© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

CRISC Risk Response and Reporting • Complete Question Bank

CRISC Risk Response and Reporting — All Questions With Answers

Complete CRISC Risk Response and Reporting question bank: 160 questions with answers and detailed explanations. Free, no signup required.
Question 1 (easy, multiple choice)

A security team is considering implementing a control to prevent unauthorized access to a critical database. Which type of control is most appropriate for this objective?

Question 2 (medium, multiple choice)

The risk team is evaluating the cost-effectiveness of a proposed control that will reduce the annualized loss expectancy (ALE) for a cyber attack from $500,000 to $100,000. The annual cost of the control is $150,000. What is the net benefit of implementing this control?

Question 3 (medium, multiple choice)

A Key Control Indicator (KCI) for a firewall rule review process shows an exception rate of 15% for the past quarter, exceeding the acceptable threshold of 10%. What is the most appropriate immediate action for the control owner?

Question 4 (hard, multiple choice)

An organization uses a Key Risk Indicator (KRI) that tracks the average number of days to patch critical vulnerabilities. The KRI has been trending upward over the last three months, from 15 days to 30 days, while the risk appetite threshold is 20 days. Which conclusion is most appropriate?

Question 5 (easy, multiple choice)

When implementing a new access control system, which activity is essential during the change management process?

Question 6 (medium, multiple choice)

An IT risk manager is preparing a quarterly risk report for the CISO. Which type of reporting structure does this represent?

Question 7 (medium, multiple choice)

An organization is implementing a continuous monitoring solution for its network. Which of the following is an example of continuous monitoring?

Question 8 (hard, multiple choice)

During a control implementation project, the risk manager discovers that the resource requirements have increased significantly, making the original cost-benefit analysis invalid. What should the risk manager do first?

Question 9 (easy, multiple choice)

Which of the following best describes the purpose of a risk heat map in an IT risk report?

Question 10 (medium, multiple choice)

A critical vendor is being onboarded. The vendor risk appetite policy requires SOC 2 Type II reports for critical vendors. The vendor has provided a SOC 2 Type I report. What should the risk manager do?

Question 11 (hard, multiple choice)

An organization's IT risk team is promoting a risk-aware culture. Which initiative is most likely to encourage employees to report security incidents without fear?

Question 12 (easy, multiple choice)

Which of the following is a leading indicator that the risk of a credential-based attack may be increasing?

Question 13 (medium, multi select)

An organization is integrating IT risk into its enterprise risk management (ERM) program. Which TWO of the following are key benefits of this integration?

Question 14 (hard, multi select)

A risk manager is designing a third-party risk management program. Which THREE factors should be considered when determining the risk tier of a vendor?

Question 15 (medium, multi select)

Which TWO of the following are examples of detective controls?

Question 16 (medium, multiple choice)

An organization is implementing a new access control system to protect sensitive data. Which type of control is most appropriate for preventing unauthorized access?

Question 17 (medium, multiple choice)

A risk manager is evaluating the cost-effectiveness of a proposed control. The control costs $50,000 annually to implement and maintain. The current annual loss expectancy (ALE) for the risk is $200,000, and the control is expected to reduce the ALE by 70%. What is the net benefit (or loss) of implementing the control?

Question 18 (easy, multiple choice)

Which of the following is a Key Control Indicator (KCI) that measures the effectiveness of a firewall?

Question 19 (hard, multiple choice)

An organization is planning to implement a new security control. The project manager must ensure changes to existing systems are properly managed. Which process is most critical to include in the implementation plan?

Question 20 (easy, multiple choice)

Which type of control testing is typically performed on a continuous basis using automated tools?

Question 21 (medium, multiple choice)

A Key Risk Indicator (KRI) that shows a rising trend in the average time to apply critical security patches suggests:

Question 22 (medium, multiple choice)

An IT risk report for the board of directors should primarily focus on:

Question 23 (hard, multiple choice)

When integrating IT risk into the enterprise risk management (ERM) program, the most important consideration is:

Question 24 (medium, multiple choice)

A vendor is classified as 'critical' based on its access to sensitive data and the criticality of its service. According to best practices, what minimum security requirement should be mandated for this vendor?

Question 25 (hard, multiple choice)

An organization wants to promote a risk-aware culture. Which initiative is most effective in encouraging employees to report security incidents without fear?

Question 26 (easy, multiple choice)

Which risk reporting frequency is most appropriate for tactical risk reporting to the CISO/CIO?

