Certified in Risk and Information Systems Control (CRISC)

ISACA’s Certified in Risk and Information Systems Control (CRISC) reflects the latest work practices and knowledge used by CRISC practitioners, changes in the business landscape and the heightened focus on corporate governance and enhanced business resilience.

CRISC certification verifies your knowledge and expertise in risk management. CRISC-certified professionals aid enterprises in understanding business risk and possess a technical understanding to implement the most useful information security procedures and controls.

Employers can rest assured that, armed with CRISC, their IT team is following governance best practices and taking a proactive, agile approach to IT risk management (ITRM) that mitigates risks and threats and optimizes resources and ROI.

What You'll Learn - CRISC Domains

The most effective way to prepare for the CRISC exam is to learn how it is structured and what it covers. The examination, developed by the CRISC Task Force, features four job practice domains, described below:

Domain 1: Governance

This domain breaks down into two governance subcategories:

A. Organizational Governance

  • Organizational strategy, goals and objectives
  • Organizational structure, roles and responsibilities
  • Organizational culture
  • Policies and standards
  • Business processes
  • Organizational assets

B. Risk Governance

  • Enterprise risk management and risk management framework
  • Three lines of defense
  • Risk profile
  • Risk appetite and risk tolerance
  • Legal, regulatory and contractual requirements
  • Professional ethics of risk management

Domain 2: IT Risk Assessment

This domain breaks down into two distinct sections:

A. IT Risk Identification

  • Risk events (e.g., contributing conditions, loss result)
  • Threat modeling and threat landscape
  • Vulnerability and control deficiency analysis (e.g., root cause analysis)
  • Risk scenario development

B. IT Risk Analysis and Evaluation

  • Risk assessment concepts, standards and frameworks
  • Risk register
  • Risk analysis methodologies
  • Business impact analysis
  • Inherent and residual risk

Domain 3: Risk Response and Reporting

This domain is split into three sub-sections:

A. Risk Response

  • Risk treatment/risk response options
  • Risk and control ownership
  • Third-party risk management
  • Issue, finding and exception management
  • Management of emerging risk

B. Control Design and Implementation

  • Control types, standards and frameworks
  • Control design, selection and analysis
  • Control implementation
  • Control testing and effectiveness evaluation

C. Risk Monitoring and Reporting

  • Risk treatment plans
  • Data collection, aggregation, analysis and validation
  • Risk and control monitoring techniques
  • Risk and control reporting techniques (heatmap, scorecards and dashboards)
  • Key performance indicators
  • Key risk indicators (KRIs)
  • Key control indicators (KCIs)

Domain 4: Information Technology and Security

This domain is split into two sections:

A. Information Technology Principles

  • Enterprise architecture
  • IT operations management (e.g., change management, IT assets, problems and incidents)
  • Project management
  • Disaster recovery management (DRM)
  • Data lifecycle management
  • System development life cycle (SDLC)
  • Emerging technologies

B. Information Security Principles

  • Information security concepts, frameworks and standards
  • Information security awareness training
  • Business continuity management
  • Data privacy and data protection principles

Professionals certified in CRISC build a deeper understanding of information technology risks and how they impact the entire organization, and they devise plans and strategies for mitigating those risks. CRISC professionals establish a common language that facilitates communication and understanding between IT groups and business stakeholders.
