CRISC Cheat Sheet 2026
The 30 highest-yield CRISC facts, distilled from real exam questions. Print it, save it as a PDF, or study it here — free, no sign-up.
150 questions
240 min time limit
75.00% to pass
- Under the shared responsibility model for cloud services, who is responsible for classifying and protecting customer data stored in the cloud? → The customer organization
- The BIGGEST danger associated with not having a strategy is: → improper oversight of IT investment
- What is a Key Risk Indicator (KRI)? → A metric that provides early warning signals of increasing risk exposure
- In IT risk assessment, exposure factor (EF) represents: → The percentage of an asset's value lost if a threat event occurs
- Which control objective is MOST directly supported by implementing input validation in a web application? → Preventing injection attacks and data integrity violations
- Which statement BEST reflects the purpose of a risk committee in IT risk governance? → To provide oversight and strategic direction for risk management activities
- An organization terminates its relationship with a cloud vendor. Which action is MOST critical from a risk management perspective? → Ensuring all organizational data is securely retrieved and deleted from vendor systems
- Which characteristic distinguishes a HIGH-QUALITY KRI from a poorly designed one? → It is measurable, timely, and directly correlated to a specific risk
- When designing controls for a high-risk IT process, which approach provides the GREATEST assurance? → Implementing both preventive and detective controls in combination
- A vendor risk scoring model should incorporate which combination of factors? → Inherent risk level, control effectiveness, and residual risk rating
- When a critical control fails, which response is MOST aligned with CRISC best practices? → Immediately activate compensating controls and assess residual risk
- Which metric best indicates the timeliness of risk response actions? → Mean Time to Remediate (MTTR) for identified control deficiencies
- Which risk response option involves purchasing cyber liability insurance to cover potential losses? → Risk transfer
- Which technique involves reviewing process flows to identify where IT risks could emerge? → Business process analysis
- Which standard provides CRISC practitioners with guidance on information security controls monitoring and measurement? → ISO/IEC 27004
- COBIT 2019 supports CRISC practitioners PRIMARILY by providing which capability? → A governance and management framework for enterprise IT
- Which of the following will help you create a set of recovery time goals the MOST? → Business impact analysis
- Which condition indicates that a control monitoring program is INEFFECTIVE? → Control failures are only discovered after security incidents occur
- A control that automatically locks a user account after five failed login attempts is BEST classified as: → Preventive technical control
- What is a risk scenario in the context of CRISC? → A documented description of a threat that could negatively impact business objectives
- A company's IT risk governance structure is WEAK when which condition exists? → Risk decisions are made without senior management involvement
- Residual risk that remains after mitigation controls are applied should be compared against which benchmark? → The organization's defined risk tolerance
- What does the term 'risk universe' mean in CRISC? → The complete set of risks that an organization could potentially face
- Which regulatory framework explicitly requires organizations to assess and manage third-party risks for financial institutions? → FFIEC IT Examination Handbook (Third-Party Relationships)
- Which formula correctly represents Annualized Loss Expectancy (ALE)? → ALE = SLE × ARO
- Where would the data ethics function MOST likely reside in an enterprise, based on the three lines of defense model? → The second line of defense
- Which statement about risk acceptance is TRUE? → It must be a deliberate, documented decision made by an authorized risk owner
- Which risk response is MOST appropriate for a low-likelihood, low-impact risk? → Risk acceptance
- Which of the following elements will most strongly influence the kind of information security governance model a company chooses to implement? → The organizational structure
- Which element MUST be included in a risk response plan to ensure accountability? → Named owner responsible for implementing the response
Turn these facts into recall: