ISACA · Risk-Fund
Validates foundational IT risk knowledge, covering risk governance and management, risk identification, risk assessment and analysis, risk response, and risk monitoring, reporting, and communication, including IT risk terminology and general risk management practices.
Questions
616
Duration
120 minutes
Passing Score
65%
Difficulty
FoundationalLast Updated
Feb 2026
Use this Risk-Fund practice exam to prepare for IT Risk Fundamentals Certificate with realistic questions, detailed explanations, and focused study modes. The practice bank includes 616 questions for ISACA Risk-Fund, so you can review the exam steadily instead of relying on one long cram session.
As you practice, pay extra attention to patterns in your missed answers. Start with short sessions to identify weak areas, then move into timed quizzes once your accuracy is consistent.
The explanations are especially useful when you want to connect exam wording to the responsibilities and scenarios described in the official certification guidance. Use the free preview first, then unlock the full question bank when you are ready to build a complete study routine.
The ISACA IT Risk Fundamentals Certificate is a foundational-level credential designed to validate comprehensive knowledge of IT risk terminology, concepts, and general risk management practices as they apply to information and technology (I&T). The certificate covers the full lifecycle of IT risk management—from governance and risk identification through assessment, analysis, response, and ongoing monitoring and communication. It is aligned with ISACA's globally recognized IT risk framework and provides a structured understanding of how organizations identify, assess, and respond to risks that could affect I&T-related assets and operations.
Introduced by ISACA in 2020, this certificate serves as an accessible entry point into the IT risk discipline, offering structured learning across six clearly defined domains. Candidates who earn the certificate demonstrate that they can apply foundational risk concepts in real-world scenarios, understand risk governance structures, and communicate risk findings effectively. It is also recognized as a stepping stone toward ISACA's more advanced Certified in Risk and Information Systems Control (CRISC) certification.
The IT Risk Fundamentals Certificate is designed for professionals who are new to IT risk management or looking to formalize and validate their foundational knowledge in the field. This includes entry-level IT risk analysts, IT auditors, compliance specialists, security professionals, and technology staff who want to develop fluency in risk terminology and practices. It is equally appropriate for non-IT professionals—such as business analysts or internal auditors—who interact with IT risk processes and need a structured understanding of the discipline.
Organizations seeking to upskill entire teams in baseline risk awareness will also find this certificate relevant, as ISACA offers group and corporate training options. There are no formal prerequisites, making it accessible to candidates at any stage of their career who have an interest in IT risk management.
There are no formal prerequisites for the IT Risk Fundamentals Certificate. ISACA allows any candidate to register and sit for the exam at any time, with no prior certifications, education requirements, or work experience mandated. This open-access model reflects the foundational nature of the credential.
While no experience is required, candidates will benefit from a general familiarity with information technology concepts and basic organizational structures. Those with exposure to IT audit, cybersecurity, compliance, or governance functions may find the material more intuitive. ISACA recommends using its official study resources—particularly the IT Risk Fundamentals Study Guide and the online course available through the ISACA Perform platform—to prepare for the exam, regardless of prior background.
The IT Risk Fundamentals exam consists of 75 questions delivered over a 120-minute testing window. Questions are a blend of multiple-choice and performance-based formats; performance-based questions are set in a virtual lab-style environment that tests applied knowledge rather than rote recall. The exam is delivered online and is remotely proctored, allowing candidates to sit from any location with a compatible internet connection.
The passing score is 65% or higher. Registration is continuous—there are no application windows or deadlines—and candidates can schedule a testing appointment as early as 48 hours after payment of the exam fee. Exam eligibility remains valid for 12 months from the date of registration. Appointments can be scheduled up to 90 days in advance, and free rescheduling is permitted with at least 48 hours' notice. The exam fee is US$175 for ISACA members and US$225 for non-members.
Earning the IT Risk Fundamentals Certificate signals to employers a verified baseline competency in IT risk management, making candidates more competitive for roles such as IT risk analyst, compliance analyst, IT auditor, and risk assessment consultant. Because the credential is issued by ISACA—a globally recognized authority in IT governance, risk, and audit—it carries credibility across industries including financial services, healthcare, government, and technology. The certificate is particularly valuable as a credential for professionals transitioning into risk-focused roles or seeking to differentiate themselves early in their careers.
The IT Risk Fundamentals Certificate is explicitly positioned by ISACA as a pathway toward the Certified in Risk and Information Systems Control (CRISC) certification, one of the most valued and highest-paying IT certifications globally; CRISC holders report average salaries exceeding $150,000 annually. The foundational certificate itself strengthens candidacy for IT risk roles that typically command salaries in the $85,000–$120,000 range, depending on geography and experience level. Demand for IT risk professionals continues to grow as organizations face increasing regulatory requirements, cyber threats, and digital transformation risks.
