Classes
Certified in Risk and Information Systems Control (CRISC) Certification

Subject: Certifications

🧩 2 Practice Tests & Quizzes 📘 4 Study Guides
Introduction

CRISC is the only credential focused on enterprise IT risk management. ISACA’s Certified in Risk and Information Systems Control (CRISC) certification is ideal for mid-career IT/IS audit, risk and security professionals.

CRISC course content:

Domain 1: Governance 26%
- Organizational Strategy, Goals, and Objectives
- Organizational Structure, Roles, and Responsibilities
- Organizational Culture
- Policies and Standards
- Business Processes
- Organizational Assets

Organizational Governance A
- Enterprise Risk Management and Risk Management Framework
- Three Lines of Defense
- Risk Profile
- Risk Appetite and Risk Tolerance
- Legal, Regulatory, and Contractual Requirements
- Professional Ethics of Risk Management

Domain 2: IT Risk Assessment 20%
- Risk Events (e.g., contributing conditions, loss result)
- Threat Modelling and Threat Landscape
- Vulnerability and Control Deficiency Analysis (e.g., root cause analysis)
- Risk Scenario Development

IT Risk Identification A
- Risk Assessment Concepts, Standards, and Frameworks
- Risk Register
- Risk Analysis Methodologies
- Business Impact Analysis
- Inherent and Residual Risk

Domain 3: Risk Response and Reporting 32%
- Risk Treatment / Risk Response Options
- Risk and Control Ownership
- Third-Party Risk Management
- Issue, Finding, and Exception Management
- Management of Emerging Risk

Risk Response A
- Control Types, Standards, and Frameworks
- Control Design, Selection, and Analysis
- Control Implementation
- Control Testing and Effectiveness Evaluation

Control Design and Implementation B
- Risk Treatment Plans
- Data Collection, Aggregation, Analysis, and Validation
- Risk and Control Monitoring Techniques
- Risk and Control Reporting Techniques (heatmap, scorecards, dashboards)
- Key Performance Indicators
- Key Risk Indicators (KRIs)
- Key Control Indicators (KCIs)

Domain 4: Information Technology and Security 22%
- Enterprise Architecture
- IT Operations Management (e.g., change management, IT assets, problems, incidents)
- Project Management
- Disaster Recovery Management (DRM)
- Data Lifecycle Management
- System Development Life Cycle (SDLC)
- Emerging Technologies

Information Technology Principles A
- Information Security Concepts, Frameworks, and Standards
- Information Security Awareness Training
- Business Continuity Management
- Data Privacy and Data Protection Principles

CRISC vs CISA

Information Risk and Systems control focuses on how to assess the risk presented to a system, quantifying the risk, what's the impact to the system if the risk was realized, how to address the risk, what's the best way to treat the risk etc.

Information Systems Audit focuses more on whether you really do what you claim to do. In most cases than not, the outcome is a binary value - Yes or no. Supporting evidence could demonstrate the level of maturity for a control.

Keep in mind the 4 Ts of risk management - Treat, Tolerate, Transfer or Terminate. You can do any one of these 4, or in some cases, one or more.

Also keep in mind that risk can never be totally eliminated. It can only be reduced to an acceptable level.

You should also apply your managerial experience in attempting these exams as most CRISC questions train the mind to think like a manager


Latest Practice Tests / Quizzes
📝 CRISC Assessment Test
📝 CRISC Glossary
⚡ Recently practiced quizzes in this class
Latest Study Guides
📄 General Information About CRISC Exam You Should Know
📄 41 Knowledge Statements
📄 IT Risk Management Good Practices
Exam Survival Guides
Survival guide for this class coming soon.