
100+ Free IT Risk Fundamentals Practice Questions

Pass your ISACA IT Risk Fundamentals Certificate (ITRF) exam on the first try — instant access, no signup required.


Key Facts: IT Risk Fundamentals Exam

  • Exam questions: 75 (multiple-choice format)
  • Passing score: 65% (about 49 correct answers)
  • Time limit: 2 hr (PSI online proctored)
  • Member fee: $175 ($225 non-member)
  • Exam domains: 6 (10/10/20/25/15/20% weighting)
  • Prerequisites: 0 (foundational certificate)

The ISACA IT Risk Fundamentals Certificate (ITRF) is a foundational, online certificate with a 75-question, 2-hour exam delivered through PSI online proctoring at $175 for ISACA members or $225 for non-members. There are no prerequisites — it is built for students, career changers, and IT professionals new to risk who want grounding in IT risk concepts before pursuing CRISC. The exam covers six domains spanning IT risk concepts, governance, identification, assessment and analysis, response, and monitoring/reporting/communication. A 65% score is required to pass.

Sample IT Risk Fundamentals Practice Questions

Try these sample questions to test your IT Risk Fundamentals exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 100+ question experience with AI tutoring.

1. Which statement best describes the difference between IT risk and business risk?
A. IT risk is a separate discipline that does not affect business outcomes
B. IT risk is a category of business risk that arises from the use, ownership, operation, involvement, or adoption of IT within an enterprise
C. Business risk only includes financial risk while IT risk covers everything technical
D. IT risk only matters to the technology department and is managed in isolation
Explanation: ISACA defines IT risk as a component of overall business risk — specifically, the business risk associated with the use, ownership, operation, involvement, influence, and adoption of IT within an enterprise. IT risk must therefore be integrated with enterprise risk management, not treated as a siloed technical concern.

2. Which three properties make up the CIA triad in information security?
A. Control, Integrity, Auditability
B. Confidentiality, Integrity, Availability
C. Compliance, Identification, Authorization
D. Confidentiality, Identification, Accountability
Explanation: The CIA triad — Confidentiality, Integrity, and Availability — is the foundational model for evaluating information security risk. Confidentiality protects against unauthorized disclosure, integrity protects against unauthorized modification, and availability ensures authorized users can access systems and data when needed.

3. In a simple risk equation, risk is most commonly modeled as a function of which factors?
A. Threat and asset value only
B. Threat, vulnerability, and impact (or asset value), influenced by likelihood
C. Probability and severity of audit findings
D. Vulnerability count divided by control count
Explanation: A common conceptual model expresses risk as a function of threat, vulnerability, and impact (asset value), with likelihood reflecting how plausible the threat exploiting the vulnerability is. Removing any factor — for example, eliminating the vulnerability or having no asset of value — drives the risk toward zero.

4. What is the difference between inherent risk and residual risk?
A. Inherent risk is risk before controls; residual risk is the risk that remains after controls are applied
B. Inherent risk is the risk after controls; residual risk is the risk before controls
C. Inherent risk only applies to financial risks; residual risk only applies to IT risks
D. Inherent and residual risk are synonyms used interchangeably
Explanation: Inherent risk is the level of risk that exists in the absence of any controls or in the natural state of the activity. Residual risk is what remains after management has implemented controls to reduce, transfer, or otherwise treat the risk. Risk treatment success is measured by the gap between inherent and residual risk versus risk appetite.

5. Which option best defines risk appetite?
A. The maximum allowable variance from a single objective
B. The amount of risk an enterprise is willing to accept in pursuit of its strategic objectives
C. The total amount of risk an enterprise can absorb before becoming insolvent
D. The historical loss data over the past three years
Explanation: Risk appetite is the broad amount of risk that an organization is willing to accept in pursuit of its mission and objectives, typically set by the board or executive leadership. It frames strategic decisions and is distinct from risk tolerance (variance around an objective) and risk capacity (the maximum risk the organization could absorb).

6. Which statement best describes risk culture?
A. The set of automated controls implemented in production systems
B. The shared values, attitudes, and behaviors that determine how an organization identifies, communicates, and treats risk
C. The frequency at which risk reports are generated for the audit committee
D. The list of risks recorded in the risk register
Explanation: Risk culture is the collective values, attitudes, knowledge, and behaviors regarding risk shared by an enterprise's personnel. A strong risk culture encourages open identification and escalation of risk issues, while a weak culture suppresses bad news and breeds blind spots that no policy can fully compensate for.

7. Which of the following best characterizes a risk event?
A. A theoretical scenario that has never occurred and never will
B. A specific occurrence — actual or hypothetical — that has the potential to affect the achievement of objectives
C. Only an event that results in a financial loss exceeding a defined threshold
D. A control that has been implemented to mitigate risk
Explanation: A risk event is a specific occurrence — already realized, in progress, or hypothetical — that may have positive or negative effects on the achievement of objectives. Risk events are the building blocks of risk identification, analysis, and scenario development.

8. Which IT risk type focuses on harm to the organization's image, brand, and stakeholder trust?
A. Strategic risk
B. Compliance risk
C. Reputational risk
D. Financial risk
Explanation: Reputational risk is the risk that an event — such as a breach, outage, regulatory action, or unethical behavior — damages the organization's image, brand, or stakeholder trust. While reputational risk often follows from other risk types, it is tracked as its own category because the impact pathway and recovery dynamics differ.

9. Which of the following is the best example of an IT risk that is also a strategic risk?
A. An expired SSL certificate causing a single-page outage
B. Failure to adopt cloud and AI capabilities causing the company to lose market share to competitors
C. A technician forgetting to lock the server-room door for one shift
D. A printer running out of toner before a meeting
Explanation: Strategic IT risk concerns whether the technology choices and capabilities support — or fail to support — the long-term direction and competitive position of the enterprise. Failure to adopt necessary technology is a textbook strategic IT risk because the consequence is loss of market position, not just an operational hiccup.

10. Which standard defines risk as the 'effect of uncertainty on objectives'?
A. PCI DSS
B. ISO 31000
C. GDPR
D. SOX
Explanation: ISO 31000 defines risk as the 'effect of uncertainty on objectives,' where the effect can be positive, negative, or both, and uncertainty is the deficiency of information related to an event. This definition is widely referenced in enterprise and IT risk frameworks, including ISACA guidance.

About the IT Risk Fundamentals Exam

The ISACA IT Risk Fundamentals Certificate (ITRF) is a foundational online certificate validating entry-level knowledge of IT risk concepts and the end-to-end risk management lifecycle. The exam covers risk fundamentals (CIA triad, inherent vs residual risk, risk appetite/tolerance/capacity), governance and management (three lines of defense, ISO 31000, NIST RMF, COSO ERM), risk identification (threat sources, vulnerabilities, the risk register), assessment and analysis (qualitative scales, heatmaps, SLE/ALE/ROSI), response (avoid/mitigate/transfer/accept and the six control types), and monitoring/reporting/communication (KRIs, KCIs, dashboards, audit remediation). It serves as a companion path to the professional CRISC credential.

Assessment

75 multiple-choice questions covering Risk Introduction and Overview (10%), Risk Governance and Management (10%), Risk Identification (20%), Risk Assessment and Analysis (25%), Risk Response (15%), and Risk Monitoring, Reporting and Communication (20%)

Time Limit

2 hours

Passing Score

65%

Exam Fee

$175 member / $225 non-member (ISACA / PSI)

IT Risk Fundamentals Exam Content Outline

Risk Introduction and Overview (10%)

IT risk as a category of business risk, CIA triad, risk equation (threat x vulnerability x asset value x likelihood), inherent vs residual risk, risk appetite vs tolerance vs capacity, risk culture, and risk types (operational, strategic, compliance, financial, reputational, technology, third-party, cyber, privacy)

Risk Governance and Management (10%)

Board accountability, ERM committee, Chief Risk Officer (CRO), Business Impact Analysis (BIA), three lines of defense (operations, risk/compliance, internal audit), RACI for risk activities, ISO 31000 Principles/Framework/Process, COSO ERM 2017 components, NIST SP 800-37 RMF, and NIST SP 800-39 three-tier model

Risk Identification (20%)

NIST 800-30 threat sources (adversarial, accidental, structural, environmental), vulnerability sources (configuration, design, missing patch), risk events, risk taxonomy, risk register columns (ID, description, category, owner, inherent likelihood/impact, controls, residual likelihood/impact, response, status, target date), and identification techniques

Risk Assessment and Analysis (25%)

Qualitative analysis with 1-5 likelihood and impact scales and red/yellow/green heatmaps, quantitative analysis with SLE = AV x EF and ALE = SLE x ARO and ROSI, impact dimensions (financial, operational, regulatory, reputational, safety), and likelihood factors (threat capability, motivation, vulnerability severity, control effectiveness)

Risk Response (15%)

Four treatment strategies (avoid, reduce/mitigate, transfer/share, accept), six control types (preventive, detective, corrective, deterrent, compensating, recovery), control selection criteria (effectiveness, efficiency, cost-benefit), residual risk acceptance, and risk transfer through cyber insurance, contracts, and outsourcing

Risk Monitoring, Reporting and Communication (20%)

Key Risk Indicators (KRIs) leading vs lagging, Key Control Indicators (KCIs), KPIs vs KRIs, risk dashboards, reporting cadence (board quarterly, executive monthly, operations near real-time), executive briefings vs technical deep dives, continuous monitoring, control effectiveness testing, and audit findings remediation tracking

How to Pass the IT Risk Fundamentals Exam

What You Need to Know

  • Passing score: 65%
  • Assessment: 75 multiple-choice questions covering Risk Introduction and Overview (10%), Risk Governance and Management (10%), Risk Identification (20%), Risk Assessment and Analysis (25%), Risk Response (15%), and Risk Monitoring, Reporting and Communication (20%)
  • Time limit: 2 hours
  • Exam fee: $175 member / $225 non-member

Keys to Passing

  • Complete 500+ practice questions
  • Score 80%+ consistently before scheduling
  • Focus on highest-weighted sections
  • Use our AI tutor for tough concepts

IT Risk Fundamentals Study Tips from Top Performers

1. Memorize the four risk treatment strategies (avoid, reduce/mitigate, transfer/share, accept) and the six control types (preventive, detective, corrective, deterrent, compensating, recovery) — these show up across multiple domains
2. Drill the quantitative formulas: SLE = AV x EF, ALE = SLE x ARO, and the basic ROSI formula. Be ready to compute ALE from given AV, EF, and ARO inputs
3. Distinguish risk appetite (strategic willingness to take risk), risk tolerance (acceptable variance around an objective), and risk capacity (maximum the enterprise can absorb) — confusing them is a common exam trap
4. Learn the three lines of defense: 1st = operational management owns risk, 2nd = risk and compliance provides oversight, 3rd = internal audit provides independent assurance
5. Memorize NIST 800-30 threat sources (adversarial, accidental, structural, environmental) and the seven NIST RMF SP 800-37 steps (Prepare, Categorize, Select, Implement, Assess, Authorize, Monitor)
6. Study leading vs lagging KRIs with concrete examples, and understand the difference between KRIs, KCIs, and KPIs
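A worked example of the assessment-and-analysis methods in the content outline and study tip 2: a 1-5 likelihood/impact heatmap rating for one risk register entry, then SLE = AV x EF, ALE = SLE x ARO, and ROSI for a candidate control. This is added illustration code, not ISACA material; the heatmap thresholds and the ransomware scenario figures are constructed, and ROSI is taken in its common form (ALE reduction minus annual control cost, divided by control cost), which the page names but does not spell out.

```python
"""Qualitative heatmap rating plus SLE/ALE/ROSI for a risk register entry.

Added example (not from ISACA or the exam provider). Heatmap thresholds,
scenario numbers and the ROSI form are assumptions noted inline.
"""


def heatmap_rating(likelihood: int, impact: int) -> str:
    """Red/yellow/green rating from a 1-5 likelihood x 1-5 impact scale.

    Thresholds (product >= 15 red, >= 6 yellow, else green) are constructed;
    real programs set their own from the enterprise's risk appetite.
    """
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact must be integers on a 1-5 scale")
    score = likelihood * impact
    if score >= 15:
        return "red"
    return "yellow" if score >= 6 else "green"


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV x EF, where EF is the fraction of asset value lost per event."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO, where ARO is the expected number of events per year."""
    if aro < 0:
        raise ValueError("annualized rate of occurrence cannot be negative")
    return sle * aro


def rosi(ale_before: float, ale_after: float, annual_control_cost: float) -> float:
    """ROSI (assumed common form) = (ALE reduction - control cost) / control cost."""
    if annual_control_cost <= 0:
        raise ValueError("control cost must be positive")
    return (ale_before - ale_after - annual_control_cost) / annual_control_cost


# Constructed register entry R-001: ransomware on a $2M file server.
# Inherent L=4/I=5, residual L=2/I=3 after offline backups are introduced.
INHERENT_RATING = heatmap_rating(4, 5)            # "red"
RESIDUAL_RATING = heatmap_rating(2, 3)            # "yellow"
SLE = single_loss_expectancy(2_000_000, 0.40)     # 800,000 per event
ALE_BEFORE = annualized_loss_expectancy(SLE, 0.5)  # one event every two years
ALE_AFTER = annualized_loss_expectancy(SLE, 0.1)   # one event every ten years
ROSI = rosi(ALE_BEFORE, ALE_AFTER, 100_000)       # 2.2, i.e. 220% return

if __name__ == "__main__":
    print(f"R-001 {INHERENT_RATING} -> {RESIDUAL_RATING}; SLE={SLE:,.0f} "
          f"ALE {ALE_BEFORE:,.0f} -> {ALE_AFTER:,.0f}; ROSI={ROSI:.2f}")
```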

Frequently Asked Questions

What is the ISACA IT Risk Fundamentals (ITRF) Certificate?

The ISACA IT Risk Fundamentals Certificate is an entry-level online certificate that validates foundational IT risk knowledge. It covers IT risk concepts, governance and management, identification, assessment and analysis, response, and monitoring, reporting and communication. It is a foundational companion to ISACA's professional CRISC credential and is intended for students, career changers, and IT professionals new to risk.

How many questions are on the IT Risk Fundamentals exam?

The exam contains 75 multiple-choice questions and gives candidates 2 hours to complete it. The passing score is 65%, which corresponds to roughly 49 correct answers. The exam is delivered online through PSI proctoring.

How much does the IT Risk Fundamentals exam cost?

The exam costs $175 USD for ISACA members and $225 USD for non-members. The fee includes one exam attempt; retakes follow ISACA's current ITRF policy. Online proctoring through PSI is included in the standard fee.

Are there any prerequisites for the IT Risk Fundamentals certificate?

No. The certificate has no formal prerequisites and no required experience. It is designed for entry-level learners, including students and career changers, who want grounding in IT risk concepts before pursuing the professional CRISC credential.

What domains does the IT Risk Fundamentals exam cover?

The exam covers six weighted domains: Risk Introduction and Overview (10%), Risk Governance and Management (10%), Risk Identification (20%), Risk Assessment and Analysis (25%), Risk Response (15%), and Risk Monitoring, Reporting and Communication (20%). Topics span the CIA triad, ISO 31000, NIST RMF (SP 800-37), NIST 800-30, COSO ERM 2017, the risk register, KRIs and KCIs, and risk treatment strategies.

How is the IT Risk Fundamentals exam different from CRISC?

ITRF is a foundational certificate aimed at building IT risk literacy with no prerequisites and a 75-question, 2-hour exam. CRISC is ISACA's professional certification in risk and information systems control, with stricter eligibility and a longer, more advanced exam. ITRF is the natural starting point on the way to CRISC.

How should I prepare for the ITRF exam?

Plan for 20-40 hours over 2-4 weeks. Read ISACA's IT Risk Fundamentals study guide, review ISO 31000 (Principles, Framework, Process), NIST SP 800-30 and SP 800-37, and COSO ERM 2017 components. Memorize the four risk treatment strategies, six control types, and quantitative formulas (SLE = AV x EF, ALE = SLE x ARO). Take practice exams to validate readiness against the 65% pass mark.