© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

CRISC IT Risk Assessment • Complete Question Bank

CRISC IT Risk Assessment — All Questions With Answers

Complete CRISC IT Risk Assessment question bank — all 0 questions with answers and detailed explanations.

140 questions · Free · No signup
Question 1 (easy, multiple choice)

An organization uses a 5×5 risk heat map to assess IT risks. Which of the following is the PRIMARY advantage of this qualitative approach?

Question 2 (medium, multiple choice)

A company is evaluating the risk of a data breach using the FAIR framework. The threat event frequency is estimated at 10 per year, and the vulnerability is 0.2. The primary loss per event is $50,000 and secondary loss is $20,000. What is the annualized loss expectancy (ALE)?

Question 3 (hard, multiple choice)

An organization has identified a high-risk IT process that, if continued, could result in significant regulatory fines. The risk owner recommends implementing additional controls. However, the cost of controls exceeds the potential financial loss. Which risk treatment option is MOST appropriate?

Question 4 (medium, multiple choice)

During an IT risk assessment, the risk practitioner calculates the inherent risk score for a critical application as 25 (on a 5×5 matrix). After evaluating control effectiveness, the residual risk score is 9. What can be inferred about the controls?

Question 5 (easy, multiple choice)

Which of the following is a detective control for an information system?

Question 6 (medium, multiple choice)

A quantitative risk assessment for a server shows an ARO of 0.5 and SLE of $200,000. What is the ALE, and what does it imply?

Question 7 (hard, multiple choice)

An organization is assessing the risk of a ransomware attack. The threat actor capability is high, but vulnerability is low due to strong patching. However, the business impact is severe. According to FAIR, which factor most directly influences Loss Event Frequency (LEF)?

Question 8 (easy, multiple choice)

Which risk treatment option involves eliminating the activity that creates the risk?

Question 9 (medium, multiple choice)

A risk practitioner is prioritizing IT risks for treatment. Which factor should be the PRIMARY basis for prioritization?

Question 10 (hard, multiple choice)

In the FAIR model, which component represents the probable frequency, within a given timeframe, that a threat agent will act against an asset?

Question 11 (medium, multiple choice)

An organization uses a qualitative risk assessment and assigns a likelihood of '3' and impact of '4' on a 5-point scale. The heat map defines risk scores 12-25 as high. What is the risk rating?

Question 12 (easy, multiple choice)

Which type of control is designed to reduce the likelihood of a risk event occurring?

Question 13 (medium, multi-select)

A risk assessment for a cloud migration identifies high inherent risk. The risk practitioner evaluates controls. Which TWO components are necessary to calculate residual risk?

Question 14 (hard, multi-select)

An organization is performing a quantitative risk analysis using the FAIR framework. Which THREE of the following are direct components of the FAIR model?

Question 15 (medium, multi-select)

An organization is evaluating risk treatment options for a critical vulnerability. Which TWO options would be considered risk mitigation?

Question 16 (easy, multiple choice)

A risk manager is using a 5×5 likelihood-impact matrix to assess a set of identified risks. What is the PRIMARY advantage of using this qualitative method?

Question 17 (medium, multiple choice)

An organization uses the FAIR framework to calculate annualized loss expectancy (ALE) for a specific risk. Given that the single loss expectancy (SLE) is $50,000 and the annualized rate of occurrence (ARO) is 0.2, what is the ALE?

Question 18 (hard, multiple choice)

After implementing a set of controls for a critical risk, the residual risk is calculated. The risk owner argues that the residual risk remains high and requires further treatment. Which of the following BEST describes the relationship between inherent risk, control effectiveness, and residual risk?

Question 19 (medium, multiple choice)

A risk assessment identifies a high-likelihood, high-impact risk associated with a legacy system. The business owner decides to decommission the system to eliminate the risk. Which risk treatment option is being applied?

Question 20 (hard, multiple choice)

During a quantitative risk analysis, the risk team calculates the loss event frequency (LEF) using the FAIR framework. If the threat event frequency (TEF) is 10 per year and the vulnerability (V) is 0.3, what is the LEF?

Question 21 (easy, multiple choice)

Which control type is designed to stop a risk event from occurring?

