CRISC is the only credential focused on enterprise IT risk management. ISACA’s Certified in Risk and Information Systems Control (CRISC) certification is ideal for mid-career IT/IS audit, risk and security professionals.
CRISC course content:
Domain 1: Governance 26% - Organizational Strategy, Goals, and Objectives - Organizational Structure, Roles, and Responsibilities - Organizational Culture - Policies and Standards - Business Processes - Organizational Assets
Organizational Governance A - Enterprise Risk Management and Risk Management Framework - Three Lines of Defense - Risk Profile - Risk Appetite and Risk Tolerance - Legal, Regulatory, and Contractual Requirements - Professional Ethics of Risk Management
Domain 2: IT Risk Assessment 20% - Risk Events (e.g., contributing conditions, loss result) - Threat Modelling and Threat Landscape - Vulnerability and Control Deficiency Analysis (e.g., root cause analysis) - Risk Scenario Development
IT Risk Identification A - Risk Assessment Concepts, Standards, and Frameworks - Risk Register - Risk Analysis Methodologies - Business Impact Analysis - Inherent and Residual Risk
Domain 3: Risk Response and Reporting 32% - Risk Treatment / Risk Response Options - Risk and Control Ownership - Third-Party Risk Management - Issue, Finding, and Exception Management - Management of Emerging Risk
Risk Response A - Control Types, Standards, and Frameworks - Control Design, Selection, and Analysis - Control Implementation - Control Testing and Effectiveness Evaluation
Control Design and Implementation B - Risk Treatment Plans - Data Collection, Aggregation, Analysis, and Validation - Risk and Control Monitoring Techniques - Risk and Control Reporting Techniques (heatmap, scorecards, dashboards) - Key Performance Indicators - Key Risk Indicators (KRIs) - Key Control Indicators (KCIs)
Domain 4: Information Technology and Security 22% - Enterprise Architecture - IT Operations Management (e.g., change management, IT assets, problems, incidents) - Project Management - Disaster Recovery Management (DRM) - Data Lifecycle Management - System Development Life Cycle (SDLC) - Emerging Technologies
Information Technology Principles A - Information Security Concepts, Frameworks, and Standards - Information Security Awareness Training - Business Continuity Management - Data Privacy and Data Protection Principles
CRISC vs CISA
Information Risk and Systems control focuses on how to assess the risk presented to a system, quantifying the risk, what's the impact to the system if the risk was realized, how to address the risk, what's the best way to treat the risk etc.
Information Systems Audit focuses more on whether you really do what you claim to do. In most cases than not, the outcome is a binary value - Yes or no. Supporting evidence could demonstrate the level of maturity for a control.
Keep in mind the 4 Ts of risk management - Treat, Tolerate, Transfer or Terminate. You can do any one of these 4, or in some cases, one or more.
Also keep in mind that risk can never be totally eliminated. It can only be reduced to an acceptable level.
You should also apply your managerial experience in attempting these exams as most CRISC questions train the mind to think like a manager
Join 4M+ learners. Unlock unlimited quizzes, wrong-answer tracking, flashcards + reminders, study guides, and 1-on-1 challenges.