Courseiva
Free IT certification practice questions with explained answers for CCNA, CompTIA, AWS, Azure, Google Cloud, and more.
© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

CRISC Risk Response and Mitigation • Complete Question Bank

CRISC Risk Response and Mitigation — All Questions With Answers

Complete CRISC Risk Response and Mitigation question bank — all 0 questions with answers and detailed explanations.

71 Questions • Free • No signup
Question 1 • medium • multiple choice

After implementing a new web application, the risk owner reports that the residual risk level is still above the risk appetite. Which of the following should be the risk practitioner's FIRST action?

Question 2 • hard • multiple choice

A multinational organization is implementing a risk mitigation strategy for a critical system. The business impact analysis shows that downtime costs are extremely high. Which risk response strategy is MOST appropriate for this scenario?

Question 3 • easy • multiple choice

An organization decides to outsource its data center operations to a third party. This is an example of which risk response?

Question 4 • medium • multiple choice

During a review, a risk practitioner discovers that a key control for a high-risk process is not operating effectively. The risk owner is reluctant to invest in additional controls due to budget constraints. What should the risk practitioner do FIRST?

Question 5 • hard • multiple choice

A company has implemented a risk mitigation plan that includes technical controls. However, six months later, the residual risk is still higher than expected. The risk practitioner suspects that the controls are not being followed. Which of the following is the BEST approach to verify this?

Question 6 • medium • multi select

Which TWO of the following are effective risk mitigation strategies for reducing the likelihood of a ransomware attack?

Question 7 • hard • multi select

Which THREE of the following are key components of an effective risk treatment plan?

Question 8 • easy • multiple choice

Refer to the exhibit. A risk practitioner is reviewing the access control list for a critical server. The ACL is applied inbound on the interface connecting to the internet. Which of the following is the MOST significant risk?

Exhibit

```
Access List: ACL-01
10 deny ip host 10.1.1.10 any
20 permit tcp 10.1.1.0 0.0.0.255 any eq 443
30 permit udp 10.1.1.0 0.0.0.255 any eq 53
40 deny ip any any
```

Question 9 • hard • multiple choice

You are a risk practitioner at a financial institution that is migrating its core banking system to a cloud provider. The migration plan includes a phased approach, with the first phase moving non-critical applications. However, during the second phase (moving customer-facing applications), the cloud provider experiences a major outage that lasts 6 hours. The outage was caused by a misconfiguration in the provider's network. The institution had conducted a risk assessment and identified cloud provider downtime as a risk, but the treatment plan only included a service level agreement (SLA) with financial penalties. The SLA does not cover the reputational damage and loss of customer trust. The risk register shows that the residual risk level was marked as 'low' before the incident. After the incident, senior management is demanding a review. Which of the following is the MOST appropriate action for the risk practitioner to take?

Question 10 • medium • multi select

A risk assessment for a financial trading platform has identified a high-risk vulnerability in the order matching engine. The risk owner has recommended implementing compensating controls rather than fixing the underlying code. Which TWO of the following are valid compensating controls? (Choose two.)

Question 11 • hard • multiple choice

Based on the risk register exhibit, which of the following is the MOST appropriate risk response for R-0042?

Exhibit

Refer to the exhibit.

```
[Risk Register Excerpt]
Risk ID: R-0042
Risk Description: Unauthorized access to customer PII due to weak database encryption
Inherent Risk Score: 16 (Likelihood: 4, Impact: 4)
Control: AES-256 encryption at rest (implemented)
Residual Risk Score: 8 (Likelihood: 2, Impact: 4)
Risk Appetite Threshold: 10
```

Question 12 • easy • multiple choice

A global manufacturing company is implementing a new ERP system across multiple regions. The project manager has identified a risk that data migration from legacy systems may cause data corruption, leading to production delays. The risk owner proposes conducting a full data reconciliation after migration. However, the IT director argues that this would be too time-consuming and suggests only sampling data for verification. The risk manager must decide on the risk response. The project timeline is tight, and the company has a low tolerance for data integrity issues. Which of the following is the BEST course of action?

