CRISC Cheat Sheet 2026

The 30 highest-yield CRISC facts, distilled from real exam questions. Print it, save it as a PDF, or study it here — free, no sign-up.

150 questions
240 min time limit
75.00% to pass
  1. Under the shared responsibility model for cloud services, who is responsible for classifying and protecting customer data stored in the cloud? The customer organization
  2. The BIGGEST danger associated with not having a strategy is: improper oversight of IT investment
  3. What is a Key Risk Indicator (KRI)? A metric that provides early warning signals of increasing risk exposure
  4. In IT risk assessment, exposure factor (EF) represents: The percentage of an asset's value lost if a threat event occurs
  5. Which control objective is MOST directly supported by implementing input validation in a web application? Preventing injection attacks and data integrity violations
  6. Which statement BEST reflects the purpose of a risk committee in IT risk governance? To provide oversight and strategic direction for risk management activities
  7. An organization terminates its relationship with a cloud vendor. Which action is MOST critical from a risk management perspective? Ensuring all organizational data is securely retrieved and deleted from vendor systems
  8. Which characteristic distinguishes a HIGH-QUALITY KRI from a poorly designed one? It is measurable, timely, and directly correlated to a specific risk
  9. When designing controls for a high-risk IT process, which approach provides the GREATEST assurance? Implementing both preventive and detective controls in combination
  10. A vendor risk scoring model should incorporate which combination of factors? Inherent risk level, control effectiveness, and residual risk rating
  11. When a critical control fails, which response is MOST aligned with CRISC best practices? Immediately activate compensating controls and assess residual risk
  12. Which metric best indicates the timeliness of risk response actions? Mean Time to Remediate (MTTR) for identified control deficiencies
  13. Which risk response option involves purchasing cyber liability insurance to cover potential losses? Risk transfer
  14. Which technique involves reviewing process flows to identify where IT risks could emerge? Business process analysis
  15. Which standard provides CRISC practitioners with guidance on information security controls monitoring and measurement? ISO/IEC 27004
  16. COBIT 2019 supports CRISC practitioners PRIMARILY by providing which capability? A governance and management framework for enterprise IT
  17. Which of the following will help you create a set of recovery time goals the MOST? Business impact analysis
  18. Which condition indicates that a control monitoring program is INEFFECTIVE? Control failures are only discovered after security incidents occur
  19. A control that automatically locks a user account after five failed login attempts is BEST classified as: Preventive technical control
  20. What is a risk scenario in the context of CRISC? A documented description of a threat that could negatively impact business objectives
  21. A company's IT risk governance structure is WEAK when which condition exists? Risk decisions are made without senior management involvement
  22. Residual risk that remains after mitigation controls are applied should be compared against which benchmark? The organization's defined risk tolerance
  23. What does the term 'risk universe' mean in CRISC? The complete set of risks that an organization could potentially face
  24. Which regulatory framework explicitly requires organizations to assess and manage third-party risks for financial institutions? FFIEC IT Examination Handbook (Third-Party Relationships)
  25. Which formula correctly represents Annualized Loss Expectancy (ALE)? ALE = SLE × ARO
  26. Where would the data ethics function MOST likely reside in an enterprise, based on the three lines of defense model? The second line of defense
  27. Which statement about risk acceptance is TRUE? It must be a deliberate, documented decision made by an authorized risk owner
  28. Which risk response is MOST appropriate for a low-likelihood, low-impact risk? Risk acceptance
  29. Which of the following elements will most strongly influence the kind of information security governance model a company chooses to implement? The organizational structure
  30. Which element MUST be included in a risk response plan to ensure accountability? Named owner responsible for implementing the response
Turn these facts into recall: