What is the CRISC difference?
The Certified in Risk and Information Systems Control® (CRISC®) exam consists of 150 questions covering 4 job practice domains, all testing your knowledge and ability on real-life job practices leveraged by expert professionals.
ISACA’s commitment
Since its inception in 2010, more than 23,000 people have obtained ISACA’s CRISC certification to validate their expertise in using governance best practices and continuous risk monitoring and reporting. The domains, subtopics and tasks are the results of extensive research, feedback and validation from subject matter experts and prominent industry leaders from around the globe.
Job practice areas tested for and validated by a CRISC certification
The governance domain tests your knowledge of an organization’s business and IT environments, its organizational strategy, goals and objectives, and your ability to identify potential or realized impacts of IT risk on the organization’s business objectives and operations, including Enterprise Risk Management and the Risk Management Framework.
A—ORGANIZATIONAL GOVERNANCE
- Organizational Strategy, Goals, and Objectives
- Organizational Structure, Roles and Responsibilities
- Organizational Culture
- Policies and Standards
- Business Processes
- Organizational Assets
B—RISK GOVERNANCE
- Enterprise Risk Management and Risk Management Framework
- Three Lines of Defense
- Risk Profile
- Risk Appetite and Risk Tolerance
- Legal, Regulatory and Contractual Requirements
- Professional Ethics of Risk Management
This domain will certify your knowledge of threats and vulnerabilities to the organization’s people, processes and technology as well as the likelihood and impact of threats, vulnerabilities and risk scenarios.
A—IT RISK IDENTIFICATION
- Risk Events (e.g., contributing conditions, loss result)
- Threat Modelling and Threat Landscape
- Vulnerability and Control Deficiency Analysis (e.g., root cause analysis)
- Risk Scenario Development
B—IT RISK ANALYSIS AND EVALUATION
- Risk Assessment Concepts, Standards and Frameworks
- Risk Register
- Risk Analysis Methodologies
- Business Impact Analysis
- Inherent and Residual Risk
This domain covers the development and management of risk treatment plans with key stakeholders, the evaluation of existing controls and the improvement of their effectiveness for IT risk mitigation, and the reporting of relevant risk and control information to applicable stakeholders.
A—RISK RESPONSE
- Risk Treatment / Risk Response Options
- Risk and Control Ownership
- Third-Party Risk Management
- Issue, Finding and Exception Management
- Management of Emerging Risk
B—CONTROL DESIGN AND IMPLEMENTATION
- Control Types, Standards and Frameworks
- Control Design, Selection and Analysis
- Control Implementation
- Control Testing and Effectiveness Evaluation
C—RISK MONITORING AND REPORTING
- Risk Treatment Plans
- Data Collection, Aggregation, Analysis and Validation
- Risk and Control Monitoring Techniques
- Risk and Control Reporting Techniques (heatmap, scorecards, dashboards)
- Key Performance Indicators
- Key Risk Indicators (KRIs)
- Key Control Indicators (KCIs)
This domain examines the alignment of business practices with risk management and information security frameworks and standards, as well as the development of a risk-aware culture and the implementation of security awareness training.
A—INFORMATION TECHNOLOGY PRINCIPLES
- Enterprise Architecture
- IT Operations Management (e.g., change management, IT assets, problems, incidents)
- Project Management
- Disaster Recovery Management (DRM)
- Data Lifecycle Management
- System Development Life Cycle (SDLC)
- Emerging Technologies
B—INFORMATION SECURITY PRINCIPLES
- Information Security Concepts, Frameworks and Standards
- Information Security Awareness Training
- Business Continuity Management
- Data Privacy and Data Protection Principles
- Collect and review existing information regarding the organization’s business and IT environments.
- Identify potential or realized impacts of IT risk to the organization’s business objectives and operations.
- Identify threats and vulnerabilities to the organization’s people, processes and technology.
- Evaluate threats, vulnerabilities and risk to identify IT risk scenarios.
- Establish accountability by assigning and validating appropriate levels of risk and control ownership.
- Establish and maintain the IT risk register and incorporate it into the enterprise-wide risk profile.
- Facilitate the identification of risk appetite and risk tolerance by key stakeholders.
- Promote a risk-aware culture by contributing to the development and implementation of security awareness training.
- Conduct a risk assessment by analyzing IT risk scenarios and determining their likelihood and impact.
- Identify the current state of existing controls and evaluate their effectiveness for IT risk mitigation.
- Review the results of risk analysis and control analysis to assess any gaps between current and desired states of the IT risk environment.
- Facilitate the selection of recommended risk responses by key stakeholders.
- Collaborate with risk owners on the development of risk treatment plans.
- Collaborate with control owners on the selection, design, implementation and maintenance of controls.
- Validate that risk responses have been executed according to risk treatment plans.
- Define and establish key risk indicators (KRIs).
- Monitor and analyze key risk indicators (KRIs).
- Collaborate with control owners on the identification of key performance indicators (KPIs) and key control indicators (KCIs).
- Monitor and analyze key performance indicators (KPIs) and key control indicators (KCIs).
- Review the results of control assessments to determine the effectiveness and maturity of the control environment.
- Report relevant risk and control information to applicable stakeholders to facilitate risk-based decision-making.
- Evaluate alignment of business practices with risk management and information security frameworks and standards.
Training Details
Training will be held at the IDEL site or a remote site.
Dedicated arrangement for a group of trainees.
40 hours over 5 days
Trainer: Nabil Khalil. He holds a master’s degree in computer information systems from the University of Toronto, Canada, an international license certificate in examining networks and systems, and an MSS certificate from EC University New York, as well as certificates from many international institutions in information security and systems. He contributed to the development of international policies for information security and protection, an IT security incident response strategy, business continuity strategies in many government and private sectors, the legal requirements related to information security, and the training material for an information security awareness project in the financial sector. He has also trained information security officers in the public and private sectors in auditing using best practices from ITIL, ISO, CMM and COBIT. He is a member of ISACA, one of the international authors in information security affiliated with EC-Council, a certified trainer for EC-Council and Microsoft Corporation, and a Certified Instructor for ITIL and ISO 27001, with 24 years of practical experience.
- Pass the certification exam
- Submit an application to demonstrate the experience requirements
- Adhere to the Code of Professional Ethics
- Adhere to the Continuing Professional Education Policy
- Comply with the Information Systems Auditing Standards
The CRISC Certification is required for everyone who manages, monitors, or evaluates an organization’s information technology and business systems. Individuals may wish to become CRISC certified depending on their own professional aspirations or personal ambitions.
- IS/IT auditors/consultants
- IT Compliance Managers
- Chief Compliance Officers
- Chief Risk & Privacy Officers
- Security heads/directors
- Security managers/architects