Sample questions
Certified in Risk and Information Systems Control (CRISC) practice questions
Match each risk response strategy to its definition.
- Avoid: Eliminate the activity that causes the risk
- Mitigate: Reduce the likelihood or impact of the risk
- Transfer (share): Shift the risk to a third party, e.g., insurance
- Accept: Acknowledge the risk and take no further action beyond monitoring it
Match each information security objective to its description.
- Confidentiality: Data is accessible only to authorized parties
- Integrity: Data is accurate and complete
- Availability: Data is accessible when needed
- Accountability: Actions can be traced to individuals
A healthcare organization is migrating its electronic health records (EHR) system to a public cloud. The risk manager identifies several risks. Which TWO of the following are the MOST significant risks related to data privacy and regulatory compliance?
- A
Potential for service downtime affecting patient care.
Why wrong: Downtime is an availability risk, not specifically privacy/compliance.
- B
Data residency and jurisdiction issues.
Data may be stored in countries with inadequate privacy laws.
- C
Loss of control over the cloud provider's internal access controls.
Why wrong: Loss of control is a general risk but not the most significant for privacy.
- D
Insufficient encryption of data at rest and in transit.
Inadequate encryption directly risks data confidentiality and compliance.
- E
Vendor lock-in due to proprietary APIs.
Why wrong: Vendor lock-in is a business risk, not primarily privacy/compliance.
You are the IT risk manager at a multinational corporation that recently migrated its customer database to a cloud-based platform. The database contains personally identifiable information (PII) subject to GDPR. During a routine vulnerability scan, you discover that the database is accessible from the internet without encryption (port 1433 open). The cloud provider's shared responsibility model indicates that securing the database configuration is the customer's responsibility. You have identified the risk as high likelihood and high impact. The business owner argues that the database is only accessible to a limited IP range and that encryption would degrade performance. Which course of action should you recommend to treat the risk?
- A
Transfer the risk by purchasing cyber insurance
Why wrong: Insurance does not prevent data exposure or GDPR fines.
- B
Close the port to the internet or implement a VPN, and enforce encryption
Mitigation that removes both findings, the internet exposure and the plaintext channel, and supports GDPR's requirement for appropriate technical measures. The performance cost of TLS is an objection to evaluate, not a reason to leave PII exposed.
- C
Accept the risk because the IP restriction reduces likelihood
Why wrong: An IP allow-list does not address the unencrypted channel, and a risk rated high likelihood and high impact to PII is outside any reasonable appetite; acceptance is not appropriate.
- D
Implement a web application firewall (WAF) to monitor traffic
Why wrong: A WAF inspects HTTP traffic to web applications; it neither closes port 1433 nor encrypts the SQL Server connection.
A multinational corporation is expanding its cloud infrastructure to include a new SaaS application that stores sensitive customer data. The vendor claims compliance with SOC 2 Type II and ISO 27001. The risk manager must determine if the remaining residual risk after vendor controls is within the company's risk appetite. Which of the following is the MOST critical next step?
- A
Request the vendor's latest risk assessment report.
Why wrong: The vendor's risk assessment may not address the company's specific context.
- B
Conduct a data classification and legal review to identify applicable regulatory obligations.
Residual risk can only be compared with appetite once the data's classification and the obligations that attach to it are known; that is what determines whether the vendor's certified controls are sufficient or additional controls are needed.
- C
Perform a pilot deployment and monitor for security incidents.
Why wrong: A pilot does not assess regulatory compliance before full deployment.
- D
Accept the vendor's certifications as sufficient evidence of control effectiveness.
Why wrong: Certifications may not cover all specific regulatory requirements.
An organization is implementing a new identity and access management (IAM) system. The risk manager is tasked with identifying risks associated with the migration from legacy authentication to single sign-on (SSO). Which of the following is the GREATEST risk during this migration?
- A
Users may reuse strong passwords across multiple systems.
Why wrong: Password reuse is a risk but not the greatest during migration.
- B
Users may experience increased convenience, leading to reduced security awareness.
Why wrong: Convenience is not a direct risk; it is a benefit.
- C
Legacy authentication accounts may remain active, creating orphan accounts.
Orphan accounts are a high-risk security issue if not disabled.
- D
Help desk call volumes may increase due to SSO authentication failures.
Why wrong: SSO typically reduces help desk calls.
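One concrete check behind option C, added here as an example and not code from the original page: reconcile the legacy authentication store against the SSO directory after cutover. It assumes two constructed exports (legacy: user, status, date of last legacy login; SSO: user, status) and an assumed cutover date. After cutover every active legacy account is an orphan; the check ranks them so that credentials still being used, or belonging to people already deprovisioned in SSO, are disabled first.

```python
"""Orphan-account reconciliation after a cutover from legacy authentication to SSO.

Added example, not from the original page. Inputs are constructed exports:
the legacy authentication store (user, status, date of last legacy login)
and the SSO directory (user, status); the cutover date is an assumption.
"""
from datetime import date

CUTOVER = date(2024, 4, 1)   # assumed SSO go-live date

# Severity order: a credential that is still being used, or that outlives an
# offboarding, matters more than a dormant one.
PRIORITY = {"deprovisioned_in_sso": 1, "legacy_still_used": 2, "not_in_sso": 3, "dormant": 4}


def classify(acct, sso_acct, cutover):
    """Label one active legacy account against its SSO counterpart (or None)."""
    if sso_acct is not None and sso_acct["status"] == "disabled":
        return "deprovisioned_in_sso"   # leaver: the legacy password still works
    if acct["last_legacy_login"] and acct["last_legacy_login"] >= cutover:
        return "legacy_still_used"      # bypasses SSO policy (MFA, conditional access)
    if sso_acct is None:
        return "not_in_sso"             # never migrated; owner unknown
    return "dormant"                    # migrated, unused, still enabled


def find_orphans(legacy, sso, cutover=CUTOVER):
    """Return [(user, label)] for every legacy account still active after
    cutover, most urgent first."""
    sso_by_user = {u["user"]: u for u in sso}
    orphans = [(a["user"], classify(a, sso_by_user.get(a["user"]), cutover))
               for a in legacy if a["status"] == "active"]
    return sorted(orphans, key=lambda o: (PRIORITY[o[1]], o[0]))


# Constructed exports.
LEGACY = [
    {"user": "alice", "status": "active", "last_legacy_login": date(2024, 3, 20)},
    {"user": "bob", "status": "active", "last_legacy_login": date(2024, 4, 15)},
    {"user": "carol", "status": "active", "last_legacy_login": date(2024, 2, 2)},
    {"user": "dave", "status": "active", "last_legacy_login": None},
    {"user": "erin", "status": "disabled", "last_legacy_login": date(2023, 12, 1)},
]
SSO = [
    {"user": "alice", "status": "active"},
    {"user": "bob", "status": "active"},
    {"user": "carol", "status": "disabled"},
]

if __name__ == "__main__":
    for user, label in find_orphans(LEGACY, SSO):
        print(f"{label:22} {user}")
```

Run it against the real exports on a schedule until the legacy store is decommissioned; a non-empty result after cutover is the KRI for this migration risk.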
Which THREE of the following are key components of an IT risk assessment report as per ISACA guidelines?
- A
Detailed results of control testing
Why wrong: Control testing results are part of control assessments.
- B
Cost-benefit analysis of risk responses
Why wrong: Cost-benefit analysis is performed during risk response selection.
- C
Identified risk scenarios and their risk levels
Risk scenarios and levels are core to the assessment report.
- D
Residual risk after implementing controls
Residual risk is a key output.
- E
Recommended risk response options
Recommendations are part of the report.
You are the IT risk manager for a mid-sized e-commerce company that processes over 10,000 transactions per day. The company recently migrated its customer database from an on-premises SQL Server to a cloud-based PostgreSQL instance on AWS RDS. The database contains personally identifiable information (PII) including names, addresses, and credit card numbers (stored as encrypted tokens). The migration was performed by the DevOps team with minimal involvement from the security team. Two weeks after the migration, the company experienced a data breach where an attacker exfiltrated a subset of customer records. The forensic investigation revealed that the attacker exploited a misconfigured security group that allowed inbound traffic from the internet on port 5432 (PostgreSQL default port). Additionally, the database had a publicly accessible endpoint, and the master user password was weak (eight characters, no special characters). The attacker used a brute-force attack to guess the password. The security group has since been corrected, and the password has been changed to a strong one. The breach notification laws require reporting within 72 hours. The CEO wants to understand the root cause and prevent recurrence. As the risk manager, which of the following actions should you recommend as the MOST effective to prevent a similar incident?
- A
Implement infrastructure-as-code (IaC) security scanning and policy enforcement in the CI/CD pipeline to prevent insecure configurations.
A policy gate in the pipeline blocks a world-open security group, a public endpoint or a weak master password before the change reaches production; it addresses the root cause, a change shipped without a security check, rather than detecting the consequences afterwards.
- B
Deploy an intrusion detection system (IDS) to monitor database traffic for brute-force attempts.
Why wrong: IDS detects but does not prevent the misconfiguration or weak password.
- C
Hire a dedicated database administrator to review all database configurations weekly.
Why wrong: Weekly reviews are manual and may not catch misconfigurations in time.
- D
Conduct quarterly security audits of cloud infrastructure configurations.
Why wrong: Quarterly audits are too infrequent to prevent incidents.
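The two cloud-database scenarios above (the SQL Server instance reachable on port 1433 and the RDS PostgreSQL instance behind a world-open security group) share a root cause: a configuration change reached production without anyone checking it. The following is an added example, not code from the original page, of the kind of policy gate option A describes. It reads a simplified JSON description of Terraform resources (a constructed stand-in; the real `terraform show -json` output is richer) and fails the pipeline on exactly the findings from the scenario: a security group admitting the internet on a database port, a publicly accessible RDS endpoint, unencrypted storage, a weak hard-coded master password, and a parameter group that does not force TLS. Resource and attribute names follow the AWS Terraform provider; the password bar and the JSON shape are assumptions.

```python
"""Policy-as-code gate for database exposure in infrastructure-as-code.

Added example, not part of the original page. Input is a simplified,
constructed representation of Terraform resources (the real plan JSON
schema is richer). Exit status is non-zero when any finding is raised, so a
CI job can block the apply step.
"""
import ipaddress
import json
import re
import sys

DB_PORTS = {1433: "SQL Server", 3306: "MySQL", 5432: "PostgreSQL"}
PRIVATE_V4 = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PRIVATE_V6 = ipaddress.ip_network("fc00::/7")


def cidr_is_internet(cidr):
    """True unless the CIDR lies entirely inside RFC 1918 / ULA space.
    Checked explicitly instead of ipaddress.is_private, which treats the
    0.0.0.0/0 catch-all inconsistently across Python versions."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version == 6:
        return not net.subnet_of(PRIVATE_V6)
    return not any(net.subnet_of(p) for p in PRIVATE_V4)


def password_is_weak(pw):
    """Assumed bar for a master password exposed to online guessing:
    16+ characters from at least three character classes."""
    classes = sum(bool(re.search(p, pw)) for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    return len(pw) < 16 or classes < 3


def check_security_group(name, attrs):
    findings = []
    for rule in attrs.get("ingress", []):
        lo, hi = int(rule["from_port"]), int(rule["to_port"])
        if str(rule.get("protocol", "tcp")) == "-1":   # "-1" means all protocols and ports
            lo, hi = 0, 65535
        exposed = [DB_PORTS[p] for p in DB_PORTS if lo <= p <= hi]
        if not exposed:
            continue
        for cidr in rule.get("cidr_blocks", []) + rule.get("ipv6_cidr_blocks", []):
            if cidr_is_internet(cidr):
                findings.append(f"{name}: {', '.join(exposed)} port open to {cidr}; "
                                "restrict to the application subnet or a VPN")
    return findings


def check_db_instance(name, attrs):
    findings = []
    if attrs.get("publicly_accessible"):
        findings.append(f"{name}: publicly_accessible must be false")
    if not attrs.get("storage_encrypted"):
        findings.append(f"{name}: storage_encrypted must be true")
    pw = attrs.get("password")
    if pw is not None and password_is_weak(pw):
        findings.append(f"{name}: hard-coded master password is weak; generate it and keep it in a secrets manager")
    return findings


def check_parameter_group(name, attrs):
    params = {p["name"]: str(p["value"]) for p in attrs.get("parameter", [])}
    if params.get("rds.force_ssl") != "1":
        return [f"{name}: rds.force_ssl must be 1 so clients cannot connect unencrypted"]
    return []


CHECKS = {"aws_security_group": check_security_group,
          "aws_db_instance": check_db_instance,
          "aws_db_parameter_group": check_parameter_group}


def evaluate(plan):
    """Run every applicable check; returns the list of findings (empty = pass)."""
    findings = []
    for res in plan["resources"]:
        check = CHECKS.get(res["type"])
        if check:
            findings.extend(check(f'{res["type"]}.{res["name"]}', res["values"]))
    return findings


# Constructed input reproducing the breach scenario: world-open 5432, public
# endpoint, no storage encryption, an 8-character master password, no forced TLS.
INSECURE_PLAN = {"resources": [
    {"type": "aws_security_group", "name": "db", "values": {"ingress": [
        {"from_port": 5432, "to_port": 5432, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]}]}},
    {"type": "aws_db_instance", "name": "customers", "values": {
        "engine": "postgres", "publicly_accessible": True, "storage_encrypted": False, "password": "Summer22"}},
    {"type": "aws_db_parameter_group", "name": "pg", "values": {"parameter": []}},
]}

# The corrected configuration: private ingress only, private endpoint, encrypted storage,
# no password in code, TLS forced.
HARDENED_PLAN = {"resources": [
    {"type": "aws_security_group", "name": "db", "values": {"ingress": [
        {"from_port": 5432, "to_port": 5432, "protocol": "tcp", "cidr_blocks": ["10.20.0.0/16"]}]}},
    {"type": "aws_db_instance", "name": "customers", "values": {
        "engine": "postgres", "publicly_accessible": False, "storage_encrypted": True}},
    {"type": "aws_db_parameter_group", "name": "pg", "values": {"parameter": [{"name": "rds.force_ssl", "value": "1"}]}},
]}

if __name__ == "__main__":
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else INSECURE_PLAN
    findings = evaluate(plan)
    for f in findings:
        print("FAIL", f)
    sys.exit(1 if findings else 0)
```

With no argument the script evaluates the embedded insecure plan and exits 1, which is the behaviour the pipeline gate relies on; point it at a plan file converted to this shape to check a real change. The all-protocol rule (`protocol = "-1"`) is handled explicitly because it exposes the database port without naming it.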
A financial institution uses a third-party cloud service for data analytics. The service has access to non-public personal information (NPI). During a risk assessment, the risk manager discovers that the cloud provider uses subprocessors without notifying the institution. The contract does not require notification of subprocessor changes. What should the risk manager do FIRST?
- A
Notify the vendor of the contract breach and request a list of all subprocessors and their compliance certifications.
First, understand the risk by obtaining information on subprocessors.
- B
Report the incident to the data protection authority as a breach of contract.
Why wrong: Reporting to a data protection authority is for personal data breaches, not for a contract gap; the risk manager should first establish what the subprocessors can access and how it is controlled.
- C
Accept the risk since the vendor remains SOC 2 Type II certified.
Why wrong: Accepting risk without understanding subprocessor controls is not advisable.
- D
Terminate the contract immediately to mitigate the risk of unauthorized data access.
Why wrong: Immediate termination could disrupt business operations.
After implementing a new web application, the risk owner reports that the residual risk level is still above the risk appetite. Which of the following should be the risk practitioner's FIRST action?
- A
Re-evaluate risk treatment options with the risk owner
The practitioner should collaborate with the risk owner to identify additional controls or modify existing ones.
- B
Escalate directly to the board
Why wrong: Escalation is premature before attempting additional treatment options.
- C
Update the risk register to reflect the residual risk
Why wrong: Updating the register is necessary, but the first action is to address the unacceptable residual risk.
- D
Accept the residual risk
Why wrong: The residual risk exceeds appetite, so acceptance is not appropriate without further mitigation.
During a review, a risk practitioner discovers that a key control for a high-risk process is not operating effectively. The risk owner is reluctant to invest in additional controls due to budget constraints. What should the risk practitioner do FIRST?
- A
Accept the risk owner's decision
Why wrong: Accepting without escalation may violate risk appetite.
- B
Document the deficiency and move on
Why wrong: Documentation alone does not address the risk.
- C
Communicate the risk exposure to senior management
Senior management needs to be aware of the risk and decide on additional funding.
- D
Escalate directly to the board
Why wrong: Escalation should first go to senior management.
A company has implemented a risk mitigation plan that includes technical controls. However, six months later, the residual risk is still higher than expected. The risk practitioner suspects that the controls are not being followed. Which of the following is the BEST approach to verify this?
- A
Perform a new risk assessment
Why wrong: A new assessment may not focus on existing control performance.
- B
Interview control owners
Why wrong: Interviews rely on self-reporting, which may be biased.
- C
Review risk register updates
Why wrong: The register may not capture control performance.
- D
Conduct control testing and review audit evidence
Testing provides direct evidence of whether the controls operate as designed, rather than of what people say about them.
Order the steps for implementing a risk treatment plan.
Arrange the steps for performing a risk assessment in the correct order.
Order the steps for incident response handling.
Put the steps for developing an information security policy in order.
Sequence the steps for implementing a new control based on risk assessment findings.
Arrange the steps for performing a vulnerability assessment.
Order the steps for change management in an IT environment.
During a risk assessment, an organization identifies that its primary data center is located in a flood-prone area. Which risk treatment option would best address this risk?
- A
Purchase business interruption insurance
Why wrong: Insurance is a transfer, not mitigation.
- B
Move all operations to a cloud provider
Why wrong: This is avoidance by abandoning the site entirely, which is disproportionate to a single site risk and introduces new risks of its own; it is not the best treatment when operations are critical.
- C
Implement flood barriers and redundant cooling systems
Mitigation: physical controls at the existing site reduce the likelihood and impact of the flood risk.
- D
Accept the risk and document it in the risk register
Why wrong: Acceptance does not implement controls.
An organization uses a quantitative risk analysis method. The annualized rate of occurrence (ARO) for a specific threat is 0.5, and the single loss expectancy (SLE) is $200,000. What is the annualized loss expectancy (ALE)?
- A
$400,000
Why wrong: This is SLE / ARO (equivalently 2 × SLE); ALE multiplies by the rate of occurrence, it does not divide by it.
- B
$100,000
ALE = ARO × SLE = 0.5 × $200,000 = $100,000: a $200,000 loss expected once every two years.
- C
$200,000
Why wrong: This is the SLE, the loss from a single occurrence, not annualized.
During a control monitoring review, the auditor finds that a control designed to detect unauthorized access has not triggered any alerts in six months. What should the risk practitioner do first?
- A
Document the lack of alerts as evidence of effectiveness.
Why wrong: Lack of alerts does not prove effectiveness.
- B
Redesign the control with different parameters.
Why wrong: Premature; the control may be working and there may simply have been no unauthorized access to detect. Redesign only if testing shows it does not fire.
- C
Test the control to ensure it is functioning correctly.
Silence is ambiguous: it may mean no events or a broken control. Only a test with known-bad input (for example a simulated unauthorized access) shows which.
- D
Increase the frequency of monitoring.
Why wrong: Monitoring a possibly broken control more often yields more silence, not evidence; it does not address the root question.
Which TWO of the following are appropriate actions when a control deficiency is identified during monitoring? (Select exactly two.)
- A
Increase the risk appetite
Why wrong: Should not be adjusted for control failures.
- B
Document the deficiency and its impact
Proper documentation is essential.
- C
Assign a remediation plan with deadlines
Ensures corrective action.
- D
Ignore if the deficiency is minor
Why wrong: All deficiencies should be addressed.
- E
Immediately terminate the control owner
Why wrong: Extreme and not appropriate.
An organization has a risk indicator that shows the number of failed login attempts per day. The threshold is 100. Last week, the number spiked to 200 on two days. What does this indicate?
- A
The system is experiencing a denial-of-service attack.
Why wrong: A DoS manifests as load or loss of availability, not as authentication failures; the KRI measures failed logins, which point at credential guessing.
- B
There may be a brute-force attack in progress.
A doubling of failed logins against a threshold of 100 is the signature of password guessing and should be triaged as a possible incident: which sources, which accounts, and whether any attempt later succeeded.
- C
The password policy needs to be updated.
Why wrong: Not indicated by a spike; a policy change is a possible response after analysis, not a reading of the indicator.
- D
Users have forgotten their passwords.
Why wrong: Possible, but it is a hypothesis to verify (failures spread across many users and sources, followed by successful logins), not the default explanation for a KRI breach.
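The KRI above and the earlier question about a detective control that has been silent for six months are two sides of the same monitoring problem: a threshold breach needs triage, and a control that never fires needs to be proven alive. The following is an added example, not code from the original page. It assumes a constructed log format, one event per line (`<ISO timestamp> <OK|FAIL> user=<name> src=<ip>`), the scenario's threshold of 100 failures per day, and heuristic triage rules of my own; the log lines are constructed.

```python
"""Failed-login key risk indicator (KRI) with triage and a control self-test.

Added example, not from the original page. The log format, the threshold
of 100 failures per day and the triage heuristics are assumptions; all
input is constructed in this file.
"""
import collections
import re

THRESHOLD = 100   # KRI threshold from the scenario: failed logins per day
LINE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2}T[\d:]+Z) (?P<result>OK|FAIL) "
                  r"user=(?P<user>\S+) src=(?P<src>\S+)$")


def parse(lines):
    """Parse well-formed lines; skip anything else (log noise)."""
    return [m.groupdict() for m in map(LINE.match, (l.strip() for l in lines)) if m]


def failures_per_day(events):
    return collections.Counter(e["ts"][:10] for e in events if e["result"] == "FAIL")


def triage(events, day):
    """Classify one day's failed logins once the KRI threshold is breached.

    brute_force : one source or one target account dominates the failures
    spray       : few sources, many distinct accounts, few failures each
    dispersed   : failures spread across sources and accounts, most followed by
                  a success from the same (src, user) pair: forgotten passwords
    investigate : over threshold and none of the patterns above
    """
    fails = [e for e in events if e["result"] == "FAIL" and e["ts"].startswith(day)]
    n = len(fails)
    if n <= THRESHOLD:
        return "below_threshold"
    by_src = collections.Counter(e["src"] for e in fails)
    by_user = collections.Counter(e["user"] for e in fails)
    if by_src.most_common(1)[0][1] >= 0.5 * n or by_user.most_common(1)[0][1] >= 0.5 * n:
        return "brute_force"
    if len(by_src) <= 3 and len(by_user) >= 0.5 * n:
        return "spray"
    ok_pairs = {(e["src"], e["user"]) for e in events
                if e["result"] == "OK" and e["ts"].startswith(day)}
    recovered = sum(1 for e in fails if (e["src"], e["user"]) in ok_pairs)
    return "dispersed" if recovered >= 0.7 * n else "investigate"


def kri_report(lines):
    """Per day: (failures, threshold breached?, triage label)."""
    events = parse(lines)
    return {day: (n, n > THRESHOLD, triage(events, day))
            for day, n in sorted(failures_per_day(events).items())}


def synth(day, n, srcs, users, result="FAIL"):
    """Constructed events, cycling through the given sources and users."""
    return [f"{day}T{i % 24:02d}:{i % 60:02d}:00Z {result} "
            f"user={users[i % len(users)]} src={srcs[i % len(srcs)]}" for i in range(n)]


def control_self_test():
    """Feed the control known-bad and known-quiet input. A detective control
    that has never fired is only trusted once this passes."""
    attack = synth("2024-05-07", 200, ["203.0.113.9"], ["svc-backup"])
    quiet = synth("2024-05-08", 40, ["10.0.0.5", "10.0.0.6"], ["alice", "bob"])
    report = kri_report(attack + quiet)
    return (report["2024-05-07"][1] and report["2024-05-07"][2] == "brute_force"
            and not report["2024-05-08"][1])


# Constructed sample mirroring the scenario: two days spike to 200 failures,
# one from a single source, one spread across users who then log in successfully.
SAMPLE = (synth("2024-05-06", 200, ["203.0.113.9"], ["admin", "root", "svc-backup"])
          + synth("2024-05-09", 200, ["198.51.100.%d" % i for i in range(40)], ["u%d" % i for i in range(40)])
          + synth("2024-05-09", 40, ["198.51.100.%d" % i for i in range(40)], ["u%d" % i for i in range(40)], "OK")
          + synth("2024-05-10", 30, ["10.0.0.5"], ["alice"]))

if __name__ == "__main__":
    for day, (n, breached, label) in kri_report(SAMPLE).items():
        print(day, n, "BREACH" if breached else "ok", label)
    print("control self-test:", "PASS" if control_self_test() else "FAIL")
```

The two spike days illustrate the point of option D: both breach the threshold, but only the one concentrated on a single source looks like password guessing, while the dispersed one, where each failing (source, user) pair later succeeds, is consistent with forgotten passwords. Run `control_self_test()` on a schedule so that a silent control is reported as verified rather than assumed to be working.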