Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.


CRISC IT Risk Assessment • Complete Question Bank

CRISC IT Risk Assessment — All Questions With Answers

Complete CRISC IT Risk Assessment question bank — all 0 questions with answers and detailed explanations.

130 questions · Free · No signup
Question 1 (medium, multiple choice)

During a risk assessment, an organization identifies that its primary data center is located in a flood-prone area. Which risk treatment option would best address this risk?

Question 2 (hard, multiple choice)

A risk assessment for a healthcare organization reveals a high likelihood of data breaches due to weak encryption on portable devices. The organization decides to deploy full-disk encryption and enforce multi-factor authentication. Which risk response strategy is being applied?

Question 3 (easy, multiple choice)

Which of the following is the PRIMARY purpose of conducting a business impact analysis (BIA) during the IT risk assessment process?

Question 4 (medium, multiple choice)

A retail company is assessing the risk of a POS malware attack. Which approach would BEST quantify the potential financial impact?

Question 5 (hard, multiple choice)

A risk assessor is evaluating a third-party cloud service provider. Which of the following is the MOST important factor to consider when assessing the risk of data exfiltration?

Question 6 (easy, multiple choice)

An organization has a risk appetite that is risk-averse. Which risk treatment option would be most aligned with this appetite?

Question 7 (medium, multiple choice)

During a risk assessment, a financial institution identifies that its online banking application uses an outdated encryption protocol. The likelihood of exploitation is high, and the impact is moderate. What should the risk owner do FIRST?

Question 8 (hard, multiple choice)

A multinational corporation is assessing the risk of non-compliance with GDPR. Which of the following is the BEST approach to quantify the potential fine?

Question 9 (easy, multiple choice)

Which of the following is the BEST indicator that an organization's IT risk assessment process is effective?

Question 10 (medium, multiple choice)

A risk assessment reveals that a legacy system has a high vulnerability score but low business criticality. The cost to remediate is high. What is the MOST appropriate risk response?

Question 11 (hard, multiple choice)

An organization uses a quantitative risk analysis method. The annualized rate of occurrence (ARO) for a specific threat is 0.5, and the single loss expectancy (SLE) is $200,000. What is the annualized loss expectancy (ALE)?

Question 12 (medium, multiple choice)

During a risk assessment for a cloud migration project, the IT risk manager identifies that the organization lacks visibility into the cloud provider's security controls. Which approach should the risk manager recommend to address this risk?

Question 13 (hard, multiple choice)

A financial institution is assessing the risk of a new real-time payment system. The risk manager calculates that the annualized loss expectancy (ALE) for a potential fraud scenario is $500,000. The cost to implement a fraud detection solution is $200,000 initially with $50,000 annual maintenance. The solution is expected to reduce the ALE by 80%. What is the net benefit of implementing the solution over three years?

Question 14 (easy, multiple choice)

An organization is performing a risk assessment for its new customer relationship management (CRM) system. Which of the following is the BEST way to identify threats to the CRM?

Question 15 (medium, multiple choice)

After a risk assessment, the risk owner decides to mitigate a high-risk finding by implementing additional access controls. What should the risk manager do NEXT?

Question 16 (hard, multiple choice)

An organization has a legacy system that cannot be patched due to vendor end-of-life. The system processes non-critical data. The risk manager has determined that the likelihood of exploitation is low, but the impact would be high. Which risk response strategy is MOST appropriate?

Question 17 (easy, multiple choice)

During a risk assessment, the risk manager identifies a vulnerability in a web application that could allow SQL injection. The development team states they will fix it in the next release, which is six months away. What should the risk manager do?

Question 18 (medium, multiple choice)

A risk manager is evaluating the risk associated with a new third-party vendor that will have access to customer data. The vendor has been in business for 10 years and holds ISO 27001 certification. Which factor should be given the MOST weight when determining the vendor's risk level?

Question 19 (hard, multi select)

Which TWO of the following are valid techniques for identifying risk in IT risk assessment?

Question 20 (medium, multi select)

Which THREE of the following are key components of a risk assessment report?

Question 21 (easy, multi select)

Which TWO of the following are examples of inherent risk?