Question 27 (medium, multiple choice)

An organization's risk report shows a risk heat map with several risks in the high-likelihood, high-impact quadrant. What is the most appropriate action for the risk owner?

Question 28 (medium, multi select)

An organization is designing a vendor risk management program. Which TWO of the following are essential components of ongoing vendor monitoring? (Select TWO)

Question 29 (hard, multi select)

An IT risk manager is developing KRIs for a critical application. Which TWO of the following are leading indicators that the risk level may be increasing? (Select TWO)

Question 30 (medium, multi select)

Which THREE of the following are common elements of a periodic control effectiveness testing program? (Select THREE)

Question 31 (easy, multiple choice)

Which type of control is primarily designed to prevent an unwanted event from occurring?

Question 32 (medium, multiple choice)

During a cost-benefit analysis for a new control, the annualized loss expectancy (ALE) without the control is $500,000. The control is expected to reduce risk by 80% and will cost $150,000 annually to operate. What is the net benefit of implementing the control?

Question 33 (hard, multiple choice)

An organization uses a Key Control Indicator (KCI) to measure control effectiveness. The KCI shows a control deficiency rate of 12% over the past quarter, exceeding the target threshold of 5%. Which action is MOST appropriate as an initial response?

Question 34 (easy, multiple choice)

Which of the following is a Key Risk Indicator (KRI) that provides leading indication of increasing vulnerability risk?

Question 35 (medium, multiple choice)

In IT risk reporting, which level of management typically receives operational risk reporting on a weekly or monthly basis?

Question 36 (hard, multiple choice)

A company is implementing a new access control system. During the project, the IT team updates the system configuration without notifying the risk team. This leads to a temporary misconfiguration that exposes sensitive data. Which process should have been followed to prevent this issue?

Question 37 (medium, multiple choice)

In third-party risk management, which of the following is typically used for initial onboarding assessment of a vendor?

Question 38 (easy, multiple choice)

Which of the following is a detective control?

Question 39 (medium, multiple choice)

An organization wants to promote a risk-aware culture. Which of the following actions is MOST effective for encouraging employees to report incidents without fear?

Question 40 (hard, multiple choice)

During a vendor risk tiering exercise, a vendor that stores the organization's customer PII and is critical for daily operations should be classified as which tier?

Question 41 (medium, multiple choice)

Which of the following is a leading indicator that the risk of a credential-based attack may be increasing?

Question 42 (easy, multiple choice)

What is the primary purpose of a risk heat map in IT risk reporting?

Question 43 (medium, multi select)

An organization is implementing a new control to address a high-risk vulnerability. Which TWO factors are MOST important to consider during the control implementation planning phase?

Question 44 (hard, multi select)

In the context of IT risk reporting to the board, which THREE elements should be included to effectively communicate risk?

Question 45 (medium, multi select)

Which TWO methods are commonly used for continuous monitoring of IT controls?

Question 46 (easy, multiple choice)

Which type of control is designed to operate before an event to prevent an undesirable outcome?

Question 47 (medium, multiple choice)

An organization is evaluating a new security control that costs $50,000 annually to implement and maintain. The current annualized loss expectancy (ALE) for a related risk is $200,000. The control is expected to reduce the ALE by 85%. Using cost-benefit analysis, what is the net benefit of implementing this control?

Question 48 (hard, multiple choice)

A Key Control Indicator (KCI) for a critical firewall rule set shows an exception rate of 12% over the past month, exceeding the acceptable threshold of 5%. The control owner is responsible for remediation. Which action should the risk practitioner recommend FIRST?

Question 49 (medium, multiple choice)

An organization’s continuous monitoring program includes automated vulnerability scanning and log review. Which of the following is a Key Risk Indicator (KRI) that would BEST signal an increasing risk of a successful network breach?

Question 50 (medium, multiple choice)

During a quarterly control effectiveness test, internal audit finds that a detective control missed 15% of security incidents. The control owner claims this is within the acceptable error rate of 20%. However, the risk practitioner notes that the missed incidents were high-severity. What should the risk practitioner do?

Question 51 (easy, multiple choice)

Which risk reporting level is typically provided to the board of directors and focuses on strategic risk posture?

Question 52 (medium, multiple choice)

An organization is implementing a new access control system. The project manager is concerned about delays due to user training requirements. Which of the following should the risk practitioner prioritize to ensure effective control implementation?

