
Free CTPRP Practice Questions

10 free, exam-style Certified Third-Party Risk Professional (CTPRP) practice questions with answers and explanations. No signup required. Work through them below, then take the full free CTPRP practice test to study every exam domain.

Question 1

A regional bank outsources its mortgage loan processing to a third-party servicer. A federal regulator examines the bank and finds that the servicer has been charging borrowers undisclosed fees in violation of consumer protection law. The bank's compliance team argues they were unaware of the practice and had no involvement. Which of the following BEST describes the regulatory outcome?

  A. The regulator will pursue enforcement action solely against the servicer, as the bank had no direct involvement in the fee practice
  B. The bank will likely face regulatory consequences because it remains accountable for the activities its third party performs on its behalf
  C. The bank is protected from liability because the outsourcing contract transferred legal responsibility to the servicer
  D. The regulator will suspend enforcement until the bank can demonstrate it lacked knowledge of the servicer's practices

Correct answer: B - The bank will likely face regulatory consequences because it remains accountable for the activities its third party performs on its behalf

Question 2

During initial vendor onboarding, a TPRM analyst determines that a new cloud storage vendor will handle large volumes of sensitive customer financial data. Before reviewing any of the vendor's security controls or policies, the analyst assigns the vendor a Tier 1 (High) classification. Which TPRM concept does this action correctly reflect?

  A. Residual risk rating, because the classification accounts for the data sensitivity after controls are applied
  B. Inherent risk tiering, because the classification is based on the nature of the activity and data exposure before any controls are evaluated
  C. Risk appetite, because the organization has decided it will not accept vendors who handle sensitive financial data
  D. Due diligence scoping, because the analyst has already completed the assessment and confirmed the tier is appropriate

Correct answer: B - Inherent risk tiering, because the classification is based on the nature of the activity and data exposure before any controls are evaluated

Question 3

A financial services firm uses a third-party IT provider for core banking infrastructure. Unknown to the firm, the IT provider relies on a single cloud hosting company to deliver 90% of its services. The cloud hosting company experiences a prolonged outage, taking the IT provider - and the firm's core systems - offline. Which term MOST accurately describes the source of this risk to the financial services firm?

  A. Operational risk, because the outage directly disrupted the firm's ability to deliver services
  B. Fourth-party risk, because the disruption originated with a sub-contractor of the firm's direct vendor
  C. Strategic risk, because the firm's long-term goals were compromised by the IT provider's business model
  D. Concentration risk only, because the IT provider chose to consolidate hosting with a single provider

Correct answer: B - Fourth-party risk, because the disruption originated with a sub-contractor of the firm's direct vendor

Question 4

A newly appointed TPRM director is asked to build the organization's vendor risk program from the ground up. She begins by documenting all existing vendor relationships across every business unit, capturing the services each vendor provides, the data they access, and who internally owns each relationship. Which of the six TPRM program components is she establishing FIRST?

  A. Risk Register
  B. Program Charter
  C. Vendor Inventory
  D. Vendor Classification Hierarchy

Correct answer: C - Vendor Inventory

Question 5

A TPRM analyst is reviewing a SOC 2 Type II report for a high-risk SaaS vendor. The report covers a 12-month period, contains no qualified opinions, and addresses all five Trust Service Criteria. However, on closer reading, the analyst notices that the scope section explicitly excludes the vendor's secondary data center - the facility the vendor has confirmed is used to process the outsourcer's specific workloads. What is the MOST appropriate conclusion?

  A. The report provides sufficient assurance because it covers a full 12-month period with no qualifications
  B. The report provides sufficient assurance because all five Trust Service Criteria are addressed
  C. The report's assurance does not fully cover the outsourcer's risk exposure, and supplemental evidence for the excluded facility should be obtained
  D. The report should be rejected and the vendor should be required to obtain a new SOC 2 that includes all facilities

Correct answer: C - The report's assurance does not fully cover the outsourcer's risk exposure, and supplemental evidence for the excluded facility should be obtained

Question 6

An outsourcer is negotiating a contract with a critical third-party data processor. The vendor's legal team pushes back on one particular clause, arguing it is overly burdensome and requesting its removal. Without this clause, the outsourcer would have no formal mechanism to independently verify the vendor's security controls beyond reviewing documents the vendor chooses to provide. Which contract provision is MOST likely being disputed?

  A. The data return and destruction clause
  B. The incident notification timeline clause
  C. The right-to-audit clause
  D. The sub-contracting notification clause

Correct answer: C - The right-to-audit clause

Question 7

A critical payment processing vendor's SLA guarantees 99.9% system availability. During a business continuity review, the outsourcer's TPRM team asks the vendor to confirm its Recovery Time Objective and Recovery Point Objective for its primary processing platform. The vendor states its RTO is 4 hours and its RPO is 15 minutes. Assuming a major outage occurs at 9:00 AM, which of the following BEST describes what these commitments mean?

  A. The system must be restored by 1:00 PM, and no more than 15 minutes of transaction data may be lost
  B. The system must be restored within 15 minutes, and no more than 4 hours of transaction data may be lost
  C. The vendor will begin recovery efforts within 4 hours and will restore a data backup from no earlier than 15 minutes prior to the outage
  D. The system will be fully operational within 4 hours, and any data entered in the last 15 minutes before the outage may need to be re-entered

Correct answer: A - The system must be restored by 1:00 PM, and no more than 15 minutes of transaction data may be lost

Question 8

A TPRM assessment of a high-risk vendor reveals a critical finding: the vendor has no multi-factor authentication (MFA) enabled for any remote access to systems that process the outsourcer's customer data. The vendor acknowledges the gap and submits a remediation plan committing to full MFA deployment within 60 days. Thirty days later, the vendor sends an email stating the remediation is complete. What is the MOST appropriate next step for the outsourcer's TPRM team?

  A. Close the finding and update the risk register, as the vendor has confirmed remediation in writing
  B. Request and independently validate evidence of MFA deployment before closing the finding
  C. Escalate to senior management, because 60-day remediation timelines for critical findings are non-compliant with program standards
  D. Schedule the finding for review at the next annual assessment cycle to confirm sustained compliance

Correct answer: B - Request and independently validate evidence of MFA deployment before closing the finding

Question 9

A healthcare organization uses a SaaS-based patient scheduling platform hosted entirely by the vendor on the vendor's cloud infrastructure. Following a configuration error made by the outsourcer's own IT team, unauthorized staff members gain access to patient appointment records. The outsourcer's CISO argues the vendor is responsible for the data exposure because the platform is the vendor's product and runs on the vendor's infrastructure. Which principle does the CISO's argument MOST directly contradict?

  A. The shared responsibility model, under which the outsourcer retains accountability for its data and user access configuration regardless of the cloud model
  B. The right-to-audit principle, under which the outsourcer should have verified the vendor's access controls before deployment
  C. The inherent risk tiering principle, because SaaS platforms are considered lower risk and require less oversight
  D. The principle of least privilege, which requires the vendor to restrict all non-administrative access by default

Correct answer: A - The shared responsibility model, under which the outsourcer retains accountability for its data and user access configuration regardless of the cloud model

Question 10

A TPRM program manager presents two metrics to the risk committee: (1) 87% of scheduled third-party assessments were completed on time last quarter, and (2) 23% of Tier 1 vendors have not had a security assessment in over 18 months. Which of the following BEST classifies these two metrics and explains why the second is more urgent?

  A. Both are KPIs; the second is more urgent because it indicates the program team needs additional staffing resources
  B. The first is a KPI measuring program efficiency; the second is a KRI signalling elevated risk exposure that may require immediate remediation action
  C. The first is a KRI measuring vendor compliance; the second is a KPI indicating the program is underperforming against its assessment schedule
  D. Both are KRIs; the second is more urgent because overdue assessments represent a breach of regulatory requirements

Correct answer: B - The first is a KPI measuring program efficiency; the second is a KRI signalling elevated risk exposure that may require immediate remediation action