Question 22 (medium, multiple choice)

An organization is evaluating risks and decides to purchase cyber insurance to cover potential financial losses from data breaches. Which risk treatment option does this represent?

Question 23 (medium, multiple choice)

A risk assessment report includes both inherent and residual risk ratings. The inherent risk for a process is rated as 'high' based on a 5×5 heat map. After applying a set of controls, the residual risk is rated as 'medium'. What does this indicate about the control effectiveness?

Question 24 (hard, multiple choice)

In the FAIR framework, loss magnitude (LM) is composed of primary loss and secondary loss. Which of the following is an example of secondary loss?

Question 25 (easy, multiple choice)

Which of the following is a limitation of qualitative risk analysis?

Question 26 (medium, multiple choice)

An organization identifies a risk that is within its risk appetite. The risk owner decides to formally document the risk and accept it without implementing additional controls. Which of the following is required for this risk acceptance?

Question 27 (hard, multiple choice)

In a quantitative risk analysis, the annualized loss expectancy (ALE) is calculated as $1 million. If the organization implements a control that reduces the ARO from 0.5 to 0.1, and the SLE remains constant at $2 million, what is the new ALE?

Question 28 (medium, multi-select)

A risk assessment team is prioritizing risks for treatment using inherent risk ratings. Which TWO factors should be considered when deciding which risks to treat first?

Question 29 (medium, multi-select)

An organization is assessing control effectiveness for a key process. Which TWO aspects should be evaluated to determine if a control is effective?

Question 30 (hard, multi-select)

A risk manager is evaluating the impact assessment for a potential data breach. Which THREE categories of impact should be considered in a comprehensive business impact analysis?

Question 31 (medium, multiple choice)

A risk analyst uses a 5×5 heat map to evaluate a set of IT risks. For a particular risk, the likelihood is rated as 4 (likely) and impact as 5 (very high). What is the resulting risk rating?

Question 32 (hard, multiple choice)

An organization using the FAIR framework estimates that a threat event frequency (TEF) is 10 per year, vulnerability is 0.2, and loss magnitude per event is $500,000. What is the annualized loss expectancy (ALE)?

Question 33 (easy, multiple choice)

Which of the following best describes an advantage of qualitative risk analysis over quantitative risk analysis?

Question 34 (medium, multiple choice)

A company decides to purchase cyber insurance to cover potential losses from a data breach. This is an example of which risk treatment option?

Question 35 (medium, multiple choice)

After implementing a set of controls, the risk owner calculates the residual risk. Which of the following is true about residual risk?

Question 36 (hard, multiple choice)

In the FAIR framework, which of the following correctly represents the calculation of Loss Event Frequency (LEF)?

Question 37 (easy, multiple choice)

A risk assessment reveals a high inherent risk that is within the organization's risk appetite. The risk owner documents the risk and formally accepts it. This is an example of which risk treatment option?

Question 38 (medium, multiple choice)

Which control type is primarily focused on identifying that a risk event has occurred?

Question 39 (hard, multiple choice)

An organization assesses a risk and determines the inherent risk score is 20 (critical). After implementing controls, the residual risk score is 8 (medium). What does this indicate about the controls?

Question 40 (medium, multiple choice)

A company's risk assessment identifies that a threat actor has high capability and motivation to exploit a vulnerability. Which factor does this relate to?

Question 41 (easy, multiple choice)

Which of the following is an example of a preventive control?

Question 42 (medium, multiple choice)

In assessing control effectiveness, an IS auditor evaluates both design adequacy and operating effectiveness. Which of the following indicates that a control is operating effectively?

Question 43 (medium, multi-select)

A risk assessment identifies that a critical application has a vulnerability with a high likelihood of exploitation. The risk owner proposes to implement a web application firewall (WAF) as a mitigating control. Which TWO of the following are likely benefits of this control?

Question 44 (hard, multi-select)

An organization is evaluating the impact of a potential data breach. Which THREE of the following are considered indirect financial impacts?

Question 45 (easy, multi-select)

When performing a risk assessment, which TWO of the following are components of inherent risk?

Question 46 (easy, multiple choice)

A risk practitioner is using a 5×5 heat map with likelihood and impact ratings. Which of the following is a key advantage of this qualitative risk analysis approach?

Question 47 (medium, multiple choice)

An organization is evaluating the risk of a data breach using the FAIR framework. The threat event frequency is estimated at 10 per year, the vulnerability is 0.2, and the loss magnitude is $500,000 per event. What is the annualized loss expectancy (ALE)?

Question 48 (medium, multiple choice)

During an IT risk assessment, a risk owner identifies a risk that is within the organization's risk appetite. The recommended risk treatment option is to:

Question 49 (easy, multiple choice)

Which of the following is a limitation of quantitative risk analysis?

Question 50 (hard, multiple choice)

A company has an inherent risk score of 20 for a specific threat. After implementing controls, the control effectiveness is assessed as 60% (design adequacy 70%, operating effectiveness 85%). What is the approximate residual risk score?

Question 51 (medium, multiple choice)

Which of the following is an example of a detective control?

Question 52 (hard, multiple choice)

An organization is considering outsourcing its payroll processing to a third party. The risk assessment shows that the inherent risk of payroll errors is high, but the vendor contract includes liability clauses and the organization obtains cyber insurance. This risk treatment is best described as:

Question 53 (medium, multiple choice)

When prioritizing risk treatment actions, which of the following should be the primary consideration?

Question 54 (medium, multiple choice)

In the FAIR framework, Loss Event Frequency (LEF) is calculated as:

Question 55 (easy, multiple choice)

Which of the following best describes residual risk?

Question 56 (hard, multiple choice)

A risk assessment reveals that the likelihood of a phishing attack is high, and the impact is moderate. The organization decides to implement security awareness training and email filtering. This is an example of which risk treatment?

Question 57 (medium, multiple choice)

In qualitative risk analysis, a risk with a likelihood rating of 'High' and an impact rating of 'High' on a 5×5 heat map would typically be classified as:

Question 58 (medium, multi-select)

A risk practitioner is conducting a business impact assessment for a critical application. Which TWO of the following are examples of direct financial costs? (Select TWO)

Question 59 (hard, multi-select)

An organization is assessing control effectiveness for a firewall. Which THREE factors should be evaluated to determine control effectiveness? (Select THREE)

Question 60 (medium, multi-select)

A company is considering risk transfer for a new IT project. Which TWO options represent valid risk transfer mechanisms? (Select TWO)

Question 61 (easy, multiple choice)

An IT risk assessment team is using a 5×5 risk matrix with likelihood and impact ratings. A risk scenario is rated as likelihood = 4 (likely) and impact = 5 (catastrophic). According to the typical heat map, what would be the risk rating?

Question 62 (medium, multiple choice)

A company uses the FAIR model to perform a quantitative risk analysis. The threat event frequency (TEF) is estimated at 10 per year, vulnerability (V) is 0.5, and loss magnitude (LM) per event is $50,000. What is the annualized loss expectancy (ALE)?

Question 63 (hard, multiple choice)

A risk analyst is assessing a critical application's inherent risk. After implementing controls, the residual risk is calculated as high. The analyst determines that the control design is adequate but operating effectiveness is poor. Which factor most likely explains the high residual risk?

Question 64 (easy, multiple choice)

Which risk treatment option is being used when an organization decides to stop a business activity that creates a high-risk exposure?

Question 65 (medium, multiple choice)

An organization is considering purchasing cyber insurance to cover potential losses from a data breach. This is an example of which risk treatment option?

Question 66 (medium, multiple choice)

In a qualitative risk assessment, a risk owner argues that the likelihood of a cyberattack is low because the organization has strong perimeter defenses. However, the analyst notes that the impact would be catastrophic. Which limitation of qualitative analysis is most relevant?

Question 67 (hard, multiple choice)

A company calculates the annualized loss expectancy (ALE) for a server failure as $150,000. After implementing a backup solution costing $20,000 per year, the ALE drops to $30,000. What is the annualized benefit of the control?

Question 68 (easy, multiple choice)

Which of the following is a detective control?

