CRISC · topic practice

Scenario practice questions

Practise Certified in Risk and Information Systems Control (CRISC) Scenario practice questions: original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed by Johnson Ajibi · MSc IT Security
20 questions · Domain: Scenario

What the exam tests

What to know about Scenario

Scenario questions test whether you can apply the concept in context, not just recognise a definition.

  • How the topic appears in realistic exam-style scenarios.
  • Which detail in the question changes the correct answer.
  • How to eliminate plausible but wrong options.
  • How to connect the question back to the wider exam objective.

Watch out for

Common Scenario exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Practice set

Scenario questions

20 questions · select your answer, then reveal the explanation

Question 1 · hard · multi select

Which THREE of the following are key components of an IT risk assessment report as per ISACA guidelines?

Question 2 · medium · multi select

A risk assessment for a financial trading platform has identified a high-risk vulnerability in the order matching engine. The risk owner has recommended implementing compensating controls rather than fixing the underlying code. Which TWO of the following are valid compensating controls? (Choose two.)

Question 3 · hard · multiple choice

A multinational organization is implementing a risk mitigation strategy for a critical system. The business impact analysis shows that downtime costs are extremely high. Which risk response strategy is MOST appropriate for this scenario?

Question 4 · medium · multiple choice

A company is implementing a new cloud-based customer relationship management (CRM) system. The IT risk manager needs to assess the risk of data exfiltration by a malicious insider at the cloud provider. Which risk assessment approach is most appropriate for this scenario?

Question 5 · hard · multi select

Which THREE of the following are valid risk identification methods according to ISACA's Risk IT Framework? (Select exactly 3.)

Question 6 · hard · multiple choice

A financial institution is assessing the risk of a new real-time payment system. The risk manager calculates that the annualized loss expectancy (ALE) for a potential fraud scenario is $500,000. The cost to implement a fraud detection solution is $200,000 initially with $50,000 annual maintenance. The solution is expected to reduce the ALE by 80%. What is the net benefit of implementing the solution over three years?

Question 7 · medium · multiple choice

A retail company is assessing the risk of a POS malware attack. Which approach would BEST quantify the potential financial impact?

Question 8 · medium · multiple choice

A hospital uses a patient portal that allows patients to access their medical records. The portal has experienced multiple brute-force login attempts. The risk manager wants to identify the most critical risk scenario. Which of the following should be prioritized?

Question 9 · hard · multiple choice

Based on the exhibit, what is the MOST likely risk scenario?

Exhibit

Refer to the exhibit.
```
2023-11-15 14:23:45 [CRITICAL] Failed login attempt for user 'admin' from IP 10.0.0.5
2023-11-15 14:23:46 [CRITICAL] Failed login attempt for user 'admin' from IP 10.0.0.5
2023-11-15 14:23:47 [CRITICAL] Failed login attempt for user 'admin' from IP 10.0.0.5
... (repeated 100 times in 5 minutes)
2023-11-15 14:28:45 [INFO] Successful login for user 'admin' from IP 10.0.0.5
```

Question 10 · medium · multiple choice

During a risk assessment, the risk manager identifies that the likelihood of a cyber-attack is high due to recent industry trends. However, the existing controls are deemed effective in reducing impact. Which of the following is the MOST appropriate risk response?

Question 11 · easy · multiple choice

A smart manufacturing company has deployed hundreds of IoT sensors and actuators across its production line. These devices are connected directly to the corporate network without any segmentation and communicate using unencrypted protocols. A third-party vendor manages all IoT devices and has administrative access from their own network. Recently, the IT team detected unusual outbound traffic from the IoT segment to unknown IP addresses on the internet. The risk manager is leading a risk identification workshop. Based on this scenario, what is the most critical risk to the organization that should be identified and documented?

Question 12 · medium · multiple choice

A retail company is identifying risks in its supply chain. Which approach is most effective for identifying previously unknown risks?

Question 13 · easy · multiple choice

An organization uses a third-party SaaS provider for payroll processing. Which of the following is the BEST technique to identify risks associated with this vendor?

Question 14 · easy · multiple choice

When assessing IT risks, which of the following is the PRIMARY purpose of developing risk scenarios?

Question 15 · hard · multiple choice

A company has a low risk appetite but high risk tolerance. Which of the following scenarios is consistent with this situation?

Question 16 · hard · multi select

Which THREE of the following are typical components of a risk scenario?

Question 17 · medium · multiple choice

During a risk assessment for a new financial application, the risk manager identifies that the application processes sensitive customer data and is accessible from the internet. Which of the following is the MOST appropriate risk scenario to document?

Question 18 · hard · multiple choice

A company's control monitoring shows that a detective control has been 100% effective for the past year. However, a recent incident revealed that a data breach went undetected for three months. What is the MOST likely cause?

Question 19 · hard · multi select

Which TWO risk identification techniques are most appropriate for identifying emerging risks from new technologies?

Question 20 · hard · multiple choice

During a risk assessment of a legacy system, the assessor finds that no control is currently in place. The inherent risk level is 'critical'. The residual risk will be:


Frequently asked questions

What does the CRISC exam test about Scenario?
Scenario questions test whether you can apply the concept in context, not just recognise a definition.

How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.

Can I practise just Scenario questions in a focused session?
Yes — the session launcher on this page draws every question from the Scenario domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.

Where can I practise other CRISC topics?
Use the topic links above to move to related areas, or go back to the CRISC question bank to see all topics.

Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the CRISC exam covers. They are not copied from any real exam or dump site.