CRISC · topic practice

IT Risk Assessment practice questions

Risk questions require you to match the scenario characteristics to the correct response strategy. The probability and impact combination, weighed against risk appetite and the cost of treatment, drives the choice: avoid or mitigate high combinations, transfer consequences a third party can bear (insurance, outsourcing), and accept risks that fall within appetite.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed by Johnson Ajibi · MSc IT Security
20 questions · Domain: IT Risk Assessment

What the exam tests

What to know about IT Risk Assessment

Risk management questions test risk identification, qualitative vs quantitative analysis, risk response strategies (avoid, transfer, mitigate, accept), and risk registers.

Risk identification techniques: brainstorming, SWOT, Delphi technique, and historical data review.

Qualitative analysis: probability-impact matrix, risk categorisation, and urgency assessment.

Quantitative analysis: EMV (Expected Monetary Value), Monte Carlo simulation, and sensitivity analysis.

Risk response strategies and when each is appropriate based on impact and probability.

Watch out for

Common IT Risk Assessment exam traps

  • Confusing risk avoidance (eliminate the cause) with risk transfer (shift consequence to another party).
  • Treating a risk with low probability and high impact the same as one with high probability and low impact.
  • Forgetting that residual risk remains after mitigation and must be accepted or further treated.
  • Selecting risk acceptance for a high-impact, high-probability risk. Acceptance is for risks that sit within the organisation's appetite, typically low probability or low impact, or where the cost of treatment would exceed the loss it avoids.

Practice set

IT Risk Assessment questions

20 questions · select your answer, then reveal the explanation

During a risk assessment, an organization identifies that its primary data center is located in a flood-prone area. Which risk treatment option would best address this risk?

A risk assessment for a healthcare organization reveals a high likelihood of data breaches due to weak encryption on portable devices. The organization decides to deploy full-disk encryption and enforce multi-factor authentication. Which risk response strategy is being applied?

Which of the following is the PRIMARY purpose of conducting a business impact analysis (BIA) during the IT risk assessment process?

A retail company is assessing the risk of a POS malware attack. Which approach would BEST quantify the potential financial impact?

A risk assessor is evaluating a third-party cloud service provider. Which of the following is the MOST important factor to consider when assessing the risk of data exfiltration?

An organization has a risk appetite that is risk-averse. Which risk treatment option would be most aligned with this appetite?

During a risk assessment, a financial institution identifies that its online banking application uses an outdated encryption protocol. The likelihood of exploitation is high, and the impact is moderate. What should the risk owner do FIRST?

Question 8 · hard · multiple choice

A multinational corporation is assessing the risk of non-compliance with GDPR. Which of the following is the BEST approach to quantify the potential fine?

Which of the following is the BEST indicator that an organization's IT risk assessment process is effective?

Question 10 · medium · multiple choice

A risk assessment reveals that a legacy system has a high vulnerability score but low business criticality. The cost to remediate is high. What is the MOST appropriate risk response?

An organization uses a quantitative risk analysis method. The annualized rate of occurrence (ARO) for a specific threat is 0.5, and the single loss expectancy (SLE) is $200,000. What is the annualized loss expectancy (ALE)?

Question 12 · medium · multiple choice

During a risk assessment for a cloud migration project, the IT risk manager identifies that the organization lacks visibility into the cloud provider's security controls. Which approach should the risk manager recommend to address this risk?

A financial institution is assessing the risk of a new real-time payment system. The risk manager calculates that the annualized loss expectancy (ALE) for a potential fraud scenario is $500,000. The cost to implement a fraud detection solution is $200,000 initially with $50,000 annual maintenance. The solution is expected to reduce the ALE by 80%. What is the net benefit of implementing the solution over three years?
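The two quantitative stems above (ALE from ARO and SLE, and the net benefit of a control over a planning horizon) share the same arithmetic, so one worked example covers both. This is an added example, not part of the Courseiva practice set: the `Control` class and the function names are mine, the fraud-detection and ARO/SLE figures come from the question stems, and the legacy-system control is a constructed extra case with assumed figures, included to show how the same calculation points to acceptance when treatment costs more than the loss it avoids.

```python
"""Quantitative risk arithmetic behind the ALE and net-benefit questions above.

Added worked example, not part of the practice set. Inputs: ARO 0.5 with SLE
$200,000; an ALE of $500,000 reduced 80% by a control costing $200,000 up front
plus $50,000 a year, over three years. The legacy-system case uses assumed
figures to illustrate acceptance on cost-benefit grounds.
"""
from dataclasses import dataclass


def ale(sle: float, aro: float) -> float:
    """Annualized loss expectancy = single loss expectancy x annualized rate of occurrence."""
    if sle < 0 or aro < 0:
        raise ValueError("SLE and ARO must be non-negative")
    return sle * aro


@dataclass(frozen=True)
class Control:
    name: str
    initial_cost: float
    annual_cost: float
    ale_reduction: float  # fraction of the current ALE the control removes, 0.0 to 1.0

    def __post_init__(self) -> None:
        if not 0.0 <= self.ale_reduction <= 1.0:
            raise ValueError("ale_reduction must be between 0 and 1")


def control_cost(control: Control, years: int) -> float:
    """Total cost of ownership over the planning horizon."""
    return control.initial_cost + control.annual_cost * years


def losses_avoided(current_ale: float, control: Control, years: int) -> float:
    """Expected loss the control prevents over the horizon (ALE reduction x years)."""
    return current_ale * control.ale_reduction * years


def residual_ale(current_ale: float, control: Control) -> float:
    """ALE left after the control; this residual risk must still be accepted or treated further."""
    return current_ale - current_ale * control.ale_reduction


def net_benefit(current_ale: float, control: Control, years: int) -> float:
    """Losses avoided minus the cost of the control over the horizon."""
    return losses_avoided(current_ale, control, years) - control_cost(control, years)


def choose_response(current_ale: float, controls: list, years: int):
    """Rank candidate controls by net benefit and return (strategy, control_name, residual_ale).

    A control whose cost exceeds the losses it avoids fails the cost-benefit test.
    If every candidate fails, the financially defensible answer is to accept the
    risk (or look for a cheaper treatment) rather than spend more than the exposure.
    """
    if not controls:
        return ("accept", None, current_ale)
    best = max(controls, key=lambda c: net_benefit(current_ale, c, years))
    if net_benefit(current_ale, best, years) <= 0:
        return ("accept", None, current_ale)
    return ("mitigate", best.name, residual_ale(current_ale, best))


def worked_examples() -> dict:
    """The two question stems above plus the constructed legacy-system case."""
    fraud_control = Control("fraud detection", initial_cost=200_000, annual_cost=50_000, ale_reduction=0.8)
    # Constructed case (assumed figures): an expensive fix for a low-criticality system.
    legacy_fix = Control("legacy remediation", initial_cost=300_000, annual_cost=0, ale_reduction=0.9)
    return {
        "ale_q11": ale(sle=200_000, aro=0.5),
        "fraud_net_benefit_3y": net_benefit(500_000, fraud_control, years=3),
        "fraud_residual_ale": residual_ale(500_000, fraud_control),
        "fraud_response": choose_response(500_000, [fraud_control], years=3),
        "legacy_response": choose_response(20_000, [legacy_fix], years=3),
    }


if __name__ == "__main__":
    for label, value in worked_examples().items():
        print(f"{label}: {value}")
```

Run it and the fraud case comes out as losses avoided of $400,000 a year for three years against $350,000 of control cost, a net benefit of $850,000 with $100,000 of residual ALE still on the register; the legacy case returns "accept" because a $300,000 fix against $20,000 of annual exposure never pays back within the horizon.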

An organization is performing a risk assessment for its new customer relationship management (CRM) system. Which of the following is the BEST way to identify threats to the CRM?

Question 15 · medium · multiple choice

After a risk assessment, the risk owner decides to mitigate a high-risk finding by implementing additional access controls. What should the risk manager do NEXT?

Question 16 · hard · multiple choice

An organization has a legacy system that cannot be patched due to vendor end-of-life. The system processes non-critical data. The risk manager has determined that the likelihood of exploitation is low, but the impact would be high. Which risk response strategy is MOST appropriate?

During a risk assessment, the risk manager identifies a vulnerability in a web application that could allow SQL injection. The development team states they will fix it in the next release, which is six months away. What should the risk manager do?

Question 18 · medium · multiple choice

A risk manager is evaluating the risk associated with a new third-party vendor that will have access to customer data. The vendor has been in business for 10 years and holds ISO 27001 certification. Which factor should be given the MOST weight when determining the vendor's risk level?

Which TWO of the following are valid techniques for identifying risk in IT risk assessment?

Which THREE of the following are key components of a risk assessment report?

Free account

Track your progress over time

Create a free account to save your results and see which topics improve across sessions.

Focused IT Risk Assessment sessions

Start an IT Risk Assessment only practice session

Every question in these sessions is drawn from the IT Risk Assessment domain — nothing else.

Related practice questions

Related CRISC topic practice pages

Move into related areas when this topic feels solid.

Frequently asked questions

What does the CRISC exam test about IT Risk Assessment?
Risk management questions test risk identification, qualitative vs quantitative analysis, risk response strategies (avoid, transfer, mitigate, accept), and risk registers.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just IT Risk Assessment questions in a focused session?
Yes — the session launcher on this page draws every question from the IT Risk Assessment domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other CRISC topics?
Use the topic links above to move to related areas, or go back to the CRISC question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the CRISC exam covers. They are not copied from any real exam or dump site.