Certified in Risk and Information Systems Control - CRISC

Organizational Governance A

• Organizational strategy, goals and objectives
• Organizational structure, roles and responsibilities
• Organizational culture
• Policies and standards
• Business processes
• Organizational assets

Risk Governance B

• Enterprise risk management and risk management framework
• Three lines of defense
• Risk profile
• Risk appetite and risk tolerance
• Legal, regulatory and contractual requirements
• Professional ethics of risk management

• IT Risk Identification A

  • Risk events (e.g., contributing conditions, loss result)
  • Threat modeling and threat landscape
  • Vulnerability and control deficiency analysis (e.g., root cause analysis)
  • Risk scenario development

  IT Risk Analysis and Evaluation B

  • Risk assessment concepts, standards and frameworks
  • Risk register
  • Risk analysis methodologies
  • Business impact analysis
  • Inherent and residual risk

   

  Domain 3 – Risk Response and Reporting

  • Risk Response A

    • Risk treatment / risk response options
    • Risk and control ownership
    • Third-party risk management
    • Issue, finding and exception management
    • Management of emerging risk

    Control Design and Implementation B

    • Control types, standards and frameworks
    • Control design, selection and analysis
    • Control implementation
    • Control testing and effectiveness evaluation

    Risk Monitoring and Reporting C

    • Risk treatment plans
    • Data collection, aggregation, analysis and validation
    • Risk and control monitoring techniques
    • Risk and control reporting techniques (heatmap, scorecards and dashboards)
    • Key performance indicators
    • Key risk indicators (KRIs)
    • Key control indicators (KCIs)

   

  Domain 4 – Information Technology and Security

  • Information Technology Principles A

    • Enterprise architecture
    • IT operations management (e.g., change management, IT assets, problems and incidents)
    • Project management
    • Disaster recovery management (DRM)
    • Data lifecycle management
    • System development life cycle (SDLC)
    • Emerging technologies

    Information Security Principles B

    • Information security concepts, frameworks and standards
    • Information security awareness training
    • Business continuity management
    • Data privacy and data protection principles