Question 22 (hard, multiple choice)

Based on the exhibit, what is the MOST likely risk scenario?

Exhibit

Refer to the exhibit.
```
2023-11-15 14:23:45 [CRITICAL] Failed login attempt for user 'admin' from IP 10.0.0.5
2023-11-15 14:23:46 [CRITICAL] Failed login attempt for user 'admin' from IP 10.0.0.5
2023-11-15 14:23:47 [CRITICAL] Failed login attempt for user 'admin' from IP 10.0.0.5
... (repeated 100 times in 5 minutes)
2023-11-15 14:28:45 [INFO] Successful login for user 'admin' from IP 10.0.0.5
```

Question 23 (medium, multiple choice)

Based on the exhibit, what is the primary risk to the organization?

Exhibit

Refer to the exhibit.
```
{
  "PolicyName": "S3PublicAccessBlock",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::customer-data/*"
    }
  ]
}
```

Question 24 (hard, multiple choice)

You are the IT risk manager for a multinational corporation with a hybrid cloud environment. The company uses AWS for its primary infrastructure and maintains an on-premises data center for legacy applications. Recently, the security team detected that a contractor's credentials were used to access an S3 bucket containing personally identifiable information (PII) of European customers. The contractor had been granted access to this bucket six months ago for a data migration project that has since been completed. The access was not revoked. The security team has implemented an automated process to review and revoke access for contractors after project completion, but this process has not been applied retroactively. The company is subject to GDPR. Which of the following is the BEST course of action to address the immediate risk?

Question 25 (medium, multiple choice)

A company is implementing a new cloud-based customer relationship management (CRM) system. The IT risk manager needs to assess the risk of data exfiltration by a malicious insider at the cloud provider. Which risk assessment approach is most appropriate for this scenario?

Question 26 (easy, multiple choice)

During a risk assessment for a critical financial application, the IT risk manager identifies a vulnerability in the application's authentication module. The exploit would require authenticated access. Which risk rating is most appropriate if the vulnerability has a CVSS base score of 9.0, but the application is behind a strong firewall and requires two-factor authentication?

Question 27 (hard, multi select)

Which THREE of the following are key components of an IT risk assessment report as per ISACA guidelines?

Question 28 (hard, multiple choice)

Based on the exhibit, which risk should be treated first according to the risk rating?

Exhibit

Refer to the exhibit.

```
Risk Register Extract:
Risk ID | Asset | Vulnerability | Threat | Current Control | Likelihood | Impact | Risk Level
R001    | WebApp | SQLi in login | Attacker | WAF | 3 | 5 | 15
R002    | DB Server | Weak password | Insider | Password policy | 2 | 4 | 8
R003    | Firewall | Misconfigured rule | External | Change management | 4 | 3 | 12
```

Risk Rating Matrix:
Likelihood (1-5) x Impact (1-5) = Risk Level (1-25). Thresholds: Low (1-6), Medium (7-12), High (13-25).

Question 29 (medium, multiple choice)

You are the IT risk manager at a multinational corporation that recently migrated its customer database to a cloud-based platform. The database contains personally identifiable information (PII) subject to GDPR. During a routine vulnerability scan, you discover that the database is accessible from the internet without encryption (port 1433 open). The cloud provider's shared responsibility model indicates that securing the database configuration is the customer's responsibility. You have identified the risk as high likelihood and high impact. The business owner argues that the database is only accessible to a limited IP range and that encryption would degrade performance. Which course of action should you recommend to treat the risk?

Question 30 (medium, multiple choice)

Refer to the exhibit. An organization has identified vulnerabilities on a critical server. The risk owner has limited resources and can remediate only one finding this quarter. Based on the information provided, which approach is the most appropriate risk assessment decision?

Exhibit

Refer to the exhibit.

```
Vulnerability Scan Report (excerpt):
Host: 10.10.50.100
Port: 443 (HTTPS)
Finding: SSL/TLS certificate uses SHA-1 signature algorithm (CVE-2015-7575)
Severity: Medium
Remediation: Replace certificate with SHA-256 or higher.

Host: 10.10.50.100
Port: 22 (SSH)
Finding: OpenSSH version 7.2 is vulnerable to CVE-2016-6515 (DoS)
Severity: Low
Remediation: Upgrade to OpenSSH 7.3 or later.
```

Question 31 (hard, multi select)

An organization is implementing a quantitative risk assessment for its customer database. Which TWO elements are essential for calculating the annualized loss expectancy (ALE)?