Question 13 • medium • drag order

Order the steps for implementing a risk treatment plan.

Question 14 • medium • drag order

Sequence the steps for implementing a new control based on risk assessment findings.

Question 15 • medium • drag order

Put the steps for performing a control self-assessment (CSA) in order.

Question 16 • medium • matching

Match each risk response strategy to its definition.

Eliminate the activity that causes the risk

Reduce the likelihood or impact of the risk

Shift the risk to a third party, e.g., insurance

Acknowledge the risk and take no further action

Question 17 • medium • matching

Match each risk management term to its definition.

Risk level before controls are applied

Risk level after controls are applied

Amount of risk the organization is willing to accept

Acceptable deviation from risk appetite

Question 18 • medium • matching

Match each risk management process step to its activity.

Find and list potential risks

Determine likelihood and impact

Compare risk levels to risk criteria

Select and implement controls

Question 19 • easy • multiple choice

A company has identified a critical vulnerability in a legacy application that cannot be patched immediately. The application is used by a small number of users and supports a non-critical business process. Which of the following is the MOST appropriate risk response strategy?

Question 20 • easy • multiple choice

During a risk assessment, the risk owner identifies that the residual risk level is higher than the risk appetite. Which of the following actions should the risk owner take FIRST?

Question 21 • medium • multiple choice

An organization's security team recommends implementing a web application firewall (WAF) to protect against SQL injection attacks. The risk manager evaluates the cost of the WAF and the likelihood of a successful attack. This evaluation is BEST described as:

Question 22 • hard • multiple choice

A company is implementing a new cloud-based customer relationship management (CRM) system. The risk manager has identified that the vendor's security controls may not meet the company's requirements. Which of the following is the BEST way to address this risk?

Question 23 • easy • multiple choice

A risk assessment reveals that a data center is located in a flood-prone area. The organization decides to build a secondary data center in a different region and replicate critical data between both sites. This is an example of which risk response?

Question 24 • medium • multiple choice

After implementing a set of controls, the risk owner calculates the residual risk and finds it is still above the risk tolerance. However, the cost to further reduce the risk exceeds the potential loss. What is the MOST appropriate next step?

Question 25 • hard • multiple choice

An organization is considering outsourcing its IT support to a third-party provider. The risk manager has identified that the provider's data handling practices may not comply with regulatory requirements. Which of the following is the BEST risk response strategy?

Question 26 • medium • multiple choice

A bank implements a new transaction monitoring system to detect fraudulent activities. After six months, the system has a high false positive rate, causing analysts to miss real threats. Which of the following is the BEST way to address this risk?

Question 27 • hard • multiple choice

A multinational corporation is evaluating a new vendor for cloud services. The vendor's data centers are located in a country with weak data protection laws. The corporation's data includes personal information of EU citizens subject to GDPR. What is the MOST appropriate risk response?

Question 28 • easy • multi select

Which TWO of the following are examples of risk mitigation controls?

Question 29 • medium • multi select

Which THREE of the following are key considerations when selecting a risk response option?

Question 30 • hard • multi select

Which TWO of the following are valid reasons to accept a risk rather than mitigate it?

Question 31 • easy • multiple choice

Refer to the exhibit. Which of the following is the MOST critical risk that should be addressed first?

Exhibit

Exhibit: Results from a vulnerability scan

```
Vulnerability Scan Report - 2024-01-15
Target: 192.168.1.0/24

Host: 192.168.1.10
  Port 22/tcp: SSH protocol version 1.0 (critical)
  Port 80/tcp: Apache HTTP Server 2.2.3 (high)
  Port 443/tcp: OpenSSL 0.9.8 (high)

Host: 192.168.1.20
  Port 3389/tcp: RDP with weak encryption (medium)
  Port 445/tcp: SMB signing not required (medium)
```

Question 32 • medium • multiple choice

Refer to the exhibit. An organization uses this firewall access list. What is the MOST significant risk associated with this configuration?

