
Scenario-based practice

Hard Difficulty Questions

Practise Certified in Risk and Information Systems Control CRISC practice questions — original exam-style scenarios covering every exam domain, with detailed explanations, wrong-answer analysis, and common exam traps.

20 scenario questions
Exam code: CRISC
Vendor: ISACA

Scenario guide

How to approach hard difficulty questions

These are the questions most candidates get wrong. They require connecting multiple concepts, reading tricky output, or knowing edge-case behaviour that isn't on most study cards. Practising them trains you to operate under uncertainty — a necessary skill on the real exam.

Quick answer

Hard difficulty questions test whether you can apply the concept in context, not just recognise a definition. Each one checks:

How the topic appears in realistic exam-style scenarios.

Which detail in the question changes the correct answer.

How to eliminate plausible but wrong options.

How to connect the question back to the wider exam objective.


Practice set

Practice scenarios

Question 1 (hard, multiple choice)

A multinational corporation is expanding its cloud infrastructure to include a new SaaS application that stores sensitive customer data. The vendor claims compliance with SOC 2 Type II and ISO 27001. The risk manager must determine if the remaining residual risk after vendor controls is within the company's risk appetite. Which of the following is the MOST critical next step?

Question 2 (hard, multi select)

Which THREE of the following are key components of an IT risk assessment report as per ISACA guidelines?

Question 3 (hard, multiple choice)

You are the IT risk manager for a mid-sized e-commerce company that processes over 10,000 transactions per day. The company recently migrated its customer database from an on-premises SQL Server to a cloud-based PostgreSQL instance on AWS RDS. The database contains personally identifiable information (PII) including names, addresses, and credit card numbers (stored as encrypted tokens). The migration was performed by the DevOps team with minimal involvement from the security team. Two weeks after the migration, the company experienced a data breach where an attacker exfiltrated a subset of customer records. The forensic investigation revealed that the attacker exploited a misconfigured security group that allowed inbound traffic from the internet on port 5432 (PostgreSQL default port). Additionally, the database had a publicly accessible endpoint, and the master user password was weak (eight characters, no special characters). The attacker used a brute-force attack to guess the password. The security group has since been corrected, and the password has been changed to a strong one. The breach notification laws require reporting within 72 hours. The CEO wants to understand the root cause and prevent recurrence. As the risk manager, which of the following actions should you recommend as the MOST effective to prevent a similar incident?

Question 4 (hard, multiple choice)

A company has implemented a risk mitigation plan that includes technical controls. However, six months later, the residual risk is still higher than expected. The risk practitioner suspects that the controls are not being followed. Which of the following is the BEST approach to verify this?

Question 5 (hard, multiple choice)

An organization uses a quantitative risk analysis method. The annualized rate of occurrence (ARO) for a specific threat is 0.5, and the single loss expectancy (SLE) is $200,000. What is the annualized loss expectancy (ALE)?

Question 6 (hard, multi select)

Which THREE of the following are key components of an effective risk reporting framework?

Question 7 (hard, multiple choice)

A company has a control that automatically rejects transactions over $10,000. During a review, it is found that 2% of transactions over $10,000 were approved due to a system glitch. The control owner says the glitch has been fixed. What should the risk practitioner do next?

Question 8 (hard, multiple choice)

Based on the risk register exhibit, which of the following is the MOST appropriate risk response for R-0042?

Exhibit

Refer to the exhibit.

```
[Risk Register Excerpt]
Risk ID: R-0042
Risk Description: Unauthorized access to customer PII due to weak database encryption
Inherent Risk Score: 16 (Likelihood: 4, Impact: 4)
Control: AES-256 encryption at rest (implemented)
Residual Risk Score: 8 (Likelihood: 2, Impact: 4)
Risk Appetite Threshold: 10
```

Question 9 (hard, multiple choice)

A multinational organization is implementing a risk mitigation strategy for a critical system. The business impact analysis shows that downtime costs are extremely high. Which risk response strategy is MOST appropriate for this scenario?

Question 10 (hard, multi select)

Which THREE of the following are key components of an effective risk treatment plan?

Question 11 (hard, multiple choice)

A multinational corporation has deployed a centralized log management system that collects security events from all subsidiaries. The CRO notices that the number of critical alerts from the Asia-Pacific region has dropped significantly over the past week. Upon investigation, the log source status shows that 30% of the devices in that region have not sent any logs in 48 hours. What is the MOST likely cause?

Question 12 (hard, multiple choice)

During a risk assessment, an organization identifies that its legacy ERP system has a high likelihood of failure during peak transaction periods. The system supports critical financial operations. The risk owner proposes to upgrade the system, but the project would take 18 months and require significant capital investment. The CEO questions whether the risk can be reduced to an acceptable level more quickly. Which of the following is the MOST appropriate immediate risk response?

Question 13 (hard, multiple choice)

During a risk assessment, an organization identifies that its remote workforce uses personal devices for work. The risk manager is concerned about data leakage. The organization has a risk appetite that is 'moderate' and wants to treat the risk. Which of the following is the MOST effective risk treatment option?

Question 14 (hard, multiple choice)

A multinational corporation uses a common identity management system (IdM) across all subsidiaries. During a risk assessment, it is discovered that the IdM system has a critical vulnerability that could allow privilege escalation. The patch requires a 4-hour downtime. The risk manager must decide the best course of action considering the organization's risk appetite of 'low' and the fact that the IdM system is critical for business operations. Which of the following is the BEST approach?

Question 15 (hard, multi select)

Which THREE of the following are valid risk identification methods according to ISACA's Risk IT Framework? (Select exactly 3.)

Question 16 (hard, multiple choice)

A financial institution is assessing the risk of a new real-time payment system. The risk manager calculates that the annualized loss expectancy (ALE) for a potential fraud scenario is $500,000. The cost to implement a fraud detection solution is $200,000 initially with $50,000 annual maintenance. The solution is expected to reduce the ALE by 80%. What is the net benefit of implementing the solution over three years?

Question 17 (hard, multi select)

Which TWO of the following are valid techniques for identifying risk in IT risk assessment?

Question 18 (hard, multiple choice)

A financial institution is implementing a new risk monitoring tool that aggregates data from multiple sources. The tool is expected to provide real-time dashboards for risk committees. However, during user acceptance testing, the dashboards show inconsistent data due to time zone differences across sources. What is the best approach to resolve this?

Question 19 (hard, multi select)

Which THREE of the following are common challenges when implementing a risk monitoring dashboard? (Select exactly three.)

Question 20 (hard, multiple choice)

A risk assessment for a healthcare organization reveals a high likelihood of data breaches due to weak encryption on portable devices. The organization decides to deploy full-disk encryption and enforce multi-factor authentication. Which risk response strategy is being applied?

These CRISC practice questions are part of Courseiva's free ISACA certification practice question bank. Courseiva provides original exam-style CRISC questions with detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics.