ISACA · Free Practice Questions · Last reviewed May 2026
24real exam-style questions organised by domain, each with the correct answer highlighted and a plain-English explanation of why it's right — and why the others are wrong.
A company recently experienced a data breach due to an unpatched vulnerability in a public-facing web application. During the post-incident review, the IT risk manager notes that the vulnerability was identified by the vulnerability scanner six months ago but was not remediated because the patch required a critical database server restart. Which of the following is the BEST risk treatment decision to prevent a recurrence?
Ignore the vulnerability until the next maintenance window.
Escalate the risk to senior management for acceptance.
Implement a compensating control such as a web application firewall.
A WAF can block exploitation attempts until a proper patch can be applied.
Accept the risk based on the low likelihood of exploitation.
During a risk assessment, an organization identifies that its legacy ERP system has a high likelihood of failure during peak transaction periods. The system supports critical financial operations. The risk owner proposes to upgrade the system, but the project would take 18 months and require significant capital investment. The CEO questions whether the risk can be reduced to an acceptable level more quickly. Which of the following is the MOST appropriate immediate risk response?
Implement enhanced monitoring and manual fallback procedures.
These measures reduce the impact of failures and can be deployed quickly.
Increase cyber insurance coverage.
Accept the risk and budget for potential losses.
Outsource the ERP hosting to a cloud provider.
An organization is considering migrating its customer database to a public cloud provider. Which of the following is the PRIMARY risk identification technique that should be used to identify potential data exposure risks?
Vulnerability scanning
Threat modeling
Threat modeling systematically identifies threats relevant to the cloud migration.
Penetration testing
Business impact analysis
An IT risk manager is reviewing the results of a recent risk assessment. The organization has a risk appetite that allows for low residual risk. One identified risk has an inherent risk score of 15 (on a scale of 1-25) and currently has no controls. Which of the following is the BEST recommendation for this risk?
Accept the risk because the score is moderate.
Implement controls to reduce the residual risk to an acceptable level.
Controls are necessary to lower the residual risk to within appetite.
Transfer the risk via cyber insurance.
Avoid the risk by discontinuing the business process.
A multinational corporation uses a common identity management system (IdM) across all subsidiaries. During a risk assessment, it is discovered that the IdM system has a critical vulnerability that could allow privilege escalation. The patch requires a 4-hour downtime. The risk manager must decide the best course of action considering the organization's risk appetite of 'low' and the fact that the IdM system is critical for business operations. Which of the following is the BEST approach?
Implement a compensating control and delay patching.
Schedule the patch during the next maintenance window.
This minimizes disruption while addressing the vulnerability in a timely manner.
Apply the patch immediately during business hours.
Accept the risk and postpone patching indefinitely.
Which of the following is the BEST example of a key risk indicator (KRI) for the risk of unauthorized access to sensitive data?
Average server uptime
Number of firewalls deployed
Percentage of users with access to sensitive data
A high percentage indicates a larger attack surface for unauthorized access.
Number of security awareness trainings completed
Want more IT Risk Identification practice?
Practice this domainAfter implementing a new web application, the risk owner reports that the residual risk level is still above the risk appetite. Which of the following should be the risk practitioner's FIRST action?
Re-evaluate risk treatment options with the risk owner
The practitioner should collaborate with the risk owner to identify additional controls or modify existing ones.
Escalate directly to the board
Update the risk register to reflect the residual risk
Accept the residual risk
A multinational organization is implementing a risk mitigation strategy for a critical system. The business impact analysis shows that downtime costs are extremely high. Which risk response strategy is MOST appropriate for this scenario?
Risk avoidance by decommissioning the system
Risk transfer through cyber insurance
Risk reduction by implementing redundant systems
Redundancy reduces both likelihood and impact of downtime.
Risk acceptance because mitigation is too costly
An organization decides to outsource its data center operations to a third party. This is an example of which risk response?
Risk reduction
Risk transfer
Outsourcing transfers operational risk to the third party.
Risk acceptance
Risk avoidance
During a review, a risk practitioner discovers that a key control for a high-risk process is not operating effectively. The risk owner is reluctant to invest in additional controls due to budget constraints. What should the risk practitioner do FIRST?
Accept the risk owner's decision
Document the deficiency and move on
Communicate the risk exposure to senior management
Senior management needs to be aware of the risk and decide on additional funding.
Escalate directly to the board
A company has implemented a risk mitigation plan that includes technical controls. However, six months later, the residual risk is still higher than expected. The risk practitioner suspects that the controls are not being followed. Which of the following is the BEST approach to verify this?
Perform a new risk assessment
Interview control owners
Review risk register updates
Conduct a control testing and audit review
Testing provides direct evidence of control operation.
Which TWO of the following are effective risk mitigation strategies for reducing the likelihood of a ransomware attack?
Installing intrusion detection systems
Conducting periodic vulnerability scans
Regularly backing up critical data
Deploying network segmentation
Segmentation limits the spread of ransomware, reducing likelihood of widespread infection.
