Top 10 CRISC Interview Questions [updated 2021]

December 13, 2021 by Kurt Ellzey

A focus on one particular aspect of information security can be a tremendous asset to any company trying to enhance its existing setup, start from scratch or prepare for a certification project.

The CRISC certification (Certified in Risk and Information Systems Control) shows that the person holding it specializes in IT risk management. With such a wealth of knowledge to draw on, we want to make sure during an interview that this person will be able to communicate with management and other departments and provide documentation on where we are and where we want to go from here.

Earn your CRISC certification, guaranteed!


Enroll in a CRISC Boot Camp and earn one of the highest paying industry certifications — guaranteed.

1. How would you define information security risks and threats?

Information security risk can refer to multiple categories, but it boils down to a key idea: the damage caused by unauthorized actions involving information or the systems that hold it. The scale, damage and specifics of the risk can vary enormously, from inconsequential to catastrophic. Threats, on the other hand, are the ways in which the risks are carried out. So, for example, we may have an insider threat where a user exfiltrates critical information out of the organization. The risk would be the kind of damage that information could do in the wrong hands.

2. Management wants to know how you would eliminate our information security risks.

Information security risk can rarely be removed entirely, whether because of the number of people involved, the amount of money it would require or many other factors. The best that we can do is reduce risk to a level that the organization is either satisfied with or can deal with.

3. Who can be considered a Risk Stakeholder?

Risk stakeholders are people, groups or organizations that a particular decision would impact. For example, if you were trying to work out how much an organization should spend on protection against lightning strikes, you would need to talk with the executives, but you would also want to speak to maintenance crews, electricians, people working in potentially exposed locations and others. Everyone involved would contribute valuable information and potentially critical insight into a field that the person making the policy decision may not be familiar with.

4. How would you calculate ALE?

Annualized loss expectancy (ALE) is worked out by multiplying the single loss expectancy (SLE), which is how bad a single event can be, by the annualized rate of occurrence (ARO), which is how often that event is likely to happen in a year: ALE = SLE x ARO. Once an organization has this figure, the decision-makers can make an informed decision as to whether or not it is in the organization's best interests to mitigate the risk, reduce the risk or accept it.
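Carrying the ALE arithmetic through to the mitigate-or-accept decision the answer above mentions, as an added example that is not part of the original article. Every figure in it (the ransomware scenario, the control costs and the residual SLE/ARO values each control is expected to leave) is constructed for illustration; a real assessment would take them from incident history, vendor quotes and the asset inventory.

```python
"""ALE worked example (added illustration, not from the original article).

ALE = SLE x ARO, then compare each candidate control's annual cost against
the reduction in ALE it buys to decide whether to mitigate or accept.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class RiskScenario:
    """One loss event type, quantified with the two inputs the article names."""
    name: str
    sle: float  # single loss expectancy: cost of one occurrence (currency units)
    aro: float  # annualized rate of occurrence: expected events per year

    @property
    def ale(self) -> float:
        # Annualized loss expectancy: what this scenario costs in a typical year.
        return self.sle * self.aro


@dataclass(frozen=True)
class ControlOption:
    """A candidate control and the residual SLE/ARO it is expected to leave."""
    name: str
    annual_cost: float   # what it costs to run the control each year
    residual_sle: float  # SLE after the control is in place
    residual_aro: float  # ARO after the control is in place

    @property
    def residual_ale(self) -> float:
        return self.residual_sle * self.residual_aro


def net_benefit(scenario: RiskScenario, control: ControlOption) -> float:
    """Annual ALE reduction the control buys, minus what the control costs."""
    return scenario.ale - control.residual_ale - control.annual_cost


def recommend(scenario: RiskScenario,
              options: List[ControlOption]) -> Tuple[str, Optional[ControlOption]]:
    """('mitigate', best_control) if some control pays for itself, else ('accept', None).

    A control whose annual cost exceeds the ALE it removes is not worth buying
    on these numbers alone, so the risk is accepted (or a cheaper control sought).
    """
    if not options:
        return ("accept", None)
    best = max(options, key=lambda c: net_benefit(scenario, c))
    if net_benefit(scenario, best) <= 0:
        return ("accept", None)
    return ("mitigate", best)


# --- Constructed sample data (hypothetical figures, not from any real assessment) ---
RANSOMWARE = RiskScenario("ransomware on the main file server", sle=250_000, aro=0.2)
CONTROLS = [
    # Offline backups shrink the loss per event; the attack still happens as often.
    ControlOption("Immutable offline backups", annual_cost=15_000,
                  residual_sle=40_000, residual_aro=0.2),
    # EDR reduces how often an infection succeeds; a successful one still costs the same.
    ControlOption("EDR rollout", annual_cost=30_000,
                  residual_sle=250_000, residual_aro=0.05),
    # Insurance transfers most of the loss, but at a premium that outweighs it here.
    ControlOption("Cyber insurance", annual_cost=45_000,
                  residual_sle=50_000, residual_aro=0.2),
]

# A low-impact scenario where the only available control costs more than the risk.
LOW_RISK = RiskScenario("break-room coffee machine outage", sle=400, aro=5.0)
LOW_RISK_CONTROLS = [
    ControlOption("Keep a spare machine on site", annual_cost=5_000,
                  residual_sle=0, residual_aro=5.0),
]


def report(scenario: RiskScenario, options: List[ControlOption]) -> None:
    print(f"{scenario.name}: SLE {scenario.sle:,.0f} x ARO {scenario.aro} = ALE {scenario.ale:,.0f}")
    for c in options:
        print(f"  {c.name:<32} residual ALE {c.residual_ale:>10,.0f}"
              f"  cost {c.annual_cost:>8,.0f}  net benefit {net_benefit(scenario, c):>9,.0f}")
    decision, chosen = recommend(scenario, options)
    print(f"  -> {decision}" + (f": {chosen.name}" if chosen else ""))


if __name__ == "__main__":
    report(RANSOMWARE, CONTROLS)
    report(LOW_RISK, LOW_RISK_CONTROLS)
```

The decision rule is deliberately the simplest one that follows from ALE: a control is worth buying when the ALE it removes exceeds its annual cost. In practice the residual figures are the weakest part of the calculation, so the same table is usually re-run with pessimistic and optimistic estimates before it goes to the decision-makers.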

5. What sort of process would you go through when beginning to build a new Control?

Creating a control depends entirely on getting reliable answers to a large number of questions, such as:

  • Do we plan to be proactive or reactive?
  • Is this an administrative action?
  • Is this something we can implement on the technical side?
  • Is this a physical element?
  • Are we preventing something from happening?
  • Is this supposed to correct something?
  • Are we trying to detect a problem?
  • Do we need to create a deterrent for something?
  • Do we have to compensate for a weakness?

Once we have an idea of the end goal, we can start building our controls. This may take a great deal of time, resources and feedback depending on how large the goal is (for instance, if we need to produce an entire business continuity plan), but we will have a direction to start in.

6. How would you create responses or procedures in case of an emergency?

If we were looking at a disaster recovery plan, we would first want to see what the organization currently has in place, such as a backup policy. If something already exists, we would not have to start from scratch, which allows us to move along much more quickly. We would also want to speak with the people who would be required to respond to the disaster and see what it would take to get them up and running as soon as possible. After we have our information, we can start creating our documentation and have it reviewed to see if there are any gaps in our understanding of the process, or anything that may have been overlooked entirely.

7. Have you ever performed gap analysis?

As mentioned above, gap analysis as a whole refers to seeing where an organization is right now, where it needs to get to and whether everything in between is covered. If the organization needs to comply with policies A through Z but completely forgets about Q, an audit can help to highlight that gap.

8. How would you present potentially bad news to executives?

Reports and deliverables can show hard numbers and facts about both the good points and the bad ones. Presenting this information to executives can be a tremendously challenging and intimidating task. Still, it has to be done, and in a way where everyone can understand what is being said. Exceptionally bad news can be very hard for some people to take, even in situations where it is clear that it is no one person's fault. Because of this, how that news is explained can completely change the way the information is handled. The tone and posture that the presenter adopts can take a horrible situation and turn it into a productive meeting.

9. What is a KPI?

Key performance indicators are essential values that show "where we are right now." These values can come from a wide range of elements, such as how far along an operating system migration is, how many hard drives in our storage have been swapped out in the last year, how often our website has gone down and more. Being able to show this information at a glance along a timeline helps us see how we are doing compared to where we were and spot any weaknesses we need to strengthen.

10. Why is Risk Ownership vital in a large organization?

A risk owner should be a person for whom covering a particular risk is a natural part of their normal job. For example, let's say that we had one person who was responsible for data restoration. When we implemented offsite, offline backups, they would certainly want to be involved in pulling tapes, verifying that they were all present and accurately labeled, and confirming that they were delivered safely to the secure offsite storage. They would want to do this because their job depends on good data being available for restoration; otherwise they literally cannot do their job reliably.


Value of a CRISC certification for your career

A CRISC certification can help someone become a tremendous asset to any organization, one who can help reduce the risks involved across a wide range of fields. Being familiar with ever-evolving standards, and with how to get from here to there, will make sure that they remain employed for a very long time.



Kurt Ellzey

Kurt Ellzey has worked in IT for the past 12 years, with a specialization in Information Security. During that time, he has covered a broad swath of IT tasks from system administration to application development and beyond. He has contributed to a book published in 2013 entitled "Security 3.0" which is currently available on Amazon and other retailers.