Risk-focused ISACA certification covering governance, IT risk assessment, risk response and reporting, and the technology and security knowledge a risk practitioner needs, with a worked explanation on every practice question.
Free sample questions
No account needed. Every question has a worked explanation, just like the full bank.
Free sample (Governance, medium)
A risk practitioner is asked to demonstrate that the IT risk management approach supports the organisation's strategy. Which action provides the strongest evidence of strategic alignment?
- A. Deriving risk appetite, tolerance and treatment priorities directly from the approved strategic objectives (Correct)
- B. Mapping each identified IT risk scenario to the specific business objectives it could impair
- C. Counting how many IT risk scenarios were closed within the agreed remediation window
- D. Publishing the IT risk register to every department head on a fixed monthly schedule
Strategic alignment is proven when risk appetite, tolerance and treatment priorities are derived from approved strategic objectives. Alignment means the strategy drives the risk decisions, so deriving appetite, tolerance and treatment priorities from the approved objectives makes business intent the controlling input rather than an afterthought layered onto technical activity.
Why A is correct: When appetite, tolerance and priorities flow from the approved strategic objectives, the risk approach is demonstrably governed by strategy rather than run as an isolated technical exercise.
Why B is wrong: Mapping risks to objectives is useful and tempting because it shows traceability, but it documents exposure rather than proving the overall approach is steered by strategy.
Why C is wrong: Closure rates measure operational efficiency of treatment, so they look like progress, yet they say nothing about whether the work served the organisation's strategic goals.
Why D is wrong: Wide distribution improves transparency and feels like good governance, but circulating a register does not show that risk decisions are anchored to business strategy.
Free sample (Governance, medium)
The board has approved a new strategy to expand into regulated overseas markets within two years. How should the risk practitioner adjust the IT risk management approach to stay aligned with this strategy?
- A. Freeze the existing risk register until the overseas expansion has been fully completed and reviewed
- B. Reassess risk appetite and tolerance so they reflect the new regulatory and market exposures created by the expansion (Correct)
- C. Increase the frequency of vulnerability scans across all current production systems
- D. Delegate all new market risk decisions to the local teams once each overseas office opens
When strategy changes, realign the risk approach by reassessing appetite and tolerance against the new objectives and exposures. Strategic objectives define the boundaries of acceptable risk, so a major shift such as regulated overseas expansion requires appetite and tolerance to be reassessed; otherwise the approach stays calibrated to a strategy the organisation has abandoned.
Why A is wrong: Freezing the register feels cautious during change, but it lets the approach drift out of step with a strategy whose risk profile is shifting right now.
Why B is correct: A new strategic direction changes what the organisation is willing to accept, so revisiting appetite and tolerance keeps the risk approach matched to the objectives the board has just set.
Why C is wrong: More frequent scanning is a sound technical control and sounds proactive, yet it addresses operational hygiene rather than realigning the approach with the new strategy.
Why D is wrong: Local delegation can speed decisions and seems pragmatic, but handing off without realigned appetite breaks the link between enterprise strategy and risk choices.
Free sample (Governance, medium)
Senior management complains that the IT risk function operates in isolation and rarely informs strategic planning. Which change would best embed the risk management approach within the organisation's strategy and objectives?
- A. Schedule additional technical risk workshops for the IT operations team each quarter
- B. Require the risk team to produce a longer, more detailed monthly risk report
- C. Embed the risk practitioner in the strategic planning cycle so risk input shapes objectives as they are set (Correct)
- D. Move the risk function to report directly to the chief information officer instead
Integration with strategy is achieved by placing risk input inside the planning cycle so it shapes objectives as they form. Alignment is structural, not cosmetic, so embedding risk input where objectives are actually decided ensures strategy and risk are weighed together rather than risk being bolted on once the plan is fixed.
Why A is wrong: More technical workshops build operational skill and look constructive, but they deepen the silo rather than connecting risk activity to strategic planning.
Why B is wrong: A richer report seems like better communication, yet adding length without a seat at the planning table still leaves risk reacting after strategy is set.
Why C is correct: Bringing the risk practitioner into the planning cycle lets risk considerations inform objectives while they are being formed, which integrates the approach with strategy at source.
Why D is wrong: Changing the reporting line may raise the function's profile and feels decisive, but it does not by itself bring risk insight into strategic decision making.
Frequently asked questions
- How many questions are on the CRISC exam?
- The Certified in Risk and Information Systems Control (CRISC) exam has 150 questions and runs for 240 minutes. The format is multiple choice and computer-based, taken at PSI testing centres or via remote proctoring.
- What score do I need to pass CRISC?
- The pass mark is 450 / 800. Examworthy gives you a per-domain readiness score so you can see which domains are holding you back before you book.
- How much does the CRISC exam cost?
- The exam costs 760 USD to sit. Practising on Examworthy is free to start, with a worked explanation on every question.
- How does Examworthy help me prepare for CRISC?
- Every practice question carries a worked explanation and a per-distractor rationale, mapped to the official blueprint domains. You learn why each answer is right or wrong, not just the letter.
- Is Examworthy affiliated with ISACA?
- No. Examworthy is not affiliated with or endorsed by ISACA. Our questions are original, blueprint-aligned practice material; we never reproduce live exam items.
Examworthy is not affiliated with or endorsed by ISACA. All questions are original, blueprint-aligned practice material. We never reproduce live exam items. CRISC and related marks belong to their respective owners.