Implementing user awareness training
Training reduces the chance of users falling for phishing attacks.
Want more Risk Response and Mitigation practice?
Practice this domainA security analyst notices that the number of failed login attempts has significantly increased over the past week. The SIEM alerts are not being triggered because the threshold was set too high. What is the MOST effective immediate action to improve monitoring?
Implement a new authentication system with biometrics.
Lower the threshold for failed login alerts in the SIEM.
Directly fixes the issue of missed alerts.
Enable all SIEM rules to capture every event.
Review logs manually each day to identify anomalies.
A risk manager is reviewing the control monitoring reports and finds that a key control's effectiveness rating has dropped from 'effective' to 'partially effective' due to increased errors in manual data entry. Which of the following is the BEST course of action?
Conduct a root cause analysis to identify why errors increased.
Identifies underlying issues to inform corrective actions.
Immediately implement an automated data entry solution.
Increase the frequency of monitoring to detect errors sooner.
Assign additional staff to double-check data entries.
A company has implemented a new control to detect unauthorized access attempts. What is the PRIMARY purpose of monitoring this control?
To provide evidence for regulatory audits.
To reduce the number of unauthorized access attempts.
To confirm the control is working effectively.
Ensures the control functions as designed.
To calculate the residual risk level.
A risk practitioner is designing a monitoring dashboard for senior management. Which key performance indicator (KPI) would be MOST useful for tracking control effectiveness over time?
Number of security incidents reported.
Number of transactions processed per hour.
Value at Risk (VaR) for operational risk.
Percentage of controls passing automated tests.
Directly indicates control effectiveness.
A company has multiple business units each using different risk assessment methodologies. The risk committee wants consistent monitoring reports. What is the BEST approach to achieve consistency?
Develop and mandate a standardized risk assessment methodology.
Ensures consistent risk identification and evaluation.
Aggregate risks at the enterprise level using a common taxonomy.
Require each business unit to adopt the same risk scoring scale.
Create a centralized reporting template with predefined fields.
During a control monitoring review, it is discovered that a detective control has a high false positive rate. What is the MOST significant impact of this issue?
Loss of confidence in the control by management.
Increased risk of missing actual security incidents.
Alert fatigue causes real incidents to be overlooked.
Reduced system performance due to alert processing.
Increased cost of investigating alerts.
Want more Risk and Control Monitoring and Reporting practice?
Practice this domainDuring a risk assessment, an organization identifies that its primary data center is located in a flood-prone area. Which risk treatment option would best address this risk?
Purchase business interruption insurance
Move all operations to a cloud provider
Implement flood barriers and redundant cooling systems
This is a mitigation action.
Accept the risk and document it in the risk register
A risk assessment for a healthcare organization reveals a high likelihood of data breaches due to weak encryption on portable devices. The organization decides to deploy full-disk encryption and enforce multi-factor authentication. Which risk response strategy is being applied?
Transfer
Acceptance
Avoidance
Mitigation
Controls reduce risk.
Which of the following is the PRIMARY purpose of conducting a business impact analysis (BIA) during the IT risk assessment process?
To determine the criticality and recovery time objectives of business processes
BIA focuses on business impact.
To identify vulnerabilities in IT systems
To identify potential threat actors
To inventory all IT assets
A retail company is assessing the risk of a POS malware attack. Which approach would BEST quantify the potential financial impact?
Vulnerability scanning and penetration testing
Annualized Loss Expectancy (ALE) calculation based on past incidents
Scenario analysis with input from business and IT stakeholders
Scenario analysis provides tailored impact estimates.
Failure Mode and Effects Analysis (FMEA)
A risk assessor is evaluating a third-party cloud service provider. Which of the following is the MOST important factor to consider when assessing the risk of data exfiltration?
The provider's data portability and exit process
The provider's service level agreement (SLA) for uptime
The number of security certifications held by the provider
The provider's encryption standards for data at rest and in transit
Encryption is key to protecting data.
An organization has a risk appetite that is risk-averse. Which risk treatment option would be most aligned with this appetite?
Avoid the risk by discontinuing the activity
Avoidance aligns with risk-averse appetite.
Mitigate the risk with controls
Accept the risk
Transfer the risk through insurance
Want more IT Risk Assessment practice?
Practice this domainThe CRISC exam has 150 questions and must be completed in 240 minutes. The passing score is 450/1000.
Scenario questions on IT risk identification, assessment, response, and reporting.
The exam covers 4 domains: IT Risk Identification, Risk Response and Mitigation, Risk and Control Monitoring and Reporting, IT Risk Assessment. Questions are weighted by domain — higher-weight domains appear more on your actual exam.
No. These are original exam-style practice questions written against the official ISACA CRISC exam objectives. They are not copied from the real exam. Courseiva focuses on genuine understanding, not memorisation of braindumps.
Courseiva tracks your accuracy per domain and routes you toward weak areas automatically. Free, no account required.