CRISC · topic practice

IT Risk Identification practice questions

Practise Certified in Risk and Information Systems Control CRISC IT Risk Identification practice questions — original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed byJohnson Ajibi· MSc IT Security
20 questionsDomain: IT Risk Identification

What the exam tests

What to know about IT Risk Identification

IT Risk Identification questions test whether you can apply the concept in context, not just recognise a definition.

How the topic appears in realistic exam-style scenarios.

Which detail in the question changes the correct answer.

How to eliminate plausible but wrong options.

How to connect the question back to the wider exam objective.

Watch out for

Common IT Risk Identification exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Practice set

IT Risk Identification questions

20 questions · select your answer, then reveal the explanation

Question 1mediummultiple choice
Read the full NAT/PAT explanation →

A company recently experienced a data breach due to an unpatched vulnerability in a public-facing web application. During the post-incident review, the IT risk manager notes that the vulnerability was identified by the vulnerability scanner six months ago but was not remediated because the patch required a critical database server restart. Which of the following is the BEST risk treatment decision to prevent a recurrence?

During a risk assessment, an organization identifies that its legacy ERP system has a high likelihood of failure during peak transaction periods. The system supports critical financial operations. The risk owner proposes to upgrade the system, but the project would take 18 months and require significant capital investment. The CEO questions whether the risk can be reduced to an acceptable level more quickly. Which of the following is the MOST appropriate immediate risk response?

An organization is considering migrating its customer database to a public cloud provider. Which of the following is the PRIMARY risk identification technique that should be used to identify potential data exposure risks?

An IT risk manager is reviewing the results of a recent risk assessment. The organization has a risk appetite that allows for low residual risk. One identified risk has an inherent risk score of 15 (on a scale of 1-25) and currently has no controls. Which of the following is the BEST recommendation for this risk?

Question 5hardmultiple choice
Read the full NAT/PAT explanation →

A multinational corporation uses a common identity management system (IdM) across all subsidiaries. During a risk assessment, it is discovered that the IdM system has a critical vulnerability that could allow privilege escalation. The patch requires a 4-hour downtime. The risk manager must decide the best course of action considering the organization's risk appetite of 'low' and the fact that the IdM system is critical for business operations. Which of the following is the BEST approach?

Which of the following is the BEST example of a key risk indicator (KRI) for the risk of unauthorized access to sensitive data?

A large retailer is implementing a new point-of-sale (POS) system. The project manager wants to identify risks related to payment card data security. Which risk identification technique would be MOST effective for this purpose?

During a risk assessment, an organization identifies that its remote workforce uses personal devices for work. The risk manager is concerned about data leakage. The organization has a risk appetite that is 'moderate' and wants to treat the risk. Which of the following is the MOST effective risk treatment option?

Which of the following is the PRIMARY purpose of a risk register?

Which TWO of the following are key risk identification techniques used to identify threats and vulnerabilities in IT systems? (Select exactly 2.)

Which THREE of the following are valid risk identification methods according to ISACA's Risk IT Framework? (Select exactly 3.)

Which TWO of the following are primary sources of risk identification for IT projects? (Select exactly 2.)

You are the IT risk manager for a mid-sized e-commerce company. The company processes credit card payments and stores customer data. Recently, the company experienced a security incident where an attacker exploited a SQL injection vulnerability in the web application, exfiltrating a database of customer records. The vulnerability was introduced three months ago during a feature upgrade. The development team claims they followed secure coding guidelines, but the vulnerability was missed due to insufficient testing. The company's risk appetite is moderate, and they have a risk management policy that requires risks to be treated within 30 days of identification. The CISO wants to know the most effective way to reduce the likelihood of similar incidents. You have assessed that the current risk score for web application vulnerabilities is 16 (High). The company has a bug bounty program, but it has not been effective. Which of the following courses of action would BEST address the root cause and reduce the risk?

Question 14mediummultiple choice
Read the full NAT/PAT explanation →

You are a risk analyst for a financial institution that uses a legacy mainframe system for core banking transactions. The mainframe is critical for daily operations, but it is no longer supported by the vendor. The system has known vulnerabilities that cannot be patched due to compatibility issues. The institution has a risk appetite that is very low for any disruption to core banking services. Recently, there was a minor outage caused by a hardware failure, which was resolved quickly, but it highlighted the system's fragility. The IT director proposes to migrate to a modern system, but the migration will take 2 years and cost $5 million. The board is concerned about the cost and timeline. You need to recommend an immediate risk treatment to reduce the likelihood of a major outage while the migration is underway. Which of the following is the BEST course of action?

A retail company recently deployed a point-of-sale (POS) system that processes credit card transactions. The system is connected to the corporate network and transmits transaction data to a payment processor over the internet. During a risk assessment, the IT risk manager identifies that the POS system is vulnerable to malware injection via unvalidated input from barcode scanners. Which of the following is the MOST appropriate risk mitigation strategy?

Question 16hardmultiple choice
Read the full NAT/PAT explanation →

A multinational corporation is expanding its cloud infrastructure to include a new SaaS application that stores sensitive customer data. The vendor claims compliance with SOC 2 Type II and ISO 27001. The risk manager must determine if the remaining residual risk after vendor controls is within the company's risk appetite. Which of the following is the MOST critical next step?

An organization is implementing a new identity and access management (IAM) system. The risk manager is tasked with identifying risks associated with the migration from legacy authentication to single sign-on (SSO). Which of the following is the GREATEST risk during this migration?

A financial institution uses a third-party cloud service for data analytics. The service has access to non-public personal information (NPI). During a risk assessment, the risk manager discovers that the cloud provider uses subprocessors without notifying the institution. The contract does not require notification of subprocessor changes. What should the risk manager do FIRST?

A healthcare organization is migrating its electronic health records (EHR) system to a public cloud. The risk manager identifies several risks. Which TWO of the following are the MOST significant risks related to data privacy and regulatory compliance?

You are the IT risk manager for a mid-sized e-commerce company that processes over 10,000 transactions per day. The company recently migrated its customer database from an on-premises SQL Server to a cloud-based PostgreSQL instance on AWS RDS. The database contains personally identifiable information (PII) including names, addresses, and credit card numbers (stored as encrypted tokens). The migration was performed by the DevOps team with minimal involvement from the security team. Two weeks after the migration, the company experienced a data breach where an attacker exfiltrated a subset of customer records. The forensic investigation revealed that the attacker exploited a misconfigured security group that allowed inbound traffic from the internet on port 5432 (PostgreSQL default port). Additionally, the database had a publicly accessible endpoint, and the master user password was weak (eight characters, no special characters). The attacker used a brute-force attack to guess the password. The security group has since been corrected, and the password has been changed to a strong one. The breach notification laws require reporting within 72 hours. The CEO wants to understand the root cause and prevent recurrence. As the risk manager, which of the following actions should you recommend as the MOST effective to prevent a similar incident?

Free account

Track your progress over time

Create a free account to save your results and see which topics improve across sessions.

Focused IT Risk Identification sessions

Start a IT Risk Identification only practice session

Every question in these sessions is drawn from the IT Risk Identification domain — nothing else.

Related practice questions

Related CRISC topic practice pages

Move into related areas when this topic feels solid.

Frequently asked questions

What does the CRISC exam test about IT Risk Identification?
IT Risk Identification questions test whether you can apply the concept in context, not just recognise a definition.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just IT Risk Identification questions in a focused session?
Yes — the session launcher on this page draws every question from the IT Risk Identification domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other CRISC topics?
Use the topic links above to move to related areas, or go back to the CRISC question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the CRISC exam covers. They are not copied from any real exam or dump site.