 (PostgreSQL default port). Additionally, the database had a publicly accessible endpoint, and the master user password was weak (eight characters, no special characters). The attacker used a brute-force attack to guess the password. The security group has since been corrected, and the password has been changed to a strong one. The breach notification laws require reporting within 72 hours. The CEO wants to understand the root cause and prevent recurrence. As the risk manager, which of the following actions should you recommend as the MOST effective to prevent a similar incident?
21. A multinational e-commerce company has experienced multiple security incidents involving unauthorized access to customer payment data. The incidents originated from different regional offices and exploited misconfigured firewall rules. The risk manager needs to identify the root cause of these risks. Which approach would BEST help in identifying the root cause of the IT risk?
22. A financial institution is integrating a new cloud-based analytics platform that will process sensitive customer data. The project team is conducting risk identification. Which technique would be MOST effective for identifying risks related to the integration of this platform with existing on-premises systems?
23. A retail company uses a legacy inventory system that is no longer supported by the vendor. The IT department is planning to migrate to a modern cloud-based system. During risk identification, which of the following should be considered a PRIMARY risk?
24. A hospital uses a patient portal that allows patients to access their medical records. The portal has experienced multiple brute-force login attempts. The risk manager wants to identify the most critical risk scenario. Which of the following should be prioritized?
25. A technology startup is developing a mobile payment application. During a risk identification workshop, the team identifies a risk that the application may not comply with Payment Card Industry Data Security Standard (PCI DSS) requirements. What is the BEST way to categorize this risk?
26. A manufacturing company uses an industrial control system (ICS) that is connected to the corporate network for monitoring. The risk manager is identifying risks related to this connectivity. Which of the following is the MOST significant risk?
27. Arrange the steps for performing a risk assessment in the correct order.
28. Order the steps for incident response handling.
29. Sequence the steps for developing a disaster recovery plan (DRP).
30. Match each CRISC domain to its description.
31. Match each control type to its example.
32. Match each compliance framework to its primary focus.
33. A company is migrating its customer database to a public cloud provider. During the planning phase, which of the following is the MOST effective approach to identify risks specific to this migration?
34. During a merger and acquisition (M&A) due diligence, the acquiring company's IT risk manager is tasked with identifying risks in the target's IT environment. Which of the following would be the MOST effective technique to uncover hidden risks?
35. A software development team is adopting Agile methodology and wants to integrate risk identification into their sprints. Which approach BEST aligns with Agile principles while ensuring effective risk identification?
36. An organization uses a third-party SaaS provider for payroll processing. Which of the following is the BEST technique to identify risks associated with this vendor?
37. An internal audit report identifies that the IT department did not patch a critical vulnerability in a database server for 90 days. The risk manager wants to identify the root cause risk. Which approach should be used?
38. A financial institution is implementing a new real-time payment system that will process high-value transactions. To identify emerging risks, which method would be MOST effective during the development phase?
39. An IT risk manager is facilitating a workshop to identify risks for a new mobile banking application. Which technique is MOST appropriate for generating a comprehensive list of risks?
40. A business continuity manager wants to identify risks that could disrupt critical business processes. Which source of information would be MOST valuable for identifying such risks?
41. A security operations center (SOC) analyst notices multiple failed login attempts from an internal IP address followed by a successful login from an unusual geographic location. Which risk identification technique should the risk manager use to assess this as a potential risk?
42. Which TWO of the following are recognized techniques for identifying IT risks? (Select exactly 2.)
43. Which THREE of the following are essential components of a risk register that should be documented during risk identification? (Select exactly 3.)
44. A SIEM generates alerts for the following events. Which TWO events should be considered potential emerging risks? (Select exactly 2.)
45. Based on the exhibit, which of the following risks is MOST indicated by the policy configuration?
46. Based on the exhibit, what risk is indicated by the IAM policy?
47. Based on the exhibit, what risk does this database error MOST directly indicate?
48. A company is identifying risks associated with a new cloud-based CRM. Which of the following is the MOST effective method for identifying potential threats?
49. An organization wants to identify risks related to third-party vendors. Which approach best supports continuous risk identification?
50. During a risk identification workshop, the team identifies a potential data leakage from a legacy system. What is the FIRST step the risk owner should take?
51. Which risk identification technique relies on analyzing past incidents to predict future risks?
52. A retail company is identifying risks in its supply chain. Which approach is most effective for identifying previously unknown risks?
53. A company is conducting risk identification for a new payment processing system. The team discovers that the system does not have encryption at rest. This is an example of:
54. Which of the following is the PRIMARY purpose of a risk register in the risk identification phase?
55. An organization is using the OCTAVE method for risk identification. Which activity is typically performed FIRST?
56. A multinational corporation is identifying risks associated with cross-border data transfers. Which regulation's risk identification requirements are most relevant?
57. Refer to the exhibit. What is the MOST immediate risk identification action?
58. Refer to the exhibit. What is the PRIMARY risk identified from this policy?
59. Refer to the exhibit. Which risk is MOST directly identified?
60. Which TWO are primary objectives of IT risk identification?
61. Which THREE of the following are effective techniques for identifying IT risks?
62. Which TWO risk identification techniques are most appropriate for identifying emerging risks from new technologies?
63. A company is migrating its legacy on-premises applications to a public cloud environment. Which risk identification technique is most appropriate for this scenario?
64. A SOC analyst observes repeated failed login attempts from an external IP address targeting a user account. What is the best next step in the IT risk identification process?
65. A company uses a third-party SaaS application for payroll processing. What is the most important activity to identify IT risks associated with this service?
66. A new web application is being developed using several open-source libraries. Which risk identification method is most effective for identifying vulnerabilities in these libraries?
67. A company plans to deploy an AI-based customer service chatbot that processes personal data. What risk should be identified as the highest priority?
68. During a merger and acquisition (M&A) due diligence, the IT risk manager needs to identify risks in the target company's IT environment. Which approach is most effective for comprehensive risk identification?
69. A company operates a legacy system for which the vendor no longer provides security patches. What is the most critical risk to identify regarding this system?
70. After a data breach has been contained, what is the most important action for identifying underlying IT risks?
71. A company uses a DevOps approach with a continuous integration/continuous deployment (CI/CD) pipeline. Which risk identification technique is best suited for detecting code vulnerabilities early in the development lifecycle?
72. Which TWO of the following are primary sources of IT risk identification? (Select exactly TWO.)
73. Which THREE of the following are effective risk identification techniques for a cloud migration project? (Select exactly THREE.)
74. Which THREE of the following are indicators of potential IT risk in an organization? (Select exactly THREE.)
75. Refer to the exhibit. What risk is most directly indicated by this log entry?
76. Refer to the exhibit. What risk is introduced by this IAM policy?
77. Refer to the exhibit. What is the most likely risk indicated by this error log?
78. A company has implemented a new cloud-based customer relationship management (CRM) system. The IT risk manager is tasked with identifying risks related to this system. Which of the following is the MOST important risk identification technique to use initially?
79. During a risk assessment for a new financial application, the risk manager identifies that the application processes sensitive customer data and is accessible from the internet. Which of the following is the MOST appropriate risk scenario to document?
80. A multinational organization uses a third-party vendor for cloud-based identity management. The vendor recently suffered a data breach that exposed user credentials. The risk manager is now re-evaluating the associated risk. Which of the following steps should the risk manager perform FIRST to identify potential new risks?
81. A risk manager is identifying risks for a new mobile payment application. The application will use end-to-end encryption. Which of the following is the BEST source of risk information for identifying potential threats?
82. An organization is planning to deploy an IoT solution in a manufacturing plant. The risk manager is asked to identify risks associated with the integration of IoT devices into the plant network. Which of the following techniques would be MOST effective for identifying both technical and operational risks?
83. A risk manager is reviewing the risk register and notices that several risks have been identified as 'high' but no risk owner has been assigned. Which of the following is the MOST appropriate action to ensure proper risk identification going forward?
84. An organization is implementing a new data loss prevention (DLP) solution. The risk manager is identifying potential risks related to the DLP solution itself. Which of the following is a risk that should be considered?
85. A risk manager is identifying risks for an organization that uses a hybrid cloud environment. The organization stores sensitive data on-premises and in the cloud. Which of the following is the MOST effective method for identifying risks related to data residency and compliance?
86. A risk manager discovers that a business unit has been using an unapproved software-as-a-service (SaaS) application for three months. The application stores customer PII. Which of the following risk identification techniques should the risk manager use to understand the full extent of the risk?
87. Which TWO of the following are primary sources of risk identification for IT projects?
88. Which TWO of the following are valid risk scenarios that should be documented during IT risk identification?
89. Which THREE of the following are commonly used techniques for identifying IT risks in a large enterprise?
90. Refer to the exhibit. During a risk identification exercise for the internal network, the risk manager reviews this firewall log entry. Which of the following risks is MOST directly suggested by this log entry?
91. Refer to the exhibit. A risk manager is reviewing IAM policies for an S3 bucket used for sensitive data. This policy allows which of the following?
92. Refer to the exhibit. During a risk identification review, the risk manager sees this IDS alert. What risk does this alert MOST directly indicate?
93. During a cloud migration project, the IT risk manager is identifying risks associated with data residency. Which of the following is the MOST effective method to identify applicable regulatory requirements?
94. A vulnerability scan of the internal network reveals a critical vulnerability in a legacy application that cannot be patched immediately. What is the FIRST step the risk practitioner should take?
95. An organization is evaluating threat intelligence feeds to improve IT risk identification. Which of the following criteria should be given the HIGHEST priority when selecting a feed?
96. A company is conducting a risk assessment of a critical third-party service provider. Which of the following is the BEST source of information to identify risks associated with the provider's sub-processors?
97. An organization is updating its asset inventory to improve IT risk identification. Which of the following asset attributes is MOST critical for assessing cybersecurity risk?
98. A risk practitioner is analyzing the results of a phishing simulation. The simulation had a 15% click rate on a test email targeting finance department staff. Which of the following conclusions is MOST valid regarding IT risk identification?
99. During a risk identification workshop, the business process owner states that a key system has no documented dependencies. What is the BEST next step for the risk practitioner?
100. An organization is implementing a data classification scheme. Which of the following classification categories would be MOST effective for identifying risks related to intellectual property theft?
101. A risk practitioner is reviewing system logs and notices multiple failed login attempts from a foreign IP address. This observation is an example of which type of risk identification activity?
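Several stems above (the SOC analyst in question 41 who sees internal failed logins followed by a success from an unusual location, the repeated external failures in question 64, and the foreign-IP failures in question 101) describe the same observation: a burst of failed authentications, then a success that does not fit the account's history. The detection logic below is an added example, not part of the Courseiva question bank and not any product's rule. The log line format, the failure threshold and window, and the per-user "usual country" baseline are all assumptions made for this illustration, and the log lines are constructed.

```python
"""Detect a burst of failed logins followed by a success, and successes from an unusual location.

Added example with constructed log lines in an invented, simplified format:
    <ISO-8601 timestamp> <FAIL|SUCCESS> user=<name> src=<ip> geo=<country>
The threshold, the window and the per-user baseline are assumptions for this example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5                  # failures inside the window that make a following success suspicious
WINDOW = timedelta(minutes=10)

# Assumed baseline: countries each user normally logs in from (in practice derived from history).
# A user with no baseline is treated conservatively: every country is "unusual".
USUAL_GEO = {"alice": {"DE"}, "bob": {"US"}}

def parse_line(line: str) -> dict:
    """Turn one constructed log line into a dict; raises ValueError on malformed input."""
    parts = line.split()
    if len(parts) < 3 or parts[1] not in ("FAIL", "SUCCESS"):
        raise ValueError(f"unrecognised line: {line!r}")
    rec = {"ts": datetime.fromisoformat(parts[0].replace("Z", "+00:00")), "outcome": parts[1]}
    for kv in parts[2:]:
        key, _, value = kv.partition("=")
        rec[key] = value
    return rec

def detect(lines) -> list:
    """Return findings as (kind, user, src, timestamp) tuples, in log order."""
    findings = []
    recent_fails = defaultdict(deque)   # user -> timestamps of failures still inside the window
    for line in lines:
        rec = parse_line(line)
        user, ts = rec["user"], rec["ts"]
        fails = recent_fails[user]
        # Drop failures that have aged out of the window.
        while fails and ts - fails[0] > WINDOW:
            fails.popleft()
        if rec["outcome"] == "FAIL":
            fails.append(ts)
            continue
        # A success preceded by a burst of failures is the brute-force-then-success pattern.
        if len(fails) >= FAIL_THRESHOLD:
            findings.append(("success_after_brute_force", user, rec["src"], ts))
        fails.clear()
        # A success from a country outside the account's baseline is flagged on its own.
        if rec.get("geo") and rec["geo"] not in USUAL_GEO.get(user, set()):
            findings.append(("success_from_unusual_geo", user, rec["src"], ts))
    return findings

# Constructed sample: alice fails six times from an internal address, then logs in from abroad;
# bob's isolated and widely spaced failures never reach the threshold.
SAMPLE_LOG = [
    "2024-05-01T09:00:00Z FAIL user=alice src=10.0.0.5 geo=DE",
    "2024-05-01T09:00:07Z FAIL user=alice src=10.0.0.5 geo=DE",
    "2024-05-01T09:00:15Z FAIL user=alice src=10.0.0.5 geo=DE",
    "2024-05-01T09:00:22Z FAIL user=alice src=10.0.0.5 geo=DE",
    "2024-05-01T09:00:30Z FAIL user=alice src=10.0.0.5 geo=DE",
    "2024-05-01T09:00:41Z FAIL user=alice src=10.0.0.5 geo=DE",
    "2024-05-01T09:05:10Z SUCCESS user=alice src=203.0.113.9 geo=BR",
    "2024-05-01T09:10:00Z FAIL user=bob src=10.0.0.7 geo=US",
    "2024-05-01T09:30:00Z SUCCESS user=bob src=10.0.0.7 geo=US",
    "2024-05-01T10:00:00Z FAIL user=bob src=10.0.0.7 geo=US",
    "2024-05-01T10:00:05Z FAIL user=bob src=10.0.0.7 geo=US",
    "2024-05-01T10:00:09Z SUCCESS user=bob src=10.0.0.7 geo=US",
]

if __name__ == "__main__":
    for kind, user, src, ts in detect(SAMPLE_LOG):
        print(f"{ts.isoformat()} {kind}: user={user} src={src}")
```

Both checks fire on alice's success and neither fires on bob's: his first failure falls out of the ten-minute window before his success, and his second pair never reaches the threshold. Clearing the failure queue on success means one compromise is reported once rather than on every later login.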
102. Which TWO of the following are primary techniques for identifying IT risks in an organization? (Choose two.)
103. Which THREE of the following are key indicators that a risk identification process is effective? (Choose three.)
104. Which TWO of the following are examples of external risk identification sources? (Choose two.)
105. Based on the firewall log exhibit, which of the following conclusions is MOST appropriate for risk identification?
106. A mid-sized retail company operates 50 stores across three regions. Each store uses a point-of-sale (POS) system that transmits credit card transactions to a centralized payment processor. The company recently deployed a new SaaS-based inventory management application that connects to the POS system via API. The IT department has no formal process for tracking third-party connections. The risk manager suspects that unknown or unauthorized connections may exist. During a risk identification review, the risk manager discovers that the POS vendor's API documentation was shared with the inventory SaaS provider without a non-disclosure agreement (NDA). Additionally, the API keys for the POS system are stored in plain text configuration files on the inventory SaaS application server. The company's security policy requires encryption of all sensitive data in transit and at rest. Which of the following should the risk manager prioritize as the HIGHEST risk scenario to document in the risk register?
107. A financial institution is migrating its core banking system from an on-premises data center to a public cloud infrastructure. The migration is planned in phases over 18 months. The IT risk manager is tasked with identifying risks during the transition. During the first phase, the team moves non-critical applications to the cloud. A vulnerability assessment of the cloud environment reveals that several virtual machines have default administrative credentials enabled. Additionally, the cloud security group configuration for the application tier allows inbound SSH from the entire internet (0.0.0.0/0). The risk manager also learns that the cloud provider's shared responsibility model is not fully understood by the operations team, who believe the provider is responsible for all security controls. The institution's risk appetite statement allows for moderate risk tolerance but prohibits any exposure that could lead to unauthorized access to customer financial data. Which of the following risk scenarios should the risk manager identify as the MOST critical to address immediately?
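Questions 20 and 107 both turn on the same misconfiguration: a cloud security group that lets the whole internet reach a database port (tcp/5432) or an administrative port (tcp/22). The audit below is an added example, not code from Courseiva or from any cloud provider's tooling. It takes input shaped like the `IpPermissions` / `IpRanges` structure of the AWS `describe-security-groups` response, but the three groups are constructed for illustration, and the list of ports treated as sensitive is an assumption to adjust to local policy. It also shows the corrected form beside the weak one: the fixed database group admits only the application subnet.

```python
"""Flag security-group rules that expose administrative or database ports to the internet.

Added example. The input mirrors the shape of the AWS `describe-security-groups`
response (IpPermissions / IpRanges / Ipv6Ranges), but the groups below are invented
for illustration, not taken from any real account.
"""
import ipaddress

# Ports that should never be reachable from arbitrary internet addresses.
# Assumed list for this example; adjust to the organisation's policy.
SENSITIVE_PORTS = {
    22: "SSH",
    3389: "RDP",
    1433: "MSSQL",
    3306: "MySQL",
    5432: "PostgreSQL",
    27017: "MongoDB",
}

def rule_is_world_open(ip_range: str) -> bool:
    """True when the CIDR is the whole address space (0.0.0.0/0 or ::/0)."""
    net = ipaddress.ip_network(ip_range, strict=False)
    return net.prefixlen == 0

def ports_in_rule(perm: dict) -> set:
    """Return the sensitive ports covered by one permission's protocol and port range."""
    proto = perm.get("IpProtocol")
    if proto == "-1":                      # "all traffic": every port, every protocol
        return set(SENSITIVE_PORTS)
    if proto not in ("tcp", "6"):          # the listed services are all TCP
        return set()
    lo = perm.get("FromPort", 0)
    hi = perm.get("ToPort", 65535)
    return {p for p in SENSITIVE_PORTS if lo <= p <= hi}

def audit_security_groups(groups: list) -> list:
    """Return one finding per (group, sensitive port) reachable from a world-open CIDR."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            ranges = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            ranges += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            open_ranges = [r for r in ranges if rule_is_world_open(r)]
            if not open_ranges:
                continue
            for port in sorted(ports_in_rule(perm)):
                findings.append({
                    "group": sg["GroupId"],
                    "port": port,
                    "service": SENSITIVE_PORTS[port],
                    "source": open_ranges,
                })
    return findings

# Constructed sample groups (invented identifiers).
SAMPLE_GROUPS = [
    {   # database tier as described in the scenario: PostgreSQL open to the whole internet
        "GroupId": "sg-db-example",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        ],
    },
    {   # application tier: SSH from anywhere (finding) and HTTPS from anywhere (expected for a web tier)
        "GroupId": "sg-app-example",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        ],
    },
    {   # corrected database tier: only the application subnet may reach 5432
        "GroupId": "sg-db-fixed",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
             "IpRanges": [{"CidrIp": "10.0.1.0/24"}], "Ipv6Ranges": []},
        ],
    },
]

if __name__ == "__main__":
    for f in audit_security_groups(SAMPLE_GROUPS):
        print(f"{f['group']}: {f['service']} (tcp/{f['port']}) open to {', '.join(f['source'])}")
```

Run against the sample, the audit reports `sg-db-example` for tcp/5432 and `sg-app-example` for tcp/22 (from both the IPv4 and the IPv6 any-address range); the HTTPS rule and the corrected group produce nothing. Note that an `IpProtocol` of `-1` is expanded to every sensitive port, which is how an "allow all" rule that looks harmless in a console listing gets caught.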
108. During a risk assessment for a cloud migration project, the risk team identifies that the new SaaS application has not been tested for interoperability with existing identity management systems. The project manager argues that the integration will be straightforward and asks to remove this from the risk register. Which of the following is the BEST response from the risk practitioner?
109. An organization has recently suffered a ransomware attack that encrypted critical files. During the post-incident review, the risk team is identifying key risk indicators (KRIs) to improve early detection. Which of the following KRIs would be MOST effective in detecting similar attacks in the future?
110. A risk practitioner is facilitating a workshop to identify IT risks for a new product launch. Which technique BEST encourages participants to think about risks from different perspectives?
111. During a review of third-party vendor risks, the risk team identifies that a cloud service provider's data center is located in a country with unstable political conditions. What should the risk practitioner do FIRST?
112. A risk practitioner is identifying risks related to a new API gateway implementation. Which TWO of the following are MOST likely to be significant risks?
113. An organization is migrating on-premises applications to a public cloud. Which THREE of the following should be considered as key risk identification activities?
114. A company's IT risk team is conducting a risk identification exercise for a new blockchain-based supply chain solution. Which THREE risks are MOST specific to this technology?
115. A medium-sized e-commerce company recently experienced a denial-of-service (DoS) attack that took down its website for two hours. The incident response team quickly mitigated the attack by blocking the source IPs. In the aftermath, the risk manager is tasked with identifying risks to prevent recurrence. The company relies heavily on a single internet service provider (ISP) and has no DDoS protection service. The IT director suggests purchasing additional server capacity to absorb future attacks. The CEO is concerned about the cost. The risk team has identified that the likelihood of a similar attack is high based on recent industry trends, and the impact includes lost revenue and customer trust. What is the MOST effective risk identification action the risk team should take next?
116. A large healthcare organization is implementing a new electronic health record (EHR) system. During the risk identification process, the risk team discovers that the EHR vendor has a history of minor security incidents but has always resolved them quickly. The vendor's data center is located in a region prone to earthquakes. Additionally, the EHR system will integrate with several legacy systems that have known vulnerabilities. The project sponsor is keen to proceed and believes the vendor is reputable. The risk team needs to ensure all relevant risks are identified and documented. Which of the following should be the PRIORITY for the risk team?
117. An international bank is expanding its operations into a new country with strict data localization laws. The IT department plans to use a cloud service provider that stores data in neighboring countries but promises compliance. The risk team has identified several potential risks: regulatory fines for non-compliance, data interception during cross-border transmission, and difficulty in auditing the cloud provider. The legal team advises that the contract includes data protection clauses, but these have not been tested. The risk manager must now prioritize risk identification efforts. What is the MOST important risk identification step the risk team should undertake?
118. A manufacturing company uses IoT sensors on the factory floor to monitor equipment performance. The sensors transmit data to a central server via Wi-Fi. During a risk identification workshop, the operations manager reveals that some sensors are operating on outdated firmware with known vulnerabilities. The IT director proposes replacing all sensors at a high cost. The risk team notes that a breach could cause production downtime but the sensors only collect non-sensitive operational data. The company has a low tolerance for downtime. What should the risk team identify as the most critical risk?
119. A software development company uses a DevOps pipeline with automated code deployment. Recently, a developer accidentally pushed a configuration file containing database credentials to a public repository. The credentials were changed within an hour, but the file remained public for a few hours. The risk team is now identifying risks in the CI/CD process. The security team has proposed adding static code analysis to detect secrets in code. The development team objects, citing false positives. The risk manager must identify the most significant risk that could lead to a data breach. Which risk should be prioritized?
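Question 119 (a database credential pushed to a public repository, and a development team worried that secret scanning will drown them in false positives) and question 106 (POS API keys sitting in plaintext configuration files) both call for the same control: a check that runs before commit, or over a server's configuration directory, and reports credential-shaped values without reporting placeholders. The scanner below is an added example, not code from Courseiva or from any scanning product. It pairs fixed-shape patterns with a Shannon-entropy test on generic `password = ...` style assignments, which is one common way to keep `password = changeme` out of the results while still catching a real 40-character key. The AWS access key ID shape (`AKIA` followed by 16 uppercase letters or digits) matches AWS's documented format; the other patterns, the thresholds, and the sample configuration are assumptions constructed for this illustration.

```python
"""Report credential-shaped values in configuration text before they are committed.

Added example with a constructed sample config (not a real file; the credentials are
invented). Fixed-format patterns catch well-known key shapes; a Shannon-entropy test on
generic secret-looking assignments separates placeholders from real secrets.
"""
import math
import re
from collections import Counter

# Credential formats with a fixed, recognisable shape. The AKIA prefix and length follow
# AWS's documented access key ID format; the other two are illustrative shapes.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "db_connection_uri": re.compile(r"\b[a-z]+://[^\s:/@]+:[^\s@]+@[^\s/]+"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# A name containing a secret-like word, assigned a quoted or bare literal.
ASSIGNMENT = re.compile(
    r"(?i)\b[\w.-]*(?:password|passwd|pwd|secret|api[_-]?key|token)[\w.-]*\s*[:=]\s*['\"]?([^'\"\s#]+)"
)

ENTROPY_THRESHOLD = 3.0   # bits per character; below this a value is treated as a placeholder
MIN_LENGTH = 8            # shorter values are ignored by the entropy rule

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character, estimated from the string's own symbol frequencies."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())

def _redact(value: str) -> str:
    """Show just enough of a value to locate it; never echo the whole secret."""
    return value[:4] + "..." + value[-2:] if len(value) > 8 else "***"

def scan_text(text: str, path: str = "<stdin>") -> list:
    """Return one finding per suspected secret: (path, line_no, rule, redacted_value)."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pat in PATTERNS.items():
            m = pat.search(line)
            if m:
                findings.append((path, line_no, rule, _redact(m.group(0))))
        m = ASSIGNMENT.search(line)
        if m:
            value = m.group(1)
            if len(value) >= MIN_LENGTH and shannon_entropy(value) >= ENTROPY_THRESHOLD:
                findings.append((path, line_no, "high_entropy_assignment", _redact(value)))
    return findings

# Constructed sample config. `changeme` is a placeholder and must not be reported;
# the remaining four values are invented secrets that should be.
SAMPLE_CONFIG = """\
[database]
host = db.internal.example
user = app
password = changeme
url = postgresql://app:kV9#qL2xWm4sZp8r@db.internal.example/orders

[aws]
access_key_id = AKIAIOSFODNN7EXAMPLE
secret_access_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"

[pos]
api_key = 3f9c2e7a1b4d8f60c5a7e9b2d4f6a8c0
"""

if __name__ == "__main__":
    for path, line_no, rule, shown in scan_text(SAMPLE_CONFIG, "config.ini"):
        print(f"{path}:{line_no}: {rule}: {shown}")
```

On the sample the scanner reports the connection URI on line 5, the access key ID on line 8, and the two high-entropy assignments on lines 9 and 12, while `password = changeme` (entropy 2.75 bits per character) is left alone. The entropy threshold is the knob the development team in question 119 is arguing about: raising it reduces false positives at the cost of missing low-entropy but real secrets, so a pre-commit hook usually combines it with an explicit allowlist for known test fixtures rather than relying on the number alone.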
120. A retail company is planning to launch a mobile payment app. The risk team is identifying potential risks related to payment card industry (PCI) compliance. The app will process credit card numbers. The development team has implemented tokenization to replace card numbers with tokens, but the token vault is located on-premises. The network architect proposes exposing the token vault to the internet for mobile app access. The compliance officer is concerned about PCI DSS requirements. The risk manager needs to identify the highest risk related to this setup. What is the primary risk?
121. A university's IT department is implementing a single sign-on (SSO) solution for students and faculty. The solution will integrate with existing Active Directory and a cloud-based learning management system (LMS). During risk identification, the team learns that the SSO vendor had a minor security incident last year. The university's security policy requires multi-factor authentication (MFA) for all administrative access, but the SSO solution does not support MFA for student accounts. The project manager insists that MFA for students is not necessary because they only access academic records. The risk team must identify the most significant risk that could affect the university's reputation. Which risk should be documented?
122. A risk manager is facilitating a risk identification workshop for a new cloud migration initiative. Which TWO techniques are most effective for identifying potential IT risks at this stage?
123. What is the most significant risk identified by this configuration?
124. A smart manufacturing company has deployed hundreds of IoT sensors and actuators across its production line. These devices are connected directly to the corporate network without any segmentation and communicate using unencrypted protocols. A third-party vendor manages all IoT devices and has administrative access from their own network. Recently, the IT team detected unusual outbound traffic from the IoT segment to unknown IP addresses on the internet. The risk manager is leading a risk identification workshop. Based on this scenario, what is the most critical risk to the organization that should be identified and documented?
The IT Risk Identification domain covers the key concepts tested in this area of the CRISC exam blueprint published by ISACA. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all CRISC domains — no account required.
The Courseiva CRISC question bank contains 124 questions in the IT Risk Identification domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
The session launcher on this page draws questions exclusively from the IT Risk Identification domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.