5 sample questions with answers and explanations. Start a practice session to test yourself across all 616 questions.
Preview — answers shown1. A technology startup implements the NIST Cybersecurity Framework 2.0 and must establish its cybersecurity risk management strategy, roles, and policies before implementing technical controls. Which CSF function addresses these foundational activities? (Select one!)
Explanation
Govern is the new function added in NIST CSF 2.0 that addresses establishing cybersecurity risk management strategy, roles, policies, and oversight. This function provides the foundation for the other five functions by setting organizational context and governance structures. Identify focuses on understanding cybersecurity risks to systems, assets, and capabilities. Protect involves implementing safeguards for critical services. Detect addresses identifying cybersecurity events. The Govern function must be established first to provide the strategic direction and governance framework that guides all other cybersecurity activities.
2. An energy company implements continuous risk monitoring for its industrial control systems. The security team tracks failed authentication attempts to supervisory control systems. During normal operations, failed login attempts average 5 per day. The monitoring system uses a three-tier threshold model with green zone below 10 attempts daily, yellow zone between 10-25 attempts daily, and red zone above 25 attempts daily. On Monday, the system detects 18 failed login attempts. What action should the security team take? (Select one!)
Explanation
The yellow or amber zone indicates the metric is approaching threshold limits and requires investigation. With 18 failed attempts, the system has exceeded the green zone (below 10) and entered the yellow zone (10-25), signaling potential risk increase that needs attention before it escalates to critical levels. Yellow zone metrics trigger investigation and monitoring but not necessarily immediate escalation. The metric has clearly exceeded green zone limits which represent normal acceptable levels. The red zone threshold is 25 attempts, and 18 has not exceeded this level requiring immediate escalation. One day of yellow zone readings does not indicate false positives or improper baseline settings, it indicates the early warning system is functioning as designed by detecting increased activity before it becomes critical.
3. A vulnerability assessment identifies CVE-2024-12345 affecting the organization's web application servers. The security team confirms the vulnerability exists but no known exploits are currently available. What should the risk analyst do next? (Select one!)
Explanation
Conducting risk assessment is correct because vulnerability identification must be followed by risk assessment that evaluates risk factors including likelihood of exploitation, potential business impact, and appropriate response actions. Simply identifying a vulnerability does not automatically indicate high risk. Immediate patching without risk assessment may disrupt critical business operations unnecessarily. Closing the report ignores the potential for future exploit development. Waiting for vendor guidance delays appropriate risk evaluation and response planning.
4. An airline company establishes a three-tier threshold model for monitoring failed authentication attempts to critical flight scheduling systems. The system generates 50-100 failed attempts daily (green zone), investigation triggers at 150 attempts (yellow zone), and immediate escalation occurs at 250 attempts (red zone). On Monday, the system records 180 failed authentication attempts. What action should risk management take? (Select one!)
Explanation
At 180 failed attempts, the system is in the yellow or amber zone, which indicates the metric is approaching but has not exceeded the critical threshold. Yellow zone triggers require investigation to determine the cause and close monitoring to see if the trend continues toward the red zone. Taking no action is inappropriate because the threshold has moved beyond the green zone. Immediate executive escalation is premature as the red zone threshold of 250 has not been reached. Emergency shutdown is an extreme overreaction when the situation calls for investigation and monitoring, not immediate crisis response.
5. A financial institution implements COBIT 2019 governance framework. The board evaluates strategic options, provides direction to management on risk approach, and monitors achievement of risk objectives. Which COBIT governance activity does the board perform? (Select one!)
Explanation
EDM03 (Ensured Risk Optimization) is the governance-level risk process in COBIT 2019 where the board Evaluates strategic options, Directs management on risk approach, and Monitors achievement of objectives. This follows the EDM (Evaluate-Direct-Monitor) governance model. APO12 (Managed Risk) is the management-level risk process following PBRM (Plan-Build-Run-Monitor). DSS05 focuses on security services management. MEA03 addresses compliance management. COBIT clearly distinguishes governance (board responsibility, EDM domain) from management (executive responsibility, APO/BAI/DSS/MEA domains).
Certified Information Security Manager (CISM)
CISM · 1196 questions
Certified Information Systems Auditor (CISA)
CISA · 895 questions
Certified in Risk and Information Systems Control (CRISC)
CRISC · 761 questions
Certified Data Privacy Solutions Engineer (CDPSE)
CDPSE · 749 questions
IoT Fundamentals Certificate
IoT-Fund · 630 questions
IT Audit Fundamentals Certificate
IT-Audit-Fund · 627 questions
$17.99
One-time access to this exam