ISACA CRISC Practice Test

Try 12 Certified in Risk and Information Systems Control (CRISC) sample questions and practice-test preview prompts on IT risk identification, assessment, response, reporting, control design, and control monitoring.

Certified in Risk and Information Systems Control (CRISC) is ISACA’s enterprise IT risk credential. It is a good future QBank fit because candidates need to reason through risk scenarios, control options, monitoring, ownership, and reporting.

Use these 12 original sample questions for initial self-assessment. The full IT Mastery route for CRISC is not available yet; try the preview and use the Notify me form if this is your target route.

What this route should test

  • risk identification and assessment in technology-dependent processes
  • selecting risk response, treatment, and control options
  • monitoring whether controls are operating and still aligned to risk appetite
  • reporting risk in a way decision-makers can act on

Common candidate trap

CRISC questions usually ask for a risk-management decision, not a purely technical control. Look for risk ownership, business impact, likelihood, control effectiveness, residual risk, and whether the response fits risk appetite.

Sample Exam Questions

These questions are original IT Mastery preview items for enterprise IT risk and control reasoning. They are not official ISACA exam questions.

Question 1

Topic: risk identification

A new customer portal will connect to legacy billing data. What should the risk practitioner do first?

  • A. Disable the legacy system immediately
  • B. Identify business process, data, threat, vulnerability, dependency, and impact scenarios
  • C. Buy the newest security tool
  • D. Assume the vendor has handled all risks

Best answer: B

Explanation: Risk identification starts by understanding the business process, assets, dependencies, threats, vulnerabilities, and possible impacts. Controls come after the risk is understood.


Question 2

Topic: risk ownership

A business unit wants to accept residual risk above normal tolerance for a short-term launch. What should happen?

  • A. IT should accept the risk alone
  • B. The risk should be hidden until after launch
  • C. The control owner should delete the risk record
  • D. The appropriate business authority should make an informed, documented decision under governance rules

Best answer: D

Explanation: Risk decisions belong to the accountable business authority. CRISC reasoning expects documentation, governance, and risk appetite alignment.


Question 3

Topic: control design

A risk assessment shows high likelihood of unauthorized changes to a critical application. Which response is most directly aligned?

  • A. Implement or strengthen change authorization, segregation, logging, and monitoring controls
  • B. Rename the application
  • C. Increase the number of dashboards
  • D. Remove all developer access without analysis

Best answer: A

Explanation: The control response should address the risk scenario. Authorization, segregation, logging, and monitoring reduce unauthorized change risk.


Question 4

Topic: risk assessment

Two risks have similar likelihood, but one could stop revenue processing for two days. What should drive prioritization?

  • A. Which risk has the shorter title
  • B. Which system has the newest technology
  • C. Business impact, criticality, exposure, and risk appetite
  • D. Alphabetical order

Best answer: C

Explanation: Risk assessment weighs impact and likelihood in business context. A revenue-processing outage can warrant higher priority even if likelihood is similar.


Question 5

Topic: key risk indicators

Which metric is most useful as a key risk indicator for privileged-access risk?

  • A. Number of office locations
  • B. Number of policy pages
  • C. Number of meetings held by IT
  • D. Percentage of privileged accounts without timely review or owner certification

Best answer: D

Explanation: A useful KRI signals risk exposure or control weakness. Unreviewed privileged accounts directly relate to privileged-access risk.


Question 6

Topic: control monitoring

A control was designed to review firewall rules quarterly, but no reviews occurred for two quarters. What is the best conclusion?

  • A. The risk no longer exists
  • B. The control is not operating as designed and residual risk may be higher
  • C. The control is automatically effective
  • D. Monitoring is unnecessary

Best answer: B

Explanation: Control design and control operation are different. If the review is not performed, the control may not reduce risk as expected.


Question 7

Topic: risk response

A risk is above appetite, but the proposed control costs more than the expected loss and disrupts operations. What should the risk practitioner recommend?

  • A. Evaluate alternative treatments, compensating controls, transfer, avoidance, or documented acceptance
  • B. Implement the expensive control automatically
  • C. Ignore the risk
  • D. Stop all business activity

Best answer: A

Explanation: Risk response should be proportionate and aligned to business context. Alternative treatments may reduce risk more efficiently.


Question 8

Topic: reporting

Executives receive a list of 400 technical vulnerabilities with no business context. What is the main reporting weakness?

  • A. The list is too short
  • B. The report includes technology details
  • C. It does not translate risk into business impact, priority, ownership, and decision needs
  • D. It has too many colours

Best answer: C

Explanation: Risk reporting should support decisions. Technical detail must be translated into risk priority, impact, accountability, and response options.


Question 9

Topic: third-party risk

A vendor hosts a business-critical service. What should be monitored after onboarding?

  • A. Only the vendor’s marketing page
  • B. Whether the vendor has a large office
  • C. Nothing after contract signing
  • D. Service performance, control assurance, incidents, compliance obligations, and risk changes

Best answer: D

Explanation: Third-party risk continues after onboarding. Monitoring should include performance, control evidence, incidents, obligations, and changing risk conditions.


Question 10

Topic: residual risk

After multifactor authentication is implemented, account-takeover risk is reduced but not eliminated. What remains?

  • A. No risk of any kind
  • B. Residual risk that should be assessed, documented, and monitored
  • C. A requirement to remove all accounts
  • D. A reason to stop risk reporting

Best answer: B

Explanation: Controls reduce risk; they rarely eliminate it. Residual risk must be understood and accepted or treated according to governance.


Question 11

Topic: control ownership

A control fails repeatedly because no team is accountable for performing it. What is the best response?

  • A. Assign clear control ownership, frequency, evidence expectations, and escalation
  • B. Remove the control from the risk register without review
  • C. Blame the audit team
  • D. Assume automation will happen later

Best answer: A

Explanation: Controls need owners and operating expectations. Without accountability, monitoring and remediation are weak.


Question 12

Topic: risk appetite

A risk metric exceeds the approved appetite threshold. What should happen?

  • A. The metric should be hidden
  • B. The threshold should be ignored
  • C. Escalate under the risk-governance process and decide whether to treat, accept, transfer, or avoid the risk
  • D. Automatically delete the risk

Best answer: C

Explanation: Risk appetite thresholds exist to trigger governance action. Exceeding appetite should lead to escalation and a treatment decision.

CRISC quick checklist

Area: What to check

  • Risk scenario: Identify asset, threat, vulnerability, event, impact, and owner.
  • Response: Match treatment to appetite, business impact, cost, and feasibility.
  • Controls: Separate control design from control operating effectiveness.
  • Reporting: Translate technical findings into decisions, owners, and business impact.

Revised on Monday, May 18, 2026