CRISC - Certified In Risk And Information System Control Training Course

ISACA’s Certified in Risk and Information Systems Control™ (CRISC®) certification indicates expertise in identifying and managing enterprise IT risk and implementing and maintaining information systems controls. Gain instant recognition and credibility with CRISC and boost your career! If you are a mid-career IT professional with a focus on IT and cyber risk and control, CRISC can get you the leverage you need to grow in your career.

This update to the CRISC exam content outline is based on changes in the work practices of IT risk professionals as well as market dynamics and trends that have placed an increased focus on organizational governance, continuous risk monitoring and reporting, information security and data privacy considerations for effective ITRM. These statements and domains are the results of extensive research, feedback, and validation from IT risk and control subject matter experts and prominent industry leaders from around the globe.

Below are the key domains, subtopics and tasks candidates will be tested on:

• Organizational Strategy, Goals, and Objectives
• Organizational Structure, Roles, and Responsibilities
• Organizational Culture
• Policies and Standards
• Business Processes
• Organizational Assets

• Enterprise Risk Management and Risk Management Framework
• Three Lines of Defense
• Risk Profile
• Risk Appetite and Risk Tolerance
• Legal, Regulatory, and Contractual Requirements
• Professional Ethics of Risk Management

• Risk Events (e.g., contributing conditions, loss result)
• Threat Modelling and Threat Landscape
• Vulnerability and Control Deficiency Analysis (e.g., root cause analysis)
• Risk Scenario Development

• Risk Assessment Concepts, Standards, and Frameworks
• Risk Register
• Risk Analysis Methodologies
• Business Impact Analysis
• Inherent and Residual Risk

• Risk Treatment / Risk Response Options
• Risk and Control Ownership
• Third-Party Risk Management
• Issue, Finding, and Exception Management
• Management of Emerging Risk

• Control Types, Standards, and Frameworks
• Control Design, Selection, and Analysis
• Control Implementation
• Control Testing and Effectiveness Evaluation

• Risk Treatment Plans
• Data Collection, Aggregation, Analysis, and Validation
• Risk and Control Monitoring Techniques
• Risk and Control Reporting Techniques (heatmap, scorecards, dashboards)
• Key Performance Indicators
• Key Risk Indicators (KRIs)
• Key Control Indicators (KCIs)

• Enterprise Architecture
• IT Operations Management (e.g., change management, IT assets, problems, incidents)
• Project Management
• Disaster Recovery Management (DRM)
• Data Lifecycle Management
• System Development Life Cycle (SDLC)
• Emerging Technologies

• Information Security Concepts, Frameworks, and Standards
• Information Security Awareness Training
• Business Continuity Management
• Data Privacy and Data Protection Principles