Question 53 (hard, multiple choice)

A third-party vendor has been tiered as 'high risk' due to access to sensitive customer data. The vendor's SOC 2 Type II report has a qualified opinion on security controls. The vendor risk appetite requires unqualified SOC 2 Type II for critical vendors. What is the MOST appropriate risk response?

Question 54 (medium, multiple choice)

Which of the following is an example of a leading Key Risk Indicator (KRI) for IT risk?

Question 55 (easy, multiple choice)

Which of the following is a detective control?

Question 56 (medium, multiple choice)

During a vendor risk assessment, an organization discovers that a critical vendor has not performed a security assessment in two years. The vendor is tiered as 'medium risk'. According to best practices, what should the risk practitioner recommend?

Question 57 (hard, multiple choice)

An organization has a risk culture where employees are hesitant to report security incidents due to fear of blame. Which of the following initiatives would MOST effectively promote a risk-aware culture?

Question 58 (medium, multi select)

A risk practitioner is developing a tactical risk report for the CISO. Which TWO of the following elements should be included in the report? (Select TWO)

Question 59 (hard, multi select)

A financial services company is implementing a vendor risk management program. Which THREE of the following are key components of an effective vendor risk assessment process? (Select THREE)

Question 60 (easy, multi select)

Which TWO of the following are examples of continuous monitoring techniques for IT controls? (Select TWO)

Question 61 (easy, multiple choice)

Which type of control is designed to stop an undesirable event from occurring?

Question 62 (medium, multiple choice)

A risk practitioner is performing a cost-benefit analysis for a proposed control. The annualized loss expectancy (ALE) for a risk is currently $500,000. The proposed control will reduce the ALE by 80%, and the annual cost of the control is $150,000. What is the net benefit of implementing the control?

Question 63 (medium, multiple choice)

Which of the following is a Key Control Indicator (KCI) that measures the effectiveness of a control?

Question 64 (easy, multiple choice)

An organization uses automated SIEM rules to continuously monitor for unauthorized access attempts. This is an example of which type of monitoring?

Question 65 (hard, multiple choice)

A Key Risk Indicator (KRI) for vulnerability management is the "average patch lag time" (number of days between patch release and deployment). In the last month, this metric increased from 15 days to 45 days. How should the risk practitioner interpret this change?

Question 66 (medium, multiple choice)

Which of the following best describes the purpose of tactical risk reporting?

Question 67 (easy, multiple choice)

An organization is implementing a new access control system. Which of the following should be included in the control implementation plan?

Question 68 (medium, multiple choice)

During a vendor risk assessment, a third-party vendor is classified as "critical" because it has access to sensitive customer data. According to the organization's risk appetite, what minimum security requirement should be mandated for this vendor?

Question 69 (hard, multiple choice)

An organization's risk committee reviews a risk heat map showing that a key IT risk has moved from the "high" to "medium" category. However, the associated control's effectiveness has decreased from 95% to 85%. What is the most likely explanation?

Question 70 (medium, multiple choice)

Which of the following is a key element of promoting a risk-aware culture within an IT department?

Question 71 (hard, multiple choice)

A company is integrating its IT risk management program with the enterprise risk management (ERM) program. What is the primary benefit of this integration?

Question 72 (easy, multiple choice)

Which control implementation activity involves updating system configurations and user access rights when a new security tool is deployed?

Question 73 (medium, multi select)

A risk practitioner is designing a risk report for the board of directors. Which TWO content elements are most appropriate for strategic risk reporting? (Select two.)

Question 74 (hard, multi select)

An organization is implementing continuous monitoring for its critical systems. Which THREE of the following activities are examples of continuous monitoring? (Select three.)

Question 75 (medium, multi select)

A third-party vendor has been assessed as high risk due to its access to sensitive data. Which TWO ongoing monitoring activities are most appropriate for this vendor? (Select two.)

Question 76 (medium, multiple choice)

An organization is implementing a control to prevent unauthorized access to its critical database. The control must be designed to block access attempts in real time. Which type of control should be selected?

Question 77 (easy, multiple choice)

During a cost-benefit analysis for a proposed control, the annualized loss expectancy (ALE) without the control is $500,000. The control is expected to reduce the ALE to $100,000. The control implementation cost is $150,000, and the annual operating cost is $30,000. What is the net annual benefit of the control?

Question 78 (hard, multiple choice)

A risk manager is evaluating the effectiveness of a control that requires dual authorization for high-value transactions. The Key Control Indicator (KCI) for this control is the rate of transactions processed without dual authorization (i.e., exception rate). If the acceptable exception rate is less than 1% and the observed rate is 2.5%, what is the most appropriate immediate action?

