Risk Response and Reporting practice questions

Practise Certified in Risk and Information Systems Control (CRISC) Risk Response and Reporting questions: original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed by Johnson Ajibi · MSc IT Security
20 questions · Domain: Risk Response and Reporting

What the exam tests

What to know about Risk Response and Reporting

Risk Response and Reporting questions test whether you can apply the concept in context, not just recognise a definition. The questions cover:

  • How the topic appears in realistic exam-style scenarios.
  • Which detail in the question changes the correct answer.
  • How to eliminate plausible but wrong options.
  • How to connect the question back to the wider exam objective.

Watch out for

Common Risk Response and Reporting exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Practice set

Risk Response and Reporting questions

20 questions · select your answer, then reveal the explanation

A security team is considering implementing a control to prevent unauthorized access to a critical database. Which type of control is most appropriate for this objective?

The risk team is evaluating the cost-effectiveness of a proposed control that will reduce the annualized loss expectancy (ALE) for a cyber attack from $500,000 to $100,000. The annual cost of the control is $150,000. What is the net benefit of implementing this control?

A Key Control Indicator (KCI) for a firewall rule review process shows an exception rate of 15% for the past quarter, exceeding the acceptable threshold of 10%. What is the most appropriate immediate action for the control owner?

An organization uses a Key Risk Indicator (KRI) that tracks the average number of days to patch critical vulnerabilities. The KRI has been trending upward over the last three months, from 15 days to 30 days, while the risk appetite threshold is 20 days. Which conclusion is most appropriate?

When implementing a new access control system, which activity is essential during the change management process?

An IT risk manager is preparing a quarterly risk report for the CISO. Which type of reporting structure does this represent?

An organization is implementing a continuous monitoring solution for its network. Which of the following is an example of continuous monitoring?

During a control implementation project, the risk manager discovers that the resource requirements have increased significantly, making the original cost-benefit analysis invalid. What should the risk manager do first?

Which of the following best describes the purpose of a risk heat map in an IT risk report?

A critical vendor is being onboarded. The vendor risk appetite policy requires SOC 2 Type II reports for critical vendors. The vendor has provided a SOC 2 Type I report. What should the risk manager do?

An organization's IT risk team is promoting a risk-aware culture. Which initiative is most likely to encourage employees to report security incidents without fear?

Which of the following is a leading indicator that the risk of a credential-based attack may be increasing?

An organization is integrating IT risk into its enterprise risk management (ERM) program. Which TWO of the following are key benefits of this integration?

A risk manager is designing a third-party risk management program. Which THREE factors should be considered when determining the risk tier of a vendor?

Which TWO of the following are examples of detective controls?

An organization is implementing a new access control system to protect sensitive data. Which type of control is most appropriate for preventing unauthorized access?

A risk manager is evaluating the cost-effectiveness of a proposed control. The control costs $50,000 annually to implement and maintain. The current annual loss expectancy (ALE) for the risk is $200,000, and the control is expected to reduce the ALE by 70%. What is the net benefit (or loss) of implementing the control?

Which of the following is a Key Control Indicator (KCI) that measures the effectiveness of a firewall?

An organization is planning to implement a new security control. The project manager must ensure changes to existing systems are properly managed. Which process is most critical to include in the implementation plan?

Which type of control testing is typically performed on a continuous basis using automated tools?

Frequently asked questions

What does the CRISC exam test about Risk Response and Reporting?
Risk Response and Reporting questions test whether you can apply the concept in context, not just recognise a definition.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just Risk Response and Reporting questions in a focused session?
Yes — the session launcher on this page draws every question from the Risk Response and Reporting domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other CRISC topics?
Use the topic links above to move to related areas, or go back to the CRISC question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the CRISC exam covers. They are not copied from any real exam or dump site.