By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.
The CRISC candidate should be familiar with the task statements relevant to each domain in the CRISC job practice. The tasks are supported by 41 knowledge statements that delineate each of the areas in which the risk practitioner must have a good understanding in order to perform the tasks. Many knowledge statements support tasks that cross domains.
The CRISC candidate should have knowledge of:
1. Laws, regulations, standards and compliance requirements
2. Industry trends and emerging technologies
3. Enterprise systems architecture (e.g., platforms, networks, applications, databases and operating systems)
4. Business goals and objectives
5. Contractual requirements with customers and third-party service providers
6. Threats and vulnerabilities related to:
   6.1 Business processes and initiatives
   6.2 Third-party management
   6.3 Data management
   6.4 Hardware, software and appliances
   6.5 The system development life cycle (SDLC)
   6.6 Project and program management
   6.7 Business continuity and disaster recovery management (DRM)
   6.8 Management of IT operations
   6.9 Emerging technologies
7. Methods to identify risk
8. Risk scenario development tools and techniques
9. Risk identification and classification standards and frameworks
10. Risk events/incident concepts (e.g., contributing conditions, lessons learned, loss result)
11. Elements of a risk register
12. Risk appetite and tolerance
13. Risk analysis methodologies (quantitative and qualitative)
14. Organizational structures
15. Organizational culture, ethics and behavior
16. Organizational assets (e.g., people, technology, data, trademarks, intellectual property) and business processes, including enterprise risk management (ERM)
17. Organizational policies and standards
18. Business process review tools and techniques
19. Analysis techniques (e.g., root cause, gap, cost-benefit, return on investment [ROI])
20. Capability assessment models and improvement techniques and strategies
21. Data analysis, validation and aggregation techniques (e.g., trend analysis, modeling)
22. Data collection and extraction tools and techniques
23. Principles of risk and control ownership
24. Characteristics of inherent and residual risk
25. Exception management practices
26. Risk assessment standards, frameworks and techniques
27. Risk response options (i.e., accept, mitigate, avoid, transfer) and criteria for selection
28. Information security concepts and principles, including confidentiality, integrity and availability of information
29. Systems control design and implementation, including testing methodologies and practices
30. The impact of emerging technologies on the design and implementation of controls
31. Requirements, principles and practices for educating and training on risk and control activities
32. Key risk indicators (KRIs)
33. Risk monitoring standards and frameworks
34. Risk monitoring tools and techniques
35. Risk reporting tools and techniques
36. IT risk management best practices
37. Key performance indicators (KPIs)
38. Control types, standards and frameworks
39. Control monitoring and reporting tools and techniques
40. Control assessment types (e.g., self-assessments, audits, vulnerability assessments, penetration tests, third-party assurance)
41. Control activities, objectives, practices and metrics related to:
   41.1 Business processes
   41.2 Information security, including technology certification and accreditation practices
   41.3 Third-party management, including service delivery
   41.4 Data management
   41.5 The system development life cycle (SDLC)
   41.6 Project and program management
   41.7 Business continuity and disaster recovery management (DRM)
   41.8 IT operations management
   41.9 The information systems architecture (e.g., platforms, networks, applications, databases and operating systems)