Question 79 (medium, multiple choice)

An organization is implementing a new access control system. Which of the following is the most important activity to ensure the control is effectively integrated into operations?

Question 80 (hard, multiple choice)

A Key Risk Indicator (KRI) for a critical system is the number of unpatched vulnerabilities older than 30 days. The threshold is set at 5. This KRI is best described as:

Question 81 (easy, multiple choice)

Which of the following is the most appropriate frequency for operational IT risk reporting to IT management?

Question 82 (medium, multiple choice)

An organization is integrating IT risk into its enterprise risk management (ERM) program. What is the primary benefit of this integration?

Question 83 (medium, multiple choice)

A vendor risk manager is tiering vendors based on the criticality of services and data access. A vendor that processes sensitive customer data for a core business application should be classified as which tier?

Question 84 (easy, multiple choice)

An organization wants to promote a risk-aware culture. Which of the following actions is most effective in encouraging employees to report incidents without fear?

Question 85 (hard, multiple choice)

During a quarterly control effectiveness test, internal audit discovers that a key automated control failed 15% of the time due to a software bug. The risk owner decides to accept the risk because the cost to fix the bug is high. What should the risk manager do next?

Question 86 (medium, multiple choice)

Which of the following is the best example of a Key Control Indicator (KCI) for a firewall rule review process?

Question 87 (hard, multiple choice)

An organization uses continuous monitoring via SIEM rules to detect anomalies. The SIEM generates an alert when the number of failed logins exceeds a threshold. This monitoring is an example of:

Question 88 (medium, multi select)

A risk manager is reviewing the risk report content for a quarterly IT risk committee meeting. Which TWO items are most important to include in the report?

Question 89 (hard, multi select)

An organization is developing a vendor risk management program. Which THREE activities should be included in the initial onboarding assessment for a high-risk vendor?

Question 90 (medium, multi select)

A security awareness program is being designed to promote a risk-aware culture. Which TWO elements are most critical for the program's success?

Question 91 (easy, multiple choice)

An organization is selecting a control to prevent unauthorized access to a critical database. Which control type is most appropriate?

Question 92 (medium, multiple choice)

During a cost-benefit analysis for a proposed control, the annual loss expectancy (ALE) for a risk is currently $500,000. The control will cost $100,000 annually and is expected to reduce the ALE by 80%. What is the net benefit of implementing this control?

Question 93 (hard, multiple choice)

A key control indicator (KCI) for a critical access control shows a deficiency rate of 12% for the quarter, exceeding the target of 5%. Which of the following should be the risk practitioner's PRIMARY action?

Question 94 (medium, multiple choice)

An organization is implementing a new access control system. Which of the following is the MOST important consideration during the implementation phase?

Question 95 (medium, multiple choice)

Which of the following is a leading Key Risk Indicator (KRI) for the risk of a data breach?

Question 96 (hard, multiple choice)

A risk practitioner is designing a quarterly IT risk report for the CISO. Which of the following elements is MOST critical for tactical decision-making?

Question 97 (easy, multiple choice)

When integrating IT risk into the enterprise risk management (ERM) program, what is the PRIMARY benefit?

Question 98 (medium, multiple choice)

In third-party risk management, which of the following is MOST indicative of a vendor's control effectiveness for a critical vendor?

Question 99 (hard, multiple choice)

A risk practitioner notices that the number of failed authentication attempts has spiked by 300% over the past week. Which of the following actions should be taken FIRST?

Question 100 (easy, multiple choice)

Which of the following is the BEST example of promoting a risk-aware culture within an organization?

Question 101 (medium, multiple choice)

During a vendor risk assessment, a prospective vendor for critical services cannot provide a SOC 2 Type II report. According to the organization's vendor risk appetite, which action should be taken?

Question 102 (medium, multiple choice)

Which of the following is the BEST Key Control Indicator (KCI) for measuring the effectiveness of a firewall?

Question 103 (hard, multi select)

An organization is implementing continuous monitoring for its critical systems. Which TWO of the following are examples of continuous monitoring techniques? (Select TWO)

Question 104 (medium, multi select)

Which THREE of the following are components of an effective IT risk reporting structure for a large enterprise? (Select THREE)

Question 105 (medium, multi select)

A risk practitioner is evaluating the effectiveness of a security awareness program. Which TWO indicators would BEST measure whether the program is positively influencing risk culture? (Select TWO)

Question 106 (easy, multiple choice)

An organization is implementing a new control to prevent unauthorized access to its critical database. Which type of control is most appropriate for this requirement?

