Courseiva
Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.


CRISC IT Risk Identification • Complete Question Bank

CRISC IT Risk Identification — All Questions With Answers

Complete CRISC IT Risk Identification question bank: all 95 questions with answers and detailed explanations. Free, no signup required.
Question 1 (easy, multiple choice)

An organization is developing its IT risk universe. Which of the following is the BEST source of information for identifying potential IT risks?

Question 2 (medium, multiple choice)

A company is adopting a DevSecOps approach and wants to conduct threat modeling early in the development lifecycle. Which threat modeling methodology is BEST suited for this environment due to its focus on agile and continuous integration?

Question 3 (hard, multiple choice)

During a risk identification workshop, a risk owner proposes a scenario: 'A disgruntled employee with privileged access exfiltrates customer data to a competitor.' In the context of the ISACA risk scenario template, which element is missing if the scenario only includes the actor, threat type, event, and asset?

Question 4 (easy, multiple choice)

An organization is categorizing IT risks. Which of the following risk categories would include the risk of regulatory fines due to non-compliance with data protection laws?

Question 5 (medium, multiple choice)

A risk analyst is building a risk register. After identifying a list of risks, what is the NEXT step in the risk identification process according to ISACA best practices?

Question 6 (hard, multiple choice)

A multinational corporation uses commercial threat intelligence feeds and participates in an ISAC. However, they recently missed a critical vulnerability exploited in the wild that was not in their feeds. Which additional source should they incorporate to improve vulnerability identification?

Question 7 (medium, multiple choice)

A company is developing risk scenarios for business impact analysis. Which of the following scenario components directly links the risk event to potential financial loss?

Question 8 (easy, multiple choice)

Which of the following is a key characteristic of a well-maintained risk register?

Question 9 (hard, multiple choice)

A financial services firm uses SAST and DAST tools in its application security testing. However, they are struggling to prioritize vulnerabilities from the large number of findings. Which additional technique would BEST help identify the most critical vulnerabilities in the context of business risk?

Question 10 (medium, multiple choice)

An organization's board has set a risk appetite statement that says: 'We accept moderate levels of operational risk but will not tolerate any compliance violations.' During risk identification, which type of risk should be given the HIGHEST priority?

Question 11 (medium, multiple choice)

A security team is using the STRIDE threat modeling methodology for a new web application. Which threat type under STRIDE would be MOST relevant to a SQL injection vulnerability?

Question 12 (easy, multiple choice)

An organization is conducting a vulnerability assessment of its IT assets. Which of the following sources is MOST authoritative for identifying known software vulnerabilities?

Question 13 (medium, multi-select)

A risk manager is developing risk scenarios to present to the board. Which TWO elements are essential for connecting a risk scenario to business impact?

Question 14 (hard, multi-select)

A company is implementing a risk identification process for third-party risks. Which THREE factors should be considered when identifying risks from a critical software vendor?

Question 15 (easy, multi-select)

An IT risk manager is categorizing risks identified during a recent assessment. Which TWO categories would include the risk of a system outage caused by a software bug?

Question 16 (medium, multiple choice)

An organization is developing an IT risk universe. Which of the following is the PRIMARY purpose of creating a comprehensive IT risk universe?

Question 17 (easy, multiple choice)

During a risk assessment, the risk practitioner is identifying threats to an application. Which threat modeling technique is specifically designed to analyze application threats using categories such as Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege?

Question 18 (hard, multiple choice)

An organization has a risk appetite statement that says 'We accept up to $5 million in operational losses per year.' However, a new cloud migration project is estimated to have a potential operational loss of $8 million if a critical failure occurs. The risk capacity of the organization is $20 million. What should the risk practitioner recommend?

Question 19 (medium, multiple choice)

A risk practitioner is creating a risk scenario for a ransomware attack. Which of the following is the BEST sequence to describe the scenario using the ISACA risk scenarios template?

Question 20 (easy, multiple choice)

Which of the following is a threat intelligence source that provides information about known exploited vulnerabilities, maintained by a government agency?

Question 21 (medium, multiple choice)

During a vulnerability assessment, a risk practitioner identifies that a web application is vulnerable to SQL injection, which is listed in the OWASP Top 10. Which type of vulnerability identification technique MOST likely discovered this issue?

Question 22 (medium, multiple choice)

An organization has a risk register that includes risks related to regulatory compliance, such as GDPR and SOX. The risk practitioner is now categorizing these risks. Which risk category would BEST fit these compliance-related risks?

Question 23 (hard, multiple choice)

A risk practitioner is developing a risk scenario for a data breach caused by an insider threat. Which of the following is the MOST realistic and complete risk scenario?

Question 24 (easy, multiple choice)

Which of the following threat actors is MOST likely to be motivated by ideology rather than financial gain?

Question 25 (medium, multiple choice)

A risk practitioner is updating the risk register after a third-party security incident. Which of the following is the MOST important information to include in the risk register entry for this third-party risk?

Question 26 (hard, multiple choice)

An organization uses the PASTA threat modeling methodology for a new e-commerce platform. Which of the following is a key characteristic of PASTA?

Question 27 (medium, multiple choice)

When identifying vulnerabilities, which of the following is the BEST source for configuration-related vulnerabilities in operating systems?

Question 28 (easy, multi-select)

Which TWO of the following are examples of operational vulnerabilities that a risk practitioner might identify?

Question 29 (medium, multi-select)

A risk practitioner is developing risk scenarios for a new cloud service. Which THREE of the following elements should be included in a complete risk scenario?

Question 30 (medium, multi-select)

Which THREE of the following are common business impact categories used in risk scenarios?

Question 31 (easy, multiple choice)

Which of the following best describes the purpose of an IT risk universe?

Question 32 (medium, multiple choice)

A security analyst is using a threat modeling approach that focuses on identifying threats based on the system's requirements and design. Which threat modeling methodology is being used?

Question 33 (medium, multiple choice)

An organization has identified a new vulnerability in its web application that could allow SQL injection attacks. Which of the following sources would MOST likely have been used to identify this vulnerability?

Question 34 (hard, multiple choice)

During a risk assessment, the risk practitioner develops a scenario involving a disgruntled employee exfiltrating sensitive customer data through a USB drive. The organization has a strict policy against removable media but lacks technical controls to prevent USB usage. Which element of the risk scenario is the vulnerability?

Question 35 (easy, multiple choice)

Which of the following is the PRIMARY purpose of a risk register?

Question 36 (medium, multiple choice)

An organization is implementing a new cloud-based customer relationship management (CRM) system. Which of the following risk categories would BEST describe the risk of the CRM system failing to meet performance expectations?

Question 37 (hard, multiple choice)

A risk practitioner is using the ISACA risk scenario template to document a scenario. The template includes elements such as threat actor, threat type, event, asset/resource, timing, detection, and response. Which element describes the likelihood that the threat event will occur within a specific timeframe?

Question 38 (medium, multiple choice)

Which of the following threat actors is MOST likely to be motivated by financial gain and possess moderate to high technical capabilities?

Question 39 (easy, multiple choice)

An organization's board has issued a risk appetite statement indicating that the company is willing to accept a moderate level of operational risk but has zero tolerance for compliance violations. This statement primarily defines which of the following?

Question 40 (medium, multiple choice)

When using STRIDE for threat modeling, which threat category involves an attacker gaining unauthorized access to a system by pretending to be a legitimate user?

Question 41 (hard, multiple choice)

A risk practitioner is connecting a risk scenario to business impact. The scenario involves a ransomware attack that encrypts critical financial systems, resulting in a two-week outage. Which of the following is the MOST appropriate business impact category?

Question 42 (medium, multiple choice)

An organization is assessing risks related to a third-party cloud provider. Which of the following is the BEST source of threat intelligence for identifying threats targeting the cloud infrastructure?

Question 43 (medium, multi-select)

A risk practitioner is updating the risk register and needs to categorize risks. Which TWO of the following are standard risk categories used in IT risk management?

Question 44 (hard, multi-select)

A project manager is identifying risks for a new software development project using Agile methodology. Which THREE threat modeling techniques are BEST suited for Agile/DevSecOps environments?

Question 45 (medium, multi-select)

When developing realistic risk scenarios, which THREE components are essential according to the ISACA risk scenario template?

Question 46 (easy, multiple choice)

During IT risk identification, which document serves as the central repository for all identified risks, their characteristics, and current status?

Question 47 (medium, multiple choice)

An organization is assessing risks related to a new cloud-based CRM system. The risk team is developing a risk scenario. Which of the following is the BEST example of a complete risk scenario following the ISACA template?

Question 48 (hard, multiple choice)

In the context of threat modeling for a web application, which technique is specifically designed to be integrated into Agile and DevSecOps processes, emphasizing collaboration and visualization?

Question 49 (medium, multiple choice)

A company's risk appetite statement specifies that the organization is willing to accept a moderate level of operational risk to achieve strategic agility. This statement directly influences which activity during IT risk identification?

Question 50 (easy, multiple choice)

Which of the following is a primary source of threat intelligence that provides real-time information about active cyber threats and indicators of compromise?

Question 51 (medium, multiple choice)

A bank is identifying IT risks and categorizes a potential data breach as both a compliance risk (due to GDPR) and a reputational risk. This is an example of:

Question 52 (hard, multiple choice)

During a threat modeling exercise using the STRIDE methodology, a security analyst identifies a threat where an attacker can modify data in transit between a web server and database. Which STRIDE category does this threat belong to?

Question 53 (medium, multiple choice)

An organization uses the CISA Known Exploited Vulnerabilities (KEV) catalog as a primary source for vulnerability identification. This catalog is BEST described as:

Question 54 (easy, multiple choice)

Which type of threat actor is characterized by having significant resources, advanced skills, and often state-sponsored objectives?

Question 55 (medium, multiple choice)

In developing a risk scenario, connecting a threat event to business impact is crucial. Which of the following is the BEST example of a properly connected risk scenario?

Question 56 (hard, multiple choice)

When performing asset-based vulnerability identification, a security analyst uses the Common Vulnerabilities and Exposures (CVE) database along with the National Vulnerability Database (NVD). Which of the following BEST describes the relationship between CVE and NVD?

Question 57 (medium, multiple choice)

An organization is updating its IT risk universe. Which of the following is the MOST important factor to consider when defining the universe?

Question 58 (medium, multi-select)

A financial institution is identifying IT risks associated with a new mobile banking application. Which TWO threat modeling techniques are best suited for this scenario? (Select two.)

Question 59 (hard, multi-select)

A risk manager is developing a risk scenario for a potential data breach involving a third-party cloud provider. According to the ISACA risk scenario template, which THREE elements must be included? (Select three.)

Question 60 (medium, multi-select)

During a risk identification workshop, the team identifies several vulnerabilities. Which TWO of the following are examples of operational vulnerability identification? (Select two.)

Question 61 (medium, multiple choice)

During the risk identification process, an IT risk universe is defined. Which of the following BEST describes the purpose of an IT risk universe?

Question 62 (easy, multiple choice)

Which threat modeling technique is specifically designed to be integrated into Agile and DevSecOps processes, providing a visual and simple approach?

Question 63 (hard, multiple choice)

An organization's risk register contains a scenario: 'A nation-state actor exploits an unpatched vulnerability in a public-facing web application, leading to data exfiltration of customer PII.' According to ISACA's risk scenario template, which element is MISSING from this description?

Question 64 (medium, multiple choice)

A risk practitioner is categorizing IT risks for a manufacturing company. Which of the following risks would be classified as an 'operational' IT risk?

Question 65 (medium, multiple choice)

Which of the following is the PRIMARY source for identifying known software vulnerabilities in a systematic manner?

Question 66 (easy, multiple choice)

An organization uses threat intelligence feeds from an Information Sharing and Analysis Center (ISAC). What is the PRIMARY benefit of using ISACs?

Question 67 (hard, multiple choice)

A company's risk appetite statement says it is willing to accept moderate levels of operational risk but has low tolerance for compliance risk. During risk identification, which of the following scenarios should be IMMEDIATELY escalated to senior management?

Question 68 (medium, multiple choice)

Which of the following BEST describes the difference between a threat actor who is a 'hacktivist' and one who is an 'organized crime' actor?

Question 69 (medium, multiple choice)

A risk scenario is being developed for a phishing attack leading to credential theft. Using ISACA's risk scenario template, which component would describe the 'threat event'?

Question 70 (easy, multiple choice)

Which of the following is an example of a 'configuration vulnerability' that should be identified during vulnerability assessment?

Question 71 (hard, multiple choice)

When developing IT risk scenarios, connecting them to business impact is critical. Which of the following BEST describes how a risk practitioner should link a technical scenario to business impact?

Question 72 (medium, multiple choice)

An organization is conducting a threat identification exercise using the STRIDE model. Which threat type would be MOST relevant when analyzing a banking application that allows fund transfers between accounts?

Question 73 (medium, multi-select)

A risk practitioner is identifying vulnerabilities in an organization's IT environment. Which TWO of the following are examples of 'operational vulnerability identification'? (Choose two.)

Question 74 (hard, multi-select)

During risk identification, a risk manager is reviewing threat intelligence sources. Which THREE of the following are considered legitimate sources of threat intelligence? (Choose three.)

Question 75 (easy, multi-select)

A risk register is being created for a new ERP implementation project. Which TWO of the following risks should be included in the project's risk register? (Choose two.)

Question 76 (easy, multiple choice)

A retail company is establishing an IT risk universe. Which of the following should be included as a primary category of IT risk?

Question 77 (medium, multiple choice)

During a threat modeling exercise for a new web application, the team uses STRIDE. Which threat type under STRIDE corresponds to an attacker modifying data in transit?

Question 78 (hard, multiple choice)

A risk practitioner is developing a risk scenario for a potential ransomware attack. Using the ISACA risk scenario template, which element describes the entity that initiates the attack?

Question 79 (medium, multiple choice)

A financial institution uses threat intelligence from an Information Sharing and Analysis Center (ISAC). This is an example of which type of threat intelligence source?

Question 80 (easy, multiple choice)

Which threat actor is most likely motivated by political ideology and may target government systems?

Question 81 (medium, multiple choice)

A security analyst is reviewing CVE entries and NVD data to identify vulnerabilities in software assets. This activity is part of which vulnerability identification approach?

Question 82 (hard, multiple choice)

An organization uses the PASTA threat modeling methodology. In which stage would the team identify threat agents and their capabilities?

Question 83 (medium, multiple choice)

A risk manager is categorizing IT risks. Which risk category would a potential fine for violating GDPR be assigned to?

Question 84 (easy, multiple choice)

Which of the following best describes risk capacity?

Question 85 (medium, multiple choice)

A company is updating its risk register. Which of the following is the primary purpose of a risk register?

Question 86 (hard, multiple choice)

During a VAST threat modeling session for a DevSecOps pipeline, the team focuses on threats that align with agile development. Which of the following is a key advantage of VAST?

Question 87 (medium, multi-select)

A risk analyst is identifying operational vulnerabilities. Which TWO of the following are examples of operational vulnerability identification?

Question 88 (medium, multi-select)

Which THREE of the following are common consequences in an IT risk scenario?

Question 89 (hard, multi-select)

A risk practitioner is using the Trike threat modeling methodology. Which TWO of the following are characteristics of Trike?

Question 90 (easy, multi-select)

Which TWO of the following are types of insider threats?

Question 91 (medium, multi-select)

A multinational corporation is developing a new e-commerce platform using microservices architecture. The security team is conducting a threat modeling exercise to identify potential application-level threats. Which TWO threat modeling methodologies are most appropriate for this DevSecOps environment?

Question 92 (hard, multi-select)

An organization is updating its IT risk universe to include emerging threats. The CISO wants to ensure the risk register captures realistic risk scenarios. Which THREE components are essential for constructing a complete risk scenario according to ISACA's risk scenario template?

Question 93 (medium, multi-select)

A financial services firm is assessing vulnerabilities in its web application. The team wants to identify application-level vulnerabilities that could be exploited. Which TWO vulnerability identification techniques should be prioritized for this purpose?

Question 94 (easy, multi-select)

An organization is creating a risk register for its IT risk universe. The risk manager needs to categorize risks to align with the enterprise risk management framework. Which TWO risk categories are most commonly used in IT risk identification?

Question 95 (hard, multi-select)

A critical infrastructure organization is enhancing its threat identification capabilities. The risk team wants to leverage threat intelligence sources to identify emerging threats. Which THREE sources are most relevant for obtaining actionable threat intelligence?
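Several of the stems above (Questions 6, 9, 12, 20, 53, 56, 65 and 81) turn on one practical point: CVE and NVD tell you which vulnerabilities exist and how severe they score, while the CISA Known Exploited Vulnerabilities (KEV) catalog tells you which of them are actually being exploited, and a triage that ranks purely by CVSS will bury a KEV-listed medium behind an unexploited critical. The Python script below is added here as an illustration of how a practitioner folds a KEV download into prioritization; it is not part of the Courseiva question bank. Both the KEV snapshot and the asset inventory are constructed for the example, with fictional CVE-2099-* identifiers; only the field names of the KEV entries follow the real feed, and the tiering rules are this example's own assumptions rather than ISACA or CISA guidance.

```python
"""Fold a CISA KEV snapshot into vulnerability prioritization.

Illustrative code added for the CVE/NVD/KEV questions above; it is not
part of the Courseiva question bank. KEV_SNAPSHOT and INVENTORY are
constructed test data with fictional CVE IDs; the KEV field names
(cveID, dateAdded, dueDate, knownRansomwareCampaignUse) match the
real feed, while the tiering rules are this example's own assumptions.
"""
from dataclasses import dataclass
from datetime import date
import json

# Constructed stand-in for a download of the KEV JSON feed.
KEV_SNAPSHOT = json.dumps({
    "catalogVersion": "constructed-example",
    "vulnerabilities": [
        {"cveID": "CVE-2099-0001", "vendorProject": "ExampleCorp",
         "product": "WebGateway", "dateAdded": "2099-01-10",
         "dueDate": "2099-01-31", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2099-0002", "vendorProject": "ExampleCorp",
         "product": "FileSync", "dateAdded": "2099-02-14",
         "dueDate": "2099-03-07", "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Constructed asset inventory: one row per (asset, CVE) finding, with the
# CVSS v3 base score as NVD would publish it plus two business attributes
# the scanner cannot know (criticality tag, internet exposure).
INVENTORY = [
    {"asset": "crm-web-01", "cve": "CVE-2099-0001", "cvss": 6.5,
     "criticality": "high", "internet_facing": True},
    {"asset": "build-agent-07", "cve": "CVE-2099-0003", "cvss": 9.8,
     "criticality": "low", "internet_facing": False},
    {"asset": "hr-filesync-02", "cve": "CVE-2099-0002", "cvss": 7.2,
     "criticality": "medium", "internet_facing": False},
    {"asset": "kiosk-11", "cve": "CVE-2099-0004", "cvss": 4.3,
     "criticality": "low", "internet_facing": False},
]

# Date the triage is run; chosen so one KEV due date has already passed.
AS_OF = date(2099, 2, 20)

CRITICALITY_RANK = {"high": 0, "medium": 1, "low": 2}


@dataclass(frozen=True)
class KevEntry:
    cve: str
    due: date
    ransomware: bool  # True when knownRansomwareCampaignUse == "Known"


def parse_kev(raw_json: str) -> dict[str, KevEntry]:
    """Index a KEV JSON document by CVE ID."""
    entries = {}
    for v in json.loads(raw_json)["vulnerabilities"]:
        entries[v["cveID"]] = KevEntry(
            cve=v["cveID"],
            due=date.fromisoformat(v["dueDate"]),
            ransomware=v.get("knownRansomwareCampaignUse") == "Known",
        )
    return entries


def tier(finding: dict, kev: dict[str, KevEntry], today: date) -> int:
    """Assumed triage tiers: 0 = in KEV and past its due date,
    1 = in KEV, 2 = not known to be exploited."""
    entry = kev.get(finding["cve"])
    if entry is None:
        return 2
    return 0 if today > entry.due else 1


def sort_key(finding: dict, kev: dict[str, KevEntry], today: date) -> tuple:
    """Lower sorts first. KEV status dominates; CVSS only breaks ties
    among findings that are otherwise equal in business context."""
    entry = kev.get(finding["cve"])
    return (
        tier(finding, kev, today),
        0 if entry is not None and entry.ransomware else 1,
        0 if finding["internet_facing"] else 1,
        CRITICALITY_RANK[finding["criticality"]],
        -finding["cvss"],
    )


def prioritize(inventory: list, kev_json: str, today: date) -> list[tuple]:
    """Return (asset, cve, tier) triples, most urgent first."""
    kev = parse_kev(kev_json)
    ranked = sorted(inventory, key=lambda f: sort_key(f, kev, today))
    return [(f["asset"], f["cve"], tier(f, kev, today)) for f in ranked]


def cvss_only_order(inventory: list) -> list[str]:
    """The naive ordering a CVSS-only feed produces, for comparison."""
    return [f["asset"] for f in sorted(inventory, key=lambda f: -f["cvss"])]


def demo() -> list[tuple]:
    return prioritize(INVENTORY, KEV_SNAPSHOT, AS_OF)


if __name__ == "__main__":
    print("CVSS only :", cvss_only_order(INVENTORY))
    for asset, cve, t in demo():
        print(f"tier {t}  {asset:15} {cve}")
```

Run as a script, the CVSS-only ordering puts build-agent-07 first (9.8, but internal, low-value and not known to be exploited), while the KEV-aware ranking moves crm-web-01 to the top (only 6.5, but in KEV, past its remediation due date, ransomware-associated and internet-facing). In production the snapshot would be the published KEV JSON feed and the business attributes would come from the CMDB; the sort key is where an organization encodes its own risk appetite, which is exactly the link between vulnerability identification and business impact that the stems above are probing.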