Question 32 (easy, multiple choice)

You are the IT risk manager for a financial institution that processes high-value transactions. The organization uses a cloud-based core banking system and on-premises servers for backup. During a recent risk assessment, you identified that the cloud provider's service-level agreement (SLA) guarantees 99.9% uptime, but the organization's business impact analysis (BIA) indicates that every hour of downtime costs $500,000. The current recovery time objective (RTO) for the core banking system is 4 hours, but the actual recovery capability is 6 hours due to manual steps in failover. The risk owner has accepted this risk informally. You are asked to recommend a course of action to the risk committee. Which of the following is the most appropriate recommendation?

Question 33 (medium, drag order)

Put the steps for developing an information security policy in order.

Question 34 (medium, drag order)

Order the steps for change management in an IT environment.

Question 35 (medium, matching)

Match each key risk indicator (KRI) to its description.

Descriptions to match:
Measures availability risk
Measures access control risk
Measures vulnerability management risk
Measures security awareness risk

Question 36 (medium, matching)

Match each risk analysis formula to its component.

Descriptions to match:
Asset value × exposure factor
Annual frequency of occurrence
SLE × ARO
Percentage of asset lost per incident

Question 37 (medium, multiple choice)

During a qualitative risk assessment, the risk owner rates the likelihood of a threat as 'high' and the impact as 'medium'. According to standard risk matrices, what is the resulting risk level?

Question 38 (easy, multiple choice)

An IT manager is identifying risks for a new cloud application. Which of the following is the BEST source for identifying specific threats relevant to cloud services?

Question 39 (hard, multiple choice)

A financial institution uses a quantitative risk assessment for a core banking system. The annual loss expectancy (ALE) is calculated as $500,000 with a single loss expectancy (SLE) of $2,500,000. What is the annualized rate of occurrence (ARO)?

Question 40 (medium, multiple choice)

After a risk assessment, the risk owner determines that the residual risk is still above the risk appetite. Which of the following is the MOST appropriate next step?

Question 41 (hard, multiple choice)

A company is evaluating control effectiveness for a critical system. The control fails 10% of the time when tested. The inherent risk level is 'high'. What is the effect on residual risk?

Question 42 (easy, multiple choice)

Which risk assessment method uses a matrix to plot likelihood and impact to determine risk level?

Question 43 (medium, multiple choice)

An organization's risk register contains a risk with a very high impact but very low likelihood. The risk response strategy should be:

Question 44 (hard, multiple choice)

During a risk assessment of a legacy system, the assessor finds that no control is currently in place. The inherent risk level is 'critical'. The residual risk will be:

Question 45 (easy, multiple choice)

A risk assessment that assigns monetary values to assets and calculates expected loss is called:

Question 46 (medium, multi select)

Which TWO of the following are key outputs of a risk assessment process?

Question 47 (hard, multi select)

Which THREE factors should be considered when determining the likelihood of a threat exploiting a vulnerability?

Question 48 (medium, multi select)

Which TWO of the following are examples of risk avoidance?

Question 49 (medium, multiple choice)

Based on the exhibit, what is the MOST appropriate immediate risk response?

Exhibit

Refer to the exhibit.

Exhibit: CLI output from a vulnerability scanner:
```
Host: 10.10.10.10
Port: 443
Vulnerability: CVE-2024-1234
CVSS Score: 9.8
Exploit Available: Yes
Patch Available: No
```

Question 50 (hard, multiple choice)

The policy in the exhibit is intended to enforce what security control?

Exhibit

Refer to the exhibit.

Exhibit: JSON snippet of a cloud security policy:
```
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "true"
        }
      }
    }
  ]
}
```

Question 51 (easy, multiple choice)

What is the primary risk if the WAF is misconfigured?

Exhibit

Refer to the exhibit.