Question 69 (medium, multiple choice)

A risk is assessed with an inherent risk score of 25 on a 5×5 matrix. After implementing controls, the residual risk score is 10. The control effectiveness is considered:

Question 70 (medium, multiple choice)

When prioritizing risk treatment actions, which of the following should be the primary consideration?

Question 71 (hard, multiple choice)

In the FAIR model, 'Loss Event Frequency' is calculated as:

Question 72 (easy, multiple choice)

Which of the following is an example of a corrective control?

Question 73 (medium, multi-select)

An organization is evaluating whether to accept a risk. Which TWO conditions must be met for risk acceptance to be appropriate?

Question 74 (hard, multi-select)

A quantitative risk analysis using FAIR requires estimating which THREE primary factors?

Question 75 (medium, multi-select)

A risk analyst is assessing the impact of a potential ransomware attack. Which THREE categories of business impact should be considered?

Question 76 (easy, multiple choice)

A risk practitioner is using a 5×5 heat map to assess IT risks. Which of the following is the primary advantage of this qualitative approach?

Question 77 (easy, multiple choice)

An organization is evaluating the risk of a data breach using the FAIR framework. Which of the following components is part of Loss Event Frequency (LEF)?

Question 78 (easy, multiple choice)

Which risk treatment option involves formally acknowledging the risk and taking no further action, provided the risk is within the organization's risk appetite?

Question 79 (medium, multiple choice)

A company is assessing the risk of a ransomware attack. The security team estimates the threat event frequency as 2 attacks per year, vulnerability as 0.3 (30% chance of success), primary loss as $500,000, and secondary loss as $200,000. What is the annualized loss expectancy (ALE) using the FAIR framework?

Question 80 (medium, multiple choice)

During an IT risk assessment, the risk owner identifies a high inherent risk for a legacy system. After implementing a firewall and intrusion detection system, the residual risk is calculated. Which of the following best describes residual risk?

Question 81 (medium, multiple choice)

A bank is evaluating the impact of a potential system outage. Which of the following is an example of a direct financial cost associated with this impact?

Question 82 (medium, multiple choice)

An organization decides to outsource its data center operations to a cloud provider with strict contractual penalties for security breaches. This is an example of which risk treatment option?

Question 83 (medium, multiple choice)

A risk assessment identifies a critical vulnerability in a web application. Which control type would be most effective in preventing exploitation of this vulnerability?

Question 84 (medium, multiple choice)

During a risk assessment, a risk is assigned a likelihood of 'High' and an impact of 'Medium' on a 5×5 heat map. What is the risk rating?

Question 85 (medium, multiple choice)

A risk manager is prioritizing risks based on their inherent risk scores. Which of the following factors should be considered when prioritizing treatment actions?

Question 86 (hard, multiple choice)

A quantitative risk analysis for a phishing campaign estimates that threat event frequency is 50 per year, vulnerability is 0.1 (10% of users will click), and loss magnitude per successful attack is $10,000. However, the analyst notes a 90% confidence interval of $5,000 to $20,000 for loss magnitude. Which of the following best describes a limitation of this quantitative analysis?

Question 87 (hard, multiple choice)

An organization has implemented a firewall (preventive), intrusion detection system (detective), and a backup restoration plan (corrective) to address a specific risk. The risk manager assesses the control effectiveness as follows: design adequacy is strong, but operating effectiveness is weak due to inconsistent patching. Which of the following best describes the residual risk?

Question 88 (medium, multi-select)

A risk assessment of a critical financial application identifies a high inherent risk due to outdated software. The risk manager is considering mitigation options. Which TWO of the following would be considered preventive controls?

Question 89 (medium, multi-select)

A company is performing a qualitative risk analysis for a new cloud migration project. Which TWO of the following are recognized limitations of qualitative risk analysis?

Question 90 (hard, multi-select)

A risk assessment identifies a threat with high likelihood and high impact. The risk owner proposes transferring the risk via cyber insurance. However, the insurance policy has a high deductible and excludes certain attack types. Which THREE of the following should be considered when evaluating the effectiveness of this risk transfer?

Question 91 (easy, multiple choice)

A risk assessment using a 5×5 heat map with likelihood and impact scores is an example of which type of risk analysis?

