Top 10 CRISC Interview Questions

October 19, 2017 by Tyra Appleby


CRISC is the Certified in Risk and Information Systems Control certification. This certification verifies that you have the skills to manage enterprise security risks. Holding a CRISC can enhance your cybersecurity credentials and make you eligible to apply for compliance risk managerial jobs.

Interview Questions

Below are 10 interview questions to help CRISC holders prepare for their next job interview.

1. What procedure should be adhered to when an employee violates company policy?

To answer this, explain that you must first identify what the violation was by reviewing the offense and the company policy. Often, policy makes suggestions on how to deal with non-compliant employees. If it does not, it is best to identify the impact of the violation. For minor offenses, it is acceptable to provide the offender with additional training. For more egregious offenses, it is best to review the employee’s overall work history and decide whether additional training is enough, or whether the matter needs to be escalated to a more severe punishment.

2. What is a whistleblower, and what is the best way to protect them?

Whistleblowers are employees who report policy violations. There are laws in place to protect whistleblowers, but as the compliance manager, you want to ensure they are free from potential retaliation from coworkers or managers. That may mean holding an impromptu training session on how to treat coworkers who report violations.

3. What are the most important points of an effective compliance program?

An effective compliance program ensures rules and regulations are properly identified and documented.

4. Which skillset is most important: attention to detail, effective communication or critical thinking?

There is no right or wrong answer here, but this question shows how you view things. All three of these items are important, but you should determine which you believe to be the most important and be prepared to justify why.

5. If you were given a multitude of tasks that had to be completed by the end of the day, how would you prioritize them?

This is another question to evaluate how you handle stress and conflict. In order to answer it effectively, you must understand the needs of the company. Your answer should state you would prioritize tasks based on business needs, completing items that directly feed into the most urgent business needs first.

6. Describe the OWASP Top 10 Vulnerabilities

This list is updated yearly with the current top 10 application security risks. Cross-site scripting is one item that has consistently been on the list year after year. Others on the most current list include injection flaws such as SQL, OS and LDAP injection, security misconfigurations, sensitive data exposure and under-protected APIs.

7. What are some types of fraud that criminals engage in?

This question is specific to the industry. If you are interviewing for a compliance manager role at a bank, you should list fraud specific to the banking industry, which might include things like phishing attempts to gain login credentials. Make sure you do some research on the current threats to your specific industry before your interview.

8. How do you handle conflict?

Conflict is unavoidable in this type of position. You will be asked this question. It is important to show you are capable of handling and defusing conflict.

9. How do you feel about change management?

This is a question to test how you feel about policy. Change management is important to ensuring a smooth transition during changes in the business environment.

10. How would you address a company executive asking you to violate some aspect of company policy?

The best way to answer this is to first state you would never violate company policy, even at the risk of upsetting your boss. You would instead educate them on the policy and stress the importance of following policy at all times.


The CRISC certification will help qualify you as a compliance manager. As a candidate, prepare for your interview so you are well versed in the policies, rules and regulations specific to your industry. It is especially impressive if you can give the full names and version numbers of policies specific to your industry during the interview process.


Tyra Appleby is a CISSP certified lover of all things cybersecurity. After serving 4 years in the Navy as a Cryptologic Technician, she continued supporting various DoD and government agencies as a Systems Security Engineer. She has a passion for writing and research, particularly in the areas of Reverse Engineering and Digital Forensics. When she’s not working, you can find her at the beach with her Rottweiler Ava.