Question 107 (medium, multiple choice)

A company is evaluating the cost-benefit of a new control that reduces the annualized loss expectancy (ALE) from $500,000 to $100,000. The control has an annual cost of $150,000. What is the net benefit of implementing this control?

Question 108 (medium, multiple choice)

During a quarterly control effectiveness test, an internal auditor discovers that a key preventive control has a 10% exception rate. The control is designed to prevent unauthorized transactions. Which Key Control Indicator (KCI) is being measured?

Question 109 (hard, multiple choice)

An organization uses a SIEM to automatically test access control rules on a continuous basis. This is an example of which type of monitoring?

Question 110 (easy, multiple choice)

The Chief Information Security Officer (CISO) receives a quarterly report that includes a risk heat map and trend analysis of top risks. This type of reporting is best described as:

Question 111 (medium, multiple choice)

A company is assessing a new vendor that will have access to its customer database. The vendor's security questionnaire reveals they lack SOC 2 certification. According to risk tiering, the vendor is classified as critical. What should the company do?

Question 112 (hard, multiple choice)

An organization notices a spike in failed authentication attempts over the past week. This metric is best classified as which type of risk indicator?

Question 113 (easy, multiple choice)

When implementing a new control, which of the following is the most important factor in ensuring its long-term effectiveness?

Question 114 (medium, multiple choice)

An IT risk manager is preparing a report for the board of directors. Which of the following content elements is most important for strategic risk reporting?

Question 115 (hard, multiple choice)

A change to a critical application is being implemented without updating the associated security controls. This is most likely a failure in which process?

Question 116 (easy, multiple choice)

Which of the following is the primary purpose of a risk heat map in a risk report?

Question 117 (medium, multiple choice)

An organization has implemented a new control that requires manual approval for all high-value transactions. The control owner is responsible for ensuring approvals are obtained. Which control ownership aspect is demonstrated?

Question 118 (medium, multi select)

An organization is implementing a risk-aware culture. Which TWO of the following are effective practices?

Question 119 (hard, multi select)

A third-party vendor is classified as high risk due to its access to sensitive data. Which THREE activities should be part of ongoing monitoring for this vendor?

Question 120 (easy, multi select)

Which TWO of the following are examples of continuous monitoring techniques?

Question 121 (easy, multiple choice)

An organization is implementing a new access control system to prevent unauthorized access to sensitive data. Which type of control is being implemented?

Question 122 (medium, multiple choice)

During a cost-benefit analysis for a proposed control, the annual loss expectancy (ALE) for a risk is currently $500,000. The control is expected to reduce the ALE by 80% and will cost $150,000 per year. What is the net benefit of implementing the control?

Question 123 (hard, multiple choice)

An organization uses Key Control Indicators (KCIs) to measure the effectiveness of its firewall change management process. Which KCI would best indicate a process deficiency?

Question 124 (medium, multiple choice)

A security operations center (SOC) uses a Security Information and Event Management (SIEM) system to continuously monitor for suspicious activities. Which type of monitoring is being performed?

Question 125 (medium, multiple choice)

A quarterly risk report for the IT steering committee shows a key risk indicator (KRI) called 'patch lag' has increased from 15 days to 45 days. What does this trend most likely indicate?

Question 126 (easy, multiple choice)

Which of the following is an example of a corrective control?

Question 127 (hard, multiple choice)

An organization is implementing a new control to address a high-risk finding. The project manager has scheduled a user training session and updated the relevant policies. Which implementation phase is being addressed?

Question 128 (medium, multiple choice)

In a risk report presented to the board of directors, which of the following elements is most appropriate to include?

Question 129 (medium, multiple choice)

Which of the following is the primary purpose of a Key Risk Indicator (KRI)?

Question 130 (hard, multiple choice)

During a third-party risk assessment, a vendor is classified as 'critical' due to its access to sensitive customer data. According to the organization's vendor risk appetite, what is the minimum security requirement for this vendor?

Question 131 (easy, multiple choice)

An organization wants to promote a risk-aware culture. Which initiative best supports this goal?

Question 132 (medium, multiple choice)

In the context of ERM integration, IT risk is typically considered a subset of which broader risk category?

Question 133 (medium, multi select)

Which TWO of the following are examples of continuous monitoring activities? (Select TWO.)

Question 134 (hard, multi select)

Which THREE of the following are essential components of an effective IT risk report to senior management? (Select THREE.)