Question 92 (easy, multiple choice)

Which of the following is a key advantage of using a quantitative risk analysis approach such as FAIR?

Question 93 (medium, multiple choice)

An organization calculates the annualized loss expectancy (ALE) for a cyber attack scenario. The single loss expectancy (SLE) is $50,000 and the annualized rate of occurrence (ARO) is 2. What is the ALE?

Question 94 (medium, multiple choice)

In the FAIR framework, Loss Event Frequency (LEF) is calculated as:

Question 95 (medium, multiple choice)

A risk manager decides to accept a risk because the cost of controls exceeds the potential loss. Which of the following is required for this risk treatment option?

Question 96 (easy, multiple choice)

Which risk treatment option involves eliminating the activity that creates the risk?

Question 97 (medium, multiple choice)

An organization implements an intrusion detection system (IDS) to monitor for security incidents. This is an example of which type of control?

Question 98 (hard, multiple choice)

After implementing controls, the risk remaining is called:

Question 99 (hard, multiple choice)

An organization has an inherent risk score of 20 for a process. After controls, the residual risk score is 8. If the control design is assessed as adequate but operating effectiveness is only 60%, what is the control effectiveness adjustment?

Question 100 (medium, multiple choice)

Which of the following best describes the primary limitation of qualitative risk analysis?

Question 101 (hard, multiple choice)

A company uses cyber insurance to cover losses from data breaches. This is an example of which risk treatment?

Question 102 (easy, multiple choice)

When prioritizing risk treatment actions, which factor is most important to consider alongside the risk level?

Question 103 (medium, multi-select)

Which TWO of the following are examples of corrective controls?

Question 104 (medium, multi-select)

Which THREE of the following are components of Loss Magnitude in the FAIR framework?

Question 105 (hard, multi-select)

Which TWO of the following are considered direct costs in the financial impact assessment of a risk event?

Question 106 (easy, multiple choice)

A risk manager is using a 5×5 heat map to assess IT risks. Which of the following best describes the primary limitation of this qualitative risk analysis approach?

Question 107 (medium, multiple choice)

An organization is evaluating the risk of a ransomware attack. Using the FAIR framework, which of the following components directly multiplies to calculate Loss Event Frequency (LEF)?

Question 108 (hard, multiple choice)

A company identifies a high inherent risk in its online payment system. After implementing a Web Application Firewall (WAF) and conducting quarterly penetration tests, the residual risk is assessed as medium. Which of the following best explains the relationship between inherent risk, controls, and residual risk?

Question 109 (easy, multiple choice)

During an IT risk assessment, the risk owner decides to accept a risk that falls within the organization's risk appetite. Which of the following actions is most appropriate for the risk owner to take?

Question 110 (medium, multiple choice)

A quantitative risk analysis for a data breach yields an Annualized Loss Expectancy (ALE) of $500,000. The Single Loss Expectancy (SLE) is $100,000. What is the Annualized Rate of Occurrence (ARO)?

Question 111 (medium, multiple choice)

A company is considering outsourcing its data center operations to a cloud provider. Which risk treatment option is the company primarily exercising?

Question 112 (hard, multiple choice)

In a qualitative risk assessment using a 5×5 heat map, an IT risk is rated with likelihood 4 and impact 5. According to typical heat map conventions (5=Critical, 4=High, 3=Medium, 2=Low, 1=Informational), what is the overall risk rating?

Question 113 (easy, multiple choice)

Which of the following is an example of a detective control in IT risk management?

Question 114 (medium, multiple choice)

A risk assessment identifies a vulnerability in a critical application. The threat actor is a script kiddie with low capability. Using the FAIR framework, which factor would most directly increase the Loss Event Frequency (LEF)?

Question 115 (hard, multiple choice)

After implementing controls for a high-risk IT process, the residual risk is calculated as medium. The risk owner argues that the controls are not adequate because the inherent risk was critical. Which of the following should be the primary basis for determining control adequacy?

Question 116 (easy, multiple choice)

An organization decides to discontinue a high-risk business process that cannot be effectively mitigated. This is an example of which risk treatment option?

Question 117 (medium, multiple choice)

In a quantitative risk analysis using FAIR, which of the following best represents Loss Magnitude (LM)?

