© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Objective 2.0

IT Risk Assessment

CRISC Practice Questions

Risk questions require you to match the scenario characteristics to the correct response strategy. The probability-impact combination drives the choice — avoid or mitigate high combinations, accept low ones.


What this objective tests

CRISC IT Risk Assessment — Key Topics

Risk management questions test risk identification, qualitative vs quantitative analysis, risk response strategies (avoid, transfer, mitigate, accept), and risk registers.

  • Risk identification techniques: brainstorming, SWOT, Delphi technique, and historical data review.
  • Qualitative analysis: probability-impact matrix, risk categorisation, and urgency assessment.
  • Quantitative analysis: EMV (Expected Monetary Value), Monte Carlo simulation, and sensitivity analysis.
  • Risk response strategies and when each is appropriate based on impact and probability.

Common exam traps

Where candidates lose marks on IT Risk Assessment

  • ⚠ Confusing risk avoidance (eliminate the cause) with risk transfer (shift consequence to another party).
  • ⚠ Treating a risk with low probability and high impact the same as one with high probability and low impact.
  • ⚠ Forgetting that residual risk remains after mitigation and must be accepted or further treated.
  • ⚠ Selecting risk acceptance for a high-impact, high-probability risk — acceptance is for low-impact or unavoidable risks.

CRISC IT Risk Assessment — Practice Questions

30 questions from this objective

Question 2 (medium, multiple choice)

During a risk assessment, an organization identifies that its primary data center is located in a flood-prone area. Which risk treatment option would best address this risk?

Question 3 (hard, multiple choice)

A risk assessment for a healthcare organization reveals a high likelihood of data breaches due to weak encryption on portable devices. The organization decides to deploy full-disk encryption and enforce multi-factor authentication. Which risk response strategy is being applied?

Question 4 (easy, multiple choice)

Which of the following is the PRIMARY purpose of conducting a business impact analysis (BIA) during the IT risk assessment process?

Question 5 (medium, multiple choice)

A retail company is assessing the risk of a POS malware attack. Which approach would BEST quantify the potential financial impact?

Question 6 (hard, multiple choice)

A risk assessor is evaluating a third-party cloud service provider. Which of the following is the MOST important factor to consider when assessing the risk of data exfiltration?

Question 7 (easy, multiple choice)

An organization has a risk appetite that is risk-averse. Which risk treatment option would be most aligned with this appetite?

Question 8 (medium, multiple choice)

During a risk assessment, a financial institution identifies that its online banking application uses an outdated encryption protocol. The likelihood of exploitation is high, and the impact is moderate. What should the risk owner do FIRST?

Question 9 (hard, multiple choice)

A multinational corporation is assessing the risk of non-compliance with GDPR. Which of the following is the BEST approach to quantify the potential fine?

Question 10 (easy, multiple choice)

Which of the following is the BEST indicator that an organization's IT risk assessment process is effective?

Question 11 (medium, multiple choice)

A risk assessment reveals that a legacy system has a high vulnerability score but low business criticality. The cost to remediate is high. What is the MOST appropriate risk response?

Question 12 (hard, multiple choice)

An organization uses a quantitative risk analysis method. The annualized rate of occurrence (ARO) for a specific threat is 0.5, and the single loss expectancy (SLE) is $200,000. What is the annualized loss expectancy (ALE)?

Question 13 (medium, multiple choice)

During a risk assessment for a cloud migration project, the IT risk manager identifies that the organization lacks visibility into the cloud provider's security controls. Which approach should the risk manager recommend to address this risk?

Question 14 (hard, multiple choice)

A financial institution is assessing the risk of a new real-time payment system. The risk manager calculates that the annualized loss expectancy (ALE) for a potential fraud scenario is $500,000. The cost to implement a fraud detection solution is $200,000 initially with $50,000 annual maintenance. The solution is expected to reduce the ALE by 80%. What is the net benefit of implementing the solution over three years?

Question 15 (easy, multiple choice)

An organization is performing a risk assessment for its new customer relationship management (CRM) system. Which of the following is the BEST way to identify threats to the CRM?

Question 16 (medium, multiple choice)

After a risk assessment, the risk owner decides to mitigate a high-risk finding by implementing additional access controls. What should the risk manager do NEXT?

Question 17 (hard, multiple choice)

An organization has a legacy system that cannot be patched due to vendor end-of-life. The system processes non-critical data. The risk manager has determined that the likelihood of exploitation is low, but the impact would be high. Which risk response strategy is MOST appropriate?

Question 18 (easy, multiple choice)

During a risk assessment, the risk manager identifies a vulnerability in a web application that could allow SQL injection. The development team states they will fix it in the next release, which is six months away. What should the risk manager do?

Question 19 (medium, multiple choice)

A risk manager is evaluating the risk associated with a new third-party vendor that will have access to customer data. The vendor has been in business for 10 years and holds ISO 27001 certification. Which factor should be given the MOST weight when determining the vendor's risk level?

Question 20 (hard, multi-select)

Which TWO of the following are valid techniques for identifying risk in IT risk assessment?

Question 21 (medium, multi-select)

Which THREE of the following are key components of a risk assessment report?

Question 22 (easy, multi-select)

Which TWO of the following are examples of inherent risk?

Question 23 (hard, multiple choice)

Based on the exhibit, what is the MOST likely risk scenario?

Exhibit

Refer to the exhibit.
```
2023-11-15 14:23:45 [CRITICAL] Failed login attempt for user 'admin' from IP 10.0.0.5
2023-11-15 14:23:46 [CRITICAL] Failed login attempt for user 'admin' from IP 10.0.0.5
2023-11-15 14:23:47 [CRITICAL] Failed login attempt for user 'admin' from IP 10.0.0.5
... (repeated 100 times in 5 minutes)
2023-11-15 14:28:45 [INFO] Successful login for user 'admin' from IP 10.0.0.5
```

Question 24 (medium, multiple choice)

Based on the exhibit, what is the primary risk to the organization?

Exhibit

Refer to the exhibit.
```
{
  "PolicyName": "S3PublicAccessBlock",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::customer-data/*"
    }
  ]
}
```

Question 25 (hard, multiple choice)

You are the IT risk manager for a multinational corporation with a hybrid cloud environment. The company uses AWS for its primary infrastructure and maintains an on-premises data center for legacy applications. Recently, the security team detected that a contractor's credentials were used to access an S3 bucket containing personally identifiable information (PII) of European customers. The contractor had been granted access to this bucket six months ago for a data migration project that has since been completed. The access was not revoked. The security team has implemented an automated process to review and revoke access for contractors after project completion, but this process has not been applied retroactively. The company is subject to GDPR. Which of the following is the BEST course of action to address the immediate risk?

Question 26 (medium, multiple choice)

A company is implementing a new cloud-based customer relationship management (CRM) system. The IT risk manager needs to assess the risk of data exfiltration by a malicious insider at the cloud provider. Which risk assessment approach is most appropriate for this scenario?

Question 27 (easy, multiple choice)

During a risk assessment for a critical financial application, the IT risk manager identifies a vulnerability in the application's authentication module. The exploit would require authenticated access. Which risk rating is most appropriate if the vulnerability has a CVSS base score of 9.0, but the application is behind a strong firewall and requires two-factor authentication?

Question 28 (hard, multi-select)

Which THREE of the following are key components of an IT risk assessment report as per ISACA guidelines?

Question 29 (hard, multiple choice)

Based on the exhibit, which risk should be treated first according to the risk rating?

Exhibit

Refer to the exhibit.

```
Risk Register Extract:
Risk ID | Asset | Vulnerability | Threat | Current Control | Likelihood | Impact | Risk Level
R001    | WebApp | SQLi in login | Attacker | WAF | 3 | 5 | 15
R002    | DB Server | Weak password | Insider | Password policy | 2 | 4 | 8
R003    | Firewall | Misconfigured rule | External | Change management | 4 | 3 | 12
```

Risk Rating Matrix:
Likelihood (1-5) x Impact (1-5) = Risk Level (1-25). Thresholds: Low (1-6), Medium (7-12), High (13-25).

Question 30 (medium, multiple choice)

You are the IT risk manager at a multinational corporation that recently migrated its customer database to a cloud-based platform. The database contains personally identifiable information (PII) subject to GDPR. During a routine vulnerability scan, you discover that the database is accessible from the internet without encryption (port 1433 open). The cloud provider's shared responsibility model indicates that securing the database configuration is the customer's responsibility. You have identified the risk as high likelihood and high impact. The business owner argues that the database is only accessible to a limited IP range and that encryption would degrade performance. Which course of action should you recommend to treat the risk?

Question 31 (medium, multiple choice)

Refer to the exhibit. An organization has identified vulnerabilities on a critical server. The risk owner has limited resources and can remediate only one finding this quarter. Based on the information provided, which approach is the most appropriate risk assessment decision?

Exhibit

Refer to the exhibit.

```
Vulnerability Scan Report (excerpt):
Host: 10.10.50.100
Port: 443 (HTTPS)
Finding: SSL/TLS certificate uses SHA-1 signature algorithm (CVE-2015-7575)
Severity: Medium
Remediation: Replace certificate with SHA-256 or higher.

Host: 10.10.50.100
Port: 22 (SSH)
Finding: OpenSSH version 7.2 is vulnerable to CVE-2016-6515 (DoS)
Severity: Low
Remediation: Upgrade to OpenSSH 7.3 or later.
```
