CRISC · topic practice

Information Technology and Security practice questions

Practise Certified in Risk and Information Systems Control (CRISC) questions on Information Technology and Security — original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed by Johnson Ajibi · MSc IT Security
20 questions · Domain: Information Technology and Security

What the exam tests

What to know about Information Technology and Security

Information Technology and Security questions test whether you can apply the concept in context, not just recognise a definition. Expect to be tested on:

  • How the topic appears in realistic exam-style scenarios.
  • Which detail in the question changes the correct answer.
  • How to eliminate plausible but wrong options.
  • How to connect the question back to the wider exam objective.

Watch out for

Common Information Technology and Security exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Practice set

Information Technology and Security questions

20 questions · select your answer, then reveal the explanation

A large retail company is implementing a new cloud-based inventory management system. The system will store sensitive customer data and integrate with existing on-premises ERP. The risk manager is asked to identify the most critical risk to address in the shared responsibility model. Which risk is MOST likely to be overlooked?

An energy company is integrating its IT network with OT systems for real-time monitoring. The risk manager is assessing the expanded attack surface. Which risk should be given the HIGHEST priority due to its potential for physical consequences?

A risk manager is designing an IT risk management programme. Which document should be created FIRST to guide the overall approach to risk management?

A financial institution is adopting AI for credit scoring. The model is currently a black box and requires explainability for regulatory compliance. Which risk is MOST critical to address?

During a solution architecture review, the Architecture Review Board (ARB) identifies that a new application communicates with a legacy system using plain text over a public network. Which risk treatment option is MOST appropriate?

A risk manager is calculating the probable financial impact of a ransomware attack using the FAIR model. Which factor is MOST critical to estimate the annual loss exposure?

Which COBIT 2019 domain objective focuses on ensuring that risk is optimized through evaluation, direction, and monitoring?

A hospital is deploying IoT medical devices that connect to the network. Which risk is MOST concerning from a cybersecurity perspective?

A power utility is required to comply with NERC CIP standards. Which of the following is a primary objective of these standards?

A company is migrating critical applications to the cloud. The risk manager is assessing the shared responsibility model. Which risk is the customer typically responsible for?

Which of the following is a key component of an IT risk management programme that documents identified risks, their likelihood, and impact?

An organization is considering cyber insurance to transfer residual risk. Which factor would MOST significantly influence the premium?

A risk manager is integrating the NIST Cybersecurity Framework with the organization's risk management processes. Which TWO functions of the NIST CSF directly support risk assessment?

A manufacturing company is evaluating the risks of connecting its OT network to the IT network. Which THREE risks are MOST significant due to IT/OT convergence?

An organization is planning to adopt post-quantum cryptography. Which TWO considerations are MOST important for migration planning?

Which COBIT 2019 governance objective focuses on ensuring that the enterprise's risk appetite and tolerance are understood, articulated, and communicated, and that risk is managed appropriately?

A risk practitioner is designing an IT risk management programme. Which of the following is the BEST sequence of components to establish?

An organization is reviewing its enterprise architecture to identify risks. In which IT architecture layer would a risk related to data classification and data sovereignty be primarily addressed?

An Architecture Review Board (ARB) is evaluating a new solution architecture for a customer-facing web application. Which of the following is the PRIMARY risk the ARB should consider?

When assessing cloud computing risk, which of the following is a key concern related to data sovereignty?


Frequently asked questions

What does the CRISC exam test about Information Technology and Security?
Information Technology and Security questions test whether you can apply the concept in context, not just recognise a definition.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just Information Technology and Security questions in a focused session?
Yes — the session launcher on this page draws every question from the Information Technology and Security domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other CRISC topics?
Use the topic links above to move to related areas, or go back to the CRISC question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the CRISC exam covers. They are not copied from any real exam or dump site.