Question 118 (medium, multi-select)

An organization is evaluating the business impact of a potential ransomware attack. Which TWO impact categories should be considered as direct financial losses? (Select TWO)

Question 119 (hard, multi-select)

A risk assessment team is prioritizing IT risks for treatment. Which THREE factors should be considered when prioritizing risks? (Select THREE)

Question 120 (easy, multi-select)

An organization is implementing controls to mitigate the risk of data exfiltration. Which TWO control types would be considered preventive? (Select TWO)

Question 121 (easy, multiple choice)

A risk manager uses a 5x5 heat map to plot the likelihood and impact of identified risks. This approach is an example of which type of risk analysis?

Question 122 (medium, multiple choice)

During an IT risk assessment, the risk team calculates the Annualized Loss Expectancy (ALE) for a critical application. Which quantitative risk analysis framework is most commonly used for this calculation?

Question 123 (hard, multiple choice)

An organization uses the FAIR framework to assess the risk of a data breach. The risk analyst estimates that the Threat Event Frequency (TEF) is 10 per year, the Vulnerability (V) is 0.2, the Primary Loss per event is $50,000, and the Secondary Loss per event is $30,000. What is the Annualized Loss Expectancy (ALE)?

Question 124 (medium, multiple choice)

A risk owner decides to accept a risk because the cost of mitigation exceeds the potential loss, and the risk level is within the organization's risk appetite. What should the risk owner do next?

Question 125 (easy, multiple choice)

Which risk treatment option involves eliminating the activity that creates the risk?

Question 126 (medium, multiple choice)

A company is evaluating controls for a high-risk process. Which control type is designed to stop a risk event from occurring?

Question 127 (hard, multiple choice)

An organization calculated the inherent risk for a critical system as 'High' using a 5x5 heat map. After implementing controls, the residual risk is assessed as 'Medium'. What does this indicate about the control effectiveness?

Question 128 (medium, multiple choice)

In the FAIR framework, what does Loss Event Frequency (LEF) represent?

Question 129 (easy, multiple choice)

Which risk treatment option involves purchasing cyber insurance?

Question 130 (medium, multi select)

A risk analyst is performing a quantitative risk analysis using the FAIR framework. Which TWO factors are multiplied to calculate Loss Event Frequency (LEF)?

Question 131 (hard, multi select)

During an IT risk assessment, the risk team identifies a high inherent risk for a legacy application. The team is evaluating control options. Which THREE are considered preventive controls?

Question 132 (medium, multi select)

A company is assessing the impact of a potential ransomware attack. Which TWO impact categories are considered operational impacts?

Question 133 (hard, multi select)

A risk practitioner is calculating the residual risk for a critical asset. Which THREE factors should be considered?

Question 134 (easy, multi select)

In a qualitative risk assessment, which TWO elements are typically used to determine the risk rating?

Question 135 (medium, multi select)

A company is prioritizing risk treatment actions. Which THREE factors should be considered when prioritizing risks?

Question 136 (easy, multi select)

A company is considering using a qualitative risk assessment approach to evaluate IT risks. Which TWO of the following are advantages of qualitative risk analysis over quantitative risk analysis?

Question 137 (medium, multi select)

An organization is using the FAIR framework to perform a quantitative risk analysis for a data breach scenario. Which THREE of the following are components of the Annualized Loss Expectancy (ALE) calculation in FAIR?

Question 138 (hard, multi select)

During an IT risk assessment, a risk owner has identified a risk with a high inherent risk score. After reviewing control effectiveness, the residual risk remains medium. The organization decides to accept the residual risk. Which TWO of the following actions should the risk owner take?

Question 139 (medium, multi select)

A company is evaluating control types for a new system. The security team proposes implementing an intrusion detection system (IDS) and a backup restoration process. Which TWO control types do these represent, respectively?

Question 140 (hard, multi select)

An organization is conducting a risk assessment and finds that the inherent risk for a critical asset is very high due to a high threat event frequency and high vulnerability. The current controls are assessed as adequate in design but not operating effectively. Which THREE of the following should be considered when calculating residual risk?
