Free · No account needed · No credit card

Certified in Risk and Information Systems Control CRISC Practice Test

500 questions with instant explanations, domain breakdown, and wrong-answer analysis. Built for the real exam.

Instant feedback after each answer
Full explanations included
Domain score breakdown
Real exam: 240 min
Pass mark: 450%

Sample questions with explanations

This is exactly what you see during practice — question, options, and a full explanation after you answer.

Q1 · IT Risk Assessment · medium

During a risk assessment, an organization identifies that its primary data center is located in a flood-prone area. Which risk treatment option would best address this risk?

A. Purchase business interruption insurance
B. Move all operations to a cloud provider
C. Implement flood barriers and redundant cooling systems (Correct)
D. Accept the risk and document it in the risk register

Implementing flood barriers and redundant cooling systems directly reduces the likelihood and impact of a flood event on the data center's physical infrastructure. This is a risk mitigation strategy that proactively addresses the root cause of the risk (flooding) by hardening the…

Q2 · IT Risk Assessment · hard

A risk assessment for a healthcare organization reveals a high likelihood of data breaches due to weak encryption on portable devices. The organization decides to deploy full-disk encryption and enforce multi-factor authentication. Which risk response strategy is being applied?

A. Transfer
B. Acceptance
C. Avoidance
D. Mitigation (Correct)

Deploying full-disk encryption and multi-factor authentication directly reduces the likelihood and/or impact of data breaches from weak encryption on portable devices. This is the definition of risk mitigation — applying controls to lower risk to an acceptable level. The organiza…

Q3 · IT Risk Assessment · easy

Which of the following is the PRIMARY purpose of conducting a business impact analysis (BIA) during the IT risk assessment process?

A. To determine the criticality and recovery time objectives of business processes (Correct)
B. To identify vulnerabilities in IT systems
C. To identify potential threat actors
D. To inventory all IT assets

Option B is correct because the BIA identifies critical business processes and their recovery priorities. Option A is wrong because vulnerability assessment is separate. Option C is wrong because threats are identified in threat modeling. Option D is wrong because asset inventory…

Untimed Practice

Answer at your own pace. Explanation and domain tag shown immediately after each answer.

Timed Practice

Countdown timer starts immediately. Results and domain scores shown at the end — just like the real exam.

Why practice here?

Full explanations on every question

Not just the right answer — you get exactly why each wrong option is wrong, so you learn the concept, not the answer.

Domain score breakdown

After each session see your score by exam domain so you know exactly where to focus study time.

100% free, forever

No subscription, no trial, no email wall. Start a session in under 10 seconds.

Exam-style questions

Scenario-based, precise wording, realistic distractors — written to match what you actually see on exam day.
