
Scenario-based practice

Refer to the Exhibit Practice Questions

Practise Certified in Risk and Information Systems Control CRISC practice questions — original exam-style scenarios covering every exam domain, with detailed explanations, wrong-answer analysis, and common exam traps.

15 scenario questions · Exam code: CRISC · Vendor: ISACA

Scenario guide

How to approach Refer to the Exhibit practice questions

Practise exhibit-style questions that ask you to read a topology, table, command output or diagram before choosing the best answer.

Quick answer

Exhibit-style questions test whether you can read a topology, command output, diagram or table before choosing the best answer.

How to extract the relevant detail from an exhibit.

How topology, command output or routing information affects the answer.

How to avoid answering from memory before reading the evidence.

How to map the exhibit back to the exam objective.


Practice scenarios

Question 1 (hard, multiple choice)

Based on the risk register exhibit, which of the following is the MOST appropriate risk response for R-0042?

Exhibit

```
[Risk Register Excerpt]
Risk ID: R-0042
Risk Description: Unauthorized access to customer PII due to weak database encryption
Inherent Risk Score: 16 (Likelihood: 4, Impact: 4)
Control: AES-256 encryption at rest (implemented)
Residual Risk Score: 8 (Likelihood: 2, Impact: 4)
Risk Appetite Threshold: 10
```
Question 2 (medium, multiple choice)

Refer to the exhibit. An organization has identified vulnerabilities on a critical server. The risk owner has limited resources and can remediate only one finding this quarter. Based on the information provided, which approach is the most appropriate risk assessment decision?

Exhibit

```
Vulnerability Scan Report (excerpt):
Host: 10.10.50.100
Port: 443 (HTTPS)
Finding: SSL/TLS certificate is signed with SHA-1, a deprecated signature algorithm
Severity: Medium
Remediation: Replace the certificate with one signed using SHA-256 or stronger.

Host: 10.10.50.100
Port: 22 (SSH)
Finding: OpenSSH version 7.2 is vulnerable to CVE-2016-6515 (DoS)
Severity: Low
Remediation: Upgrade to OpenSSH 7.3 or later.
```
Question 3 (easy, multiple choice)

Refer to the exhibit. A risk practitioner is reviewing the access control list for a critical server. The ACL is applied inbound on the interface connecting to the internet. Which of the following is the MOST significant risk?

Exhibit

```
Access List: ACL-01
10 deny ip host 10.1.1.10 any
20 permit tcp 10.1.1.0 0.0.0.255 any eq 443
30 permit udp 10.1.1.0 0.0.0.255 any eq 53
40 deny ip any any
```
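The exhibit only makes sense if you evaluate it the way the device does: top to bottom, first match wins, implicit deny at the end. The following is an added Python example (not code from the page or from Cisco) that parses the four ACL-01 lines in IOS extended-ACL syntax, evaluates sample packets against them, and reports entries that can never match because an earlier entry already covers them. Wildcard masks are assumed to be contiguous; the sample packets and the reordered ACL used to show a shadowed rule are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The four lines of ACL-01 from the exhibit, in Cisco IOS extended-ACL syntax
# (seq action protocol source destination [eq port]).
ACL_01 = """\
10 deny ip host 10.1.1.10 any
20 permit tcp 10.1.1.0 0.0.0.255 any eq 443
30 permit udp 10.1.1.0 0.0.0.255 any eq 53
40 deny ip any any
"""


@dataclass
class Entry:
    seq: int
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches any protocol, otherwise "tcp" / "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]         # destination port from an "eq" clause, else None


def _parse_addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Consume one address spec (any | host A.B.C.D | A.B.C.D WILDCARD) at tokens[i]."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(f"{tokens[i + 1]}/32"), i + 2
    # IOS wildcard mask: 0 bits must match, 1 bits are don't-care, i.e. the
    # inverse of a netmask.  Assumption: only contiguous wildcards are handled.
    wildcard = int(ipaddress.ip_address(tokens[i + 1]))
    netmask = ipaddress.ip_address((~wildcard) & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{tok}/{netmask}", strict=False), i + 2


def parse_acl(text: str) -> List[Entry]:
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        seq, action, proto = int(t[0]), t[1], t[2]
        src, i = _parse_addr(t, 3)
        dst, i = _parse_addr(t, i)
        dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
        entries.append(Entry(seq, action, proto, src, dst, dport))
    return entries


def evaluate(entries: List[Entry], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """First-match evaluation: return (action, seq) of the entry that decides the
    packet, or ("deny", None) for the implicit deny every IOS ACL ends with."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for e in entries:
        if e.proto != "ip" and e.proto != proto:
            continue
        if s not in e.src or d not in e.dst:
            continue
        if e.dport is not None and e.dport != dport:
            continue
        return e.action, e.seq
    return "deny", None


def unreachable(entries: List[Entry]) -> List[int]:
    """Sequence numbers that can never match because an earlier entry already
    covers every packet they describe (an ordering mistake, a classic ACL risk)."""
    dead = []
    for i, e in enumerate(entries):
        for prior in entries[:i]:
            if (prior.proto in ("ip", e.proto)
                    and e.src.subnet_of(prior.src) and e.dst.subnet_of(prior.dst)
                    and prior.dport in (None, e.dport)):
                dead.append(e.seq)
                break
    return dead


ENTRIES = parse_acl(ACL_01)

if __name__ == "__main__":
    # Constructed sample packets; 203.0.113.5 stands in for an internet host.
    print(evaluate(ENTRIES, "tcp", "10.1.1.10", "203.0.113.5", 443))   # blocked by 10
    print(evaluate(ENTRIES, "tcp", "10.1.1.20", "203.0.113.5", 443))   # permitted by 20
    print(evaluate(ENTRIES, "tcp", "203.0.113.5", "10.1.1.20", 443))   # hits 40: nothing from the internet gets in
    print(unreachable(parse_acl("10 deny ip any any\n20 permit tcp 10.1.1.0 0.0.0.255 any eq 443\n")))
```

Run against the exhibit, the evaluator shows what a practitioner should notice before choosing an answer: applied inbound on the internet-facing interface, the only packets ACL-01 ever permits are those whose source claims to be 10.1.1.0/24, an address range that should never legitimately arrive from the internet, while every genuine external source falls through to entry 40. Entry 40 itself only restates the implicit deny, so `unreachable()` reports nothing for the exhibit, but it does flag the shadowed permit in the reordered ACL in the demo.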
Question 4 (medium, multiple choice)

Based on the exhibit, what is the primary risk to the organization?

Exhibit

```
{
  "PolicyName": "S3PublicAccessBlock",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::customer-data/*"
    }
  ]
}
```
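The trap in this exhibit is the name: "S3PublicAccessBlock" describes nothing about what the statement does. What decides exposure is Effect, Principal, Action, Resource and any Condition. The following is an added Python example (not code from the page or from AWS) that analyses a bucket policy for anonymous grants and produces a hardened copy scoped to a named principal. The policy is the exhibit's, copied inline; the role ARN and account ID in the usage are hypothetical placeholders.

```python
import json
from typing import Any, Dict, List

# Constructed copy of the exhibit policy (the bucket is illustrative, not real).
EXHIBIT_POLICY: Dict[str, Any] = json.loads("""
{
  "PolicyName": "S3PublicAccessBlock",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::customer-data/*"
    }
  ]
}
""")


def _as_list(value) -> list:
    """Action, Resource and Statement may each be a single string/object or a list."""
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal) -> bool:
    """Both "*" and {"AWS": "*"} mean anyone, including unauthenticated callers."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def public_grants(policy: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Return the Allow statements granted to an anonymous principal.

    The policy name is deliberately ignored: only the statements decide.  A
    statement that carries a Condition is still reported but flagged, because a
    condition (for example on aws:SourceVpce) may narrow who can actually use it.
    """
    findings = []
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow" or not _is_anonymous(st.get("Principal")):
            continue
        findings.append({
            "actions": _as_list(st.get("Action", [])),
            "resources": _as_list(st.get("Resource", [])),
            "conditional": "Condition" in st,
        })
    return findings


def restrict_to_principal(policy: Dict[str, Any], principal_arn: str) -> Dict[str, Any]:
    """Hardened copy: every anonymous Allow is rewritten to the named principal.
    Returns a new dict and leaves the input untouched."""
    fixed = json.loads(json.dumps(policy))
    for st in _as_list(fixed.get("Statement", [])):
        if st.get("Effect") == "Allow" and _is_anonymous(st.get("Principal")):
            st["Principal"] = {"AWS": principal_arn}
    return fixed


if __name__ == "__main__":
    print(public_grants(EXHIBIT_POLICY))
    # Hypothetical role ARN with the AWS documentation placeholder account ID.
    hardened = restrict_to_principal(EXHIBIT_POLICY, "arn:aws:iam::123456789012:role/app-reader")
    print(json.dumps(hardened, indent=2), public_grants(hardened))
```

On the exhibit the analyser returns one unconditional anonymous `s3:GetObject` grant over every object in `customer-data`, which is the primary risk regardless of what the policy is called. Note also what the exhibit does not show: the account- or bucket-level S3 Block Public Access settings, which if enabled would reject or override a policy like this, so a practitioner would check those before concluding the data is actually reachable.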
Question 5 (easy, multiple choice)

Refer to the exhibit. What action should the risk practitioner recommend FIRST?

Exhibit

```
Risk Monitoring Dashboard
KRI: Percentage of systems with critical patches not applied
Threshold: <5%
Current value: 8%
Trend: Increasing
Status: Red
```
Question 6 (hard, multiple choice)

Refer to the exhibit. The control test failed because unauthorized access attempts were detected. The remediation plan suggests additional logging. Is this remediation appropriate?

Exhibit

```
Control Test Result: Access Control Review
Control ID: AC-01
Test Date: 2024-03-20
Expected Result: No unauthorized access attempts
Actual Result: 3 unauthorized access attempts detected
Status: Failed
Remediation: Implement additional logging
```
Question 7 (hard, multiple choice)

Based on the exhibit, which risk should be treated first according to the risk rating?

Exhibit

```
Risk Register Extract:
Risk ID | Asset | Vulnerability | Threat | Current Control | Likelihood | Impact | Risk Level
R001    | WebApp | SQLi in login | Attacker | WAF | 3 | 5 | 15
R002    | DB Server | Weak password | Insider | Password policy | 2 | 4 | 8
R003    | Firewall | Misconfigured rule | External | Change management | 4 | 3 | 12
```

Risk Rating Matrix:
Likelihood (1-5) x Impact (1-5) = Risk Level (1-25). Thresholds: Low (1-6), Medium (7-12), High (13-25).
Question 8 (medium, multiple choice)

Refer to the exhibit. The SIEM alert triggered, but the security team did not respond because they were investigating another incident. What is the BEST way to prevent such monitoring gaps in the future?

Exhibit

```
SIEM Alert: High Severity
Rule: Multiple Failed Logins
Threshold: 10 failures in 5 minutes
Triggered at: 2024-03-15 14:23:45
Source IP: 192.168.1.100
Target: DC01
Event Count: 15 failures in 4 minutes
```
Question 9 (hard, multiple choice)

Based on the exhibit, what is the MOST likely risk scenario?

Exhibit

```
2023-11-15 14:23:45 [CRITICAL] Failed login attempt for user 'admin' from IP 10.0.0.5
2023-11-15 14:23:46 [CRITICAL] Failed login attempt for user 'admin' from IP 10.0.0.5
2023-11-15 14:23:47 [CRITICAL] Failed login attempt for user 'admin' from IP 10.0.0.5
... (repeated 100 times in 5 minutes)
2023-11-15 14:28:45 [INFO] Successful login for user 'admin' from IP 10.0.0.5
```
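Questions 8 and 9 are two halves of one detection: the SIEM rule in Question 8 (10 failures in 5 minutes) is what should have fired, and the log in Question 9 shows the pattern that rule exists to catch, a burst of failures followed by a success from the same source. The following is an added Python example (not code from the page or from any SIEM product) that implements the Question 8 threshold as a sliding window per source IP and user, then raises a second, higher-priority alert when a success lands while that window is still over threshold. The log lines are constructed in the shape of the Question 9 exhibit, including the "... (repeated ...)" ellipsis, which the parser skips.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Line shape taken from the Q9 exhibit.  Lines that do not match (for example the
# "... (repeated 100 times)" ellipsis) are skipped rather than aborting the run.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\] "
    r"(?P<outcome>Failed|Successful) login(?: attempt)? for user "
    r"'(?P<user>[^']+)' from IP (?P<ip>[0-9.]+)$"
)


def parse(lines: List[str]) -> List[Dict]:
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "user": m["user"],
            "ip": m["ip"],
            "ok": m["outcome"] == "Successful",
        })
    return events


def detect(events: List[Dict], threshold: int = 10,
           window: timedelta = timedelta(minutes=5)) -> List[Tuple[str, str, str, str]]:
    """Apply the Q8 rule (threshold failures inside window, keyed on IP and user)
    and on top of it the Q9 pattern: a success while that count is still over
    threshold.  Returns (kind, ip, user, timestamp) with kind "burst" or "compromise".
    """
    recent: Dict[Tuple[str, str], deque] = defaultdict(deque)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["ip"], ev["user"])
        q = recent[key]
        while q and ev["ts"] - q[0] > window:      # slide the window forward
            q.popleft()
        if not ev["ok"]:
            q.append(ev["ts"])
            if len(q) == threshold:                  # fire once per crossing, not per failure
                alerts.append(("burst", ev["ip"], ev["user"], ev["ts"].isoformat(sep=" ")))
        elif len(q) >= threshold:
            alerts.append(("compromise", ev["ip"], ev["user"], ev["ts"].isoformat(sep=" ")))
            q.clear()                                # do not re-fire on the next success
    return alerts


def constructed_log() -> List[str]:
    """Constructed sample: twelve failures for 'admin' from 10.0.0.5 one second
    apart, then a success five minutes after the first failure; plus a user who
    mistyped twice and then logged in, which must not alert."""
    base = datetime(2023, 11, 15, 14, 23, 45)
    fmt = "%Y-%m-%d %H:%M:%S"
    lines = [
        f"{(base + timedelta(seconds=i)).strftime(fmt)} [CRITICAL] "
        f"Failed login attempt for user 'admin' from IP 10.0.0.5"
        for i in range(12)
    ]
    lines.append("... (repeated 100 times in 5 minutes)")
    lines.append(f"{(base + timedelta(minutes=5)).strftime(fmt)} [INFO] "
                 f"Successful login for user 'admin' from IP 10.0.0.5")
    lines += [
        "2023-11-15 14:30:00 [WARNING] Failed login attempt for user 'alice' from IP 10.0.0.9",
        "2023-11-15 14:30:05 [WARNING] Failed login attempt for user 'alice' from IP 10.0.0.9",
        "2023-11-15 14:30:10 [INFO] Successful login for user 'alice' from IP 10.0.0.9",
    ]
    return lines


if __name__ == "__main__":
    for alert in detect(parse(constructed_log())):
        print(alert)
```

Two design points matter for the exam scenarios. The burst alert fires once when the count crosses the threshold rather than on every failure, which is what keeps a noisy rule from burying the analyst, the failure mode behind Question 8. And the success-after-burst alert is a separate, higher-severity signal: the burst alone is an attempt, the success is the risk scenario Question 9 is asking you to name, and it is the one that must not wait behind another investigation.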
Question 10 (hard, multiple choice)

Based on the exhibit, which control is most critical to address first to reduce the risk of unauthorized access?

Exhibit

Control Self-Assessment (CSA) Results for Access Management:
- User access recertification completed within 90 days: 92% (target: 95%)
- Terminated employee accounts disabled within 24 hours: 98% (target: 99%)
- Privileged access reviews completed quarterly: 100% (target: 100%)
- Segregation of duties conflicts resolved within 30 days: 85% (target: 90%)
Question 11 (hard, multiple choice)

Refer to the exhibit. Given the organization's risk appetite is Low, which risk response is most appropriate?

Exhibit

Risk Register Excerpt:
Asset: Customer Database
Inherent Risk (Likelihood: High, Impact: High) => High
Control Set: Access controls (effective), Encryption (effective), Intrusion Detection (moderate)
Current Residual Risk: Medium
Mitigation Options:
A. Implement additional monitoring (cost: $50k, reduces residual to Low)
B. Accept the residual risk (cost: $0)
C. Transfer via cyber insurance (premium: $30k)
D. Avoid by discontinuing database operations (cost: $2M)
Question 12 (hard, multiple choice)

Based on the firewall log exhibit, which of the following conclusions is MOST appropriate for risk identification?

Exhibit

```
2024-02-10 08:23:45 DENY TCP 10.0.1.15 3389 203.0.113.50 443
2024-02-10 08:23:46 DENY TCP 10.0.1.15 3389 203.0.113.50 443
2024-02-10 08:23:47 DENY TCP 10.0.1.15 3389 203.0.113.50 443
2024-02-10 08:23:48 ALLOW TCP 10.0.1.10 443 198.51.100.20 3389
```
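The exhibit has no column header, so the first thing to settle is the field order. The following is an added Python example (not code from the page or from any firewall vendor) that reads the four lines assuming the conventional order timestamp, action, protocol, source IP, source port, destination IP, destination port, and then separates the two things a risk practitioner should take from the log: the repeated DENY entries, which show a control working against a persistent source, and the single ALLOW of an outbound connection to a remote-administration port on an external host, which is a potential control gap. The field order, the internal address ranges and the admin-port list are assumptions.

```python
import ipaddress
from collections import Counter
from typing import Dict, List, Tuple

# The four exhibit lines.  Assumed field order, since the exhibit has no header:
# timestamp, action, protocol, source IP, source port, destination IP, destination port.
FIREWALL_LOG = """\
2024-02-10 08:23:45 DENY TCP 10.0.1.15 3389 203.0.113.50 443
2024-02-10 08:23:46 DENY TCP 10.0.1.15 3389 203.0.113.50 443
2024-02-10 08:23:47 DENY TCP 10.0.1.15 3389 203.0.113.50 443
2024-02-10 08:23:48 ALLOW TCP 10.0.1.10 443 198.51.100.20 3389
"""

# Internal ranges are listed explicitly (assumption: RFC 1918 only).  Python's
# ipaddress.is_private also treats the documentation ranges in the exhibit
# (203.0.113.0/24, 198.51.100.0/24) as private, which would hide the external hosts.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ADMIN_PORTS = {22: "ssh", 3389: "rdp", 5900: "vnc"}   # assumed list of remote-admin ports


def is_internal(addr: ipaddress.IPv4Address) -> bool:
    return any(addr in net for net in INTERNAL)


def parse(text: str) -> List[Dict]:
    rows = []
    for line in text.strip().splitlines():
        date, time, action, proto, src, sport, dst, dport = line.split()
        rows.append({"ts": f"{date} {time}", "action": action, "proto": proto,
                     "src": ipaddress.ip_address(src), "sport": int(sport),
                     "dst": ipaddress.ip_address(dst), "dport": int(dport)})
    return rows


def risky_egress(rows: List[Dict]) -> List[Dict]:
    """Flows the firewall ALLOWED from an internal host to an external host on a
    remote-administration port.  One such line matters more than many DENYs."""
    return [r for r in rows
            if r["action"] == "ALLOW" and is_internal(r["src"])
            and not is_internal(r["dst"]) and r["dport"] in ADMIN_PORTS]


def repeated_denies(rows: List[Dict], min_count: int = 3) -> Dict[Tuple[str, str, int], int]:
    """(source, destination, destination port) triples denied at least min_count
    times: a host persistently attempting something the policy forbids.  Worth a
    look for the source's health, but the control did its job."""
    counts = Counter((str(r["src"]), str(r["dst"]), r["dport"])
                     for r in rows if r["action"] == "DENY")
    return {k: n for k, n in counts.items() if n >= min_count}


if __name__ == "__main__":
    rows = parse(FIREWALL_LOG)
    for r in risky_egress(rows):
        print("ALLOWED admin egress:", r["ts"], r["src"], "->", r["dst"], ADMIN_PORTS[r["dport"]])
    print("repeated denies:", repeated_denies(rows))
```

Read this way, the three DENY lines are evidence of a control operating as designed (and of a host worth checking), while the ALLOW line is the item for the risk register: the policy permits outbound RDP from the internal network to the internet. Whether that is an approved exception or a misconfiguration is exactly the question the exhibit cannot answer on its own.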
Question 13 (hard, multiple choice)

Based on the exhibit, which of the following poses the HIGHEST risk to the environment?

Exhibit

Architecture description:
The organization has a three-tier web application: web servers (public subnet), application servers (private subnet), and database servers (private subnet). The web servers communicate with application servers via HTTPS. Application servers query the database using SQL with embedded credentials. The database has direct internet access for remote administration via SSH, but access is restricted to a single IP address of the DBA's home office.
Question 14 (hard, multiple choice)

Refer to the exhibit. Based on the control test results, which of the following is the most immediate risk?

Exhibit

Risk Control Matrix (RCM) Extract - Control Test Results
Date: 2024-11-20
Process: Order-to-Cash
Test ID: OTC-001
Control Description: Segregation of duties between order entry and credit approval.
Test Result: FAIL
Finding: User ID 'jdoe' performed both order entry and credit approval on transaction ID 78965.
Test ID: OTC-002
Control Description: Automatic validation of credit limit within ERP.
Test Result: PASS
Test ID: OTC-003
Control Description: Monthly reconciliation of accounts receivable.
Test Result: NOT TESTED
Question 15 (medium, multiple choice)

Based on the exhibit, which of the following risks is MOST indicated by the policy configuration?

Exhibit

```
# show security policies
policy from zone: untrust to zone: trust
  rule 1: source-address any, destination-address 10.0.1.0/24, application ssh, deny
  rule 2: source-address any, destination-address 10.0.1.5, application http, permit
  rule 3: source-address 192.168.2.0/24, destination-address 10.0.1.10, application mysql, permit
counter: 1245 hits
```

These CRISC practice questions are part of Courseiva's free ISACA certification practice question bank. Courseiva provides original exam-style CRISC questions with detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics.