
Scenario-based practice

Select Two (Multi-Select) Questions

Practise Certified in Risk and Information Systems Control CRISC practice questions — original exam-style scenarios covering every exam domain, with detailed explanations, wrong-answer analysis, and common exam traps.

20 scenario questions | Exam code: CRISC | Vendor: ISACA

Scenario guide

How to approach select two (multi-select) questions

Multi-select questions tell you to 'Choose TWO' or 'Choose THREE'. There is no partial credit: you must select all correct answers with no incorrect ones. The stem always states how many to choose, so trust it. These questions require precision, not best-guess elimination.

Quick answer

Select two (multi-select) questions test whether you can apply the concept in context, not just recognise a definition.

How the topic appears in realistic exam-style scenarios.

Which detail in the question changes the correct answer.

How to eliminate plausible but wrong options.

How to connect the question back to the wider exam objective.

Practice set

Practice scenarios

Question 1 (medium, multi-select)

A healthcare organization is migrating its electronic health records (EHR) system to a public cloud. The risk manager identifies several risks. Which TWO of the following are the MOST significant risks related to data privacy and regulatory compliance?

Question 2 (hard, multi-select)

Which THREE of the following are key components of an IT risk assessment report as per ISACA guidelines?

Question 3 (medium, multi-select)

Which TWO of the following are appropriate actions when a control deficiency is identified during monitoring? (Select exactly two.)

Question 4 (hard, multi-select)

Which THREE of the following are key components of an effective risk reporting framework?

Question 5 (medium, multi-select)

A risk assessment for a financial trading platform has identified a high-risk vulnerability in the order matching engine. The risk owner has recommended implementing compensating controls rather than fixing the underlying code. Which TWO of the following are valid compensating controls? (Choose two.)

Question 6 (hard, multi-select)

Which THREE of the following are key components of an effective risk treatment plan?

Question 7 (medium, multi-select)

Which TWO of the following are key risk identification techniques used to identify threats and vulnerabilities in IT systems? (Select exactly 2.)

Question 8 (medium, multi-select)

Which TWO of the following are effective risk mitigation strategies for reducing the likelihood of a ransomware attack?

Question 9 (medium, multi-select)

Which TWO of the following are essential components of an effective control monitoring program?

Question 10 (easy, multi-select)

Which TWO of the following are primary sources of risk identification for IT projects? (Select exactly 2.)

Question 11 (hard, multi-select)

Which THREE of the following are valid risk identification methods according to ISACA's Risk IT Framework? (Select exactly 3.)

Question 12 (easy, multi-select)

Which TWO of the following are examples of inherent risk?

Question 13 (medium, multi-select)

Which THREE of the following are key components of a risk assessment report?

Question 14 (hard, multi-select)

Which TWO of the following are valid techniques for identifying risk in IT risk assessment?

Question 15 (medium, multi-select)

Which TWO of the following are key components of an effective risk and control monitoring program? (Select exactly two.)

Question 16 (hard, multi-select)

Which THREE of the following are common challenges when implementing a risk monitoring dashboard? (Select exactly three.)

Question 17 (medium, multi-select)

Which THREE of the following are characteristics of leading key risk indicators (KRIs)?

Question 18 (easy, multi-select)

Which TWO of the following are examples of detective controls?

Question 19 (hard, multi-select)

An organization is implementing a quantitative risk assessment for its customer database. Which TWO elements are essential for calculating the annualized loss expectancy (ALE)?

Question 20 (medium, multi-select)

Which TWO of the following are primary objectives of control monitoring?

These CRISC practice questions are part of Courseiva's free ISACA certification practice question bank. Courseiva provides original exam-style CRISC questions with detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics.