Courseiva
Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.


ISACA · Free Practice Questions · Last reviewed May 2026

CRISC Exam Questions and Answers

24 real exam-style questions organised by domain, each with the correct answer highlighted and a plain-English explanation of why it is right and why the others are wrong.

150 exam questions
240 min time limit
Pass: 450/1000
4 exam domains

Domain 1: IT Risk Identification

Q1 (medium)

A company recently experienced a data breach due to an unpatched vulnerability in a public-facing web application. During the post-incident review, the IT risk manager notes that the vulnerability was identified by the vulnerability scanner six months ago but was not remediated because the patch required a critical database server restart. Which of the following is the BEST risk treatment decision to prevent a recurrence?

A

Ignore the vulnerability until the next maintenance window.

B

Escalate the risk to senior management for acceptance.

C

Implement a compensating control such as a web application firewall.

A WAF can block exploitation attempts until a proper patch can be applied.

D

Accept the risk based on the low likelihood of exploitation.

Why: Option C is correct because a web application firewall (WAF) used as a compensating control provides virtual patching: it inspects HTTP/HTTPS traffic and blocks exploitation attempts at the application layer (for example SQL injection or path traversal) without requiring the database server restart that blocked the original patch. It does not remove the root cause; the vulnerability remains until the patch is applied, so the patch must still be scheduled and the WAF rule verified against the specific vulnerability rather than assumed to cover it. Ignoring the finding (A) and accepting it on an unsupported low-likelihood claim (D) leave the exposure unchanged, and escalation for acceptance (B) is a decision step, not a treatment that prevents recurrence.
Q2 (hard)

During a risk assessment, an organization identifies that its legacy ERP system has a high likelihood of failure during peak transaction periods. The system supports critical financial operations. The risk owner proposes to upgrade the system, but the project would take 18 months and require significant capital investment. The CEO questions whether the risk can be reduced to an acceptable level more quickly. Which of the following is the MOST appropriate immediate risk response?

A

Implement enhanced monitoring and manual fallback procedures.

These measures reduce the impact of failures and can be deployed quickly.

B

Increase cyber insurance coverage.

C

Accept the risk and budget for potential losses.

D

Outsource the ERP hosting to a cloud provider.

Why: Enhanced monitoring and manual fallback procedures directly address the immediate risk of system failure during peak periods by providing early detection and a contingency plan to maintain critical financial operations. This response can be implemented quickly without the 18-month timeline and capital investment required for a full system upgrade, aligning with the CEO's request for a faster risk reduction.
Q3 (easy)

An organization is considering migrating its customer database to a public cloud provider. Which of the following is the PRIMARY risk identification technique that should be used to identify potential data exposure risks?

A

Vulnerability scanning

B

Threat modeling

Threat modeling systematically identifies threats relevant to the cloud migration.

C

Penetration testing

D

Business impact analysis

Why: Threat modeling is the primary risk identification technique for proactively identifying potential data exposure risks during a cloud migration. It systematically analyzes the system architecture, data flows, and trust boundaries to uncover threats such as misconfigured access controls, insecure APIs, or data leakage between tenants. Unlike reactive techniques, threat modeling focuses on design-level vulnerabilities before they are exploited.
Q4 (medium)

An IT risk manager is reviewing the results of a recent risk assessment. The organization has a risk appetite that allows for low residual risk. One identified risk has an inherent risk score of 15 (on a scale of 1-25) and currently has no controls. Which of the following is the BEST recommendation for this risk?

A

Accept the risk because the score is moderate.

B

Implement controls to reduce the residual risk to an acceptable level.

Controls are necessary to lower the residual risk to within appetite.

C

Transfer the risk via cyber insurance.

D

Avoid the risk by discontinuing the business process.

Why: The inherent risk score of 15 (out of 25) is moderate, but the organization's risk appetite allows only low residual risk. Since there are currently no controls, the residual risk equals the inherent risk of 15, which exceeds the acceptable threshold. Therefore, implementing controls is the best recommendation to reduce the residual risk to a level that aligns with the risk appetite.
Q5 (hard)

A multinational corporation uses a common identity management system (IdM) across all subsidiaries. During a risk assessment, it is discovered that the IdM system has a critical vulnerability that could allow privilege escalation. The patch requires a 4-hour downtime. The risk manager must decide the best course of action considering the organization's risk appetite of 'low' and the fact that the IdM system is critical for business operations. Which of the following is the BEST approach?

A

Implement a compensating control and delay patching.

B

Schedule the patch during the next maintenance window.

This minimizes disruption while addressing the vulnerability in a timely manner.

C

Apply the patch immediately during business hours.

D

Accept the risk and postpone patching indefinitely.

Why: Option B is correct because scheduling the patch for the next maintenance window addresses the critical vulnerability in a controlled way that is consistent with a low risk appetite while limiting disruption to a system every subsidiary depends on. Applying the patch during business hours (C) would take authentication down for four hours across the organization, and postponing indefinitely (D) leaves a privilege-escalation path open and violates the appetite. A compensating control (A), such as tighter monitoring of privileged activity on the IdM system, is a reasonable interim measure while the window is awaited, but on its own it defers rather than removes the exposure. A planned window also allows the patch to be tested and a rollback plan prepared before the change is made.
Q6 (easy)

Which of the following is the BEST example of a key risk indicator (KRI) for the risk of unauthorized access to sensitive data?

A

Average server uptime

B

Number of firewalls deployed

C

Percentage of users with access to sensitive data

A high percentage indicates a larger attack surface for unauthorized access.

D

Number of security awareness trainings completed

Why: Option C is correct because a KRI must directly measure the likelihood or impact of a specific risk. The percentage of users with access to sensitive data is a direct indicator of the attack surface for unauthorized access; a higher percentage increases the probability that an unauthorized user could gain access, making it a leading indicator for that risk.


Domain 2: Risk Response and Mitigation

Q1 (medium)

After implementing a new web application, the risk owner reports that the residual risk level is still above the risk appetite. Which of the following should be the risk practitioner's FIRST action?

A

Re-evaluate risk treatment options with the risk owner

The practitioner should collaborate with the risk owner to identify additional controls or modify existing ones.

B

Escalate directly to the board

C

Update the risk register to reflect the residual risk

D

Accept the residual risk

Why: When residual risk remains above the risk appetite after treatment, the risk practitioner must first re-evaluate the existing risk treatment options with the risk owner. This collaborative review identifies whether additional controls (e.g., stricter input validation, rate limiting, or Web Application Firewall tuning) can further reduce the risk to an acceptable level before considering escalation or acceptance.
Q2 (hard)

A multinational organization is implementing a risk mitigation strategy for a critical system. The business impact analysis shows that downtime costs are extremely high. Which risk response strategy is MOST appropriate for this scenario?

A

Risk avoidance by decommissioning the system

B

Risk transfer through cyber insurance

C

Risk reduction by implementing redundant systems

Redundancy reduces both likelihood and impact of downtime.

D

Risk acceptance because mitigation is too costly

Why: Given the extremely high downtime costs, the most appropriate risk response is risk reduction through implementing redundant systems. This directly addresses the critical system's availability requirement by eliminating single points of failure, thereby reducing both the likelihood and impact of downtime. Decommissioning the system (avoidance) would eliminate the business function entirely, which is typically not viable for a critical system, while insurance (transfer) only provides financial compensation after the loss, not preventing the operational impact of downtime.
Q3 (easy)

An organization decides to outsource its data center operations to a third party. This is an example of which risk response?

A

Risk reduction

B

Risk transfer

Outsourcing transfers operational risk to the third party.

C

Risk acceptance

D

Risk avoidance

Why: Outsourcing data center operations transfers the operational risk of running the infrastructure, and part of the financial risk, to a third-party provider. This is a classic risk transfer response: the organization retains ownership of the data and accountability for the business outcome, but shifts responsibility for physical security, hardware maintenance, and uptime to the vendor through contractual terms such as SLAs with penalty clauses. Because accountability does not transfer, a breach or outage at the provider is still the organization's problem, which is why vendor due diligence and ongoing monitoring remain necessary after the transfer.
Q4 (medium)

During a review, a risk practitioner discovers that a key control for a high-risk process is not operating effectively. The risk owner is reluctant to invest in additional controls due to budget constraints. What should the risk practitioner do FIRST?

A

Accept the risk owner's decision

B

Document the deficiency and move on

C

Communicate the risk exposure to senior management

Senior management needs to be aware of the risk and decide on additional funding.

D

Escalate directly to the board

Why: Option C is correct because the risk practitioner's primary duty is to ensure that senior management is aware of material risk exposures that could impact business objectives. When a key control for a high-risk process is ineffective and the risk owner refuses to remediate due to budget constraints, the practitioner must communicate the residual risk exposure to senior management, who have the authority to allocate resources and make strategic risk acceptance decisions. This aligns with the CRISC framework's emphasis on escalating risk information to the appropriate decision-making level when the risk owner's response is inadequate.
Q5 (hard)

A company has implemented a risk mitigation plan that includes technical controls. However, six months later, the residual risk is still higher than expected. The risk practitioner suspects that the controls are not being followed. Which of the following is the BEST approach to verify this?

A

Perform a new risk assessment

B

Interview control owners

C

Review risk register updates

D

Conduct a control testing and audit review

Testing provides direct evidence of control operation.

Why: Conducting control testing and an audit review (D) produces direct, objective evidence of whether the controls are actually operating: test results, configuration evidence, and logs rather than assertions. A new risk assessment (A) re-estimates the risk without checking the controls themselves, interviews (B) yield self-reported answers from the people whose compliance is in question, and the risk register (C) records what was planned, not what is happening.
Q6 (medium)

Which TWO of the following are effective risk mitigation strategies for reducing the likelihood of a ransomware attack?

A

Installing intrusion detection systems

B

Conducting periodic vulnerability scans

C

Regularly backing up critical data

D

Deploying network segmentation

Segmentation limits the spread of ransomware, reducing likelihood of widespread infection.

E

Implementing user awareness training

Training reduces the chance of users falling for phishing attacks.

Why: Deploying network segmentation (D) reduces the likelihood of a widespread ransomware attack by limiting lateral movement. If an endpoint is compromised, segmentation using VLANs or firewall rules (e.g., 802.1Q, ACLs) prevents the ransomware from reaching critical systems, reducing the probability of widespread encryption. User awareness training (E) directly reduces likelihood by teaching users to recognize phishing emails and malicious attachments, which are the primary initial vectors for ransomware delivery. The other options are valuable but address something else: backups (C) reduce impact rather than likelihood, an IDS (A) is a detective control that does not stop the initial infection, and vulnerability scans (B) only reduce likelihood once the findings are remediated.


Domain 3: Risk and Control Monitoring and Reporting

Q1 (medium)

A security analyst notices that the number of failed login attempts has significantly increased over the past week. The SIEM alerts are not being triggered because the threshold was set too high. What is the MOST effective immediate action to improve monitoring?

A

Implement a new authentication system with biometrics.

B

Lower the threshold for failed login alerts in the SIEM.

Directly fixes the issue of missed alerts.

C

Enable all SIEM rules to capture every event.

D

Review logs manually each day to identify anomalies.

Why: B is correct because the immediate issue is a SIEM alert threshold set so high that the surge in failed logins never generates an alert. Lowering the threshold closes that monitoring gap without a system overhaul (A), without the noise of enabling every rule (C), and without the delay of daily manual review (D). The new value should be derived from the environment's observed baseline: low enough to catch the current pattern, but not so low that routine mistyped passwords flood analysts with alerts.
Q2 (hard)

A risk manager is reviewing the control monitoring reports and finds that a key control's effectiveness rating has dropped from 'effective' to 'partially effective' due to increased errors in manual data entry. Which of the following is the BEST course of action?

A

Conduct a root cause analysis to identify why errors increased.

Identifies underlying issues to inform corrective actions.

B

Immediately implement an automated data entry solution.

C

Increase the frequency of monitoring to detect errors sooner.

D

Assign additional staff to double-check data entries.

Why: A root cause analysis (RCA) is the best course of action because it systematically identifies the underlying reasons for the increased manual data entry errors, such as inadequate training, unclear procedures, or system interface issues. Without understanding the root cause, any corrective action (like automation or additional staff) may address symptoms rather than the actual problem, leading to wasted resources or recurring control failures. This aligns with the CRISC principle that control effectiveness must be restored by addressing the fundamental cause of degradation, not just the symptoms.
Q3 (easy)

A company has implemented a new control to detect unauthorized access attempts. What is the PRIMARY purpose of monitoring this control?

A

To provide evidence for regulatory audits.

B

To reduce the number of unauthorized access attempts.

C

To confirm the control is working effectively.

Ensures the control functions as designed.

D

To calculate the residual risk level.

Why: The primary purpose of monitoring a detective control, such as one that detects unauthorized access attempts, is to confirm that the control is operating effectively as designed. Monitoring provides ongoing assurance that the control is correctly identifying and logging unauthorized access events, which is essential for maintaining the security posture and for timely incident response.
Q4 (medium)

A risk practitioner is designing a monitoring dashboard for senior management. Which key performance indicator (KPI) would be MOST useful for tracking control effectiveness over time?

A

Number of security incidents reported.

B

Number of transactions processed per hour.

C

Value at Risk (VaR) for operational risk.

D

Percentage of controls passing automated tests.

Directly indicates control effectiveness.

Why: Option D is correct because the percentage of controls passing automated tests directly measures the effectiveness of controls over time. A trend of increasing or stable high percentages indicates that controls are functioning as intended, while a decline signals degradation. This KPI is specifically designed for control monitoring, unlike metrics that measure activity or outcomes.
Q5 (hard)

A company has multiple business units each using different risk assessment methodologies. The risk committee wants consistent monitoring reports. What is the BEST approach to achieve consistency?

A

Develop and mandate a standardized risk assessment methodology.

Ensures consistent risk identification and evaluation.

B

Aggregate risks at the enterprise level using a common taxonomy.

C

Require each business unit to adopt the same risk scoring scale.

D

Create a centralized reporting template with predefined fields.

Why: Option A is correct because mandating a standardized risk assessment methodology ensures that all business units apply the same criteria, scales, and processes for identifying, analyzing, and evaluating risks. This eliminates methodological inconsistencies at the source, enabling the risk committee to produce truly comparable and reliable monitoring reports across the enterprise.
Q6 (easy)

During a control monitoring review, it is discovered that a detective control has a high false positive rate. What is the MOST significant impact of this issue?

A

Loss of confidence in the control by management.

B

Increased risk of missing actual security incidents.

Alert fatigue causes real incidents to be overlooked.

C

Reduced system performance due to alert processing.

D

Increased cost of investigating alerts.

Why: Option B is correct because a high false positive rate causes alert fatigue: analysts start dismissing alerts from the control, so a genuine incident is more likely to be overlooked, which defeats the purpose of a detective control. Loss of management confidence (A) and the cost of investigating alerts (D) are real but secondary consequences, and reduced system performance (C) is possible but rarely the most significant impact.
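The threshold problem in Q1 above and the false-positive cost in Q6 share one mechanism: a count-over-window detection rule whose threshold trades missed attacks against analyst noise. The following Python is an added example written for this page, not code from Courseiva or from any SIEM product. It constructs a small sshd-style auth log (the sources 10.0.0.5, 10.0.0.7 and 10.0.0.9, the user names and the failure counts are all made up), applies a sliding-window failed-login rule at several thresholds, and reports what each threshold catches and what it falsely flags.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Log format assumed for this example (sshd-style, ISO timestamps); a real SIEM
# would parse its own source format and normalise to the same fields.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) sshd: "
    r"(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)$"
)


def make_sample_log():
    """Constructed sample log (not real data): three sources over one morning."""
    base = datetime(2026, 5, 1, 9, 0, 0)
    fmt = "{:%Y-%m-%dT%H:%M:%S} sshd: {} password for {} from {}"
    lines = []
    # 10.0.0.5: password spray against 'admin', 40 failures 15 s apart (the attack)
    for i in range(40):
        lines.append(fmt.format(base + timedelta(seconds=15 * i), "Failed", "admin", "10.0.0.5"))
    # 10.0.0.9: a user mistypes a password twice, then logs in (benign)
    for i in range(2):
        lines.append(fmt.format(base + timedelta(seconds=30 * i), "Failed", "alice", "10.0.0.9"))
    lines.append(fmt.format(base + timedelta(seconds=70), "Accepted", "alice", "10.0.0.9"))
    # 10.0.0.7: a misconfigured backup job retries a stale password every minute (benign, noisy)
    for i in range(8):
        lines.append(fmt.format(base + timedelta(seconds=60 * i), "Failed", "svc_backup", "10.0.0.7"))
    lines.sort()  # ISO timestamps sort lexically, so this yields ingest order
    return lines


def detect_failed_logins(lines, threshold, window_minutes=10):
    """Sliding-window rule: raise one alert per source once it accumulates
    `threshold` failed logins within any `window_minutes` span.
    Returns {source: timestamp of the failure that crossed the threshold}."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)  # per-source failure timestamps still inside the window
    alerts = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["result"] != "Failed":
            continue  # ignore successes and lines that do not parse
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S")
        q = recent[m["src"]]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # age out failures older than the window
        if len(q) >= threshold and m["src"] not in alerts:
            alerts[m["src"]] = ts
    return alerts


def score_threshold(lines, threshold, known_attackers, window_minutes=10):
    """Compare what a threshold fires on against the sources known to be hostile."""
    fired = set(detect_failed_logins(lines, threshold, window_minutes))
    return {
        "threshold": threshold,
        "true_positives": sorted(fired & known_attackers),
        "false_positives": sorted(fired - known_attackers),
        "missed": sorted(known_attackers - fired),
    }


if __name__ == "__main__":
    log = make_sample_log()
    attackers = {"10.0.0.5"}  # ground truth for the constructed log
    for thr in (50, 20, 5, 2):
        print(score_threshold(log, thr, attackers))
```

Running it shows threshold 50 missing the 40-attempt spray entirely (the Q1 situation), 20 catching only the attacker, and 5 or 2 also firing on the misconfigured service account and on the user who mistyped a password (the Q6 situation). In practice the threshold is set from a baseline of the environment's own per-source failure counts, and a per-user variant of the rule is added so that a spray distributed across many source addresses is not missed by the per-source count.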


Domain 4: IT Risk Assessment

Q1 (medium)

During a risk assessment, an organization identifies that its primary data center is located in a flood-prone area. Which risk treatment option would best address this risk?

A

Purchase business interruption insurance

B

Move all operations to a cloud provider

C

Implement flood barriers and redundant cooling systems

This is a mitigation action.

D

Accept the risk and document it in the risk register

Why: Implementing flood barriers and redundant cooling systems directly reduces the likelihood and impact of a flood event on the data center's physical infrastructure. This is a risk mitigation strategy that proactively addresses the root cause of the risk (flooding) by hardening the facility, which is the most effective treatment for a high-probability, high-impact physical threat.
Q2 (hard)

A risk assessment for a healthcare organization reveals a high likelihood of data breaches due to weak encryption on portable devices. The organization decides to deploy full-disk encryption and enforce multi-factor authentication. Which risk response strategy is being applied?

A

Transfer

B

Acceptance

C

Avoidance

D

Mitigation

Controls reduce risk.

Why: Deploying full-disk encryption and multi-factor authentication directly reduces the likelihood and/or impact of data breaches from weak encryption on portable devices. This is the definition of risk mitigation — applying controls to lower risk to an acceptable level. The organization is actively reducing the vulnerability, not transferring, accepting, or avoiding the risk.
Q3 (easy)

Which of the following is the PRIMARY purpose of conducting a business impact analysis (BIA) during the IT risk assessment process?

A

To determine the criticality and recovery time objectives of business processes

BIA focuses on business impact.

B

To identify vulnerabilities in IT systems

C

To identify potential threat actors

D

To inventory all IT assets

Why: Option A is correct because the BIA identifies critical business processes, quantifies the impact of their disruption over time, and sets recovery priorities such as recovery time objectives. Identifying vulnerabilities (B) is the job of vulnerability assessment, threat actors (C) are identified during threat modeling, and inventorying assets (D) is part of asset management.
Q4 (medium)

A retail company is assessing the risk of a POS malware attack. Which approach would BEST quantify the potential financial impact?

A

Vulnerability scanning and penetration testing

B

Annualized Loss Expectancy (ALE) calculation based on past incidents

C

Scenario analysis with input from business and IT stakeholders

Scenario analysis provides tailored impact estimates.

D

Failure Mode and Effects Analysis (FMEA)

Why: Scenario analysis with input from business and IT stakeholders is the best approach because it allows the organization to model specific POS malware attack scenarios, incorporating both technical threat vectors (e.g., memory scraping of track data) and business context (e.g., PCI DSS fines, card reissuance costs, brand damage). This collaborative method produces a more accurate and contextualized financial impact estimate than purely historical or technical assessments, especially for emerging or evolving threats like POS malware.
Q5 (hard)

A risk assessor is evaluating a third-party cloud service provider. Which of the following is the MOST important factor to consider when assessing the risk of data exfiltration?

A

The provider's data portability and exit process

B

The provider's service level agreement (SLA) for uptime

C

The number of security certifications held by the provider

D

The provider's encryption standards for data at rest and in transit

Encryption is key to protecting data.

Why: Data exfiltration risk at a provider is limited first by how data is encrypted at rest and in transit, and by who controls the keys. Even with sound access controls, a deprecated protocol (e.g., TLS 1.0) or a weak construction (e.g., CBC mode with predictable IVs) gives an attacker who intercepts traffic or copies storage a path to readable data, whereas with current protocols and strong key management exfiltrated ciphertext is of little use. Uptime SLAs (B) concern availability, data portability (A) concerns exit from the provider, and a count of certifications (C) says nothing about the specific controls applied to this data.
Q6 (easy)

An organization has a risk appetite that is risk-averse. Which risk treatment option would be most aligned with this appetite?

A

Avoid the risk by discontinuing the activity

Avoidance aligns with risk-averse appetite.

B

Mitigate the risk with controls

C

Accept the risk

D

Transfer the risk through insurance

Why: A risk-averse organization prioritizes avoiding exposure to threats. Discontinuing the activity that introduces the risk (option A) eliminates the threat source entirely, ensuring no residual risk remains. This aligns directly with a risk-averse appetite, where even low-probability, high-impact events are unacceptable.


Frequently asked questions

How many questions are on the CRISC exam?

The CRISC exam has 150 questions and must be completed in 240 minutes. The passing score is 450/1000.

What types of questions appear on the CRISC exam?

Scenario questions on IT risk identification, assessment, response, and reporting.

How are CRISC questions organised by domain?

The exam covers 4 domains: IT Risk Identification, Risk Response and Mitigation, Risk and Control Monitoring and Reporting, IT Risk Assessment. Questions are weighted by domain — higher-weight domains appear more on your actual exam.

Are these the actual CRISC exam questions?

No. These are original exam-style practice questions written against the official ISACA CRISC exam objectives. They are not copied from the real exam. Courseiva focuses on genuine understanding, not memorisation of braindumps.
