
IT Risk Assessment practice questions

Practise Certified in Risk and Information Systems Control (CRISC) IT Risk Assessment questions: original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed by Johnson Ajibi · MSc IT Security
20 questions · Domain: IT Risk Assessment

What the exam tests

What to know about IT Risk Assessment

IT Risk Assessment questions test whether you can apply the concept in context, not just recognise a definition. You need to know:

  • How the topic appears in realistic exam-style scenarios.
  • Which detail in the question changes the correct answer.
  • How to eliminate plausible but wrong options.
  • How to connect the question back to the wider exam objective.

Watch out for

Common IT Risk Assessment exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Practice set

IT Risk Assessment questions

20 questions · select your answer, then reveal the explanation

An organization uses a 5×5 risk heat map to assess IT risks. Which of the following is the PRIMARY advantage of this qualitative approach?

A company is evaluating the risk of a data breach using the FAIR framework. The threat event frequency is estimated at 10 per year, and the vulnerability is 0.2. The primary loss per event is $50,000 and secondary loss is $20,000. What is the annualized loss expectancy (ALE)?

An organization has identified a high-risk IT process that, if continued, could result in significant regulatory fines. The risk owner recommends implementing additional controls. However, the cost of controls exceeds the potential financial loss. Which risk treatment option is MOST appropriate?

During an IT risk assessment, the risk practitioner calculates the inherent risk score for a critical application as 25 (on a 5×5 matrix). After evaluating control effectiveness, the residual risk score is 9. What can be inferred about the controls?

Which of the following is a detective control for an information system?

A quantitative risk assessment for a server shows an ARO of 0.5 and SLE of $200,000. What is the ALE, and what does it imply?

An organization is assessing the risk of a ransomware attack. The threat actor capability is high, but vulnerability is low due to strong patching. However, the business impact is severe. According to FAIR, which factor most directly influences Loss Event Frequency (LEF)?

Which risk treatment option involves eliminating the activity that creates the risk?

A risk practitioner is prioritizing IT risks for treatment. Which factor should be the PRIMARY basis for prioritization?

In the FAIR model, which component represents the probable frequency, within a given timeframe, that a threat agent will act against an asset?


An organization uses a qualitative risk assessment and assigns a likelihood of '3' and impact of '4' on a 5-point scale. The heat map defines risk scores 12-25 as high. What is the risk rating?

Which type of control is designed to reduce the likelihood of a risk event occurring?

A risk assessment for a cloud migration identifies high inherent risk. The risk practitioner evaluates controls. Which TWO components are necessary to calculate residual risk?

An organization is performing a quantitative risk analysis using the FAIR framework. Which THREE of the following are direct components of the FAIR model?

An organization is evaluating risk treatment options for a critical vulnerability. Which TWO options would be considered risk mitigation?

A risk manager is using a 5×5 likelihood-impact matrix to assess a set of identified risks. What is the PRIMARY advantage of using this qualitative method?


An organization uses the FAIR framework to calculate annualized loss expectancy (ALE) for a specific risk. Given that the single loss expectancy (SLE) is $50,000 and the annualized rate of occurrence (ARO) is 0.2, what is the ALE?

After implementing a set of controls for a critical risk, the residual risk is calculated. The risk owner argues that the residual risk remains high and requires further treatment. Which of the following BEST describes the relationship between inherent risk, control effectiveness, and residual risk?


A risk assessment identifies a high-likelihood, high-impact risk associated with a legacy system. The business owner decides to decommission the system to eliminate the risk. Which risk treatment option is being applied?

During a quantitative risk analysis, the risk team calculates the loss event frequency (LEF) using the FAIR framework. If the threat event frequency (TEF) is 10 per year and the vulnerability (V) is 0.3, what is the LEF?


Frequently asked questions

What does the CRISC exam test about IT Risk Assessment?
IT Risk Assessment questions test whether you can apply the concept in context, not just recognise a definition.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just IT Risk Assessment questions in a focused session?
Yes — the session launcher on this page draws every question from the IT Risk Assessment domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other CRISC topics?
Use the topic links above to move to related areas, or go back to the CRISC question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the CRISC exam covers. They are not copied from any real exam or dump site.