Exhibit: Architecture diagram description:
An e-commerce web application consists of a web server, application server, and database server in separate subnets. A WAF (Web Application Firewall) is placed in front of the web server. The web server communicates with the application server on port 8080, and the application server communicates with the database on port 3306.

Question 52 (easy, multiple choice)

A multinational corporation is assessing the risk of a new cloud-based customer relationship management (CRM) system. The risk manager conducts a qualitative risk assessment using a risk matrix that plots likelihood vs. impact. Which of the following is the PRIMARY benefit of using a qualitative approach over a quantitative approach in this context?

Question 53 (medium, multiple choice)

After a security incident, an organization discovers that a critical database was accessed by an unauthorized user due to weak authentication controls. As part of the IT risk assessment process, which step should have identified this vulnerability?

Question 54 (hard, multiple choice)

A financial institution is evaluating the risk of a new mobile payment application. The risk team calculates the Annual Loss Expectancy (ALE) as $500,000 based on a single loss expectancy (SLE) of $100,000 and an annual rate of occurrence (ARO) of 5. After implementing a new encryption control at a cost of $150,000 per year, the ALE is reduced to $200,000. What is the residual risk in terms of ALE after one year of control operation?

Question 55 (easy, multiple choice)

An organization is conducting a business impact analysis (BIA) for its core banking system. Which of the following is the PRIMARY metric used to determine the urgency of recovery?

Question 56 (medium, multiple choice)

During a risk assessment, the risk manager identifies that the likelihood of a cyber-attack is high due to recent industry trends. However, the existing controls are deemed effective in reducing impact. Which of the following is the MOST appropriate risk response?

Question 57 (hard, multiple choice)

A large enterprise uses a risk matrix with impact categories (very low, low, medium, high, very high) and likelihood (rare, unlikely, possible, likely, almost certain). A risk identified has a 'likely' likelihood and 'high' impact. According to the matrix, risks with this combination are classified as 'high' risk. The risk appetite statement requires that all high risks have a response plan within 30 days. However, the risk owner argues that due to effective compensating controls, the residual risk is only 'medium'. Which of the following is the BEST course of action?

Question 58 (easy, multiple choice)

Which of the following is the BEST indicator that a risk assessment's results are reliable?

Question 59 (medium, multiple choice)

A company has identified a risk of data exfiltration through an outdated encryption protocol. The risk assessment team determines that the likelihood is low, but the impact is very high. The company decides to update the encryption protocol. This risk response is an example of:

Question 60 (hard, multiple choice)

During a risk assessment, a risk manager is evaluating the effectiveness of a firewall rule set. The manager notes that the firewall logs show a high number of dropped packets from a specific IP range, but no policy changes have been made. The manager suspects the firewall rule set may be misconfigured. Which of the following should the manager do FIRST?

Question 61 (medium, multi select)

An IT risk manager is performing a risk assessment for a new cloud service. Which TWO of the following are key inputs to the risk identification process? (Select TWO.)

Question 62 (hard, multi select)

A risk assessment team is calculating the Annual Loss Expectancy (ALE) for a critical server. The Single Loss Expectancy (SLE) is $50,000 and the Annual Rate of Occurrence (ARO) is estimated to be 2. The team is considering implementing a new backup solution costing $40,000 per year. Which TWO of the following statements are true regarding the cost-benefit analysis? (Select TWO.)

Question 63 (medium, multi select)

An organization is conducting a risk assessment of its remote access infrastructure. Which THREE of the following are typical components of a risk assessment report? (Select THREE.)

Question 64 (medium, multiple choice)

An organization recently experienced a data breach due to a misconfigured cloud storage bucket. As part of the IT risk assessment, which control should be prioritized to prevent recurrence?

Question 65 (easy, multiple choice)

During a risk assessment of a web application, the risk owner identifies that the application uses outdated encryption algorithms. What is the most appropriate next step?

Question 66 (hard, multiple choice)

An organization uses a third-party vendor for critical data processing. The vendor has experienced two minor security incidents in the past year with no data loss. The risk manager is updating the vendor risk assessment. Which approach best aligns with ISACA's guidance?

