Free practice test · no sign-up

ISACA CRISC: Free Certified in Risk and Information Systems Control practice test

10 real ISACA CRISC practice questions with instant answers and explanations — no account, no credit card, no email. Score yourself, then unlock the full bank of 599 questions whenever you’re ready. The ISACA CRISC passing score is 450 / 800.

Answer key

All 10 ISACA CRISC questions & answers

Prefer to just read the answers and explanations? Here’s the full key for this free ISACA CRISC test.

Q1. A newly established risk management program at a regional bank is failing to gain organizational buy-in. Business unit leaders routinely ignore its recommendations, and budget earmarked for risk mitigation is being diverted elsewhere. Which foundational element is MOST likely absent or inadequate?

Correct answer: B. Visible commitment from senior leadership

When senior leaders visibly champion a risk program, it carries authority and organizational weight. Without that backing, the program lacks credibility, and department heads feel free to deprioritize it or redirect its funding. A control audit calendar helps assess existing controls but does not compel behavioral change. Detailed policy documents alone cannot enforce compliance or inspire cultural adoption. Employee training raises awareness but cannot substitute for the organizational authority that executive sponsorship provides.

Q2. Following the implementation of several risk treatment measures, a cloud service provider's risk team needs to confirm that the remaining exposure is within acceptable bounds and does not pose unacceptable threats to the organization. Which activity BEST characterizes what the risk team is performing?

Correct answer: D. Tracking residual risk levels

After risk treatments have been applied, what remains is residual risk — the exposure that persists despite controls. Ensuring that residual risk stays within tolerable boundaries is a monitoring activity. Approving risk treatments is an earlier decision-making step before treatments are deployed. Risk assessment occurs when potential risks are identified and evaluated for likelihood and impact. Risk identification is the very first step in the risk management cycle, preceding evaluation and treatment.

Q3. A manufacturing firm has signed a multi-year agreement with a key supplier for an essential component. That supplier is now experiencing serious financial instability, raising concerns about its ability to honor the contract. Which category of risk is the firm primarily exposed to?

Correct answer: D. Credit

Credit risk arises when a counterparty may fail to meet its contractual or financial obligations. Here, the supplier's financial deterioration creates the possibility that it will default on deliveries, directly fitting the definition of credit risk. Market risk relates to losses from shifts in economic conditions such as price movements, which is not the supplier's issue. Operational risk covers breakdowns in internal processes or systems rather than third-party default. Compliance risk concerns failure to adhere to laws and regulations, which is unrelated to the core concern here.

Q4. After deploying a new security platform to protect its IT environment, an organization experiences multiple breaches due to unexpected failures in the system. The internal audit team is called upon to examine the situation and propose remediation steps. Within the Three Lines of Defense framework, which line does the internal audit team occupy?

Correct answer: B. Third line of defense

Internal audit constitutes the third line of defense, providing independent and objective assurance that governance, risk management, and internal controls are operating as intended. The second line — comprising risk management and compliance functions — monitors and guides risk activities but is part of the management structure and lacks full independence. The first line consists of operational teams (such as IT security staff) who own and directly execute controls on a day-to-day basis. There is no formally recognized fourth line of defense in the standard three-lines model.

Q5. A firm undertaking a comprehensive review of its risk management practices wants to capture a holistic picture of its current risk exposure — encompassing the nature of each risk, how likely it is to materialize, and the potential consequences. What concept are they trying to characterize?

Correct answer: D. Risk profile

A risk profile is a consolidated view of an organization's overall risk exposure, cataloguing the types of risks present, their likelihood, and potential impact. It enables informed, evidence-based decision-making across the enterprise. Risk appetite refers to the level of risk the organization is willing to accept in pursuit of its objectives. Risk posture describes the current state of the organization's risk management practices and controls. Risk capacity is the maximum amount of risk the organization can absorb without threatening financial viability.

Q6. An HR policy at a company mandates thorough background checks for all personnel who can access customer records. During peak hiring seasons, however, hiring managers routinely pressure HR to skip the final verification steps so that new staff can start sooner. Which symptom of a deficient risk culture does this situation illustrate?

Correct answer: A. A gap between the organization's declared risk appetite and actual employee behavior

The organization has a clearly stated policy — thorough background checks — that reflects its formal risk appetite. Managers bypassing this process reveal that actual behavior diverges from that stated position. This inconsistency between written policy and real-world conduct is a hallmark of weak risk culture. The scenario does not indicate missing leadership communication; the policy itself shows leadership has set expectations. The issue is not about tolerance thresholds lacking formal approval; they exist but are being ignored. Nor does the scenario depict a blame culture — it describes non-compliance with risk policy.

Q7. An enterprise has deliberately chosen a specific set of controls as part of its risk management program. What is the fundamental purpose of implementing these controls?

Correct answer: A. Reduce or neutralize identified risks

Controls are mechanisms designed to continuously assess and manage organizational risks, acting as safeguards that reduce the likelihood or impact of adverse events. Their primary purpose is to mitigate specific risks. Recovery from disruptive events is addressed by continuity or disaster recovery plans — a specific type of control, but not the general answer to this question. Controls can be poorly implemented, so they do not automatically demonstrate compliance or management oversight; their existence alone does not confirm either.

Q8. A financial institution is evaluating potential new investments and must first determine the upper boundary of risk it can absorb without endangering its financial health. This assessment relies on the institution's total financial strength and available resources. What concept is the institution attempting to quantify?

Correct answer: D. Risk capacity

Risk capacity is the objective maximum level of risk an organization can sustain without jeopardizing its financial stability, determined by the organization's financial resources and strength. Risk appetite is the chosen level of risk the organization is willing to accept to pursue its strategic goals — a subjective, deliberate choice rather than an upper boundary. Risk tolerance reflects acceptable variance around specific decisions or targets. Actual risk refers to the risk currently being realized or observed in operations.

Q9. A food delivery company recently rolled out updates to several of its key business processes. The team is now gathering employee input through structured conversations and examining system usage metrics to determine how well the changes have worked and where further refinement is needed. Which phase of the business process review cycle does this activity represent?

Correct answer: B. Feedback and evaluation

Collecting employee perspectives and analyzing usage data after changes have been deployed is characteristic of the feedback and evaluation phase, where the goal is to measure effectiveness and surface opportunities for further improvement. Scheduling and implementing changes has already occurred since the updates have been deployed. Identifying potential improvements is a step that precedes implementation. Documenting and evaluating existing processes is the initial phase of a process review, carried out before any changes are made.

Q10. A healthcare organization is building an IT risk management framework with a focus on ensuring that all risk management activities can be independently examined and verified by both internal reviewers and external assessors. This property is essential for the organization's transparency and accountability. Which characteristic are they prioritizing?

Correct answer: B. Auditable

Auditability means that risk management activities are formally documented and traceable, allowing internal and external parties to independently verify that procedures were followed and controls were effective. Justifiable means that decisions can be explained or defended, but it does not inherently require the structured evidence trail that enables independent review. Enforced means that rules or policies are applied consistently, but enforcement alone does not make activities reviewable after the fact. Compliant means adhering to applicable rules and standards, yet compliance status alone does not ensure that activities are verifiable by third parties.

Exam facts and objectives sourced from the official ISACA certification page. Last reviewed June 2026.

Ready for the full ISACA CRISC bank? Start free.

599 questions, timed mock exams, and missed-question review — 30 free questions, no card.
