Domain 2: Risk Assessment Review — 20 of 61

Domain 2 – Section A Review: IT Risk Identification

CRISC Domain 2 – IT Risk Assessment, Section A Review (20–25 min)
If you misidentify the risk, everything that follows is wrong.

Domain 2 Section A tests whether you can:

  • Separate threat, vulnerability, event, and loss
  • Recognize control deficiencies
  • Identify root causes
  • Build complete risk scenarios
  • Align risk identification to business impact

This review blends all of those.

Take your time.


10 scenario-based questions


Question 1

A. Lack of training
B. Phishing email
C. Client notification costs
D. Unauthorized access to sensitive client data

Answer & reasoning

Correct: D

A = contributing condition
B = threat action
C = risk event
D = loss result


Question 2

A. Design deficiency
B. Operating deficiency
C. Threat modeling gap
D. Asset classification error

Answer & reasoning

Correct: B

The control exists but is not functioning as intended.


Question 3

The industry experiences a surge in ransomware attacks targeting cloud platforms. The organization plans a cloud migration.

What should occur FIRST?

A. Reassess exposure considering the evolving threat landscape
B. Deploy additional endpoint protection
C. Escalate to regulators
D. Delay migration

Answer & reasoning

Correct: A

Threat landscape shift → structured reassessment before implementation.


Question 4

A. Weak password policy
B. External attacker
C. External attacker exploits weak password policy to gain unauthorized access to financial systems, resulting in reporting delays
D. Reporting delays

Answer & reasoning

Correct: C

Includes threat, vulnerability, event, and impact.


Question 5

A. Weak scanning tools
B. Lack of accountability structure
C. Inadequate threat modeling
D. High risk appetite

Answer & reasoning

Correct: B

Recurring issues often indicate structural accountability gaps.


Question 6

A. Weak ERM
B. Excessive tolerance
C. Poor asset classification
D. Narrow threat modeling scope

Answer & reasoning

Correct: D

Threat modeling must include internal and external sources.


Question 7

A vendor outage causes payroll delays and employee dissatisfaction.

What is the loss result?

A. Vendor outage
B. Payroll system failure
C. Employee dissatisfaction
D. Lack of due diligence

Answer & reasoning

Correct: C

A = threat event
B = risk event
C = loss result
D = contributing condition


Question 8

A. Threat source
B. Business impact
C. Vulnerability
D. Control deficiency

Answer & reasoning

Correct: A

The scenario lacks a defined threat source.


Question 9

A. Design deficiency
B. Operating deficiency
C. Risk event
D. Threat source

Answer & reasoning

Correct: A

If a control does not exist, it is a design deficiency.


Question 10

A. Replace individual failed systems
B. Assess systemic root cause and infrastructure lifecycle governance
C. Increase monitoring
D. Escalate to regulators

Answer & reasoning

Correct: B

Recurring failures suggest structural lifecycle management weakness, not isolated technical defects.


Section A master pattern

When answering Domain 2 Section A questions:

  • Separate threat, vulnerability, event, and loss.
  • Identify recurring patterns.
  • Distinguish design deficiencies from operating deficiencies.
  • Look for root causes.
  • Build complete, business-aligned scenarios.
  • Reassess when the threat landscape changes.

If you fix the wrong layer, you will choose the wrong answer.
