CertPrepNow

CRISC Exam Notes

Last-minute traps, must-know facts, and scenario tips for the ISACA Certified in Risk and Information Systems Control exam.

General Exam Tips

1. Read the FULL question stem before reading options — CRISC questions embed critical business context (budget constraints, regulatory requirements, organizational culture) that determines which answer is correct.
2. Watch for superlatives in every question: BEST, MOST, FIRST, PRIMARY. These change the answer. 'Which is a valid response?' vs 'Which is the BEST response?' often have different answers.
3. When two options both seem correct, ask yourself: which one does a risk MANAGER choose, not a security engineer? CRISC always favors the governance and management perspective.
4. Budget your time: 150 questions in 240 minutes = 96 seconds per question. Flag difficult questions and move on — do not let one hard scenario eat 4 minutes and cascade into a time crunch.
5. Never leave a question blank. There is no penalty for guessing. If stuck, eliminate clearly wrong options and pick the most governance-aligned remaining choice.
6. ISACA's preferred answer almost always involves: communicating to stakeholders, formal documentation, escalating to management, or aligning with business objectives — not implementing a technical fix.
7. When the scenario mentions the board setting strategy or boundaries, the answer typically involves risk appetite. When it mentions management making operational decisions, the answer typically involves risk tolerance. But board questions also cover risk profile reporting and ERM oversight — always read the full context before defaulting to appetite.
8. Treat the exam like a series of mini case studies, not trivia. The right answer fits the entire business context in the question, not just one isolated fact.
9. Score 70%+ consistently on full 150-question mock exams (not just topic quizzes) before booking. The CRISC exam endurance factor is real — judgment degrades at question 100 if you haven't trained for it.
10. Review EVERY wrong practice answer, not just the explanation. Ask yourself: What assumption led me to the wrong choice? That assumption pattern is likely to recur.
Domain 1 (26% of exam)

Governance

Must-Know Facts

  • Risk appetite is a BOARD-LEVEL strategic statement — the maximum risk the organization is willing to accept to achieve its objectives. The board sets it; it does not change frequently.
  • Risk tolerance is an OPERATIONAL boundary — the acceptable variation around specific risk targets that management defines. Tolerance must always fall WITHIN appetite. When risk exceeds tolerance, a response is triggered.
  • Three lines of defense: 1st line = business operations OWN and manage their risks day-to-day. 2nd line = risk management and compliance OVERSEE and set policy. 3rd line = internal audit provides INDEPENDENT assurance. External auditors are NOT part of the three lines.
  • Risk profile = a point-in-time snapshot of the organization's aggregate risk exposure across all domains. It is presented to the board to communicate overall risk posture.
  • ERM integrates ALL risk types (strategic, operational, financial, compliance, IT) into one coordinated framework. IT risk management must feed into ERM, not operate separately.
  • Governance frameworks you must distinguish: COBIT (IT governance, ISACA's own), ISO 31000 (foundational risk management principles), COSO ERM (enterprise risk and internal control), NIST RMF (federal/cybersecurity lifecycle).
  • Legal, regulatory, and contractual requirements create MANDATORY risk obligations — these override organizational risk appetite. The organization cannot simply 'accept' a regulatory compliance risk.
  • Organizational culture is a more powerful risk management tool than any policy. When policies exist but are ignored, the root cause is almost always culture and leadership failure, not policy wording.
  • Business process owners in the first line of defense are accountable for risk within their area — they cannot delegate that accountability to IT or the risk management function.
  • Risk governance components: ERM framework, three lines of defense, risk profile, risk appetite/tolerance framework, and legal/regulatory/contractual inventory.

Common Traps

Trap: Choosing risk tolerance when a question mentions the board setting strategy
Reality: Boards set RISK APPETITE (the strategic maximum). Risk tolerance is the operational variation management defines within that appetite. Board = appetite. Management = tolerance. This distinction is tested multiple times per exam.

Trap: Assuming the three lines of defense requires three separate organizational teams
Reality: In small organizations, one person can fulfill multiple line functions — but the FUNCTIONS must remain distinct. A single risk officer can be part of both 1st and 2nd line functions if roles are clearly separated.

Trap: Thinking IT risk governance drives business strategy
Reality: IT risk governance ALIGNS WITH and SUPPORTS business strategy — it never drives it. Business objectives come first; risk management determines how to pursue those objectives safely.

Trap: When staff ignore risk policies, thinking stronger policy language is the fix
Reality: Documented policies that are ignored signal a culture problem. The correct ISACA answer is to address leadership commitment and risk culture — not to rewrite the policy with more emphatic language.

Trap: Including external auditors as the fourth line of defense
Reality: External auditors and regulators are OUTSIDE the three lines model. The model has exactly three lines. Internal audit is the third. Do not extend this to four.

Trap: Treating risk capacity and risk appetite as synonyms
Reality: Risk capacity is the MAXIMUM risk the organization can absorb before its survival is threatened — it is the hard ceiling. Risk appetite is the amount of risk the organization CHOOSES to take to pursue objectives — it is set below capacity. Appetite < Capacity.

Confusing Pairs

Risk Appetite vs Risk Tolerance

Appetite = board-level strategic maximum for the entire organization, expressed broadly (e.g., 'we accept moderate risk in technology innovation'). Tolerance = management-level operational threshold for a specific risk or metric, expressed with measurable limits (e.g., 'system downtime must not exceed 4 hours per quarter'). Tolerance must always fall within appetite. Exceeding tolerance triggers a risk response. Exceeding appetite triggers board escalation.

Risk Profile vs Risk Register

Risk profile = the aggregated, high-level view of overall organizational risk exposure at a point in time — it is what you show the board. Risk register = the detailed operational repository of every identified risk with owner, rating, controls, and status — it is what practitioners manage daily. The risk register feeds the risk profile.

COBIT vs ISO 31000

COBIT = IT-specific governance framework from ISACA; maps IT processes to business goals; used to govern and manage IT. ISO 31000 = generic risk management standard applicable to ANY organization, ANY type of risk; provides principles and process for risk management. On CRISC, COBIT governs IT; ISO 31000 governs risk management process itself.

Organizational Governance vs Risk Governance

Organizational governance = strategy and objectives, organizational structure and roles, culture and ethics, policies and standards, business processes, and asset management. Risk governance = ERM framework, three lines of defense, risk profile, risk appetite/tolerance, and legal/regulatory requirements. Both are tested in Domain 1. Risk governance is the subset of organizational governance dealing specifically with risk.

Scenario Tips

If the question asks about:

The question says the board is asking what risks to accept in pursuit of new market expansion...

Answer:

This is a risk appetite question. The board is defining appetite — the strategic maximum risk for pursuing objectives. Answer with concepts related to ERM, strategy alignment, and the board's role in governance.

Distractor to avoid:

Do not choose risk tolerance (management-level) or risk acceptance (a treatment option for specific risks). Appetite is the board-level strategic framing.

If the question asks about:

A question describes a scenario where regulatory requirements conflict with the organization's risk appetite...

Answer:

Regulatory and legal requirements always override risk appetite. The organization must comply, then adjust risk appetite or tolerance accordingly. You cannot 'accept' a legal compliance violation.

Distractor to avoid:

Do not choose to escalate to the board to raise the risk appetite. Legal requirements are non-negotiable — the correct action is to ensure compliance controls are in place.

If the question asks about:

The CISO wants to implement a new security policy but business unit managers are resisting...

Answer:

The root issue is governance alignment and culture. The correct ISACA answer involves getting senior management or the board to mandate risk ownership and reinforce the risk-aware culture — not drafting stronger policy language.

Distractor to avoid:

Do not choose to update the policy or provide more training alone. When resistance exists, the solution is always leadership commitment and governance authority.

Last-Minute Facts

1. Exam weight: 26% (Domain 1 is the second heaviest domain — together with Domain 3 they cover 58% of the exam)
2. Risk appetite: board sets it, strategic level, rarely changes
3. Risk tolerance: management sets it, operational level, has measurable thresholds
4. Three lines: 1st = operations own risk, 2nd = risk/compliance oversee, 3rd = internal audit assures
5. External auditors are NOT part of the three lines of defense
6. COBIT = IT governance. ISO 31000 = risk management process. COSO ERM = enterprise risk. NIST RMF = federal/cybersecurity lifecycle
7. Risk capacity > risk appetite — capacity is survival limit, appetite is chosen limit
Domain 2 (22% of exam)

Risk Assessment

Must-Know Facts

  • ALE = SLE x ARO. SLE (Single Loss Expectancy) = Asset Value x Exposure Factor. ARO = Annual Rate of Occurrence. This formula is tested directly with calculation questions.
  • Inherent risk = risk BEFORE any controls. Residual risk = risk AFTER controls are applied. You CANNOT calculate residual risk until controls are selected.
  • If residual risk still exceeds tolerance after controls, the FIRST action is to escalate to management for a formal decision — NOT to unilaterally add more controls or raise tolerance.
  • Qualitative = descriptive categories (High/Medium/Low), fast, subjective, uses expert judgment. Best when precise data is unavailable or when rapid assessment is needed.
  • Quantitative = dollar values using ALE formula, precise, requires reliable historical data. Best for cost-benefit analysis and presenting risk in financial terms to business stakeholders.
  • Semi-quantitative = numerical scales (1-5, 1-10) without full monetary conversion. A hybrid that provides more precision than qualitative without requiring full data for quantitative.
  • Risk register is a LIVING DOCUMENT requiring continuous updates — not a one-time project deliverable. Risk owners are responsible for keeping their entries current.
  • BIA identifies critical business processes and assesses impact of disruption in business terms (revenue loss, customer impact, regulatory penalties) — NOT IT system metrics. BIA MUST be completed before BCP or DRP.
  • Risk scenario development = combining threat source + vulnerability + affected asset + business impact. More comprehensive than threat modeling, which focuses only on attack vectors.
  • MTD (Maximum Tolerable Downtime) is established by BIA. RTO must be less than or equal to MTD. RPO determines backup frequency.

Common Traps

Trap: Calculating residual risk without first selecting controls
Reality: You cannot determine residual risk until you know which controls will be applied. The sequence is: assess inherent risk → select controls → evaluate residual risk → compare to tolerance → decide if more treatment is needed.

Trap: Confusing BIA as an IT-focused exercise that measures system downtime
Reality: BIA measures BUSINESS impact in business terms: revenue loss per hour, regulatory penalties, customer attrition, reputational damage. IT metrics (uptime, RTO) are outputs of BIA, not inputs. The business drives BIA, not IT.

Trap: Treating a risk register as a completed deliverable after the initial assessment
Reality: The risk register is never 'done.' Risk owners must continuously update it as risks change, new risks emerge, and controls are tested. A stale risk register is itself a governance failure.

Trap: Thinking qualitative assessment is always inferior to quantitative
Reality: Qualitative is the right choice when: historical data is unreliable, a quick initial prioritization is needed, or stakeholders lack financial modeling expertise. Quantitative is better when you need cost-benefit analysis or precise comparison. Neither is universally superior.

Trap: Confusing risk scenario development with threat modeling
Reality: Threat modeling focuses on identifying threat sources and attack vectors for a specific system. Risk scenario development is broader — it creates full narratives combining threat + vulnerability + asset + business impact to drive enterprise risk treatment decisions.

Confusing Pairs

Inherent Risk vs Residual Risk

Inherent = raw exposure with ZERO controls applied. Residual = remaining exposure AFTER chosen controls operate. You compare inherent risk to risk appetite to decide if treatment is needed. You compare residual risk to risk tolerance to decide if treatment was sufficient. If residual exceeds tolerance: escalate to management.

Qualitative Assessment vs Quantitative Assessment

Qualitative = fast, subjective, uses H/M/L categories, requires expert judgment, best for initial triage or when data is scarce. Quantitative = precise, uses ALE formula and dollar values, requires reliable historical data, best for cost-benefit analysis and board-level financial presentations. Semi-quantitative = numerical scales without full dollar conversion, bridges the gap.

Risk Scenario vs Threat Modeling

Threat modeling = identify who might attack and how (attack vectors, adversary capabilities, attack paths). Risk scenario = full narrative: threat source + specific vulnerability + asset at risk + business impact if it occurs. Risk scenarios feed the risk register. Threat models feed risk scenario development. Scenarios are broader and business-focused.

MTD vs RTO

MTD (Maximum Tolerable Downtime) = how long the BUSINESS can survive without a process — established by BIA from business impact analysis. RTO (Recovery Time Objective) = the IT target for how fast to restore — must be equal to or less than MTD. MTD is the outer limit; RTO is the IT target within that limit.

Scenario Tips

If the question asks about:

A question gives you asset value, exposure factor, and annual rate of occurrence and asks for the appropriate annual risk figure...

Answer:

Calculate: SLE = Asset Value x Exposure Factor, then ALE = SLE x ARO. Example: $500,000 asset, 40% exposure factor, 0.5 ARO = SLE $200,000, ALE $100,000. Watch for ARO less than 1 (e.g., 0.5 = once every two years).

Distractor to avoid:

Do not multiply ALE by 100 to get a percentage. ARO of 0.5 means 0.5 occurrences per year (every two years), not 50%. Work through the formula step by step.

If the question asks about:

After controls are implemented, the residual risk still exceeds the organization's risk tolerance. What is the FIRST action?

Answer:

Escalate to management for a formal risk decision. Management can choose: implement additional controls, transfer the risk, or formally accept the excess risk with documented authorization. Do NOT unilaterally raise tolerance.

Distractor to avoid:

Many candidates jump straight to 'implement additional controls' — but the ISACA answer is to escalate first. Management makes the treatment decision, not the risk practitioner.

If the question asks about:

The question asks which risk assessment approach to use when the organization has limited historical incident data...

Answer:

Qualitative assessment. When reliable data is unavailable, qualitative methods using expert judgment and H/M/L categories are appropriate. Quantitative requires reliable data for the ALE formula to be meaningful.

Distractor to avoid:

Do not choose quantitative because it sounds more rigorous. Without reliable data, quantitative calculations produce false precision.

Last-Minute Facts

1. ALE = SLE x ARO. SLE = Asset Value x Exposure Factor.
2. ARO < 1.0 means the event happens LESS THAN ONCE per year (e.g., 0.25 = once every 4 years)
3. BIA must come BEFORE BCP and DRP — always
4. Risk register: living document, continuously updated, risk owner maintains it
5. Residual risk cannot be calculated until controls are selected
6. Qualitative: H/M/L, fast, subjective. Quantitative: $ values, needs data. Semi-quantitative: numbers without dollars.
7. MTD (business) >= RTO (IT). RTO must fit within MTD.
8. November 2025 update: Domain 2 weight increased from 20% to 22% — ISACA is testing analytical rigor and scenario construction more heavily than before.
Domain 3 (32% of exam)

Risk Response and Reporting

Must-Know Facts

  • Domain 3 is 32% of the exam — the single heaviest domain. More questions fail or pass candidates here than anywhere else.
  • Four risk treatment options: Mitigate (reduce likelihood or impact via controls), Transfer (shift financial impact via insurance/outsourcing), Accept (formally acknowledge and bear the risk), Avoid (eliminate the risk-creating activity entirely).
  • Risk TRANSFER does NOT eliminate accountability. When you outsource a process or buy insurance, the financial impact shifts — but reputational risk and regulatory/legal responsibility typically remain with the originating organization.
  • Risk ACCEPTANCE is NOT risk IGNORANCE. Acceptance requires a formal, documented decision signed by an authorized risk owner. Failing to address a risk is a control failure, not acceptance.
  • Risk and control OWNERSHIP must be formally assigned. Risk owners are typically business process owners (1st line). Control owners ensure specific controls operate effectively. These roles can be different people.
  • KRIs are FORWARD-LOOKING — they signal when risk is approaching thresholds BEFORE problems occur. KPIs are BACKWARD-LOOKING — they measure past performance. KCIs measure control effectiveness specifically. A strong KPI does not prove low risk.
  • KRI design requirements: measurable with reliable data, relevant to specific risk tolerance boundaries, provides sufficient lead time for response, triggers a defined response when threshold is breached.
  • Third-party risk management lifecycle has five phases: selection/due diligence, contract requirements (SLAs, right-to-audit, data protection), onboarding controls, ongoing monitoring/reassessment, and exit/offboarding.
  • Risk reporting must match the audience: board gets strategic risk summaries tied to business objectives; management gets operational dashboards with KRI trends; regulators get compliance-focused reports.
  • Control testing methods by assurance level: Tabletop (discussion) < Walkthrough/Checklist < Simulation < Parallel Test < Full Interruption Test (highest assurance, most disruptive).

Common Traps

Trap: Thinking risk transfer via cyber insurance or outsourcing eliminates all risk
Reality: Transfer shifts the financial burden only. The organization retains: reputational risk if an incident becomes public, regulatory accountability for data protection requirements, and operational responsibility if the vendor/insurer fails to perform. Transfer is not a clean escape.

Trap: Treating risk acceptance as the easy default when you don't want to deal with a risk
Reality: Risk acceptance requires explicit, documented authorization by a risk owner with appropriate authority. It is a conscious governance decision with a paper trail — not passive inaction. An undocumented decision to 'live with' a risk is a control deficiency.

Trap: Designing KRIs that only measure past incidents (e.g., 'number of breaches last month')
Reality: A KRI measuring past incidents is actually a KPI (backward-looking). True KRIs signal future risk: examples include 'percentage of critical patches not installed for more than 30 days' or 'number of privileged accounts created without approval this week.' If it tells you what happened, it's a KPI. If it warns you what might happen, it's a KRI.

Trap: Ending vendor risk management once the contract is signed
Reality: Contract signing is just one phase. Vendor risk requires ongoing monitoring, periodic reassessment (annually or after material changes), and a defined exit strategy. Third-party risk does not diminish over time — it evolves with the vendor's own risk profile.

Trap: Assuming a control that exists on paper is an effective control
Reality: Control design (is the control appropriate?) and control effectiveness (does the control actually work?) are two different things. A perfectly designed control that has never been tested provides false assurance. Testing is the only way to confirm effectiveness.

Trap: Selecting risk avoidance whenever a risk seems high
Reality: Risk avoidance means ELIMINATING the activity that creates the risk — stopping a product line, exiting a market, canceling a project. It is a drastic business decision, not a risk management technique. The exam uses avoidance when the risk outweighs the business benefit of the activity entirely.

Confusing Pairs

KRIs (Key Risk Indicators) vs KPIs (Key Performance Indicators)

KRI = forward-looking signal of emerging risk. Examples: 'unpatched critical systems trending up,' '% of access reviews overdue.' KPI = backward-looking measure of performance. Example: '98% system availability last quarter.' KCI = measures whether a specific control worked. Strong KPIs don't mean low risk — a process can perform well while risk quietly accumulates.
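The KRI design requirements and the patch-aging example above, carried through in code. This is an added example, not from the page or from ISACA: the patch inventory, the 10% threshold and the response text are constructed, and the 30-day window is what gives the indicator its lead time before an unpatched system turns into an incident.

```python
"""Evaluate a forward-looking KRI against a tolerance-derived threshold.

Added example (not ISACA material). Shows the four KRI design requirements:
measurable data, a threshold tied to risk tolerance, lead time, and a
defined response that fires when the threshold is breached.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed patch inventory: (patch_id, severity, released, installed).
# installed=None means the patch is still outstanding on at least one system.
PATCHES = [
    ("P-001", "critical", date(2025, 1, 5), date(2025, 1, 10)),
    ("P-002", "critical", date(2025, 1, 8), None),
    ("P-003", "high",     date(2025, 1, 9), None),
    ("P-004", "critical", date(2025, 2, 20), None),
    ("P-005", "critical", date(2025, 1, 2), None),
]

AS_OF = date(2025, 3, 1)          # constructed measurement date
THRESHOLD_PCT = 10.0              # constructed: tolerance allows at most 10% aged critical patches
RESPONSE = "notify risk owner and expedite remediation plan"


@dataclass(frozen=True)
class KriResult:
    value: float       # measured indicator value (percent)
    threshold: float   # tolerance-derived threshold (percent)
    breached: bool
    response: str      # defined response, or "none" when not breached


def critical_patch_overdue_pct(patches, as_of, window_days=30):
    """Percentage of critical patches outstanding for more than window_days.

    Forward-looking: it measures exposure that is accumulating now, not
    incidents that already happened. Returns 0.0 when there is nothing to
    measure (no critical patches) rather than dividing by zero.
    """
    critical = [p for p in patches if p[1] == "critical"]
    if not critical:
        return 0.0
    cutoff = as_of - timedelta(days=window_days)
    overdue = [p for p in critical if p[3] is None and p[2] < cutoff]
    return 100.0 * len(overdue) / len(critical)


def evaluate_kri(value, threshold, response):
    """Compare the indicator to its threshold; trigger the defined response on breach."""
    breached = value > threshold
    return KriResult(value, threshold, breached, response if breached else "none")


def run_kri_check():
    """End-to-end check over the constructed inventory (2 of 4 critical patches aged > 30 days)."""
    value = critical_patch_overdue_pct(PATCHES, AS_OF)
    return evaluate_kri(value, THRESHOLD_PCT, RESPONSE)


if __name__ == "__main__":
    print(run_kri_check())
```

A count of last quarter's incidents fed into the same function would still be a KPI: the data source, not the threshold logic, decides whether an indicator is leading or lagging.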

Risk Mitigation vs Risk Transfer

Mitigation = implement controls to reduce the risk itself (likelihood or impact) — organization retains and manages the reduced risk. Transfer = shift the financial consequence to a third party (insurance, outsourcer) — risk still exists, organization keeps reputational/regulatory liability. Key question: Are you reducing the risk or just paying someone else if it happens?

Risk Avoidance vs Risk Acceptance

Avoidance = ELIMINATE the risk by stopping the activity creating it (exit the market, cancel the project). Acceptance = ACKNOWLEDGE the risk exists and decide to bear it without additional treatment — requires documented authorization. Avoidance removes the risk source. Acceptance retains the risk consciously.

Control Owner vs Risk Owner

Risk owner = accountable for the RISK in their business domain (1st line, typically a business process manager). They decide on risk treatment and fund controls. Control owner = accountable for a specific CONTROL operating effectively (may be a technical or operational manager). One risk owner may have multiple control owners reporting to them on different controls addressing the same risk.

Compliance Testing vs Substantive Testing

Compliance testing = confirms controls are operating as designed and procedures are being followed (Did people do the right thing?). Substantive testing = verifies the accuracy and completeness of the outputs — tests the data itself (Did the right outcome result?). Both are control testing methods; compliance tests the process, substantive tests the product.

Scenario Tips

If the question asks about:

The organization purchases cyber insurance to cover potential breach costs. What risk treatment is this?

Answer:

Risk transfer — the financial impact shifts to the insurer. But always note: reputational risk and regulatory accountability remain with the organization. Insurance does not transfer those.

Distractor to avoid:

Risk mitigation (wrong — mitigation reduces the risk through controls, not shifts financial burden). Risk acceptance (wrong — they are actively doing something about it, not just bearing it).

If the question asks about:

A vendor assessment reveals the cloud provider lacks adequate DR capabilities. What is the BEST course of action?

Answer:

Document the finding in the risk register and engage the vendor with a remediation plan and defined timeline. This is the ISACA balanced approach — address it formally without overreacting.

Distractor to avoid:

Immediately terminating the contract (too extreme without exploring remediation first) or simply accepting the risk (ignores a material control gap in a critical vendor) are both wrong. ISACA favors a structured, documented, remediation-oriented approach.

If the question asks about:

Management wants to know if a risk treatment option is appropriate before implementing it. What should the risk practitioner evaluate?

Answer:

Cost-benefit analysis: does the cost of the treatment (implementation + ongoing operation) justify the reduction in potential loss (ALE reduction)? Then confirm the resulting residual risk falls within risk tolerance.

Distractor to avoid:

Do not jump to the most secure option. CRISC is not about maximum security — it is about cost-effective risk management aligned with the organization's risk appetite and business objectives.
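The ALE formula from the Domain 2 scenario tip and the cost-benefit check above, run together as an added example (not from the page or from ISACA). The asset figures match the Domain 2 worked example; the control cost, post-control ARO and the tolerance are constructed. It also rejects an exposure factor given as a percentage, the distractor the Domain 2 tip warns about.

```python
"""Quantitative treatment check: ALE, control cost-benefit, tolerance comparison.

Added example (not ISACA material). SLE = AV x EF, ALE = SLE x ARO; a control
is cost-justified when the annual ALE reduction exceeds its annual cost, and
the residual ALE is then compared to tolerance, escalating if it still exceeds it.
"""
from dataclasses import dataclass


def sle(asset_value, exposure_factor):
    """Single Loss Expectancy = asset value x exposure factor (a fraction, 0..1)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction (0.4), not a percentage (40)")
    return asset_value * exposure_factor


def ale(asset_value, exposure_factor, aro):
    """Annualized Loss Expectancy = SLE x ARO. ARO below 1.0 means rarer than yearly."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle(asset_value, exposure_factor) * aro


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float           # amortized implementation plus yearly operating cost
    new_exposure_factor: float   # EF after the control (impact reduction)
    new_aro: float               # ARO after the control (likelihood reduction)


@dataclass(frozen=True)
class TreatmentEvaluation:
    inherent_ale: float
    residual_ale: float
    annual_benefit: float        # ALE reduction minus annual control cost
    cost_justified: bool
    within_tolerance: bool
    decision: str


def evaluate_treatment(asset_value, exposure_factor, aro, control, tolerance_ale):
    """Sequence from the notes: inherent -> select control -> residual -> compare to tolerance."""
    inherent = ale(asset_value, exposure_factor, aro)
    residual = ale(asset_value, control.new_exposure_factor, control.new_aro)
    benefit = (inherent - residual) - control.annual_cost
    justified = benefit > 0
    within = residual <= tolerance_ale
    if not within:
        # Residual above tolerance: the practitioner escalates; management decides.
        decision = "escalate to management: residual risk exceeds tolerance"
    elif justified:
        decision = "recommend control: cost-justified and residual within tolerance"
    else:
        decision = "control not cost-justified: reconsider treatment options"
    return TreatmentEvaluation(inherent, residual, benefit, justified, within, decision)


# Constructed figures: $500,000 asset, EF 0.4, ARO 0.5 (as in the Domain 2 tip);
# a control costing $20,000/year that cuts ARO to 0.1; tolerance of $25,000 ALE.
PATCH_PROGRAM = Control("vulnerability management program", 20_000, 0.4, 0.1)


def worked_example():
    return evaluate_treatment(500_000, 0.4, 0.5, PATCH_PROGRAM, tolerance_ale=25_000)


if __name__ == "__main__":
    print(worked_example())
```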

If the question asks about:

A metric shows the number of security incidents per quarter declined by 40%. A board member asks if this means risk has decreased. What should the risk manager say?

Answer:

Incident count is a lagging KPI, not a KRI. Lower past incidents do not guarantee lower future risk. Forward-looking KRIs (patch rates, access review completion, threat intelligence trends) are needed to assess whether risk is actually decreasing.

Distractor to avoid:

Do not simply confirm that risk has decreased based on incident counts alone. This is a KPI/KRI distinction question — one of the most common Domain 3 traps.

Last-Minute Facts

1. Domain 3 = 32% of exam — the single highest-weight domain. Failing here sinks your total score.
2. Four treatments: Mitigate (reduce), Transfer (shift financial impact), Accept (formalize and bear), Avoid (eliminate the activity).
3. Risk transfer does NOT eliminate reputational or regulatory accountability.
4. Risk acceptance REQUIRES documented, authorized sign-off — not passive inaction.
5. KRI = forward-looking (leading indicator). KPI = backward-looking (lagging indicator). KCI = control effectiveness.
6. Vendor risk has 5 phases: selection, contract, onboarding, ongoing monitoring, exit.
7. Control testing assurance hierarchy: Tabletop < Walkthrough < Simulation < Parallel < Full Interruption
8. Risk owner = accountable for the risk (business). Control owner = accountable for the control operating (may be technical).
9. KRI must have: measurable data source, threshold tied to tolerance, sufficient lead time, defined response trigger.
Domain 4 (20% of exam)

Technology and Security

Must-Know Facts

  • Zero Trust Architecture core principle: 'Never trust, always verify' — every access request is authenticated and authorized regardless of network location or prior session. This is NOT the same as blocking all external access.
  • Recovery site types: Hot site = fully operational, near-real-time data replication, highest cost, shortest RTO (hours). Warm site = infrastructure ready but data must be loaded, moderate cost and RTO (hours to days). Cold site = empty facility, lowest cost, longest RTO (days to weeks).
  • Disaster Recovery testing methods from least to most assurance: Tabletop discussion, Walkthrough/checklist review, Simulation (role-play without actual failover), Parallel test (activate recovery while production runs), Full interruption test (actual cutover — most disruptive, highest assurance).
  • SDLC security integration: security requirements, design, controls, and testing must be integrated at EVERY phase — not bolted on during QA testing at the end. Vulnerabilities caught late cost exponentially more to fix.
  • Cloud shared responsibility model: cloud provider secures physical infrastructure, hypervisor, and facilities. Customer is responsible for data classification, access controls, configurations, application security, and understanding data sovereignty/jurisdiction.
  • Change management: ALL changes — including emergency changes — must be assessed for risk impact before implementation. The approval process may be expedited for emergencies, but the risk assessment step cannot be skipped entirely.
  • Data lifecycle management stages: creation, classification, storage, use, sharing, archival, and destruction. Controls must be appropriate to data classification at every stage.
  • Emerging technology risks: Cloud = shared responsibility gaps, data sovereignty. AI/ML = bias, transparency, adversarial manipulation. IoT = expanded attack surface, patching complexity. Blockchain = immutability challenges, key management.
  • Enterprise architecture frameworks (TOGAF, Zachman) align IT architecture with business strategy — architecture decisions (cloud vs on-premise, centralized vs distributed) create risk trade-offs that must be assessed.
  • Project risk management: project risks that exceed project-level tolerance must be escalated to the enterprise risk register. Project risk management feeds organizational risk management.

Common Traps

Trap: Interpreting Zero Trust as 'block everything external and trust everything internal'
Reality: Zero Trust rejects both the 'internal = trusted' and 'external = untrusted' assumptions. It verifies EVERY request regardless of origin. Lateral movement within a network is exactly what Zero Trust is designed to prevent — an internal request gets the same scrutiny as an external one.

Trap: Choosing cold site when the question emphasizes fast recovery
Reality: Cold site has the LONGEST RTO (days to weeks) and LOWEST cost. If the scenario involves a critical system where MTD is measured in hours, cold site is wrong. The RTO from a cold site must fit within the BIA-established MTD for that system. When in doubt: lower cost = longer recovery, higher cost = faster recovery.

Trap: Thinking security in SDLC is primarily a testing-phase activity
Reality: Security belongs in REQUIREMENTS (capture security needs), DESIGN (build security architecture), DEVELOPMENT (secure coding), TESTING (security testing), DEPLOYMENT (hardened configs), and MAINTENANCE (patches, vulnerability management). The classic CRISC trap is a scenario where 'security testing was added to the QA phase' — this is always presented as a risk management failure.

Trap: Assuming cloud migration transfers all security responsibility to the cloud provider
Reality: The shared responsibility model explicitly keeps the customer responsible for: data, access management, application security, and configurations. The provider handles infrastructure. Many cloud breaches occur because customers assume their provider is handling security they are actually responsible for.

Trap: Skipping or abbreviating risk assessment for emergency IT changes
Reality: Emergency changes require an expedited approval process but NOT an eliminated risk assessment. CRISC questions that describe bypassing change management due to urgency are describing a control failure, regardless of time pressure.

Confusing Pairs

Hot Site vs Cold Site

Hot site = fully operational replica with near-real-time data, production-ready, highest cost, activate in hours. Cold site = bare facility with power/cooling but no equipment or data, lowest cost, takes days to weeks to become operational. Warm site sits between both. Selection must align with BIA-defined MTD and RTO for each critical system.

BCP vs DRP

BCP = Business Continuity Plan — covers people, processes, facilities, communications, AND technology. Addresses all disruptions to business operations. DRP = Disaster Recovery Plan — IT-specific subset of BCP focused on restoring technology systems and data. DRP is a component INSIDE the BCP, not a peer. BCP > DRP. BIA must precede both.

Zero Trust Architecture vs Perimeter Security

Perimeter security = trust everything inside the network perimeter, block everything outside. Zero Trust = no implicit trust based on network location, verify every access request regardless of origin, apply least privilege and micro-segmentation. ZTA was developed specifically because perimeter security fails when insiders are compromised or the perimeter is breached.

Parallel Test vs Full Interruption Test

Parallel test = activate recovery site while production continues running — both systems operate simultaneously, no disruption to production. Full interruption test = actually cut over to the recovery site, shutting down production — highest assurance of recovery capability, highest disruption risk. Full interruption is the gold standard for DR testing confidence.

Scenario Tips

If the question asks about:

The question asks which recovery site to select for a system where the BIA identifies an MTD of 2 hours...

Answer:

Select a hot site. An MTD of 2 hours means the business cannot tolerate more than 2 hours of downtime. Only a hot site provides RTO measured in hours. Warm sites take hours to days; cold sites take days to weeks.

Distractor to avoid:

Cost-based reasoning fails here. The BIA drives recovery site selection, not budget. If you choose cold site to save money when MTD is 2 hours, you are guaranteeing a BIA violation.

If the question asks about:

An organization is migrating critical workloads to a public cloud. Which risk consideration is MOST important from a governance perspective?

Answer:

Shared responsibility model and data sovereignty requirements. The governance question is about clarity of who is responsible for what, and whether regulatory requirements for data jurisdiction are being met.

Distractor to avoid:

Cost savings, vendor reputation, and technical performance are important but are operational/financial considerations. Governance concerns center on accountability, compliance, and risk ownership clarity.

If the question asks about:

A developer proposes adding security requirements to the QA/testing phase of the SDLC to streamline development. What is the PRIMARY risk?

Answer:

Vulnerabilities discovered during testing are significantly more expensive and difficult to remediate than those caught in requirements or design. This is the 'cost of late discovery' principle — security issues compound the further they travel through the SDLC.

Distractor to avoid:

Testing delays and team resistance are secondary. The CRISC answer is always the strategic/financial risk to the organization from the governance failure of ignoring security-by-design.

Last-Minute Facts

1. Zero Trust = verify every access request, regardless of location or prior auth. NOT = block external traffic.
2. Hot site: highest cost, hours RTO. Warm site: moderate cost, hours-to-days. Cold site: lowest cost, days-to-weeks RTO.
3. DR testing order (least to most assurance): Tabletop, Walkthrough, Simulation, Parallel, Full Interruption.
4. Full Interruption = most disruptive but highest assurance. Parallel = less disruptive but less assurance.
5. Cloud: provider secures infrastructure. Customer secures data, configs, access. Shared responsibility does NOT mean equal responsibility.
6. SDLC security: must be in ALL phases — requirements, design, build, test, deploy, maintain.
7. Emergency changes: expedited approval is OK. Skipping risk assessment is NOT OK.
8. DRP is a SUBSET of BCP. BCP > DRP. BIA before both.
9. Data lifecycle: creation, classification, storage, use, sharing, archival, destruction — controls at every stage.
10. IRP vs DRP: IRP contains and eradicates an active security incident while systems are still running. DRP activates after a disruption to restore operations. IRP may TRIGGER DRP but they are distinct plans.