Exhibit

Exhibit: Firewall rule configuration

```
access-list 100 permit tcp any any eq 80
access-list 100 permit tcp any any eq 443
access-list 100 permit tcp 10.0.0.0 0.255.255.255 any eq 22
access-list 100 deny ip any any
```

Question 33 • hard • multiple choice

Refer to the exhibit. Which type of attack is MOST likely indicated by these log entries?

Exhibit

Exhibit: Error log from a web application

```
2024-07-22 14:23:45 ERROR: org.hibernate.exception.ConstraintViolationException: could not execute statement
2024-07-22 14:23:45 ERROR: java.sql.SQLException: Duplicate entry 'admin' for key 'username'
2024-07-22 14:23:46 INFO: User 'admin' login successful
```

Question 34 • easy • multiple choice

A security team identifies a critical vulnerability in a web application that cannot be patched immediately. They deploy a web application firewall (WAF) to block exploitation attempts. This is an example of:

Question 35 • easy • multiple choice

An organization purchases cyber insurance to cover potential losses from data breaches. This is an example of:

Question 36 • easy • multiple choice

After a risk assessment, a company decides to stop using a third-party service that has high residual risk. This is an example of:

Question 37 • medium • multiple choice

During a post-mortem of a security incident, the risk manager notes that the response team failed to execute the incident response plan correctly because the plan was outdated. Which of the following is the BEST corrective action?

Question 38 • medium • multiple choice

A risk assessment reveals that a legacy system has a high likelihood of failure. The system is critical and cannot be replaced immediately. The company decides to implement manual overrides and additional monitoring. This is an example of:

Question 39 • medium • multiple choice

An organization has a policy requiring all sensitive data to be encrypted at rest. During an audit, it is found that encryption keys are stored in plaintext on the same server. Which risk response is MOST appropriate?

Question 40 • hard • multiple choice

A company faces a risk of data loss due to untrained staff. They implement mandatory training and quarterly phishing simulations. This is:

Question 41 • hard • multiple choice

A risk assessment identifies that a legacy system has a high risk of failure with no available vendor support. The organization decides to decommission the system and migrate to a modern platform. This is:

Question 42 • hard • multiple choice

After implementing multiple controls, the residual risk for a new product launch is still slightly above the risk appetite. The risk manager decides to proceed with the launch and monitor the risks regularly. This is:

Question 43 • medium • multi select

Which TWO of the following are examples of risk transfer? (Select TWO.)

Question 44 • medium • multi select

Which TWO of the following are examples of risk avoidance? (Select TWO.)

Question 45 • easy • multi select

Which THREE of the following are examples of risk mitigation controls? (Select THREE.)

Question 46 • easy • multiple choice

Based on the exhibit, what is the primary risk response strategy demonstrated by this firewall rule?

Exhibit

Refer to the exhibit.

Exhibit: Firewall policy excerpt

```
access-list 100 deny ip 203.0.113.0 0.0.0.255 any
deny ip 198.51.100.0 0.0.0.255 any
permit ip any any
```

Question 47 • medium • multiple choice

Based on the exhibit, which risk response should be prioritized?

Exhibit

Refer to the exhibit.

Exhibit: SIEM alert log

```
Time: 2025-03-20 14:23:45
Source IP: 10.0.1.50
Destination: server1.company.local (192.168.1.10)
Event: Multiple failed logins (15 attempts in 30 seconds)
Current state: No account lockout policy enabled.
```

Question 48 • hard • multiple choice

Based on the exhibit, which risk is most likely present and what is the most appropriate risk response?

Exhibit

Refer to the exhibit.

Exhibit: AWS S3 bucket policy

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*"
    }
  ]
}
```

Question 49 • medium • multiple choice

A global company uses a critical third-party vendor for data processing. The inherent risk is high, but the vendor has implemented robust controls. However, due to recent geopolitical instability, the vendor's physical location is at risk. The risk owner recommends purchasing a business continuity insurance policy. Which risk response is being applied?

Question 50 • easy • multiple choice

A new privacy regulation requires that all personal data be encrypted at rest. The current systems lack encryption. The cost to implement encryption is moderate, and the risk of non-compliance is high. Which risk response is most appropriate?

Question 51 • hard • multiple choice

After implementing security controls, a risk assessment shows a residual risk of data exfiltration with a probability of 5% and potential loss of $10 million. The organization's risk appetite allows a maximum acceptable risk level of 3% probability for such impact. The cost of further mitigation is $1 million. What is the best risk response?

Question 52 • medium • multiple choice

An employee with access to sensitive financial data has been observed accessing systems outside of normal working hours and exhibiting erratic behavior. The IT risk manager suspects insider threat. What is the most appropriate risk response?

Question 53 • easy • multiple choice

A recent security assessment identified that a critical web application is vulnerable to SQL injection due to unpatched software. The vendor has released a security patch. Which risk response is most appropriate?

Question 54 • hard • multiple choice

An organization uses a legacy system that cannot be patched because the vendor is defunct. The system supports a core business function. The risk assessment shows a high likelihood of exploitation and high impact. The board has decided to keep the system operational due to its criticality. Which risk response should the risk manager recommend?

Question 55 • medium • multiple choice

A risk assessment reveals that the cost of implementing a control ($500k) exceeds the annualized loss expectancy (ALE) of $300k. The risk is currently within the organization's risk appetite. What is the appropriate risk response?

Question 56 • easy • multiple choice

For a risk with very low likelihood and low impact, what is the typical risk response?

Question 57 • hard • multiple choice

A third-party vendor's security assessment reveals multiple high-risk findings related to data handling. The vendor is unwilling to remediate, citing cost. The vendor contract includes a clause that requires adherence to security standards. The organization's risk appetite for third-party risk is low. What is the most appropriate risk response?

Question 58 • medium • multi select

A company has a critical production system with a known vulnerability. Due to the system's age, the vendor no longer supports it. The company decides to implement network segmentation and purchase cyber insurance to cover potential losses. Which TWO risk response options are they applying?

Question 59 • hard • multi select

An organization assesses a risk of intellectual property theft through email exfiltration. They decide to enforce DLP controls, purchase a cyber liability policy, and officially accept the residual risk after controls. Which THREE risk response options are demonstrated?

Question 60 • hard • multi select

A risk assessment identifies a high likelihood of a data breach due to insecure APIs. The risk team proposes disabling the APIs until they are secured, implementing a WAF, and purchasing breach insurance. Which THREE risk response options are being considered?

Question 61 • medium • multiple choice

Refer to the exhibit. Based on the risk register, which risk response is applied to the risk with the highest inherent risk?

Exhibit

| Risk ID | Inherent Risk | Controls | Residual Risk | Response |
|---|---|---|---|---|
| Risk-001 | High | Firewall, IDS | Medium | Transfer |
| Risk-002 | Medium | Encryption | Low | Accept |
| Risk-003 | Critical | None | Critical | Mitigate |

Question 62 • medium • multiple choice

Refer to the exhibit. A risk manager reviews the vulnerability scan output. According to the policy, what is the required risk response?

Exhibit

```
Vulnerability ID: VULN-001
Severity: Critical
CVSS: 9.8
Port: 443
Service: HTTPS
Status: Open

