
Certified in Risk and Information Systems Control CRISC practice test

Practise questions on cloud computing concepts covering service models, deployment types, and essential characteristics for the CRISC exam.

500 practice questions · 4 topics covered · Exam code: CRISC · Vendor: ISACA

Study modes

Three ways to study

Start with the Study Sheet to learn the material, switch to Practice Tests for active recall, then take a Mock Exam to simulate the real thing.

Study Sheet

All 500 questions with correct answers and explanations already visible. Read at your own pace — no time pressure.


Practice Test

Answer first, then see feedback and explanation. Tracks your score per session. Best for active recall and identifying weak areas.

Mock Exam

Full timed simulation with countdown. Answers hidden until the end. Includes all question types just like the real exam.


Study Sheet

All 500 CRISC questions with answers

Every question in the bank, paginated 75 per page. Correct answers and full explanations are revealed upfront — ideal for first-pass learning and pre-exam review.

7 pages · 75 questions per page · 500 total

Domain practice

Study CRISC by domain

Each domain has its own study sheet and practice test. Target the areas where you're weakest instead of repeating questions you already know.


Related practice questions

Study CRISC by topic

Topic pages go deep on individual concepts — each one covers a specific exam topic with questions, explanations, and study notes.

Courseiva uses original exam-style practice questions created for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Sample questions

Certified in Risk and Information Systems Control CRISC practice questions


Match each risk response strategy to its definition.

Matches

Eliminate the activity that causes the risk

Reduce the likelihood or impact of the risk

Shift the risk to a third party, e.g., insurance

Acknowledge the risk and take no further action

Match each information security objective to its description.

Matches

Data is accessible only to authorized parties

Data is accurate and complete

Data is accessible when needed

Actions can be traced to individuals

A healthcare organization is migrating its electronic health records (EHR) system to a public cloud. The risk manager identifies several risks. Which TWO of the following are the MOST significant risks related to data privacy and regulatory compliance?

Question 4 · medium · multiple choice

You are the IT risk manager at a multinational corporation that recently migrated its customer database to a cloud-based platform. The database contains personally identifiable information (PII) subject to GDPR. During a routine vulnerability scan, you discover that the database is accessible from the internet without encryption (port 1433 open). The cloud provider's shared responsibility model indicates that securing the database configuration is the customer's responsibility. You have identified the risk as high likelihood and high impact. The business owner argues that the database is only accessible to a limited IP range and that encryption would degrade performance. Which course of action should you recommend to treat the risk?

Question 5 · hard · multiple choice

A multinational corporation is expanding its cloud infrastructure to include a new SaaS application that stores sensitive customer data. The vendor claims compliance with SOC 2 Type II and ISO 27001. The risk manager must determine if the remaining residual risk after vendor controls is within the company's risk appetite. Which of the following is the MOST critical next step?

An organization is implementing a new identity and access management (IAM) system. The risk manager is tasked with identifying risks associated with the migration from legacy authentication to single sign-on (SSO). Which of the following is the GREATEST risk during this migration?

Which THREE of the following are key components of an IT risk assessment report as per ISACA guidelines?

You are the IT risk manager for a mid-sized e-commerce company that processes over 10,000 transactions per day. The company recently migrated its customer database from an on-premises SQL Server to a cloud-based PostgreSQL instance on AWS RDS. The database contains personally identifiable information (PII) including names, addresses, and credit card numbers (stored as encrypted tokens). The migration was performed by the DevOps team with minimal involvement from the security team. Two weeks after the migration, the company experienced a data breach where an attacker exfiltrated a subset of customer records. The forensic investigation revealed that the attacker exploited a misconfigured security group that allowed inbound traffic from the internet on port 5432 (PostgreSQL default port). Additionally, the database had a publicly accessible endpoint, and the master user password was weak (eight characters, no special characters). The attacker used a brute-force attack to guess the password. The security group has since been corrected, and the password has been changed to a strong one. The breach notification laws require reporting within 72 hours. The CEO wants to understand the root cause and prevent recurrence. As the risk manager, which of the following actions should you recommend as the MOST effective to prevent a similar incident?

A financial institution uses a third-party cloud service for data analytics. The service has access to non-public personal information (NPI). During a risk assessment, the risk manager discovers that the cloud provider uses subprocessors without notifying the institution. The contract does not require notification of subprocessor changes. What should the risk manager do FIRST?

After implementing a new web application, the risk owner reports that the residual risk level is still above the risk appetite. Which of the following should be the risk practitioner's FIRST action?

During a review, a risk practitioner discovers that a key control for a high-risk process is not operating effectively. The risk owner is reluctant to invest in additional controls due to budget constraints. What should the risk practitioner do FIRST?

A company has implemented a risk mitigation plan that includes technical controls. However, six months later, the residual risk is still higher than expected. The risk practitioner suspects that the controls are not being followed. Which of the following is the BEST approach to verify this?

Order the steps for implementing a risk treatment plan.


Arrange the steps for performing a risk assessment in the correct order.


Order the steps for incident response handling.


Put the steps for developing an information security policy in order.


Sequence the steps for implementing a new control based on risk assessment findings.


Arrange the steps for performing a vulnerability assessment.


Order the steps for change management in an IT environment.


Question 20 · medium · multiple choice

During a risk assessment, an organization identifies that its primary data center is located in a flood-prone area. Which risk treatment option would best address this risk?

An organization uses a quantitative risk analysis method. The annualized rate of occurrence (ARO) for a specific threat is 0.5, and the single loss expectancy (SLE) is $200,000. What is the annualized loss expectancy (ALE)?

During a control monitoring review, the auditor finds that a control designed to detect unauthorized access has not triggered any alerts in six months. What should the risk practitioner do first?

Which TWO of the following are appropriate actions when a control deficiency is identified during monitoring? (Select exactly two.)

An organization has a risk indicator that shows the number of failed login attempts per day. The threshold is 100. Last week, the number spiked to 200 on two days. What does this indicate?


Exam question guide

How to use these CRISC questions

Use these questions as active recall, not passive reading. Try the question first, review the answer choices, then open the explanation and connect the result back to the exam topic.

Quick answer

Tests understanding of cloud service models, deployment types, and characteristics like scalability and elasticity.

IaaS, PaaS, SaaS service model definitions and use cases

Public, private, hybrid cloud deployment distinctions

Key cloud characteristics: on-demand, broad network access

Metered usage and resource pooling concepts

These CRISC practice questions are part of Courseiva's free ISACA certification practice question bank. Courseiva provides original exam-style CRISC questions with detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics.