CCNA IT Risk Assessment Questions

75 of 130 questions · Page 1/2 · IT Risk Assessment

1. MCQ (medium)

A financial services company uses a legacy mainframe system for core banking transactions. The risk assessment identifies that the system does not support modern encryption standards, and data is transmitted in clear text over internal networks. The IT department has proposed implementing network segmentation and encryption at the application layer using a middleware solution. However, the cost is high and the project would take 18 months. Meanwhile, the company is planning to migrate to a new core system in two years. The risk appetite for data confidentiality is low. As the risk practitioner, what is the MOST appropriate risk response?

A. Implement compensating controls such as strict network access controls and monitoring.
B. Transfer the risk by purchasing cyber insurance covering data breach incidents.
C. Accept the risk because the system will be replaced in two years.
D. Avoid the risk by accelerating the migration to the new system within 18 months.
Answer: A

Compensating controls reduce risk immediately.

Why this answer

The correct response is to implement compensating controls such as strict network access controls and monitoring. Given the low risk appetite for data confidentiality, the 18-month delay for the middleware solution is unacceptable, and the two-year migration timeline leaves a significant exposure window. Compensating controls like VLAN segmentation, ACLs, and continuous traffic monitoring can reduce the likelihood of exploitation of the clear-text transmission without requiring changes to the legacy mainframe itself.

Exam trap

The trap here is that candidates may confuse 'accepting the risk' with a valid response when a migration is planned, but the low risk appetite for data confidentiality makes acceptance inappropriate, and they may overlook that compensating controls can be implemented quickly and cost-effectively to reduce exposure.

How to eliminate wrong answers

Option B is wrong because cyber insurance transfers financial risk but does not reduce the likelihood or impact of a data breach; the low risk appetite for confidentiality requires a control that protects the data, not just compensates for losses. Option C is wrong because accepting the risk for two years violates the stated low risk appetite for data confidentiality, as clear-text transmission over internal networks is a direct exposure that could lead to a breach. Option D is wrong because accelerating the migration to 18 months is not feasible without a detailed project plan and budget, and it still leaves a gap; moreover, 'avoiding' risk by accelerating does not address the immediate exposure during the migration period.

2. Multi-Select (easy)

Which TWO of the following are examples of inherent risk?

Select 2 answers
A. Risk of unauthorized access due to weak password policy
B. Risk of data breach due to unencrypted sensitive data
C. Residual risk after implementing firewalls
D. Risk appetite defined by the board
E. Risk reduction achieved by multifactor authentication
Answers: A, B

This is a risk that exists without controls.

Why this answer

Inherent risk is the risk that exists in the absence of any controls or mitigations. Option A describes the risk of unauthorized access due to a weak password policy, which is a vulnerability present before any compensating controls (like multifactor authentication) are applied. Option B describes the risk of a data breach due to unencrypted sensitive data, which is a direct exposure that exists before encryption controls are implemented.

Both represent the raw, uncontrolled risk level.

Exam trap

The trap here is confusing inherent risk with residual risk or control effectiveness; candidates often pick options that describe the result of controls (like risk reduction) or the state after controls (residual risk) instead of the raw, uncontrolled exposure.

3. MCQ (hard)

A risk assessment for a healthcare organization reveals a high likelihood of data breaches due to weak encryption on portable devices. The organization decides to deploy full-disk encryption and enforce multi-factor authentication. Which risk response strategy is being applied?

A. Transfer
B. Acceptance
C. Avoidance
D. Mitigation
Answer: D

Controls reduce risk.

Why this answer

Deploying full-disk encryption and multi-factor authentication directly reduces the likelihood and/or impact of data breaches from weak encryption on portable devices. This is the definition of risk mitigation — applying controls to lower risk to an acceptable level. The organization is actively reducing the vulnerability, not transferring, accepting, or avoiding the risk.

Exam trap

The trap here is that candidates often confuse 'avoidance' with 'mitigation' — avoidance eliminates the risk by discontinuing the activity (e.g., banning portable devices), while mitigation reduces the risk through controls like encryption and MFA.

How to eliminate wrong answers

Option A is wrong because risk transfer involves shifting the financial burden of a loss to a third party (e.g., cyber insurance), not implementing technical controls like encryption or MFA. Option B is wrong because risk acceptance means acknowledging the risk and taking no proactive action to reduce it, which contradicts the decision to deploy new security measures. Option C is wrong because risk avoidance would mean ceasing the use of portable devices entirely or eliminating the process that creates the risk, not strengthening the protection on those devices.

4. MCQ (medium)

An organization uses a qualitative risk assessment methodology. During a recent assessment, several risks were rated as 'high' due to vague definitions. What is the BEST way to improve the accuracy of the assessment?

A. Switch to a quantitative methodology
B. Assign a single expert to rate all risks
C. Use historical loss data as the primary input
D. Define clear and objective rating criteria for likelihood and impact
Answer: D

Clear criteria reduce subjectivity and improve consistency across assessors.

Why this answer

Vague rating criteria lead to inconsistent and subjective risk scores. By defining clear and objective rating criteria for likelihood and impact, the organization ensures that all assessors apply the same standards, reducing ambiguity and improving the accuracy of the qualitative assessment.

Exam trap

The trap here is that candidates often assume quantitative methods are always more accurate, but the question specifically highlights vague definitions as the root cause, which is best addressed by refining the qualitative criteria rather than changing the methodology.

How to eliminate wrong answers

Option A is wrong because switching to a quantitative methodology does not address the root cause of vague definitions; it introduces new requirements for numerical data that may not be available or reliable, and does not inherently improve the consistency of risk ratings. Option B is wrong because assigning a single expert to rate all risks introduces personal bias and does not eliminate the underlying problem of vague criteria; it merely centralizes the subjectivity. Option C is wrong because historical loss data is often incomplete, not directly applicable to emerging threats, and may not reflect current control effectiveness; using it as the primary input does not resolve the ambiguity in rating definitions.

5. MCQ (easy)

A risk assessment that assigns monetary values to assets and calculates expected loss is called:

A. Qualitative
B. Semi-quantitative
C. Comprehensive
D. Quantitative
Answer: D

Quantitative assigns monetary values.

Why this answer

A quantitative risk assessment assigns specific monetary values to assets and calculates expected loss using formulas such as Single Loss Expectancy (SLE) = Asset Value (AV) × Exposure Factor (EF), and Annualized Loss Expectancy (ALE) = SLE × Annualized Rate of Occurrence (ARO). This approach provides objective, numeric risk metrics that support cost-benefit analysis for risk mitigation decisions.

Exam trap

The trap here is that candidates often confuse 'semi-quantitative' with 'quantitative' because both use numbers, but semi-quantitative methods use ordinal scales or weighted scores (e.g., 1-5) rather than actual monetary values and expected loss calculations.

How to eliminate wrong answers

Option A is wrong because qualitative risk assessment uses subjective ratings (e.g., high, medium, low) rather than monetary values and does not calculate expected loss numerically. Option B is wrong because semi-quantitative risk assessment uses ordinal scales or weighted scores to approximate risk levels, but it does not assign precise monetary values or compute expected loss with formulas like SLE and ALE. Option C is wrong because 'comprehensive' is not a recognized category of risk assessment methodology in the CRISC framework; it describes scope, not the quantitative vs. qualitative distinction.

6. MCQ (easy)

When assessing IT risks, which of the following is the PRIMARY purpose of developing risk scenarios?

A. To calculate the exact financial loss
B. To identify specific threats and vulnerabilities that could impact objectives
C. To satisfy regulatory compliance
D. To create a business continuity plan
Answer: B

Core purpose of scenario development.

Why this answer

The primary purpose of developing risk scenarios in IT risk assessment is to identify specific threats and vulnerabilities that could impact business objectives. Risk scenarios provide a structured narrative that links threat sources, vulnerabilities, and potential impacts, enabling a focused analysis of how adverse events might occur. This is foundational for prioritizing risks and determining appropriate controls, rather than for calculating exact losses, compliance, or continuity planning.

Exam trap

The trap here is that candidates often confuse the purpose of risk scenarios with downstream activities like financial quantification or compliance, when the core goal is to systematically identify and articulate how threats and vulnerabilities can materialize into risk events.

How to eliminate wrong answers

Option A is wrong because risk scenarios are not designed to calculate exact financial loss; they are qualitative or semi-quantitative constructs that estimate potential impact ranges, not precise monetary values. Option C is wrong because while risk scenarios may support compliance efforts, satisfying regulatory requirements is a secondary benefit, not the primary purpose of scenario development. Option D is wrong because creating a business continuity plan is a separate process that may use risk scenarios as input, but the primary purpose of scenarios is to identify and analyze risks, not to produce continuity plans.

7. MCQ (easy)

An IT manager is identifying risks for a new cloud application. Which of the following is the BEST source for identifying specific threats relevant to cloud services?

A. Employee suggestions
B. Internal audit findings
C. Vendor marketing materials
D. Industry threat reports
Answer: D

Industry reports provide relevant and current threat data.

Why this answer

Industry threat reports (Option D) are the BEST source because they aggregate real-world threat intelligence specific to cloud environments, such as data from the Cloud Security Alliance (CSA) or Verizon DBIR, detailing attack vectors like misconfigured APIs, insecure interfaces, and shared technology vulnerabilities. Unlike internal or vendor sources, these reports provide empirical, up-to-date data on threats actively targeting cloud services, enabling a risk assessment grounded in actual incident patterns rather than assumptions or marketing claims.

Exam trap

The trap here is that candidates may choose internal audit findings (Option B) thinking they are authoritative, but they fail to recognize that internal audits are retrospective and limited to existing controls, whereas industry threat reports provide forward-looking, external threat intelligence essential for identifying emerging cloud-specific risks.

How to eliminate wrong answers

Option A is wrong because employee suggestions are subjective, anecdotal, and lack the systematic, evidence-based threat data needed for a formal risk assessment; they may reflect personal biases or limited visibility into cloud-specific attack patterns. Option B is wrong because internal audit findings focus on compliance gaps and control deficiencies within the organization's existing environment, not on emerging or external threats specific to cloud service models (IaaS, PaaS, SaaS) like side-channel attacks or provider-side vulnerabilities. Option C is wrong because vendor marketing materials are promotional and designed to highlight product strengths, not to disclose realistic threat scenarios; they often downplay risks such as multi-tenancy isolation failures or shared responsibility model ambiguities.

8. MCQ (easy)

A multinational corporation is assessing the risk of a new cloud-based customer relationship management (CRM) system. The risk manager conducts a qualitative risk assessment using a risk matrix that plots likelihood vs. impact. Which of the following is the PRIMARY benefit of using a qualitative approach over a quantitative approach in this context?

A. It provides precise monetary values for risk exposure.
B. It reduces the time required for data collection and analysis.
C. It allows for easy comparison of risks across different business units.
D. It eliminates the need for expert judgment.
Answer: B

Qualitative assessment is faster due to less data requirement.

Why this answer

In a qualitative risk assessment, the risk manager uses subjective ratings (e.g., high, medium, low) for likelihood and impact rather than gathering hard financial data. This approach significantly reduces the time and effort needed for data collection and analysis because it avoids the complex calculations, historical loss data gathering, and monetary valuation required by quantitative methods. For a new cloud-based CRM system, where historical incident data may be scarce, qualitative assessment enables a faster initial risk evaluation.

Exam trap

The trap here is that candidates often confuse 'qualitative' with 'easier to compare' (Option C) or think it provides monetary precision (Option A), when in reality the primary benefit is speed and reduced data collection effort, especially for new or cloud-based systems where quantitative data is scarce.

How to eliminate wrong answers

Option A is wrong because qualitative assessments do not provide precise monetary values; they use ordinal scales (e.g., high/medium/low) rather than dollar amounts, which is the defining characteristic of quantitative analysis. Option C is wrong because while qualitative matrices can facilitate comparison, the primary benefit over quantitative is not ease of comparison—quantitative methods actually allow more objective cross-unit comparisons via normalized financial metrics. Option D is wrong because qualitative approaches still heavily rely on expert judgment; they do not eliminate it, and in fact, they depend on subjective input from stakeholders and SMEs.

9. Matching (medium)

Match each key risk indicator (KRI) to its description.


Descriptions

Measures availability risk

Measures access control risk

Measures vulnerability management risk

Measures security awareness risk

Why these pairings

KRIs are metrics that provide early warning of increasing risk exposure.

10. MCQ (medium)

A university is implementing a new online learning management system (LMS) that will store student records, grades, and personal information. During the risk assessment, the IT team identifies that the LMS vendor's default configuration allows students to see each other's email addresses in the class roster. This could lead to privacy violations under FERPA regulations. The vendor states that this feature can be disabled in the settings but doing so will require manual configuration for each course. The university has a moderate risk appetite and wants to launch the system within two weeks. Which of the following is the MOST appropriate risk response?

A. Transfer the risk by requiring students to sign a consent form allowing email disclosure.
B. Avoid the risk by selecting a different LMS vendor that does not have this issue.
C. Reduce the risk by disabling the feature globally through a script or administrative override before launch.
D. Accept the risk because the exposure is limited to email addresses and not grades.
Answer: C

Quick mitigation without launch delay.

Why this answer

Option C is the most appropriate risk response because it reduces the privacy risk by disabling the email visibility feature globally via a script or administrative override, aligning with the university's moderate risk appetite and two-week launch deadline. This approach directly addresses the FERPA violation without requiring manual per-course configuration, enabling a timely deployment while maintaining control over student data exposure.

Exam trap

The trap here is that candidates may choose 'Accept the risk' (Option D) by underestimating the regulatory weight of FERPA, assuming email addresses are low-risk, while failing to recognize that any PII exposure, even seemingly minor, can trigger compliance violations and reputational damage.

How to eliminate wrong answers

Option A is wrong because transferring risk via student consent forms does not eliminate the FERPA violation; FERPA prohibits disclosure of personally identifiable information (PII) like email addresses without prior written consent, and requiring consent for a default exposure shifts liability but still violates regulatory compliance if consent is not obtained for all students. Option B is wrong because avoiding the risk by selecting a different LMS vendor would likely delay the launch beyond two weeks, contradicting the university's timeline and moderate risk appetite, and may introduce other unassessed risks. Option D is wrong because accepting the risk ignores that email addresses are considered PII under FERPA, and the exposure could lead to privacy violations and regulatory penalties, which is inconsistent with a moderate risk appetite that seeks to mitigate rather than tolerate such compliance risks.

11. MCQ (easy)

An organization has a risk appetite that is risk-averse. Which risk treatment option would be most aligned with this appetite?

A. Avoid the risk by discontinuing the activity
B. Mitigate the risk with controls
C. Accept the risk
D. Transfer the risk through insurance
Answer: A

Avoidance aligns with risk-averse appetite.

Why this answer

A risk-averse organization prioritizes avoiding exposure to threats. Discontinuing the activity that introduces the risk (option A) eliminates the threat source entirely, ensuring no residual risk remains. This aligns directly with a risk-averse appetite, where even low-probability, high-impact events are unacceptable.

Exam trap

The trap here is that candidates often confuse 'risk transfer' with 'risk elimination,' assuming insurance removes all risk, when in fact it only covers financial loss, leaving operational and reputational risks intact.

How to eliminate wrong answers

Option B is wrong because mitigating with controls reduces risk to an acceptable level but does not eliminate it; residual risk remains, which contradicts a fully risk-averse stance. Option C is wrong because accepting risk means the organization retains the full exposure, which is contrary to a risk-averse appetite that seeks to avoid any potential loss. Option D is wrong because transferring risk through insurance shifts financial liability but does not remove the operational threat; the organization still faces the event's consequences, such as downtime or reputational damage, which a risk-averse entity would find unacceptable.

12. MCQ (hard)

During a risk assessment, a risk manager is evaluating the effectiveness of a firewall rule set. The manager notes that the firewall logs show a high number of dropped packets from a specific IP range, but no policy changes have been made. The manager suspects the firewall rule set may be misconfigured. Which of the following should the manager do FIRST?

A. Conduct a penetration test on the firewall.
B. Immediately block the IP range.
C. Review the change management records for the firewall.
D. Update the risk register with a new risk.
Answer: C

Change records can reveal if unauthorized or incorrect changes were made.

Why this answer

Option C is correct because the first step when a misconfiguration is suspected without any known policy changes is to verify the change management records. This ensures that any recent modifications to the firewall rule set are accounted for, ruling out unauthorized or undocumented changes before proceeding with more invasive actions like penetration testing or blocking IP ranges.

Exam trap

The trap here is that candidates often jump to immediate remediation (blocking the IP range) or escalation (updating the risk register) without first investigating the root cause through change management records, which is the foundational step in IT risk assessment.

How to eliminate wrong answers

Option A is wrong because conducting a penetration test on the firewall is an intrusive and resource-intensive step that should only be performed after verifying that no recent changes have been made; it could also disrupt operations if the misconfiguration is severe. Option B is wrong because immediately blocking the IP range is a reactive measure that may disrupt legitimate traffic and does not address the root cause of the suspected misconfiguration; it should only be considered after confirming the issue through change records. Option D is wrong because updating the risk register with a new risk is premature without first understanding the cause of the dropped packets; the risk register should be updated only after the misconfiguration is confirmed and its impact assessed.

13. MCQ (medium)

Based on the exhibit, what is the MOST appropriate immediate risk response?

A. Transfer the risk
B. Accept the risk
C. Implement compensating controls
D. Ignore the risk
Answer: C

Compensating controls reduce risk until a patch is available.

Why this answer

The exhibit indicates a critical vulnerability in a core network device (e.g., a Cisco router with a known CVE in its IOS) that is actively being exploited. Implementing compensating controls, such as deploying an access control list (ACL) to block the exploit's specific traffic pattern or enabling Control Plane Policing (CoPP), immediately reduces the attack surface while a permanent patch is scheduled. This is the most appropriate response because it directly mitigates the risk without waiting for a vendor fix or accepting potential compromise.

Exam trap

The trap here is that candidates often confuse 'accept the risk' as a valid immediate response when the question emphasizes 'immediate,' failing to recognize that compensating controls are the correct first step to reduce exposure before acceptance or transfer can be considered.

How to eliminate wrong answers

Option A is wrong because transferring the risk (e.g., via cyber insurance) does not reduce the immediate technical exposure; the vulnerability remains exploitable on the device. Option B is wrong because accepting the risk would leave the critical network infrastructure open to active exploitation, which is unacceptable given the severity and known exploit. Option D is wrong because ignoring the risk is not a valid risk response in CRISC; it represents negligence and violates the principle of due care, especially when a technical control can be rapidly applied.

14. MCQ (medium)

Based on the exhibit, which vulnerability poses the HIGHEST risk to the organization?

A. CVE-2022-9876 on the file server
B. CVE-2023-5678 on the web server
C. CVE-2023-1234 on the critical server
D. All vulnerabilities pose equal risk
Answer: C

Unpatched critical vulnerability with high CVSS score.

Why this answer

Option C is correct because the critical server has an unpatched remote code execution vulnerability with a CVSS score of 9.8, indicating high exploitability and impact. Option B is wrong because the web server vulnerability is patched, so the risk is mitigated. Option A is wrong because the file server vulnerability is medium severity and has compensating controls, reducing risk.

Option D is wrong because the three vulnerabilities differ in severity, patch status and compensating controls, so they do not pose equal risk; the exhibit supports a single highest-risk item.

15. MCQ (medium)

An organization has received a critical vulnerability alert for a web application firewall. The risk owner is on leave. What should the risk manager do?

A. Escalate to the designated alternate risk owner for decision.
B. Apply the patch immediately without consultation.
C. Accept the risk since the impact is unknown.
D. Wait for the risk owner to return to avoid overstepping authority.
Answer: A

Proper escalation ensures accountability and timely response.

Why this answer

When the risk owner is unavailable, the risk manager must ensure that risk decisions are still made in a timely manner, especially for critical vulnerabilities. Escalating to the designated alternate risk owner is the correct action because it maintains the chain of accountability and enables an informed decision on whether to apply mitigations, such as patching the WAF, without unnecessary delay.

Exam trap

The trap here is that candidates may assume immediate patching (Option B) is always the correct response for a critical vulnerability, but CRISC emphasizes that risk decisions must be made by the designated risk owner or their alternate, not unilaterally by the risk manager.

How to eliminate wrong answers

Option B is wrong because applying the patch immediately without consultation bypasses the risk owner's authority and could introduce unintended side effects, such as breaking WAF rules or causing service disruption, without a proper risk assessment. Option C is wrong because accepting the risk when the impact is unknown violates the principle of informed risk acceptance; the risk manager must first gather information or escalate to someone with the authority to accept or reject the risk. Option D is wrong because waiting for the risk owner to return could leave a critical vulnerability unaddressed for an extended period, increasing the likelihood of exploitation and violating incident response timelines.

16. MCQ (hard)

You are the IT risk manager for a multinational corporation with a hybrid cloud environment. The company uses AWS for its primary infrastructure and maintains an on-premises data center for legacy applications. Recently, the security team detected that a contractor's credentials were used to access an S3 bucket containing personally identifiable information (PII) of European customers. The contractor had been granted access to this bucket six months ago for a data migration project that has since been completed. The access was not revoked. The security team has implemented an automated process to review and revoke access for contractors after project completion, but this process has not been applied retroactively. The company is subject to GDPR. Which of the following is the BEST course of action to address the immediate risk?

A. Conduct a forensic investigation to determine if any data was exfiltrated, then update the incident response plan.
B. Immediately revoke the contractor's access and initiate a review of all contractor accounts to revoke any unnecessary permissions.
C. Manually review access rights for all contractors and revoke those not needed, starting with the most sensitive systems.
D. Update the automated access review process to include all existing contractor accounts and schedule it to run weekly.
Answer: B

This directly mitigates the immediate risk of unauthorized access.

Why this answer

The immediate risk is that the contractor still has active access to an S3 bucket containing PII, which violates GDPR's principle of data minimization and access control (Article 5(1)(f)). Revoking the contractor's access now stops any ongoing unauthorized access, and initiating a review of all contractor accounts addresses the systemic failure to apply the automated process retroactively. This directly mitigates the risk of further data exposure without delay.

Exam trap

The trap here is that candidates may choose a forensic or process-improvement option (A or D) because they seem thorough, but the question asks for the BEST course of action to address the immediate risk, which is to stop the active unauthorized access first before investigating or improving long-term processes.

How to eliminate wrong answers

Option A is wrong because conducting a forensic investigation first delays the immediate action needed to stop ongoing unauthorized access; while forensics may be needed later, the priority is to revoke access to prevent further potential data exfiltration. Option C is wrong because manually reviewing all contractors starting with the most sensitive systems is slower and less efficient than immediately revoking the known risky access and then performing a broader review; it also fails to address the fact that the automated process should be applied retroactively. Option D is wrong because updating the automated process to include existing accounts and scheduling it weekly does not address the immediate risk of the contractor's current active access; it only prevents future occurrences, leaving the current vulnerability open.

17. MCQ (hard)

Based on the exhibit, which risk should be treated first according to the risk rating?

A. R003, because the likelihood is highest
B. R002, because the impact is highest
C. All three should be treated simultaneously
D. R001, because it has the highest risk level
Answer: D

R001 has level 15, the highest.

Why this answer

Option D is correct because risk treatment priority is determined by the risk level, which is a function of both likelihood and impact. In the exhibit, R001 has the highest risk level (e.g., 16), calculated as likelihood × impact, making it the most critical to address first. This aligns with the CRISC principle of prioritizing risks with the highest residual risk rating.

Exam trap

The trap here is that candidates often confuse 'highest likelihood' or 'highest impact' with 'highest risk level,' but CRISC emphasizes that risk level is the product of both factors, not any single component.

How to eliminate wrong answers

Option A is wrong because R003 has the highest likelihood but not the highest risk level; risk treatment prioritizes risk level, not likelihood alone. Option B is wrong because R002 has the highest impact but not the highest risk level; impact alone does not determine priority without considering likelihood. Option C is wrong because simultaneous treatment is inefficient and contradicts the risk management principle of prioritizing based on risk level; resources should be allocated to the highest-rated risk first.

18. MCQ (medium)

A company outsourced its payroll processing to a third-party vendor. During the risk assessment, it was found that the vendor's data centers are in a country with weak data protection laws. What is the BEST way to treat this risk?

A. Terminate the contract and bring payroll in-house
B. Purchase cyber insurance to cover potential losses
C. Require contractual clauses and verify compliance
D. Accept the risk because the vendor has never had a breach
Answer: C

Contractual obligations with verification help manage the risk while maintaining operations.

Why this answer

The best way to treat this risk is to implement contractual controls that require the vendor to adhere to data protection standards equivalent to the company's requirements, and to verify compliance through audits or certifications. This directly addresses the root cause—weak local data protection laws—by imposing enforceable obligations on the vendor, rather than transferring, avoiding, or accepting the risk without mitigation. Contractual clauses with compliance verification are a recognized risk mitigation technique in third-party risk management, as they create a legal framework for data protection regardless of the vendor's jurisdiction.

Exam trap

The trap here is that candidates often confuse risk treatment options—mistaking risk transfer (insurance) or risk avoidance (termination) for the most appropriate response, when the question specifically asks for the 'best way to treat' a risk that can be mitigated through contractual and compliance controls.

How to eliminate wrong answers

Option A is wrong because terminating the contract and bringing payroll in-house may not be feasible or cost-effective, and it does not address the risk assessment's finding that the vendor's location has weak data protection laws—it avoids the risk rather than treating it with a balanced, business-aligned response. Option B is wrong because purchasing cyber insurance transfers the financial impact of a breach but does not reduce the likelihood or severity of the data protection risk; it is a risk transfer technique, not a risk treatment that addresses the underlying control weakness. Option D is wrong because accepting the risk based solely on the vendor's historical lack of breaches ignores the inherent risk from weak data protection laws and violates the principle of due care; risk acceptance requires a formal decision with documented justification, not passive reliance on past performance.

19
MCQmedium

During a qualitative risk assessment, the risk owner rates the likelihood of a threat as 'high' and the impact as 'medium'. According to standard risk matrices, what is the resulting risk level?

A.Low
B.High
C.Medium
D.Critical
AnswerB

High likelihood and medium impact yields high risk.

Why this answer

In a standard 3x3 or 5x5 risk matrix, a 'high' likelihood combined with a 'medium' impact typically maps to a 'high' risk level. This is because the risk level is determined by the intersection of likelihood and impact, and the product or matrix cell for these two ratings falls into the high category, indicating a significant risk that requires management attention.

Exam trap

The trap here is that candidates often confuse 'medium' impact with a 'medium' overall risk level, failing to account for the multiplicative or matrix-based escalation when likelihood is high.

How to eliminate wrong answers

Option A (Low) is wrong because a 'high' likelihood with a 'medium' impact does not produce a low risk level; low risk would require both likelihood and impact to be low. Option C (Medium) is wrong because while 'medium' impact is present, the 'high' likelihood elevates the overall risk above medium in standard matrices. Option D (Critical) is wrong because critical risk typically requires both likelihood and impact to be 'high' or 'very high', not a mix of 'high' and 'medium'.

20
MCQhard

A financial institution uses a quantitative risk assessment for a core banking system. The annual loss expectancy (ALE) is calculated as $500,000 with a single loss expectancy (SLE) of $2,500,000. What is the annualized rate of occurrence (ARO)?

A.5.0
B.2.0
C.0.5
D.0.2
AnswerD

ARO = ALE / SLE = 0.2.

Why this answer

The annualized rate of occurrence (ARO) is derived from the formula ALE = SLE × ARO. Given ALE = $500,000 and SLE = $2,500,000, solving for ARO yields $500,000 / $2,500,000 = 0.2. This means the core banking system is expected to experience a loss event once every five years on average.

Exam trap

The trap here is that candidates often mistakenly invert the formula, dividing SLE by ALE to get 5.0, or confuse ARO with a percentage, leading to 0.5, instead of correctly applying ALE = SLE × ARO to solve for ARO.

How to eliminate wrong answers

Option A is wrong because 5.0 would result from incorrectly dividing SLE by ALE (2,500,000 / 500,000), which reverses the formula. Option B is wrong because 2.0 would come from dividing ALE by a misapplied factor or confusing ARO with a multiplier. Option C is wrong because 0.5 would arise from misplacing the decimal or assuming a 50% chance per year, which does not match the calculated ratio.

21
MCQhard

Your organization is undergoing a merger and acquisition. The IT risk assessment team is tasked with evaluating the target company's IT environment. During the assessment, you discover that the target company uses a legacy ERP system that is no longer supported by the vendor. They have no disaster recovery plan for this system, and it contains financial data critical to the merged entity. The integration timeline is aggressive, and replacing the system would delay the merger by 18 months. The executive team is reluctant to delay. What is the BEST risk treatment option?

A.Avoid the risk by excluding the legacy system from the merger and migrating data to a new system.
B.Accept the risk because the system has been running for years without issue.
C.Mitigate by developing a disaster recovery plan and implementing compensating controls such as regular backups and manual procedures.
D.Transfer the risk to the target company's previous owners.
AnswerC

Addresses key weaknesses without delaying merger.

Why this answer

Option C is correct because the legacy ERP system contains critical financial data and cannot be replaced without an 18-month delay, making risk mitigation the most practical approach. Developing a disaster recovery plan and implementing compensating controls (e.g., regular backups, manual procedures) reduces the likelihood and impact of a system failure while allowing the merger to proceed on schedule. This aligns with the CRISC principle of treating risk by reducing residual risk to an acceptable level without blocking business objectives.

Exam trap

The trap here is that candidates may choose Option B (accept the risk) because the system has been stable historically, but CRISC expects you to recognize that unsupported systems with no DR plan represent an unmanaged risk that requires active mitigation, not passive acceptance.

How to eliminate wrong answers

Option A is wrong because excluding the legacy system and migrating data to a new system would effectively replace it, causing the same 18-month delay the executive team wants to avoid; this is a risk avoidance strategy that is not feasible given the aggressive timeline. Option B is wrong because accepting the risk based solely on historical uptime ignores the fact that the system is unsupported, has no disaster recovery plan, and contains critical financial data—past performance does not guarantee future reliability, especially without vendor patches or support. Option D is wrong because transferring risk to the target company's previous owners is impractical post-acquisition; contractual indemnification may exist, but it does not address the ongoing operational risk of the unsupported system within the merged entity, and such transfer is typically limited to legal liability, not technical risk.

22
MCQhard

A company has a low risk appetite but high risk tolerance. Which of the following scenarios is consistent with this situation?

A.The company avoids controls and accepts high risk
B.The company invests heavily in cybersecurity controls but accepts some residual risk
C.The company has aggressive growth targets and accepts any IT risk
D.The company invests minimally in controls and has low residual risk
AnswerB

Low appetite drives control investment; high tolerance allows acceptance of remaining risk within bounds.

Why this answer

A low risk appetite means the company is unwilling to accept high levels of risk, while high risk tolerance indicates it can absorb the financial or operational impact of residual risk that remains after controls are applied. Investing heavily in cybersecurity controls reduces inherent risk to a low residual level, aligning with the low appetite, and the acceptance of some residual risk is consistent with the high tolerance. This scenario reflects a balanced approach where controls are prioritized to meet appetite, and tolerance allows for manageable leftover risk.

Exam trap

The trap here is confusing risk appetite (the willingness to take risk) with risk tolerance (the capacity to withstand risk), leading candidates to incorrectly associate high tolerance with accepting high risk, when in fact high tolerance allows for acceptance of residual risk after controls are applied.

How to eliminate wrong answers

Option A is wrong because avoiding controls and accepting high risk directly contradicts a low risk appetite, which demands risk reduction, not acceptance of high risk. Option C is wrong because aggressive growth targets and accepting any IT risk ignore the low risk appetite, which would reject unmitigated high-risk initiatives. Option D is wrong because investing minimally in controls would leave high inherent risk unaddressed, resulting in residual risk that exceeds a low appetite, and low residual risk cannot be achieved without adequate controls.

23
MCQeasy

Which of the following is the BEST indicator that an organization's IT risk assessment process is effective?

A.The risk register contains a large number of risks
B.Risk appetite statements are clearly defined
C.Risk assessments are performed annually
D.Risk treatment plans are implemented within agreed timelines
AnswerD

Implementation shows action.

Why this answer

The effectiveness of an IT risk assessment process is ultimately measured by whether identified risks are actually treated within agreed timelines. Option D directly demonstrates that the organization moves from risk identification to remediation, closing the risk management loop. Without timely implementation of treatment plans, even the most thorough risk assessments provide no reduction in actual risk exposure.

Exam trap

The trap here is that candidates confuse inputs or prerequisites (like risk appetite or scheduled assessments) with the output-based evidence of effectiveness, which is the actual closure of risk treatment actions within agreed timelines.

How to eliminate wrong answers

Option A is wrong because a large number of risks in the register does not indicate effectiveness; it may indicate poor risk aggregation, excessive risk tolerance, or failure to treat risks. Option B is wrong because clearly defined risk appetite statements are a prerequisite for effective risk assessment, not a measure of the assessment process itself. Option C is wrong because performing risk assessments annually only indicates compliance with a schedule, not that the assessments are accurate, actionable, or lead to risk reduction.

24
MCQmedium

A healthcare organization is implementing a new electronic health records (EHR) system. During the risk assessment, the risk practitioner discovers that the system's access control mechanism allows any authenticated user to view patient records without additional authorization checks. This violates the principle of least privilege and could lead to unauthorized disclosure of protected health information (PHI). The IT team proposes implementing role-based access control (RBAC), but it will require significant changes to the system configuration and user training. The project manager is concerned about delays to the go-live date. The organization has a moderate risk appetite but must comply with HIPAA regulations. Which of the following actions should the risk practitioner recommend FIRST?

A.Accept the risk because the likelihood of unauthorized access is low.
B.Implement a temporary compensating control, such as logging and monitoring all accesses to patient records, and proceed with go-live while RBAC is developed.
C.Proceed with the go-live as scheduled and plan to implement RBAC in a future upgrade.
D.Delay the go-live until RBAC is fully implemented to ensure compliance.
AnswerB

Compensating controls reduce risk while avoiding delays.

Why this answer

Option B is correct because it balances the immediate need to go live with the critical requirement to protect PHI. Logging and monitoring all accesses acts as a detective compensating control, providing visibility into unauthorized disclosures while the more robust RBAC preventive control is developed. This approach aligns with the organization's moderate risk appetite and HIPAA compliance obligations by not accepting the risk outright, but also not delaying the project unnecessarily.

Exam trap

The trap here is that candidates often choose 'accept the risk' (A) or 'delay go-live' (D) because they focus on either risk appetite or compliance in isolation, failing to recognize that compensating controls can bridge the gap between operational urgency and regulatory requirements.

How to eliminate wrong answers

Option A is wrong because accepting the risk of unauthorized PHI disclosure violates HIPAA's requirement for appropriate administrative, physical, and technical safeguards, and the likelihood of unauthorized access is not low given that any authenticated user can view records. Option C is wrong because proceeding with go-live without any compensating control and planning RBAC for a future upgrade leaves a known high-risk vulnerability unaddressed, which is not acceptable under HIPAA's 'addressable' implementation specifications. Option D is wrong because delaying go-live until RBAC is fully implemented, while technically compliant, is overly conservative for an organization with a moderate risk appetite and ignores the possibility of using compensating controls to mitigate the risk in the interim.

25
MCQmedium

An organization's risk register contains a risk with a very high impact but very low likelihood. The risk response strategy should be:

A.Mitigate
B.Avoid
C.Transfer
D.Accept
AnswerD

Acceptance is common for low-likelihood, high-impact risks.

Why this answer

When a risk has very high impact but very low likelihood, the most cost-effective response is often acceptance, because the probability of occurrence is so low that the cost of mitigation, avoidance, or transfer would exceed the expected benefit. Accepting the risk means the organization formally acknowledges it and monitors it, but does not allocate resources to reduce or transfer it. This aligns with the principle of risk appetite and cost-benefit analysis in IT risk management.

Exam trap

The trap here is that candidates mistakenly choose 'Mitigate' or 'Transfer' for any high-impact risk, failing to weigh the low likelihood against the cost of the response, which is a core concept in risk treatment decisions.

How to eliminate wrong answers

Option A is wrong because mitigation involves reducing the likelihood or impact through controls, which would incur ongoing costs that are not justified for a risk with very low likelihood. Option B is wrong because avoidance means eliminating the risk entirely by discontinuing the activity, which is an extreme measure that would likely disrupt business operations unnecessarily for a low-probability event. Option C is wrong because transfer (e.g., insurance or outsourcing) typically involves premium payments or contractual costs that are not warranted when the likelihood of the risk materializing is negligible.

26
Multi-Selecthard

Which THREE of the following are typical components of a risk scenario?

Select 3 answers
A.Impact
B.Threat source
C.Probability
D.Vulnerability
E.Control
AnswersA, B, D

Describes the consequence of the event.

Why this answer

Impact is a typical component of a risk scenario because it defines the magnitude of harm to assets or business objectives if a threat exploits a vulnerability. In IT risk assessment, impact is quantified in terms of financial loss, reputational damage, or operational disruption, and it directly influences risk level calculations. Without impact, a risk scenario would lack the consequence necessary for prioritization and decision-making.

Exam trap

The trap here is that candidates confuse the components of a risk scenario (threat source, vulnerability, impact) with the elements of risk analysis (probability, control effectiveness), leading them to incorrectly select Probability or Control as scenario components.

27
Multi-Selecteasy

Which TWO of the following are key elements that should be included in an IT risk assessment report?

Select 2 answers
A.A list of identified risks and their ratings
B.Recommendations for risk treatment
C.Copies of vendor contracts
D.Network topology diagrams
E.Detailed financial budgets of the IT department
AnswersA, B

Risk inventory is fundamental.

Why this answer

Option A is correct because the IT risk assessment report must document all identified risks along with their inherent and residual risk ratings (typically using a qualitative or quantitative scale such as 1-5 for likelihood and impact). This provides a clear, prioritized view of the risk landscape, enabling stakeholders to understand which risks require immediate attention. Without this list and ratings, the report lacks the foundational data needed for decision-making.

Exam trap

The trap here is that candidates confuse supporting documentation (like vendor contracts or network diagrams) with the core required elements of a risk assessment report, which must focus on risk identification, ratings, and treatment recommendations.

28
MCQmedium

During a risk assessment for a cloud migration project, the IT risk manager identifies that the organization lacks visibility into the cloud provider's security controls. Which approach should the risk manager recommend to address this risk?

A.Obtain a third-party audit report (e.g., SOC 2 Type II).
B.Request the provider to self-attest their controls.
C.Accept the risk based on the provider's reputation.
D.Conduct a penetration test on the provider's infrastructure.
AnswerA

Provides independent assurance of control effectiveness.

Why this answer

A SOC 2 Type II report provides an independent, third-party assessment of a cloud provider's controls over a period of time, directly addressing the lack of visibility by offering verifiable evidence of control effectiveness. This is the standard approach for gaining assurance over a provider's security posture without relying on internal access or self-reporting.

Exam trap

The trap here is that candidates may choose penetration testing (D) as a direct technical solution, not realizing that cloud providers typically restrict such testing and that a SOC 2 report is the established, non-invasive method for gaining visibility into a provider's controls.

How to eliminate wrong answers

Option B is wrong because self-attestation lacks independent verification and is inherently biased, providing no reliable assurance to the risk manager. Option C is wrong because accepting risk based solely on reputation ignores the specific control environment and does not provide any evidence or visibility into actual security practices. Option D is wrong because conducting a penetration test on the provider's infrastructure is typically prohibited by the provider's terms of service and would not be feasible or authorized without a contractual agreement, nor does it replace the need for ongoing control assurance.

29
MCQhard

A multinational organization is assessing the risk of a new cloud service that stores data across multiple geographic regions. The service provider offers standard contractual terms and does not commit to specific data residency requirements. What is the primary risk that should be evaluated?

A.Service availability and uptime commitments.
B.Non-compliance with data protection regulations due to data location uncertainty.
C.Unauthorized access to data by cloud provider employees.
D.Inadequate encryption of data at rest and in transit.
AnswerB

Without data residency commitments, the organization may violate laws requiring data to stay within certain jurisdictions.

Why this answer

Non-compliance with data protection regulations (Option B) is the primary risk because data residency determines the legal obligations that apply, especially under GDPR and similar laws.

30
MCQeasy

Based on the exhibit, which of the following is the MOST likely risk scenario?

A.A denial-of-service attack on the SSH service
B.A brute-force attack targeting the root account
C.A successful privilege escalation by an insider
D.A misconfigured firewall allowing unauthorized access
AnswerB

Multiple failed password attempts in quick succession suggest a brute-force attack.

Why this answer

The exhibit shows repeated failed login attempts for the root account, which is a classic indicator of a brute-force attack. SSH logs typically record authentication failures, and a high frequency of 'Failed password for root' entries from a single source IP strongly suggests an automated password guessing attempt. This aligns with the risk scenario of a brute-force attack targeting the root account.

Exam trap

The trap here is that candidates may confuse authentication failure logs with network-level attacks (DoS or firewall misconfiguration) or assume that any failed login implies a successful breach, when in fact the logs only show the attempt, not the outcome.

How to eliminate wrong answers

Option A is wrong because a denial-of-service attack on the SSH service would manifest as connection timeouts, resource exhaustion, or service unavailability, not repeated authentication failure logs. Option C is wrong because a successful privilege escalation by an insider would show evidence of a normal user account gaining elevated privileges (e.g., via sudo or kernel exploit), not repeated root login attempts. Option D is wrong because a misconfigured firewall allowing unauthorized access would result in unexpected network traffic reaching the server, but the logs specifically show authentication failures, not firewall rule violations or allowed connections from unauthorized IPs.
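As an added example, not part of the original question set, the following script applies the detection logic the explanation describes to constructed sshd log lines: it counts 'Failed password' entries per source IP and account inside a sliding time window and, because the logs only show the attempt and not the outcome, also reports whether a later 'Accepted' event from the same source follows the burst. The hostname, addresses (TEST-NET ranges), threshold and log year are assumptions.

```python
"""Flag SSH brute-force patterns in sshd auth log lines.

Added example for the exhibit-based question above; it is not part of the
original page. The log lines below are constructed for illustration and use
source addresses from the TEST-NET ranges reserved for documentation.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd entries in classic syslog format (no year, as on most hosts).
SAMPLE_LOG = """\
Mar 10 14:02:11 bank-app01 sshd[2345]: Failed password for root from 203.0.113.45 port 51234 ssh2
Mar 10 14:02:12 bank-app01 sshd[2345]: Failed password for root from 203.0.113.45 port 51234 ssh2
Mar 10 14:02:14 bank-app01 sshd[2347]: Failed password for root from 203.0.113.45 port 51236 ssh2
Mar 10 14:02:15 bank-app01 sshd[2349]: Failed password for root from 203.0.113.45 port 51238 ssh2
Mar 10 14:02:17 bank-app01 sshd[2351]: Failed password for root from 203.0.113.45 port 51240 ssh2
Mar 10 14:02:19 bank-app01 sshd[2353]: Failed password for root from 203.0.113.45 port 51242 ssh2
Mar 10 14:02:21 bank-app01 sshd[2355]: Accepted password for root from 203.0.113.45 port 51244 ssh2
Mar 10 14:05:02 bank-app01 sshd[2401]: Failed password for alice from 198.51.100.7 port 40110 ssh2
Mar 10 14:05:40 bank-app01 sshd[2402]: Accepted publickey for alice from 198.51.100.7 port 40112 ssh2
Mar 10 14:09:30 bank-app01 sshd[2450]: Failed password for invalid user admin from 203.0.113.99 port 33001 ssh2
Mar 10 14:09:31 bank-app01 sshd[2451]: Failed password for invalid user admin from 203.0.113.99 port 33002 ssh2
"""

# One pattern covers both outcomes so attempts and successes are tracked together.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

LOG_YEAR = 2024  # assumption: syslog lines carry no year, so one is supplied for parsing


def parse_events(log_text):
    """Return a list of (timestamp, outcome, user, ip) tuples for sshd auth results."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # lines that are not authentication results are ignored
        ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["outcome"], m["user"], m["ip"]))
    return events


def detect_bruteforce(events, threshold=5, window_seconds=60):
    """Flag (ip, user) pairs with >= threshold failures inside any sliding window.

    Each finding records the peak failure count and whether an Accepted event
    from the same source for the same account occurred after the failures began:
    the failures alone prove only an attempt, a later success is what escalates
    the finding from brute-force attempt to possible compromise.
    """
    failures = defaultdict(list)   # (ip, user) -> failure timestamps, chronological
    successes = defaultdict(list)  # (ip, user) -> success timestamps
    for ts, outcome, user, ip in sorted(events):
        (failures if outcome == "Failed" else successes)[(ip, user)].append(ts)

    findings = {}
    for key, stamps in failures.items():
        start, best = 0, 0
        for end, ts in enumerate(stamps):
            # Slide the window start forward until it lies within window_seconds of ts.
            while (ts - stamps[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            later_success = any(s > stamps[0] for s in successes.get(key, []))
            findings[key] = {"failures_in_window": best, "followed_by_success": later_success}
    return findings


if __name__ == "__main__":
    for (ip, user), info in detect_bruteforce(parse_events(SAMPLE_LOG)).items():
        status = "SUCCESS AFTER BURST" if info["followed_by_success"] else "attempts only"
        print(f"{ip} -> {user}: {info['failures_in_window']} failures in window ({status})")
```

With the defaults only the root burst from 203.0.113.45 is flagged, and it is marked as followed by a success; the two 'invalid user admin' failures stay below threshold unless it is lowered.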

31
MCQhard

A company is evaluating control effectiveness for a critical system. The control fails 10% of the time when tested. The inherent risk level is 'high'. What is the effect on residual risk?

A.Residual risk is unchanged
B.Residual risk is high
C.Residual risk is low
D.Residual risk is medium
AnswerB

Control failure rate of 10% does not sufficiently reduce inherent risk.

Why this answer

Residual risk is the risk remaining after controls are applied. With a control that fails 10% of the time and an inherent risk level of 'high', the residual risk remains high because the control is not sufficiently effective to bring the risk down to a lower level. In risk assessment, a control with a 10% failure rate is considered ineffective against a high inherent risk, so the residual risk level stays in the high category.

Exam trap

The trap here is that candidates mistakenly think a control that works 90% of the time is effective enough to reduce residual risk, but for a high inherent risk, even a 10% failure rate leaves the residual risk high because the control is not sufficiently reliable.

How to eliminate wrong answers

Option A is wrong because residual risk is not unchanged; it is directly affected by control effectiveness, and a failing control does not reduce the inherent risk. Option C is wrong because residual risk cannot be low when the control fails 10% of the time and the inherent risk is high; low residual risk would require a highly effective control. Option D is wrong because medium residual risk would imply a moderate reduction, but a 10% failure rate for a high inherent risk does not achieve that; the risk remains high.

32
MCQeasy

An IT risk manager is facilitating a brainstorming session to identify threats. Which technique is BEST suited for identifying a wide range of potential threats?

A.Conduct a facilitated workshop with cross-functional stakeholders
B.Use a standard threat checklist
C.Review historical incident logs
D.Interview the heads of each department individually
AnswerA

Collaborative workshops leverage diverse expertise and are effective for threat identification.

Why this answer

A facilitated workshop with cross-functional stakeholders is best suited for brainstorming because it leverages diverse perspectives from IT, business, legal, and operations teams to identify a wide range of threats, including emerging and non-obvious ones. This collaborative approach aligns with the CRISC emphasis on qualitative risk assessment techniques that surface unknown unknowns, which static checklists or historical data cannot capture.

Exam trap

The trap here is that candidates often choose a standard threat checklist (Option B) because it seems systematic and comprehensive, but the question asks for the technique BEST suited for identifying a wide range of potential threats, which requires creative, collaborative exploration beyond predefined lists.

How to eliminate wrong answers

Option B is wrong because a standard threat checklist is inherently limited to predefined threats and cannot identify novel or context-specific threats that emerge from the unique environment or technology stack. Option C is wrong because reviewing historical incident logs only reveals threats that have already materialized, missing latent or future-oriented threats that have not yet occurred. Option D is wrong because interviewing department heads individually lacks the synergistic cross-pollination of ideas that occurs in a group workshop, often resulting in siloed perspectives and missed interdependencies.

33
MCQhard

During a risk assessment, the risk team identifies that a legacy system has multiple known vulnerabilities that cannot be patched. The system is critical for operations. Which of the following risk treatment options is MOST appropriate?

A.Accept the risk and monitor
B.Remediate by applying patches from the vendor
C.Avoid the risk by decommissioning the system
D.Mitigate by implementing compensating controls
AnswerD

Reduces risk while preserving system functionality.

Why this answer

Since the legacy system cannot be patched (Option B is impossible) and is critical for operations (decommissioning would disrupt the business, making Option C too drastic), the most appropriate treatment is to implement compensating controls. These controls, such as network segmentation, strict access controls, or an application-layer firewall, reduce the likelihood or impact of exploitation without modifying the vulnerable system itself, aligning with the risk mitigation strategy.

Exam trap

The trap here is that candidates often choose 'Accept the risk and monitor' (Option A) because they confuse 'acceptance' with a valid risk response for unpatched systems, failing to recognize that acceptance requires a formal decision and compensating controls when vulnerabilities are known and exploitable on critical assets.

How to eliminate wrong answers

Option A is wrong because accepting the risk without active monitoring or compensating controls is inappropriate when known, exploitable vulnerabilities exist on a critical system; passive acceptance increases exposure unnecessarily. Option B is wrong because the scenario explicitly states the system cannot be patched, making remediation via vendor patches technically infeasible. Option C is wrong because decommissioning a critical system would avoid the risk but at the cost of severe operational disruption, which is not the most appropriate response when compensating controls can reduce risk while maintaining operations.

34
Multi-Selectmedium

An organization is conducting a risk assessment of its remote access infrastructure. Which THREE of the following are typical components of a risk assessment report? (Select THREE.)

Select 3 answers
A.Risk register with identified risks and ratings
B.Detailed network architecture diagrams
C.Logs of all remote access sessions
D.Legal disclaimers
E.Recommended control improvements
AnswersA, D, E

The risk register is a key component of the report.

Why this answer

A risk register is a core component of a risk assessment report because it formally documents each identified risk, its likelihood, impact, and risk rating (e.g., using a 5x5 matrix). This provides a structured, auditable record that supports decision-making and compliance with frameworks like ISO 31000 or NIST SP 800-30.

Exam trap

The trap here is that candidates confuse operational data (like logs or network diagrams) with risk assessment outputs, forgetting that a risk assessment report is a strategic summary, not a dump of raw technical details.

35
Multi-Selectmedium

Which TWO controls are most effective for reducing the risk of data leakage from endpoints in a remote work environment?

Select 2 answers
A.Conduct regular phishing simulation campaigns.
B.Implement Data Loss Prevention (DLP) software.
C.Enforce complex password policies for local accounts.
D.Require full-disk encryption on all laptops.
E.Use a VPN for all remote connections.
AnswersB, D

DLP monitors and controls data movement, directly reducing leakage risk.

Why this answer

Data Loss Prevention (DLP) software is highly effective because it monitors, detects, and blocks unauthorized transfers of sensitive data (e.g., PII, IP) from endpoints by inspecting content in motion, at rest, and in use. Full-disk encryption (FDE) protects data at rest by rendering the drive unreadable without the decryption key, mitigating leakage if a device is lost or stolen. Together, they address both active exfiltration and passive physical theft.

Exam trap

ISACA often tests the misconception that a VPN provides comprehensive data protection, but in reality it only secures data in transit, not data at rest or data in use on the endpoint.

36
MCQmedium

During an IT risk assessment for a new cloud-based customer relationship management (CRM) system, the risk practitioner identifies that the vendor's data center is located in a country with different data protection regulations. Which of the following is the MOST appropriate next step?

A.Conduct a legal review to assess regulatory implications and contractual safeguards.
B.Recommend migrating to a different cloud provider.
C.Implement technical controls to encrypt data in transit and at rest.
D.Accept the risk because the vendor is compliant with industry standards.
AnswerA

Legal review ensures compliance and identifies necessary controls.

Why this answer

When a cloud vendor's data center is in a jurisdiction with different data protection regulations, the immediate priority is to understand the legal and contractual implications before making any technical or risk acceptance decisions. A legal review will identify specific regulatory conflicts (e.g., GDPR vs. local law) and assess whether existing contractual safeguards (such as Standard Contractual Clauses or Binding Corporate Rules) adequately address the gap. This step ensures that subsequent risk treatment decisions are informed by compliance requirements rather than assumptions.

Exam trap

The trap here is that candidates often jump to technical controls (encryption) as a universal solution, overlooking that regulatory compliance is a legal and contractual issue that cannot be fully resolved by encryption alone.

How to eliminate wrong answers

Option B is wrong because recommending migration to a different cloud provider is premature without first understanding whether the current vendor's legal and contractual framework can be remediated; migration may be unnecessary or more costly than adjusting safeguards. Option C is wrong because implementing technical controls like encryption (e.g., TLS 1.3 for transit, AES-256 for at-rest) addresses data confidentiality but does not resolve regulatory compliance issues such as data residency, lawful access by foreign governments, or cross-border transfer restrictions. Option D is wrong because accepting risk based solely on vendor compliance with industry standards (e.g., ISO 27001) ignores the fact that regulatory requirements are jurisdiction-specific and may impose obligations beyond those standards.

37
Multi-Select · easy

An organization is performing a business impact analysis (BIA) for its critical applications. Which TWO of the following are primary objectives of a BIA?

Select 2 answers
A. Prioritize recovery of business processes based on criticality.
B. Determine the likelihood of each threat event.
C. Identify the maximum acceptable outage (MAO) for each process.
D. Calculate the annualized loss expectancy (ALE).
E. Select appropriate risk response strategies.
Answers: A, C

BIA prioritizes processes for recovery.

Why this answer

Option A is correct because a primary objective of a BIA is to prioritize the recovery of business processes based on their criticality to the organization. This prioritization directly informs the recovery time objectives (RTOs) and resource allocation for each process, ensuring that the most critical functions are restored first during a disruption.

Exam trap

The trap here is that candidates confuse the BIA with the broader risk assessment process, mistakenly selecting options like determining threat likelihood or calculating ALE, which are distinct activities performed after the BIA is complete.

38
MCQ · medium

A risk assessment reveals that a legacy system has a high vulnerability score but low business criticality. The cost to remediate is high. What is the MOST appropriate risk response?

A. Avoid the risk by decommissioning the system
B. Accept the risk and monitor it
C. Mitigate the vulnerability with a patch
D. Transfer the risk via a managed security service
Answer: B

Acceptance is appropriate when cost outweighs benefit.

Why this answer

Option B is correct because acceptance is appropriate when the cost of mitigation exceeds the potential loss. Option A is wrong because avoidance (decommissioning) might not be necessary for a system of low business criticality. Option C is wrong because mitigation (patching) might not be cost-effective given the high remediation cost.

Option D is wrong because transfer might not be possible for legacy systems.

39
MCQ · hard

A financial institution is assessing the risk of a new real-time payment system. The risk manager calculates that the annualized loss expectancy (ALE) for a potential fraud scenario is $500,000. The cost to implement a fraud detection solution is $200,000 initially with $50,000 annual maintenance. The solution is expected to reduce the ALE by 80%. What is the net benefit of implementing the solution over three years?

A. $1,000,000
B. $950,000
C. $800,000
D. $850,000
Answer: D

Correctly accounts for all costs and benefits.

Why this answer

The correct answer is D because the net benefit over three years is calculated as the reduction in ALE minus the total cost of the solution. The original ALE is $500,000 per year, and an 80% reduction saves $400,000 annually. Over three years, total savings are $1,200,000.

The total cost includes the initial $200,000 plus three years of maintenance at $50,000 each ($150,000), totaling $350,000. Net benefit = $1,200,000 - $350,000 = $850,000.

Exam trap

The trap here is that candidates often forget to include the annual maintenance costs over the full three-year period or mistakenly apply the 80% reduction to the total cost instead of the ALE, leading to incorrect net benefit calculations.

How to eliminate wrong answers

Option A is wrong because it incorrectly assumes the full ALE ($500,000) is saved each year without accounting for the 80% reduction factor, leading to an overestimation of $1,000,000 net benefit. Option B is wrong because it likely miscalculates the total cost or savings, perhaps omitting the initial implementation cost or misapplying the reduction percentage, resulting in $950,000. Option C is wrong because it may only consider the first year's net benefit or incorrectly subtract the total cost from a single year's savings, yielding $800,000.

40
Multi-Select · hard

Which THREE of the following are effective risk treatment strategies?

Select 3 answers
A. Accept the risk without any analysis
B. Avoid the risk by discontinuing the activity
C. Ignore the risk if it has not materialized yet
D. Implement compensating controls to reduce risk
E. Transfer the risk through outsourcing
Answers: B, D, E

Avoidance eliminates risk entirely.

Why this answer

Option B is correct because avoiding risk by discontinuing the activity is a recognized risk treatment strategy under the ISACA Risk IT framework. By ceasing the activity that introduces the risk, the organization eliminates the possibility of the risk event occurring, which is a valid and often necessary response when the risk exceeds the organization's risk appetite and cannot be cost-effectively mitigated or transferred.

Exam trap

The trap here is confusing 'ignoring' or 'uninformed acceptance' with the legitimate risk acceptance strategy, which requires documented analysis and approval, and assuming that risks that have not yet materialized can be safely disregarded.

41
Multi-Select · hard

Which THREE factors should be considered when determining the likelihood of a threat exploiting a vulnerability?

Select 3 answers
A. Ease of exploitation
B. Regulatory fines
C. Asset value
D. Existing controls
E. Threat actor capability
Answers: A, D, E

Easier exploitation increases likelihood.

Why this answer

Ease of exploitation (A) is a key factor because it directly influences how readily a threat actor can leverage a vulnerability. For example, a vulnerability with a public exploit script or one that requires only low privileges is far more likely to be exploited than one requiring complex, custom tooling. This aligns with the CVSS exploitability metrics (Attack Vector, Attack Complexity, Privileges Required, User Interaction) that quantify how easy it is to trigger the vulnerability.

Exam trap

The trap here is confusing factors that determine likelihood (probability of occurrence) with factors that determine impact (consequences), leading candidates to incorrectly select asset value or regulatory fines as likelihood inputs.

42
Multi-Select · medium

An IT risk manager is performing a risk assessment for a new cloud service. Which TWO of the following are key inputs to the risk identification process?

Select 2 answers
A. Risk appetite statement
B. Threat intelligence feeds
C. Control testing results
D. Residual risk levels
E. Asset inventory
Answers: B, E

Threat intelligence helps identify potential threats.

Why this answer

Threat intelligence feeds (B) provide current information about emerging threats, attack vectors, and adversary tactics, which are essential for identifying relevant risks to the cloud service. An asset inventory (E) is a foundational input because it lists all assets (e.g., data, VMs, APIs) that could be affected, enabling the risk manager to map threats to specific resources. Both are direct inputs to the risk identification phase, as defined by the CRISC framework.

Exam trap

The trap here is that candidates often confuse risk identification inputs with outputs from later phases, such as control testing results (C) or residual risk levels (D), because they are familiar terms in the overall risk management process but are not used at the start of identification.

43
MCQ · medium

You are the IT risk manager for a financial institution. During a routine vulnerability scan, you discover that a critical web application has a high-severity vulnerability that could allow remote code execution. The development team states that a patch is not yet available from the vendor, and the application is business-critical with no acceptable downtime. The risk owner wants to accept the risk. However, the organization's risk appetite is very low for security vulnerabilities. You have been asked to recommend a course of action. Which of the following should you recommend?

A. Transfer the risk by purchasing cyber insurance.
B. Decommission the application immediately.
C. Implement a web application firewall (WAF) with virtual patching to reduce exploitability.
D. Accept the risk as the team will monitor for patches.
Answer: C

Provides compensating control until patch is available.

Why this answer

Option C is correct because implementing a web application firewall (WAF) with virtual patching provides an immediate, compensating control that reduces the exploitability of the vulnerability without requiring application downtime. This aligns with the organization's low risk appetite by actively mitigating the risk while waiting for an official vendor patch, rather than passively accepting it.

Exam trap

The trap here is that candidates may confuse risk transfer (insurance) with risk mitigation, or assume that accepting risk is always valid when the risk owner agrees, ignoring the organization's stated risk appetite.

How to eliminate wrong answers

Option A is wrong because purchasing cyber insurance transfers financial risk, not technical risk; the vulnerability remains exploitable, and insurance does not prevent a breach or reduce the likelihood of exploitation. Option B is wrong because decommissioning the application immediately would cause unacceptable business downtime, contradicting the requirement that the application is business-critical with no acceptable downtime. Option D is wrong because accepting the risk while monitoring for patches violates the organization's very low risk appetite for security vulnerabilities; passive acceptance without active mitigation is not appropriate when the risk appetite is low.

44
MCQ · easy

During a risk assessment, a risk owner is unsure about the likelihood rating for a specific threat. Which of the following is the BEST source of information to determine the likelihood?

A. Vendor documentation
B. The risk owner's personal opinion
C. The organization's financial statements
D. Historical incident data from industry reports
Answer: D

Provides objective data on actual occurrences.

Why this answer

Historical incident data from industry reports provides empirical evidence of threat frequency and impact across similar environments, making it the most objective and reliable source for determining likelihood. Unlike subjective opinions or unrelated financial data, industry reports aggregate real-world occurrences, enabling a data-driven risk assessment that aligns with the organization's threat landscape.

Exam trap

ISACA often tests the misconception that the risk owner's personal experience or vendor claims are sufficient for likelihood determination, but the correct approach relies on objective, historical data from industry sources to avoid bias and ensure repeatable risk scoring.

How to eliminate wrong answers

Option A is wrong because vendor documentation typically focuses on product capabilities, configurations, and known vulnerabilities, not on the frequency or probability of threat events in operational environments. Option B is wrong because the risk owner's personal opinion introduces subjective bias and lacks empirical evidence, which can lead to inaccurate likelihood ratings that do not reflect actual threat patterns. Option C is wrong because the organization's financial statements contain monetary data about assets and losses, but they do not provide historical frequency or probability metrics needed to assess threat likelihood.

45
MCQ · medium

A company is implementing a new cloud-based customer relationship management (CRM) system. The IT risk manager needs to assess the risk of data exfiltration by a malicious insider at the cloud provider. Which risk assessment approach is most appropriate for this scenario?

A. Quantitative risk assessment using ALE and SLE
B. Application of the COSO ERM framework
C. Scenario analysis with a focus on likelihood and impact
D. Control self-assessment (CSA) against ISO 27001
Answer: C

Scenario analysis effectively evaluates specific threat scenarios like insider data exfiltration.

Why this answer

Scenario analysis is most appropriate because the risk of data exfiltration by a malicious insider at the cloud provider is a complex, low-frequency, high-impact threat that is difficult to quantify with historical data. This approach allows the risk manager to systematically evaluate specific attack paths (e.g., an insider with database access copying customer records) by focusing on likelihood and impact, which aligns with the qualitative nature of insider threat assessment in a cloud environment.

Exam trap

The trap here is that candidates often choose quantitative risk assessment (A) because it seems more rigorous, but they fail to recognize that insider threats at a cloud provider lack the historical data needed for ALE/SLE calculations, making scenario analysis the practical and most appropriate approach per CRISC best practices.

How to eliminate wrong answers

Option A is wrong because quantitative risk assessment using ALE and SLE requires reliable historical data on frequency and loss magnitude, which is typically unavailable for malicious insider threats at a cloud provider due to the rarity and variability of such events. Option B is wrong because the COSO ERM framework is an enterprise-level governance and internal control framework, not a specific risk assessment methodology for analyzing a discrete technical threat like data exfiltration by a cloud provider insider. Option D is wrong because control self-assessment (CSA) against ISO 27001 evaluates the effectiveness of existing controls against a standard, but it does not directly assess the likelihood and impact of a specific threat scenario like malicious insider data exfiltration.

46
MCQ · easy

Which of the following is the BEST indicator that a control is effective in mitigating a risk?

A. Regular testing shows the control consistently reduces the risk to the desired level
B. The control is automated and runs daily
C. The control is documented in a policy
D. The cost of the control is lower than the potential loss
Answer: A

Testing provides evidence that the control is achieving its objective.

Why this answer

Option A is correct because the effectiveness of a control is ultimately measured by its ability to consistently reduce residual risk to the organization's defined risk appetite. Regular testing provides empirical evidence that the control is operating as intended and achieving the desired risk mitigation outcome, which is the primary goal of risk treatment.

Exam trap

The trap here is that candidates often confuse control attributes (automation, documentation, cost) with direct evidence of effectiveness, but only regular testing provides the empirical proof that the control is actually reducing risk to the desired level.

How to eliminate wrong answers

Option B is wrong because automation and frequency of execution do not guarantee that the control is actually reducing risk to the desired level; a control can run daily but still be misconfigured or ineffective. Option C is wrong because documentation in a policy only indicates intent or design, not operational effectiveness; a control may be well-documented yet never implemented or poorly executed. Option D is wrong because cost-benefit analysis (cost of control vs. potential loss) is a factor in control selection and justification, not a direct measure of its effectiveness in mitigating risk; a low-cost control can still be ineffective.

47
MCQ · medium

A company has identified a risk of data exfiltration through an outdated encryption protocol. The risk assessment team determines that the likelihood is low, but the impact is very high. The company decides to update the encryption protocol. This risk response is an example of:

A. Risk transfer
B. Risk acceptance
C. Risk mitigation
D. Risk avoidance
Answer: C

Updating the encryption reduces the vulnerability, mitigating the risk.

Why this answer

Updating the encryption protocol directly reduces the vulnerability that could lead to data exfiltration, thereby lowering the likelihood or impact of the risk. This is the definition of risk mitigation, where controls are applied to reduce risk to an acceptable level. The action does not transfer, accept, or avoid the risk; it actively addresses the root cause.

Exam trap

The trap here is confusing risk mitigation with risk avoidance: candidates often think that updating a protocol 'avoids' the risk, but avoidance requires ceasing the risky activity entirely, whereas mitigation reduces the risk while continuing the activity.

How to eliminate wrong answers

Option A is wrong because risk transfer involves shifting the financial burden of a loss to a third party (e.g., cyber insurance or outsourcing), not updating a technical control like an encryption protocol. Option B is wrong because risk acceptance means formally acknowledging the risk and choosing to take no action, which contradicts the decision to update the protocol. Option D is wrong because risk avoidance would mean eliminating the activity that introduces the risk (e.g., discontinuing the use of the system or data transmission entirely), not updating the encryption to make it secure.

48
MCQ · easy

An organization is performing a risk assessment for its new customer relationship management (CRM) system. Which of the following is the BEST way to identify threats to the CRM?

A. Perform a vulnerability scan on the CRM server.
B. Conduct a threat modeling workshop with the development team.
C. Run a penetration test against the CRM application.
D. Review the business impact analysis for the CRM.
Answer: B

Threat modeling systematically identifies potential threats.

Why this answer

Threat modeling is a proactive, structured approach that identifies potential threats by analyzing the CRM's design, data flows, and trust boundaries. Unlike vulnerability scanning or penetration testing, which find existing weaknesses, threat modeling uncovers threats early in the lifecycle, such as SQL injection via customer input fields or privilege escalation in role-based access controls. This aligns with the CRISC focus on risk identification before controls are implemented.

Exam trap

The trap here is the distinction ISACA draws between threat identification (proactive, design-focused) and vulnerability assessment (reactive, implementation-focused); candidates who miss it tend to choose a technical test like a penetration test over a collaborative workshop.

How to eliminate wrong answers

Option A is wrong because a vulnerability scan only identifies known technical weaknesses (e.g., missing patches, misconfigurations) on the CRM server, not the broader set of threats like business logic flaws, insider threats, or data leakage through API endpoints. Option C is wrong because penetration testing validates exploitability of existing vulnerabilities but is a reactive, point-in-time test that misses threats not yet present in the code or configuration. Option D is wrong because a business impact analysis (BIA) assesses the consequences of disruption (e.g., financial loss, reputational damage) but does not identify specific threat sources or threat events targeting the CRM.

49
MCQ · easy

Which of the following is the PRIMARY purpose of conducting a business impact analysis (BIA) during the IT risk assessment process?

A. To determine the criticality and recovery time objectives of business processes
B. To identify vulnerabilities in IT systems
C. To identify potential threat actors
D. To inventory all IT assets
Answer: A

BIA focuses on business impact.

Why this answer

Option A is correct because the BIA identifies critical business processes and their recovery priorities. Option B is wrong because vulnerability assessment is a separate activity. Option C is wrong because threats are identified in threat modeling.

Option D is wrong because asset inventory is part of asset management.

50
Multi-Select · medium

Which TWO of the following are examples of risk avoidance?

Select 2 answers
A. Implementing a firewall
B. Purchasing cyber insurance
C. Accepting the risk
D. Migrating to a different technology platform
E. Discontinuing a high-risk business process
Answers: D, E

Changing platforms can avoid risks of the old platform.

Why this answer

Migrating to a different technology platform (Option D) is a risk avoidance strategy because it eliminates the risk entirely by moving away from the vulnerable or high-risk technology. For example, if an organization uses an outdated operating system with known unpatched vulnerabilities, migrating to a modern, supported platform removes the attack surface, avoiding the risk rather than mitigating or transferring it.

Exam trap

The trap here is that candidates confuse risk mitigation (e.g., implementing controls like firewalls) with risk avoidance, failing to recognize that avoidance requires completely eliminating the risk source, not just reducing it.

51
MCQ · medium

During a risk assessment, an organization identifies that its primary data center is located in a flood-prone area. Which risk treatment option would best address this risk?

A. Purchase business interruption insurance
B. Move all operations to a cloud provider
C. Implement flood barriers and redundant cooling systems
D. Accept the risk and document it in the risk register
Answer: C

This is a mitigation action.

Why this answer

Implementing flood barriers and redundant cooling systems directly reduces the likelihood and impact of a flood event on the data center's physical infrastructure. This is a risk mitigation strategy that proactively addresses the root cause of the risk (flooding) by hardening the facility, which is the most effective treatment for a high-probability, high-impact physical threat.

Exam trap

The trap here is that candidates often confuse risk transfer (insurance) with risk mitigation, failing to recognize that insurance does not prevent operational downtime or data loss, whereas physical controls directly reduce the risk's likelihood and impact.

How to eliminate wrong answers

Option A is wrong because purchasing business interruption insurance is a risk transfer strategy that only compensates for financial loss after an incident, but does not reduce the probability or impact of the flood itself; it leaves the organization's operations vulnerable to downtime. Option B is wrong because moving all operations to a cloud provider is a risk avoidance strategy that may be overly drastic and costly, and it does not address the underlying risk assessment of the existing data center; it also introduces new risks such as vendor lock-in and data sovereignty issues. Option D is wrong because accepting the risk without any active controls is inappropriate for a flood-prone location with high potential for catastrophic damage; risk acceptance is typically reserved for low-impact or low-probability risks, not for a clearly identified physical threat that can be mitigated.

52
MCQ · hard

An organization uses a quantitative risk analysis method. The annualized rate of occurrence (ARO) for a specific threat is 0.5, and the single loss expectancy (SLE) is $200,000. What is the annualized loss expectancy (ALE)?

A. $400,000
B. $100,000
C. $100,000
D. $200,000
Answer: B

ALE = ARO * SLE.

Why this answer

The annualized loss expectancy (ALE) is calculated as ARO × SLE = 0.5 × $200,000 = $100,000. This represents the expected annual financial loss from the threat, factoring in both the frequency of occurrence and the impact per incident.

Exam trap

The trap here is that candidates may confuse ARO with a probability (0.5) and mistakenly multiply by 2 instead of 0.5, or they may ignore the ARO entirely and select the SLE as the ALE, failing to annualize the loss correctly.

How to eliminate wrong answers

Option A ($400,000) is wrong because it incorrectly multiplies SLE by 2 instead of 0.5, possibly confusing ARO with a rate greater than 1 or misapplying the formula. Option C ($100,000) is a duplicate of the correct answer and thus not a distinct wrong option, but in the context of the list it is technically correct; however, the question presents two identical values, so the trap is that candidates might see two identical answers and second-guess themselves. Option D ($200,000) is wrong because it assumes the ARO is 1 (i.e., the threat occurs once per year), ignoring the given ARO of 0.5, which halves the annual loss.

53
MCQ · medium

During a risk assessment, a financial institution identifies that its online banking application uses an outdated encryption protocol. The likelihood of exploitation is high, and the impact is moderate. What should the risk owner do FIRST?

A. Implement a compensating control to mitigate the risk
B. Validate the risk rating with additional data
C. Transfer the risk via cyber insurance
D. Accept the risk as low priority
Answer: B

Validation ensures correct prioritization.

Why this answer

The risk owner's first responsibility is to ensure the risk assessment is accurate before deciding on a response. Validating the risk rating with additional data (option B) confirms that the high likelihood and moderate impact are correctly assessed, which is a prerequisite for selecting an appropriate treatment. Jumping to implement controls, transfer, or accept the risk without validation could lead to misallocation of resources or inadequate mitigation.

Exam trap

The trap here is that candidates often jump to selecting a risk treatment option (like implementing a control or transferring risk) without recognizing that the risk owner must first validate the risk rating to ensure the assessment is accurate and actionable.

How to eliminate wrong answers

Option A is wrong because implementing a compensating control is a risk treatment decision that should only occur after the risk rating is validated and a response strategy is chosen; acting prematurely may result in unnecessary or ineffective controls. Option C is wrong because transferring risk via cyber insurance is a specific treatment option that requires a validated risk rating to determine if transfer is cost-effective and appropriate; it is not the first step. Option D is wrong because accepting the risk as low priority contradicts the assessment's high likelihood and moderate impact, and acceptance should only be considered after validation confirms the rating and the risk is within the organization's appetite.

54
MCQ · hard

Based on the exhibit, which of the following poses the HIGHEST risk to the environment?

A. The web servers are in a public subnet
B. The communication between web and application servers is encrypted via HTTPS
C. The application servers use embedded credentials to access the database
D. The database has a direct SSH connection from the internet
Answer: D

Direct internet access to the database, even from a single IP, exposes a critical asset to external threats.

Why this answer

Option D is correct because a direct SSH connection from the internet to the database server bypasses all network segmentation and firewall controls, exposing the database to brute-force attacks, credential theft, and unauthorized remote access. SSH is a management protocol, not an application protocol, and its exposure on the internet creates a direct attack surface on the most sensitive data tier, which is the highest risk to the environment.

Exam trap

ISACA often tests the misconception that 'encryption always reduces risk' or that 'public subnets are inherently dangerous,' when in reality the highest risk is exposing management interfaces (like SSH) directly to the internet, not the application-layer exposure of web servers.

How to eliminate wrong answers

Option A is wrong because web servers are typically placed in a public subnet to serve traffic to users; this is a standard architectural design and not inherently high risk as long as proper security groups and WAFs are in place. Option B is wrong because HTTPS encryption between web and application servers protects data in transit from eavesdropping and tampering, which actually reduces risk rather than posing a risk. Option C is wrong because while embedded credentials are a security concern (they can be extracted from code), they do not expose the database to direct internet-based attacks and are a lower risk compared to an open SSH management channel from the internet.

55
MCQ · hard

During a risk assessment, the IT risk manager needs to prioritize risks for treatment. Which of the following risk characteristics should be weighted MOST heavily?

A. The degree to which the risk affects strategic business objectives
B. The ease of implementing mitigating controls
C. The likelihood that the threat will be exploited
D. The financial impact calculated in monetary terms
Answer: A

Risks that impact strategic objectives are of highest priority.

Why this answer

In CRISC, risk prioritization is fundamentally driven by alignment with strategic business objectives because IT risk management exists to protect the enterprise’s mission and goals. Even a high-likelihood or high-financial-impact risk may be deprioritized if it does not materially affect the organization’s strategic objectives, as the risk treatment decision must support business value and continuity. This weighting ensures that resources are allocated to risks that most threaten the enterprise’s ability to achieve its core mission.

Exam trap

ISACA often tests the misconception that financial impact or likelihood should be the primary weighting factor, but CRISC emphasizes that strategic alignment is the overriding criterion because risk treatment must support the enterprise’s overall business goals, not just minimize cost or probability.

How to eliminate wrong answers

Option B is wrong because the ease of implementing mitigating controls is a tactical implementation consideration, not a primary risk prioritization factor; prioritizing based on ease can lead to treating low-impact risks while ignoring critical strategic threats. Option C is wrong because likelihood alone is insufficient—a threat with high likelihood but negligible business impact should not be weighted more heavily than a lower-likelihood risk that could cripple strategic objectives. Option D is wrong because financial impact in isolation ignores non-monetary strategic factors such as reputational damage, regulatory compliance, or competitive advantage, which may be more critical to the enterprise’s survival than a simple dollar figure.

56
MCQ · medium

Based on the exhibit, what is the primary risk to the organization?

A. Unauthorized modification of customer data
B. Data loss due to accidental deletion
C. Unauthorized disclosure of sensitive customer data
D. Denial of service due to excessive read requests
Answer: C

Public access exposes data to anyone on the internet.

Why this answer

The exhibit shows a database server with customer data accessible via a web application that uses unencrypted HTTP (port 80) and has direct internet exposure. This configuration allows an attacker to intercept traffic or exploit the lack of encryption to read sensitive customer data in transit, making unauthorized disclosure the primary risk. The core reasoning is that unencrypted HTTP exposes data to eavesdropping and man-in-the-middle attacks, directly violating confidentiality requirements for sensitive customer information.

Exam trap

The trap here is that candidates often focus on the database server's role (e.g., modification or deletion risks) instead of recognizing that the unencrypted HTTP exposure directly enables unauthorized disclosure of data in transit, which is the most immediate and severe risk to confidentiality.

How to eliminate wrong answers

Option A is wrong because unauthorized modification of customer data requires write access or injection vulnerabilities (e.g., SQL injection), but the exhibit only shows read access via HTTP without any indication of write capabilities or input validation flaws. Option B is wrong because data loss due to accidental deletion typically involves lack of backups or improper access controls on delete operations, whereas the exhibit highlights unencrypted read access and internet exposure, not deletion risks. Option D is wrong because denial of service due to excessive read requests would require a resource exhaustion scenario (e.g., lack of rate limiting or DDoS protection), but the primary risk from unencrypted HTTP is data exposure, not availability.

57
MCQhard

A government agency is migrating its critical applications to a public cloud infrastructure. The risk assessment reveals that the cloud provider uses shared tenancy, and the agency's sensitive data will be stored alongside other customers' data. The agency has a very low risk appetite for data leakage and must comply with strict data sovereignty laws. The cloud provider offers data encryption at rest and in transit, as well as dedicated hardware security modules (HSMs) for key management. However, the provider's physical datacenters are located in another country with different legal frameworks. As the risk practitioner, which of the following should be the PRIMARY risk response?

A.Avoid the risk by keeping sensitive data on-premises and using the cloud only for non-sensitive workloads.
B.Reduce the risk by negotiating a contract that includes specific data handling clauses and audit rights.
C.Transfer the risk by requiring the provider to maintain a large cyber insurance policy.
D.Accept the risk after verifying the provider's compliance certifications.
AnswerA

Avoidance is appropriate given low risk appetite.

Why this answer

Option A is correct because the agency's very low risk appetite for data leakage and strict data sovereignty laws cannot be adequately mitigated by encryption or contractual measures when the physical datacenters are in a foreign jurisdiction with different legal frameworks. Shared tenancy in a public cloud inherently increases the attack surface for side-channel attacks and misconfiguration risks, and even with encryption at rest (e.g., AES-256) and in transit (e.g., TLS 1.3), the cloud provider's staff or foreign legal authorities could potentially access decryption keys or compel key disclosure. Avoiding the risk by keeping sensitive data on-premises eliminates the exposure to foreign legal frameworks and shared tenancy, directly aligning with the agency's risk appetite.

Exam trap

The trap here is that candidates often overestimate the effectiveness of encryption and contractual controls, failing to recognize that physical jurisdiction and shared tenancy introduce residual risks that cannot be fully mitigated, making avoidance the only appropriate response for a very low risk appetite.

How to eliminate wrong answers

Option B is wrong because negotiating data handling clauses and audit rights reduces but does not eliminate the risk; the provider's physical location in another country means local laws (e.g., the US CLOUD Act or EU GDPR cross-border transfer restrictions) could override contractual terms, and shared tenancy still exposes the data to potential side-channel attacks or misconfiguration by other tenants. Option C is wrong because transferring risk via cyber insurance does not prevent data leakage or address sovereignty laws; insurance only provides financial compensation after a breach, which is unacceptable for an agency with a very low risk appetite for data leakage. Option D is wrong because accepting the risk after verifying compliance certifications (e.g., ISO 27001, SOC 2) is insufficient; certifications attest to controls at a point in time but do not guarantee protection against foreign legal compulsion or shared tenancy vulnerabilities, and acceptance contradicts the stated very low risk appetite.

58
Multi-Selecthard

Which TWO of the following are valid techniques for identifying risk in IT risk assessment?

Select 2 answers
A.SWOT analysis
B.Brainstorming sessions
C.Residual risk assessment
D.Risk aggregation
E.Monte Carlo simulation
AnswersA, B

SWOT helps identify strengths, weaknesses, opportunities, and threats.

Why this answer

SWOT analysis (Strengths, Weaknesses, Opportunities, Threats) is a structured technique used to identify both internal and external risk factors during IT risk assessment. It helps uncover threats that could exploit weaknesses, as well as opportunities that might mitigate risks, making it a valid identification method.

Exam trap

The trap here is confusing risk identification techniques (like SWOT and brainstorming) with risk analysis or evaluation techniques (like residual risk assessment, risk aggregation, and Monte Carlo simulation), which are applied after risks have already been identified.

59
Drag & Dropmedium

Order the steps for change management in an IT environment.


Why this order

Change management includes request, approval, testing, implementation, and review.

60
MCQmedium

An organization maintains a risk register. Which of the following updates should be made on an ongoing basis?

A.Continuously add new risks as they are identified
B.Update controls only when an incident occurs
C.Revise risk levels only after an internal audit
D.Update the register only during the annual risk assessment
AnswerA

An effective risk register is a living document updated whenever new risks arise.

Why this answer

A risk register is a living document that must be updated continuously to reflect the current threat landscape. New risks can emerge from changes in technology, business processes, or external threats, and failing to capture them promptly leaves the organization exposed to unmitigated vulnerabilities.

Exam trap

The trap here is that candidates often assume risk registers are updated only during formal assessment cycles, but the CRISC exam emphasizes that risk management is a continuous process requiring real-time updates as new risks are identified.

How to eliminate wrong answers

Option B is wrong because controls should be reviewed and updated proactively based on risk changes, not only reactively after an incident occurs. Option C is wrong because risk levels should be revised whenever new information or changes in the environment affect the likelihood or impact, not only after an internal audit. Option D is wrong because an annual update cycle is too infrequent; risks can emerge or change significantly within a year, and the register must be maintained on an ongoing basis to remain relevant.

61
Multi-Selecthard

A risk practitioner is evaluating the effectiveness of existing risk mitigation controls for a critical financial application. Which THREE of the following are key indicators that controls are operating effectively?

Select 3 answers
A.Control testing results show 95% pass rate over the last quarter.
B.Audit findings for the application have been resolved within the agreed remediation timeline.
C.All control owners have completed annual training on their responsibilities.
D.The application's uptime is 99.9% as per service level agreement.
E.The number of security incidents related to the application has decreased by 30% year-over-year.
AnswersA, B, C

Testing pass rate demonstrates control operation.

Why this answer

A is correct because control testing results showing a 95% pass rate over the last quarter provide direct, quantitative evidence that the controls are functioning as intended. This metric is a primary indicator of control effectiveness in risk management frameworks, as it measures the actual performance of control activities against defined criteria. A pass rate of 95% suggests that the vast majority of control tests met their objectives, indicating reliable operation of the controls for the critical financial application.

Exam trap

The trap here is that candidates often confuse outcome-based metrics (like uptime or incident reduction) with direct control effectiveness indicators, failing to recognize that only control testing results and audit remediation timelines provide direct evidence of control operation and corrective action.

62
Multi-Selecthard

Which TWO of the following are characteristics of quantitative risk analysis compared to qualitative risk analysis? (Select 2)

Select 2 answers
A.It is always easier to communicate to non-technical stakeholders
B.It produces results in monetary values or percentages
C.It supports cost-benefit analysis of controls
D.It requires less specialized expertise to perform
E.It relies solely on expert judgment without numerical data
AnswersB, C

Quantitative outputs are numerical, e.g., ALE, SLE.

Why this answer

Quantitative risk analysis uses numerical data to assign monetary values or percentages to risk components such as asset value, exposure factor, and annualized loss expectancy. This allows for precise, data-driven comparisons and prioritization of risks based on financial impact.

Exam trap

The trap here is that candidates often confuse 'easier to communicate' with quantitative analysis because numbers seem objective, but in reality, qualitative ratings are usually simpler for non-technical audiences to grasp without specialized training.

63
MCQhard

During a quantitative risk analysis, the risk practitioner determines that the single loss expectancy (SLE) for a ransomware attack is $500,000 and the annualized rate of occurrence (ARO) is 0.4. The organization has a risk appetite that accepts annual losses up to $150,000. What is the recommended action?

A.Purchase insurance to cover the potential loss
B.Accept the risk because it is within the organization's risk appetite
C.Reassess using qualitative analysis because the ARO is not precise
D.Implement controls to reduce the likelihood or impact until ALE is below $150,000
AnswerD

Since ALE exceeds appetite, controls are necessary to bring residual risk within tolerance.

Why this answer

The ALE is $500,000 × 0.4 = $200,000, which exceeds the risk appetite of $150,000. Therefore, additional controls are needed to reduce either the SLE or the ARO until the ALE falls below $150,000. Option A is incorrect because insurance transfers the financial loss but leaves the residual risk above appetite, which is not yet acceptable; option B is incorrect because accepting the risk is justified only if it is within appetite, which it is not.

64
MCQmedium

After a risk assessment, the risk owner decides to mitigate a high-risk finding by implementing additional access controls. What should the risk manager do NEXT?

A.Update the risk register with the mitigation actions taken.
B.Accept the residual risk on behalf of the organization.
C.Reassess the residual risk level after controls are implemented.
D.Close the risk issue and move to the next priority.
AnswerC

Ensures the mitigation is effective and risk is within tolerance.

Why this answer

After mitigation controls are implemented, the risk manager must reassess the residual risk level to determine whether the controls have effectively reduced the risk to an acceptable level. This step ensures that the risk treatment decision is validated and that any remaining exposure is understood before updating the risk register or closing the issue.

Exam trap

The trap here is that candidates often confuse the order of risk management steps, assuming the risk register update (Option A) is the immediate next action, when in fact the residual risk reassessment must occur first to ensure the mitigation was effective.

How to eliminate wrong answers

Option A is wrong because updating the risk register with mitigation actions should occur after the residual risk has been reassessed, not before; the register must reflect the validated post-control risk level. Option B is wrong because accepting residual risk is a decision made by the risk owner, not the risk manager, and it should only occur after the residual risk has been reassessed and found to be within the organization's risk appetite. Option D is wrong because closing the risk issue without reassessing the residual risk ignores the possibility that the implemented controls may be ineffective or introduce new risks, violating the principle of continuous risk monitoring.

65
MCQeasy

A multinational corporation is conducting a risk assessment for its new online payment platform. The platform processes transactions in multiple currencies and stores sensitive customer financial data. The risk team has identified that the encryption algorithm used for data at rest is outdated and could be vulnerable to advanced attacks. The company's risk appetite is low for data breaches. The security team recommends upgrading the encryption to a modern standard, but the upgrade will require a 48-hour downtime impacting all global transactions. The business unit is concerned about revenue loss during the downtime. As the risk practitioner, what is the BEST course of action to balance security and business continuity?

A.Accept the risk and delay the upgrade until the next scheduled maintenance window in three months.
B.Plan the upgrade during a low-traffic period and implement compensating controls such as additional monitoring during the downtime.
C.Outsource the payment processing to a third-party vendor that already uses modern encryption.
D.Implement the upgrade immediately to mitigate the vulnerability, accepting the revenue loss.
AnswerB

This reduces risk while minimizing business disruption.

Why this answer

Option B is the best course of action because it balances the need to mitigate a high-risk encryption vulnerability with business continuity. By scheduling the upgrade during a low-traffic period and implementing compensating controls (e.g., enhanced monitoring and intrusion detection), the organization reduces the likelihood of exploitation during the 48-hour downtime while minimizing revenue loss. This aligns with the low risk appetite for data breaches and demonstrates a risk-based decision that treats the vulnerability without accepting unacceptable exposure.

Exam trap

The trap here is that candidates often choose immediate remediation (Option D) without considering business impact, failing to recognize that risk management requires balancing security with operational continuity through compensating controls and scheduling.

How to eliminate wrong answers

Option A is wrong because delaying the upgrade for three months while the encryption algorithm is known to be vulnerable to advanced attacks directly contradicts the company's low risk appetite for data breaches; it effectively accepts a high residual risk that could lead to a catastrophic data breach. Option C is wrong because outsourcing payment processing introduces new risks, such as loss of direct control over sensitive customer financial data, potential compliance issues (e.g., GDPR, PCI DSS), and the complexity of vendor risk management, which does not inherently resolve the immediate vulnerability in the existing platform. Option D is wrong because implementing the upgrade immediately without considering traffic patterns or compensating controls would cause significant revenue loss from a 48-hour global transaction halt, which is not a balanced approach; it ignores the business impact and fails to apply risk treatment options like mitigation through scheduling and compensating controls.

66
Multi-Selectmedium

Which TWO of the following are key outputs of a risk assessment process?

Select 2 answers
A.Risk register
B.Risk treatment plan
C.Business continuity plan
D.Control design documentation
E.Audit report
AnswersA, B

Risk register is a direct output of risk assessment.

Why this answer

The risk register is a key output of the risk assessment process because it formally documents identified risks, their assessed likelihood and impact, risk scores, and ownership. This output serves as the central repository for all risk information generated during the assessment, enabling ongoing risk tracking and reporting.

Exam trap

The trap here is that candidates often confuse the risk treatment plan as a separate post-assessment activity, but CRISC explicitly recognizes it as a key output of the risk assessment process because the assessment directly informs and documents the chosen treatment strategies.

67
MCQmedium

A risk manager is evaluating the risk associated with a new third-party vendor that will have access to customer data. The vendor has been in business for 10 years and holds ISO 27001 certification. Which factor should be given the MOST weight when determining the vendor's risk level?

A.The vendor's years in operation.
B.The vendor's ISO 27001 certification.
C.The sensitivity and volume of data the vendor will access.
D.The contractual terms for data protection.
AnswerC

Data sensitivity directly impacts risk magnitude.

Why this answer

The sensitivity and volume of data directly determine the potential impact of a breach, which is a core component of inherent risk. Even with strong controls like ISO 27001, the risk level is primarily driven by the value and quantity of the asset at risk (customer data). In IT risk assessment, the asset's criticality and exposure outweigh historical or certification-based indicators when calculating residual risk.

Exam trap

The trap here is that candidates overvalue certifications and tenure as proxies for security, while the CRISC exam emphasizes that risk is fundamentally tied to the asset's value and exposure, not just the vendor's credentials.

How to eliminate wrong answers

Option A is wrong because years in operation are a proxy for stability, not a direct measure of security posture or the specific risk from data access; a mature vendor can still have weak controls for a particular data type. Option B is wrong because ISO 27001 certification indicates a management system is in place, but it does not guarantee that controls are effectively implemented for the specific data sensitivity or volume, nor does it eliminate the need to assess the asset's inherent risk. Option D is wrong because contractual terms are a risk mitigation mechanism, not a primary risk factor; they define remedies and obligations but do not change the inherent risk posed by the data access itself.

68
MCQeasy

Which risk assessment method uses a matrix to plot likelihood and impact to determine risk level?

A.Delphi technique
B.Annual loss expectancy
C.Qualitative
D.Quantitative
AnswerC

Qualitative assessment uses risk matrices.

Why this answer

The qualitative risk assessment method uses a matrix to plot likelihood and impact, typically with ordinal scales (e.g., high, medium, low) to derive a risk level. This approach is subjective and relies on expert judgment rather than numerical values, making it distinct from quantitative methods.

Exam trap

The trap here is that candidates confuse the qualitative risk matrix with the Delphi technique, which is a consensus-building method, or mistakenly think Annual Loss Expectancy (ALE) is plotted on a matrix, when in fact ALE is a quantitative output.

How to eliminate wrong answers

Option A is wrong because the Delphi technique is a structured communication method for achieving consensus among experts, not a risk assessment method that uses a likelihood-impact matrix. Option B is wrong because Annual Loss Expectancy (ALE) is a quantitative metric calculated as Single Loss Expectancy (SLE) multiplied by Annualized Rate of Occurrence (ARO), not a matrix-based qualitative approach. Option D is wrong because quantitative risk assessment uses numerical values (e.g., monetary amounts, percentages) and formulas like ALE, not a subjective matrix of likelihood and impact.

69
MCQhard

A risk assessment for a cloud migration project identifies that the cloud provider does not support encryption keys managed by the customer. Which of the following risk scenarios is MOST directly related to this finding?

A.Service availability disruption
B.Data loss due to misconfiguration
C.Unauthorized access by cloud provider employees
D.Non-compliance with data residency requirements
AnswerC

Directly related to key management control.

Why this answer

When the cloud provider does not support customer-managed encryption keys, the provider retains control over the key material. This means that provider employees with administrative access to the key management system could potentially decrypt and access customer data, leading to unauthorized access. This directly creates a risk scenario of unauthorized access by cloud provider employees, as the customer loses the ability to enforce separation of duties and key sovereignty.

Exam trap

The trap here is that candidates often confuse encryption key management with data residency or misconfiguration risks, but the core issue is that provider-managed keys eliminate the customer's ability to prevent the provider from decrypting their data, directly enabling unauthorized access by provider employees.

How to eliminate wrong answers

Option A is wrong because service availability disruption is typically caused by outages, DDoS attacks, or resource exhaustion, not by the lack of customer-managed encryption keys. Option B is wrong because data loss due to misconfiguration (e.g., public S3 buckets, incorrect retention policies) is a separate risk that can occur regardless of who manages the encryption keys. Option D is wrong because non-compliance with data residency requirements is about where data is stored geographically, not about who controls the encryption keys; even with provider-managed keys, data can be stored in compliant regions.

70
MCQhard

The policy in the exhibit is intended to enforce what security control?

A.Data classification
B.Access control
C.Encryption at rest
D.Encryption in transit
AnswerD

aws:SecureTransport enforces HTTPS for data in transit.

Why this answer

The policy explicitly requires TLS 1.2 or higher for all data transmissions, which enforces encryption in transit. This ensures that data is protected from interception or tampering while moving across networks, as opposed to being stored (at rest) or managed via classification or access rules.

Exam trap

The trap here is that candidates confuse 'encryption in transit' with 'encryption at rest' because both involve encryption, but the policy's focus on transmission protocols (TLS) clearly distinguishes it as a network-layer control.

How to eliminate wrong answers

Option A is wrong because data classification involves labeling data based on sensitivity, not enforcing encryption during transmission. Option B is wrong because access control governs who can view or modify data, not how data is encrypted while moving. Option C is wrong because encryption at rest protects stored data on disk or in databases, not data in transit over a network.

71
MCQhard

A large enterprise uses a risk matrix with impact categories (very low, low, medium, high, very high) and likelihood (rare, unlikely, possible, likely, almost certain). A risk identified has a 'likely' likelihood and 'high' impact. According to the matrix, risks with this combination are classified as 'high' risk. The risk appetite statement requires that all high risks have a response plan within 30 days. However, the risk owner argues that due to effective compensating controls, the residual risk is only 'medium'. Which of the following is the BEST course of action?

A.Formalize the risk treatment plan and include the compensating controls in the risk register.
B.Implement additional controls to ensure the residual risk becomes low.
C.Accept the risk as is, since controls reduce it to an acceptable level.
D.Document the residual risk as medium and extend the response deadline beyond 30 days.
AnswerA

Formalizing the plan and documenting controls shows that the risk is managed and residual risk is acceptable.

Why this answer

Option A is correct because the organization should formally document the compensating controls and update the risk register to reflect the residual risk. This ensures that the risk management process captures the true risk position. Option D is wrong because extending the deadline does not address the residual risk.

Option B is unnecessary if the residual risk is within appetite. Option C lacks formality and may not satisfy the 30-day response plan requirement.

72
MCQeasy

Which of the following is the BEST indicator that a risk assessment should be performed outside the normal cycle?

A.A new regulation is proposed
B.An employee leaves the company
C.A major IT infrastructure change
D.The annual budget is approved
AnswerC

Introduces new risks that need assessment.

Why this answer

A major IT infrastructure change introduces new or altered assets, data flows, and threat surfaces that were not considered in the previous risk assessment cycle. This change can invalidate existing control assumptions and risk ratings, making an ad-hoc assessment necessary to identify and evaluate emerging risks before they materialize.

Exam trap

The trap here is confusing routine operational events (like employee turnover or budget cycles) with events that fundamentally change the risk profile, leading candidates to overlook the necessity of an ad-hoc assessment triggered by a significant technical change.

How to eliminate wrong answers

Option A is wrong because a proposed regulation is not yet enacted; risk assessments are triggered by compliance requirements only after the regulation is finalized and effective. Option B is wrong because an employee departure is a personnel event that typically triggers an access review or segregation-of-duties check, not a full risk assessment outside the normal cycle. Option D is wrong because budget approval is a financial planning event that does not directly alter the risk landscape; it may enable risk treatment actions but does not itself require a new risk assessment.

73
Multi-Selecteasy

Which TWO of the following are key inputs to a risk assessment?

Select 2 answers
A.Asset inventory
B.Threat intelligence feeds
C.Employee satisfaction survey
D.Business continuity plan
E.Risk appetite statement
AnswersA, B

Identifies what needs to be protected.

74
Multi-Selectmedium

Which THREE of the following are key components of a risk assessment report?

Select 3 answers
A.Risk register with identified risks
B.Copies of vendor contracts
C.Recommended risk response actions
D.Network topology diagram
E.Risk analysis (likelihood and impact)
AnswersA, C, E

The risk register lists all identified risks and their attributes.

Why this answer

A risk register is a core component of a risk assessment report because it formally documents each identified risk, its owner, status, and tracking information. This register serves as the authoritative record that links risk identification to subsequent analysis and response activities, ensuring traceability throughout the risk management lifecycle.

Exam trap

The trap here is that candidates confuse supporting artifacts (like network diagrams or contracts) with mandatory report components, but the CRISC exam specifically tests that the risk assessment report must include the risk register, risk analysis, and risk response recommendations as its key deliverables.

75
MCQhard

A multinational corporation is migrating critical applications to a public cloud provider. The IT risk manager needs to design a risk assessment approach that addresses shared responsibility. Which of the following is the MOST appropriate approach?

A.Assess only the cloud provider's security controls
B.Assume that the provider's controls cover all risks
C.Perform a data leakage risk assessment for each application
D.Map controls to the shared responsibility model and assess both sides
AnswerD

This ensures all areas are covered according to the provider's model.

Why this answer

In a public cloud shared responsibility model, the cloud provider secures the infrastructure (e.g., physical security, hypervisor), while the customer secures their data, configurations, and access controls. Option D is correct because it requires mapping each control to the specific party responsible (customer vs. provider) and assessing both sides, ensuring no gaps in coverage. This approach aligns with the CSA Cloud Controls Matrix and NIST SP 800-146, which mandate joint accountability.

Exam trap

The trap here is that candidates assume the cloud provider is fully responsible for all security, overlooking the customer's contractual and operational obligations under the shared responsibility model, which is a core CRISC concept for cloud risk assessments.

How to eliminate wrong answers

Option A is wrong because assessing only the provider's controls ignores customer-side responsibilities like IAM policies, encryption key management, and application-layer security, leading to unmitigated risks. Option B is wrong because assuming the provider covers all risks violates the shared responsibility model; the provider explicitly disclaims responsibility for customer data and configurations in their SLA (e.g., AWS Shared Responsibility Model). Option C is wrong because a data leakage risk assessment is too narrow; it omits other critical risks such as misconfigured network ACLs, insecure APIs, and compliance violations (e.g., GDPR data residency).