Question 67 (medium, multiple choice)

A company has identified that its legacy financial system has a high inherent risk due to outdated architecture. The system cannot be replaced for three years. What is the best risk treatment strategy?

Question 68 (easy, multiple choice)

During an IT risk assessment, a risk analyst discovers that a server contains sensitive customer data but is not included in the organization's vulnerability scanning program. What should the analyst do first?

Question 69 (hard, multiple choice)

A multinational organization is assessing the risk of a new cloud service that stores data across multiple geographic regions. The service provider offers standard contractual terms and does not commit to specific data residency requirements. What is the primary risk that should be evaluated?

Question 70 (medium, multiple choice)

An organization has received a critical vulnerability alert for a web application firewall. The risk owner is on leave. What should the risk manager do?

Question 71 (easy, multiple choice)

Which risk assessment approach is most appropriate for a new technology that has limited historical data and high uncertainty?

Question 72 (hard, multiple choice)

During a risk assessment, the risk manager finds that a critical application has a single point of failure in its network path. The application's availability requirement is 99.99%. The current design achieves only 99.9% uptime. Which risk metric should be calculated first?

Question 73 (medium, multi select)

Which TWO controls are most effective for reducing the risk of data leakage from endpoints in a remote work environment?

Question 74 (hard, multi select)

Which THREE factors should be considered when determining the inherent risk level of a new IT project prior to any controls?

Question 75 (easy, multi select)

Which TWO outcomes indicate that a risk assessment process is effective?

Question 76 (easy, multiple choice)

A company is conducting an IT risk assessment for the first time. Which of the following should be the FIRST step?

Question 77 (medium, multiple choice)

An organization uses a qualitative risk assessment methodology. During a recent assessment, several risks were rated as 'high' due to vague definitions. What is the BEST way to improve the accuracy of the assessment?

Question 78 (hard, multiple choice)

A multinational corporation is migrating critical applications to a public cloud provider. The IT risk manager needs to design a risk assessment approach that addresses shared responsibility. Which of the following is the MOST appropriate approach?

Question 79 (easy, multiple choice)

An IT risk manager is facilitating a brainstorming session to identify threats. Which technique is BEST suited for identifying a wide range of potential threats?

Question 80 (medium, multiple choice)

A company outsourced its payroll processing to a third-party vendor. During the risk assessment, it was found that the vendor's data centers are in a country with weak data protection laws. What is the BEST way to treat this risk?

Question 81 (hard, multiple choice)

During a risk assessment, the IT risk manager needs to prioritize risks for treatment. Which of the following risk characteristics should be weighted MOST heavily?

Question 82 (easy, multiple choice)

Which of the following BEST describes inherent risk?

Question 83 (medium, multiple choice)

An organization maintains a risk register. Which of the following updates should be made on an ongoing basis?

Question 84 (hard, multiple choice)

A company has a low risk appetite but high risk tolerance. Which of the following scenarios is consistent with this situation?

Question 85 (medium, multi select)

Which TWO of the following are primary factors that determine how often a risk assessment should be performed?

Question 86 (hard, multi select)

Which THREE of the following are effective risk treatment strategies?

Question 87 (easy, multi select)

Which TWO of the following are key elements that should be included in an IT risk assessment report?

Question 88 (medium, multiple choice)

Based on the exhibit, which vulnerability poses the HIGHEST risk to the organization?

Exhibit

Refer to the exhibit.

```
=== Vulnerability Scan Report (Excerpt) ===
Host: 10.0.1.25 (Critical Server)
Vulnerability: CVE-2023-1234 (Remote Code Execution)
Severity: Critical (CVSS 9.8)
Status: Unpatched

Host: 10.0.2.10 (Web Server)
Vulnerability: CVE-2023-5678 (SQL Injection)
Severity: High (CVSS 7.5)
Status: Patched

Host: 10.0.3.50 (File Server)
Vulnerability: CVE-2022-9876 (Privilege Escalation)
Severity: Medium (CVSS 5.0)
Status: Compensating Control in Place

=== End of Exhibit ===
```

Question 89 (hard, multiple choice)

Based on the exhibit, what is the MOST significant risk exposure?

Exhibit

Refer to the exhibit.

```
{
  "PolicyName": "IAMRoleAccessControl",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::123456789012:role/AdminRole" },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::confidential-bucket/*",
      "Condition": {
        "IpAddress": { "aws:SourceIp": "10.0.0.0/16" }
      }
    },
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::public-bucket/*"
    }
  ]
}
```

Question 90 (easy, multiple choice)

Based on the exhibit, which risk is MOST likely to be identified during a risk assessment?

Exhibit

Refer to the exhibit.

=== Data Center Architecture Description ===
The data center has three layers: Core, Aggregation, and Access. The Core layer connects to the internet via redundant firewalls. The Aggregation layer hosts critical application servers in a DMZ. The Access layer connects to user workstations. There is no network segmentation between the DMZ and internal user networks.

=== End of Exhibit ===

Question 91 (easy, multiple choice)

A financial institution is selecting a risk assessment methodology for evaluating cybersecurity risks across its critical systems. Which of the following is the PRIMARY consideration when choosing between qualitative and quantitative approaches?

Question 92 (medium, multiple choice)

During a risk assessment, a risk practitioner identifies that a legacy application uses a deprecated encryption protocol. The application is critical for business operations and cannot be patched. Which of the following is the BEST approach to assess the risk?

Question 93 (hard, multiple choice)

A company calculates the annualized loss expectancy (ALE) for a server outage as $75,000. The cost to implement a high-availability solution is $200,000 with a lifespan of 5 years and annual maintenance of $10,000. What is the residual risk if the solution reduces outage likelihood by 90%?

Question 94 (easy, multiple choice)

After a risk assessment, the risk owner states that the residual risk for a specific asset is within the organization's risk tolerance. Which of the following BEST describes the action that should be taken?

Question 95 (medium, multiple choice)

During a risk assessment, the risk practitioner discovers that a critical database does not have an active failover solution. The database is used by multiple business applications. Which of the following factors should be given the HIGHEST weight when determining the inherent risk level?

Question 96 (hard, multiple choice)

A risk practitioner is conducting a threat modeling exercise for a new cloud-based application using the STRIDE methodology. Which of the following is the PRIMARY benefit of using STRIDE over a simple checklist?

Question 97 (easy, multiple choice)

Which of the following is the BEST indicator that a control is effective in mitigating a risk?

Question 98 (medium, multiple choice)

A risk register is being updated after a quarterly risk assessment. One risk has decreased in likelihood due to new controls. However, the risk score remains unchanged because the impact increased. What should the risk practitioner do?

Question 99 (hard, multiple choice)

During a quantitative risk analysis, the risk practitioner determines that the single loss expectancy (SLE) for a ransomware attack is $500,000 and the annualized rate of occurrence (ARO) is 0.4. The organization has a risk appetite that accepts annual losses up to $150,000. What is the recommended action?

Question 100 (medium, multi select)

Which TWO of the following are valid triggers for initiating a risk assessment outside the regular cycle? (Select 2)

Question 101 (hard, multi select)

Which TWO of the following are characteristics of quantitative risk analysis compared to qualitative risk analysis? (Select 2)

Question 102 (easy, multi select)

Which THREE of the following are valid risk response options according to the ISACA risk management framework? (Select 3)

Question 103 (easy, multiple choice)

Based on the exhibit, which of the following is the MOST likely risk scenario?

Exhibit

Refer to the exhibit.

syslog output:
```
Jan 15 14:23:45 server01 sshd[1234]: Failed password for root from 10.0.0.5 port 22 ssh2
Jan 15 14:23:50 server01 sshd[1234]: Failed password for root from 10.0.0.5 port 22 ssh2
Jan 15 14:23:55 server01 sshd[1234]: Failed password for root from 10.0.0.5 port 22 ssh2
```
Question 104 (medium, multiple choice)

Based on the exhibit, what is the PRIMARY risk associated with this S3 bucket policy?

Exhibit

Refer to the exhibit.

JSON policy snippet:
```json
{
  "effect": "Allow",
  "principal": "*",
  "action": "s3:GetObject",
  "resource": "arn:aws:s3:::critical-data/*",
  "condition": {
    "IpAddress": {
      "aws:SourceIp": "10.0.0.0/8"
    }
  }
}
```
Question 105 (hard, multiple choice)

Based on the exhibit, which of the following poses the HIGHEST risk to the environment?

Exhibit

Refer to the exhibit.

Architecture description:
The organization has a three-tier web application: web servers (public subnet), application servers (private subnet), and database servers (private subnet). The web servers communicate with application servers via HTTPS. Application servers query the database using SQL with embedded credentials. The database has direct internet access for remote administration via SSH, but access is restricted to a single IP address of the DBA's home office.
Question 106 (easy, multiple choice)

During a risk assessment, a risk owner is unsure about the likelihood rating for a specific threat. Which of the following is the BEST source of information to determine the likelihood?

Question 107 (medium, multiple choice)

A company has identified a risk of data breach due to weak encryption. The current controls include encryption at rest but not in transit. The risk assessment team calculates inherent risk as high and residual risk as high. What should the team recommend FIRST?

Question 108 (hard, multiple choice)

An organization uses a quantitative risk analysis method. The annualized loss expectancy (ALE) for a specific risk is calculated as $500,000. The cost of implementing a control is $150,000 per year, and it is expected to reduce the ALE by 80%. What is the net benefit of implementing the control?

Question 109 (easy, multiple choice)

When assessing IT risks, which of the following is the PRIMARY purpose of developing risk scenarios?

Question 110 (medium, multiple choice)

A risk assessment team is evaluating the effectiveness of existing controls for a critical application. Which of the following approaches best determines whether controls are operating as intended?

Question 111 (hard, multiple choice)

During a risk assessment, the risk team identifies that a legacy system has multiple known vulnerabilities that cannot be patched. The system is critical for operations. Which of the following risk treatment options is MOST appropriate?

Question 112 (easy, multiple choice)

Which of the following is the BEST indicator that a risk assessment should be performed outside the normal cycle?

Question 113 (medium, multiple choice)

An organization uses a qualitative risk assessment methodology. The risk matrix has impact and likelihood scales of 1-5. A risk is assessed with impact=4 and likelihood=3. What is the risk level?

Question 114 (hard, multiple choice)

A risk assessment for a cloud migration project identifies that the cloud provider does not support encryption keys managed by the customer. Which of the following risk scenarios is MOST directly related to this finding?

Question 115 (easy, multi select)

Which TWO of the following are key inputs to a risk assessment?

Question 116 (medium, multi select)

Which TWO are characteristics of inherent risk?

Question 117 (hard, multi select)

Which THREE of the following are typical components of a risk scenario?

Question 118 (medium, multiple choice)

You are the IT risk manager for a financial institution. During a routine vulnerability scan, you discover that a critical web application has a high-severity vulnerability that could allow remote code execution. The development team states that a patch is not yet available from the vendor, and the application is business-critical with no acceptable downtime. The risk owner wants to accept the risk. However, the organization's risk appetite is very low for security vulnerabilities. You have been asked to recommend a course of action. Which of the following should you recommend?

Question 119 (hard, multiple choice)

Your organization is undergoing a merger and acquisition. The IT risk assessment team is tasked with evaluating the target company's IT environment. During the assessment, you discover that the target company uses a legacy ERP system that is no longer supported by the vendor. They have no disaster recovery plan for this system, and it contains financial data critical to the merged entity. The integration timeline is aggressive, and replacing the system would delay the merger by 18 months. The executive team is reluctant to delay. What is the BEST risk treatment option?

Question 120 (easy, multiple choice)

You are the risk manager for a healthcare provider. A risk assessment identified that patient data is transmitted over unencrypted connections between clinics and the data center. The existing controls include strong network perimeter defenses. The risk is rated as high. Management is concerned about the cost of implementing encryption. You have proposed a control that encrypts data in transit. However, the network team argues that the perimeter controls are sufficient. What is the MOST appropriate response?

Question 121 (medium, multiple choice)

During an IT risk assessment for a new cloud-based customer relationship management (CRM) system, the risk practitioner identifies that the vendor's data center is located in a country with different data protection regulations. Which of the following is the MOST appropriate next step?