Policy: All vulnerabilities with CVSS >= 9.0 must be remediated within 7 days.
```

Question 63 • hard • multiple choice

GlobalTech Inc., a multinational corporation, is planning to migrate its customer data to a new cloud platform. The migration involves transferring sensitive personally identifiable information (PII) from an on-premises database to a cloud-based CRM. The risk manager conducted a risk assessment and identified several risks, including unauthorized access during transit and residual data exposure due to misconfiguration. Mitigation controls include encryption in transit, encryption at rest, and strict access controls. The residual risk after mitigation is assessed as medium. The risk appetite statement defines that 'No data breach incidents resulting in regulatory fines exceeding $1 million are acceptable.' The estimated potential fine from a breach is $5 million with a likelihood of 2% after controls. The cost of additional controls to reduce likelihood to 0.5% is $500,000. The migrating team proposes to purchase cyber insurance with a $3 million coverage for $200,000 annual premium. The board of directors prefers to accept the residual risk to avoid additional costs. What should the risk manager do?

Question 64 • medium • multi select

Which THREE of the following are key components of an effective risk response plan?

Question 65 • easy • multiple choice

A small e-commerce company has identified a high-risk vulnerability in its payment processing system that could expose customer credit card data. The IT team recommends immediately patching the system, but the patch requires a 4-hour downtime during peak sales hours. The risk manager proposes accepting the risk until the next scheduled maintenance window in two weeks. The CEO is concerned about potential fines from PCI DSS non-compliance. What is the BEST course of action?

Question 66 • medium • multiple choice

A multinational corporation has adopted a risk mitigation strategy for its key suppliers by requiring them to maintain ISO 27001 certification. During an audit, the risk manager discovers that one critical supplier lost its certification six months ago but did not report it, as contractually required. The supplier still has adequate security controls in place, and the relationship is strategically important. The CEO wants to avoid contract termination. What is the MOST appropriate risk response?

Question 67 • hard • multiple choice

A financial institution is implementing a new online banking platform. The risk assessment identified that the platform will handle sensitive customer data and must comply with GDPR and local banking regulations. The project team proposes encrypting all data at rest and in transit, implementing multi-factor authentication (MFA), and conducting quarterly penetration tests. However, the risk owner is concerned about the residual risk of a sophisticated phishing attack that could bypass MFA. The board has a low risk appetite. What is the BEST way to address this residual risk?

Question 68 • hard • multiple choice

A healthcare organization is migrating its electronic health records (EHR) system to a cloud provider. The risk assessment shows that the cloud provider has strong security certifications (e.g., SOC 2 Type II, ISO 27001). However, the organization's legal team is concerned about data sovereignty laws that require patient data to remain within the country. The cloud provider's data centers are located in three regions: one in-country, and two outside. The project manager proposes using only the in-country data center. The IT director warns that this will increase latency and reduce redundancy. The risk manager must propose a response. Which is the BEST option?

Question 69 • easy • multi select

A risk practitioner is reviewing the organization's risk response strategies for a high-value asset. Which TWO of the following are examples of risk mitigation techniques? (Choose two.)

Question 70 • hard • multiple choice

Refer to the exhibit. Given the organization's risk appetite is Low, which risk response is most appropriate?

Exhibit

```
Risk Register Excerpt:
Asset: Customer Database
Inherent Risk (Likelihood: High, Impact: High) => High
Control Set: Access controls (effective), Encryption (effective), Intrusion Detection (moderate)
Current Residual Risk: Medium
Mitigation Options:
A. Implement additional monitoring (cost: $50k, reduces residual to Low)
B. Accept the residual risk (cost: $0)
C. Transfer via cyber insurance (premium: $30k)
D. Avoid by discontinuing database operations (cost: $2M)
```

What is the most appropriate risk response given the current residual risk is Medium and the organization's risk appetite is Low?

Question 71 • medium • multiple choice

A multinational corporation has recently experienced a significant increase in phishing attacks targeting its employees. The attacks have caused several data breaches, resulting in regulatory fines and reputational damage. The organization has implemented security awareness training for all employees, but the number of successful attacks remains high. Additionally, the organization's risk appetite for cybersecurity incidents is Low. The CRO has asked you to recommend a risk response. You have the following options:

A. Accept the risk because the training has reduced the likelihood, and further controls are too expensive.
B. Transfer the risk by outsourcing all email and security operations to a managed security service provider (MSSP).
C. Implement technical controls such as advanced email filtering and multi-factor authentication (MFA) to reduce the likelihood and impact of phishing attacks.
D. Avoid the risk by discontinuing the use of email for business communications.

Which course of action is most appropriate given the organization's risk appetite and the current situation?
