10 free, exam-style Certified in Risk and Information Systems Control (CRISC) practice questions with answers and explanations. No signup required. Work through them below, then take the full free CRISC practice test to study every exam domain.
These 10 free CRISC questions are organized by exam domain, so you can see how each part of the Certified in Risk and Information Systems Control blueprint is tested. Reveal the answer and explanation under each question.
Domain 1: Governance
Question 1
An organization's board has approved a statement defining the amount of risk it is willing to accept in pursuit of its strategic objectives. Senior management must now define the acceptable level of variation permitted around that level for a specific objective. This acceptable variation is BEST described as:
- Risk tolerance
- Risk appetite
- Risk capacity
- Risk exposure
Correct answer: A - Risk tolerance
Question 2
Within an enterprise that has adopted the Three Lines Model, which function is responsible for providing INDEPENDENT assurance over the effectiveness of risk management and controls?
- Operational management that owns and manages risk
- The internal audit function
- The risk management and compliance function
- The executive committee that owns the risk strategy
Correct answer: B - The internal audit function
Question 3
A risk practitioner is explaining the distinction between the governance and management of IT risk to a new committee. Which statement BEST characterizes governance, as opposed to management?
- Governance executes the risk treatment plans approved by the board
- Governance performs the day-to-day monitoring of key risk indicators
- Governance sets direction and provides oversight of the risk program
- Governance selects and implements the controls that mitigate risk
Correct answer: C - Governance sets direction and provides oversight of the risk program
Question 4
An organization is formalizing its internal documents. A document that states mandatory, measurable requirements for how a control objective must be met - for example, a minimum password length - is BEST classified as a:
- Policy
- Guideline
- Procedure
- Standard
Correct answer: D - Standard
Question 5
After a risk assessment, a business unit decides to retain a low-impact risk because the cost of additional controls would exceed the potential loss. For this decision to be appropriate, it MUST be:
- An informed decision made and documented by the risk owner
- Escalated to internal audit for independent approval
- Recorded by the risk practitioner who performed the assessment
- Supported by the purchase of an insurance policy
Correct answer: A - An informed decision made and documented by the risk owner
Domain 2: IT Risk Assessment
Question 6
During a risk assessment, an analyst evaluates the level of risk that would exist if NO controls or mitigating measures were applied. The analyst is assessing:
- Residual risk
- Inherent risk
- Secondary risk
- Accepted risk
Correct answer: B - Inherent risk
Question 7
An asset is valued at $400,000. A specific threat would destroy an estimated 50% of the asset's value if it occurred, and it is expected to occur once every four years. What is the annualized loss expectancy (ALE)?
- $50,000
- $100,000
- $200,000
- $800,000
Correct answer: A - $50,000
Question 8
A risk practitioner has been asked to begin developing IT risk scenarios for the enterprise. What should the practitioner do FIRST?
- Understand the organization's business objectives and operating environment
- Quantify the annualized loss expectancy for each individually identified threat
- Assign ownership of each scenario to a control owner
- Select the appropriate risk response for each identified scenario
Correct answer: A - Understand the organization's business objectives and operating environment
Question 9
Senior management wants risk results expressed in monetary terms so they can be compared directly against the cost of proposed controls. Which approach to risk analysis is MOST appropriate?
- Qualitative analysis using a high/medium/low rating scale
- A risk heat map ranking scenarios by color
- The Delphi technique using anonymous expert consensus
- Quantitative analysis assigning numeric loss values
Correct answer: D - Quantitative analysis assigning numeric loss values
Domain 3: Risk Response and Reporting
Question 10
An organization purchases a cyber insurance policy to offset the potential financial loss from a data breach. This is an example of which risk response? Note that this response does NOT remove the organization's accountability for the residual and reputational risk.
- Risk avoidance
- Risk mitigation
- Risk acceptance
- Risk transfer
Correct answer: D - Risk transfer
The rest of the CRISC blueprint
The CRISC exam also covers these domains. Drill them in the full free practice test:
- Domain 4: Information Technology and Security