Question 135 (medium, multi select)

Which TWO of the following are leading indicators that could be used as KRIs for information security risk? (Select TWO.)

Question 136 (medium, multiple choice)

An organization is selecting a control to reduce the risk of unauthorized data exfiltration. The annual loss expectancy (ALE) for this risk is currently $500,000. The proposed control costs $80,000 annually and is expected to reduce the ALE by 60%. What is the net benefit (reduction in risk exposure minus control cost) of implementing this control?

Question 137 (medium, multiple choice)

A risk manager is evaluating a control that addresses a high-risk finding from an internal audit. Which of the following is the MOST important factor in determining whether the control is effective?

Question 138 (easy, multiple choice)

An organization has implemented a new firewall rule to block malicious IP addresses. This is an example of which type of control?

Question 139 (hard, multiple choice)

During a quarterly risk review, the CISO notes that the number of failed authentication attempts has increased by 300% over the last month. The IT team confirms no changes to authentication systems. This metric is BEST categorized as which of the following?

Question 140 (medium, multiple choice)

A company is implementing a new access control system. According to the project plan, user training will be delivered after the system goes live. What change management issue does this present?

Question 141 (easy, multiple choice)

An IT risk report to the board of directors should primarily focus on which of the following?

Question 142 (medium, multiple choice)

A risk owner is reviewing a control that has a deficiency rate of 15%. The target deficiency rate is less than 5%. Which of the following is the MOST appropriate immediate action?

Question 143 (hard, multiple choice)

An organization is implementing continuous monitoring of its network using SIEM rules. Which of the following is the PRIMARY benefit of this approach over periodic manual testing?

Question 144 (easy, multiple choice)

In a risk-aware culture, which of the following behaviors is MOST encouraged?

Question 145 (medium, multiple choice)

A vendor risk tier is assigned based on data access and service criticality. A vendor that processes sensitive customer data and is critical to operations should be classified as which tier?

Question 146 (hard, multiple choice)

An organization uses a KRI that tracks the average time to patch critical vulnerabilities. The metric has been increasing over the past three months. What does this indicate from a risk perspective?

Question 147 (medium, multiple choice)

Which of the following is the PRIMARY purpose of integrating IT risk reporting into the enterprise risk management (ERM) program?

Question 148 (medium, multi select)

An organization is conducting a post-implementation review of a new data loss prevention (DLP) control. Which TWO metrics are Key Control Indicators (KCIs) that would best measure the control's effectiveness?

Question 149 (hard, multi select)

A risk manager is updating the risk report for the IT steering committee. Which THREE elements should be included to provide a comprehensive view of the risk posture?

Question 150 (medium, multi select)

An organization is implementing a third-party risk management program. Which TWO are essential components of the initial vendor risk assessment process?

Question 151 (medium, multi select)

A financial services company is implementing a new control to mitigate the risk of unauthorized access to customer data. Which TWO of the following are key factors to consider during the control design phase?

Question 152 (medium, multi select)

After implementing a new access control system, the IT risk manager needs to measure its effectiveness. Which THREE of the following are Key Control Indicators (KCIs) that would be appropriate?

Question 153 (easy, multi select)

An organization is implementing continuous monitoring for its network security controls. Which TWO of the following are examples of continuous monitoring techniques?

Question 154 (hard, multi select)

A multinational corporation is developing its IT risk reporting structure. The risk manager must align reports with different audiences. Which THREE of the following reporting frequencies and audiences are correctly matched?

Question 155 (medium, multi select)

During a third-party risk management review, the organization is tiering its vendors based on risk. Which TWO of the following criteria are most relevant for determining vendor risk tier?

Question 156 (easy, multi select)

An organization wants to promote a risk-aware culture. Which TWO of the following initiatives are most effective for achieving this?

Question 157 (medium, multi select)

An organization is integrating its IT risk program with the enterprise risk management (ERM) framework. Which THREE of the following activities support this integration?

Question 158 (hard, multi select)

A company's IT risk manager is evaluating Key Risk Indicators (KRIs) for the cybersecurity function. Which TWO of the following are valid examples of leading KRIs?

Question 159 (medium, multi select)

An organization is designing a vendor risk assessment process for critical vendors. Which THREE of the following should be included in the initial onboarding assessment?

Question 160 (hard, multi select)

During a quarterly IT risk review, the risk manager presents a risk heat map. Which TWO of the following elements should be included in the report to provide a comprehensive view?