Question 122 (easy, multi select)

An organization is performing a business impact analysis (BIA) for its critical applications. Which TWO of the following are primary objectives of a BIA?

Question 123 (hard, multi select)

A risk practitioner is evaluating the effectiveness of existing risk mitigation controls for a critical financial application. Which THREE of the following are key indicators that controls are operating effectively?

Question 124 (easy, multiple choice)

A multinational corporation is conducting a risk assessment for its new online payment platform. The platform processes transactions in multiple currencies and stores sensitive customer financial data. The risk team has identified that the encryption algorithm used for data at rest is outdated and could be vulnerable to advanced attacks. The company's risk appetite is low for data breaches. The security team recommends upgrading the encryption to a modern standard, but the upgrade will require a 48-hour downtime impacting all global transactions. The business unit is concerned about revenue loss during the downtime. As the risk practitioner, what is the BEST course of action to balance security and business continuity?

Question 125 (medium, multiple choice)

A healthcare organization is implementing a new electronic health records (EHR) system. During the risk assessment, the risk practitioner discovers that the system's access control mechanism allows any authenticated user to view patient records without additional authorization checks. This violates the principle of least privilege and could lead to unauthorized disclosure of protected health information (PHI). The IT team proposes implementing role-based access control (RBAC), but it will require significant changes to the system configuration and user training. The project manager is concerned about delays to the go-live date. The organization has a moderate risk appetite but must comply with HIPAA regulations. Which of the following actions should the risk practitioner recommend FIRST?

Question 126 (medium, multiple choice)

A financial services company uses a legacy mainframe system for core banking transactions. The risk assessment identifies that the system does not support modern encryption standards, and data is transmitted in clear text over internal networks. The IT department has proposed implementing network segmentation and encryption at the application layer using a middleware solution. However, the cost is high and the project would take 18 months. Meanwhile, the company is planning to migrate to a new core system in two years. The risk appetite for data confidentiality is low. As the risk practitioner, what is the MOST appropriate risk response?

Question 127 (hard, multiple choice)

A large e-commerce company is assessing the risk of a distributed denial-of-service (DDoS) attack on its web applications. The company has experienced three DDoS attacks in the past year, each causing significant downtime and revenue loss. The current mitigation strategy relies on an on-premise appliance that can handle up to 10 Gbps of attack traffic. Recent industry reports indicate that DDoS attacks are growing in volume and sophistication, with some exceeding 100 Gbps. The company's risk appetite for availability is moderate. The security team has proposed migrating to a cloud-based DDoS protection service that scales to 200 Gbps, but it will increase annual operational costs by 40%. The business is concerned about the cost increase. Which of the following is the BEST risk treatment decision?

Question 128 (easy, multiple choice)

A small manufacturing company is conducting its first IT risk assessment. The company has a flat network with no segmentation, and all employees have administrative access to their workstations. The risk practitioner identifies that a malware infection on one workstation could easily spread to the entire network. The company has a limited budget for IT security improvements. Which of the following risk treatment options is MOST cost-effective and practical?

Question 129 (hard, multiple choice)

A government agency is migrating its critical applications to a public cloud infrastructure. The risk assessment reveals that the cloud provider uses shared tenancy, and the agency's sensitive data will be stored alongside other customers' data. The agency has a very low risk appetite for data leakage and must comply with strict data sovereignty laws. The cloud provider offers data encryption at rest and in transit, as well as dedicated hardware security modules (HSMs) for key management. However, the provider's physical datacenters are located in another country with different legal frameworks. As the risk practitioner, which of the following should be the PRIMARY risk response?

Question 130 (medium, multiple choice)

A university is implementing a new online learning management system (LMS) that will store student records, grades, and personal information. During the risk assessment, the IT team identifies that the LMS vendor's default configuration allows students to see each other's email addresses in the class roster. This could lead to privacy violations under FERPA regulations. The vendor states that this feature can be disabled in the settings but doing so will require manual configuration for each course. The university has a moderate risk appetite and wants to launch the system within two weeks. Which of the following is the MOST appropriate risk response?
