Risk and Information Systems Control (CRISC)

The CRISC Certification Training with InfosecTrain equips IT professionals to tackle the unique challenges of enterprise risk management, preparing them to serve as strategic partners within their organizations. As the industry’s leading certification in risk management, CRISC provides a rigorous, up-to-date evaluation of professionals’ expertise in managing risk and implementing IS controls. By earning CRISC, individuals demonstrate their ability to assess, understand, and address business risks effectively, empowering enterprises and financial institutions to strengthen their risk resilience and safeguard their operations.

DOMAIN 1: GOVERNANCE – 26%

A: ORGANIZATIONAL GOVERNANCE

• Organizational Strategy, Goals, and Objectives
• Organizational Structure, Roles and Responsibilities
• Organizational Culture
• Policies and Standards
• Business Processes
• Organizational Assets

B: RISK GOVERNANCE

• Enterprise Risk Management and Risk Management Framework
• Three Lines of Defense
• Risk Profile
• Risk Appetite and Risk Tolerance
• Legal, Regulatory and Contractual Requirements
• Professional Ethics of Risk Management

DOMAIN 2: IT RISK ASSESSMENT – 20%

A: IT RISK IDENTIFICATION

• Risk Events (e.g., contributing conditions, loss result)
• Threat Modelling and Threat Landscape
• Vulnerability and Control Deficiency Analysis (e.g., root cause analysis)
• Risk Scenario Development

B: IT RISK ANALYSIS AND EVALUATION

• Risk Assessment Concepts, Standards and Frameworks
• Risk Register
• Risk Analysis Methodologies
• Business Impact Analysis
• Inherent and Residual Risk

DOMAIN 3: RISK RESPONSE AND REPORTING – 32%

A: RISK RESPONSE

• Risk Treatment / Risk Response Options
• Risk and Control Ownership
• Third-Party Risk Management
• Issue, Finding and Exception Management
• Management of Emerging Risk

B: CONTROL DESIGN AND IMPLEMENTATION

• Control Types, Standards and Frameworks
• Control Design, Selection and Analysis
• Control Implementation
• Control Testing and Effectiveness Evaluation

C: RISK MONITORING AND REPORTING

• Risk Treatment Plans
• Data Collection, Aggregation, Analysis and Validation
• Risk and Control Monitoring Techniques
• Risk and Control Reporting Techniques (heatmap, scorecards, dashboards)
• Key Performance Indicators
• Key Risk Indicators (KRIs)
• Key Control Indicators (KCIs)

DOMAIN 4: INFORMATION TECHNOLOGY AND SECURITY – 22%

A: INFORMATION TECHNOLOGY PRINCIPLES

• Enterprise Architecture
• IT Operations Management (e.g., change management, IT assets, problems, incidents)
• Project Management
• Disaster Recovery Management (DRM)
• Data Lifecycle Management
• System Development Life Cycle (SDLC)
• Emerging Technologies

B: INFORMATION SECURITY PRINCIPLES

• Information Security Concepts, Frameworks and Standards
• Information Security Awareness Training
• Business Continuity Management
• Data Privacy and Data Protection Principles

• CEOs/CFOs
• Chief Audit Executives
• Audit Partners/Heads
• CIOs/CISOs
• Chief Compliance/Privacy/Risk Officers
• Security Managers/Directors/Consultants
• IT Directors/Managers/Consultants
• Audit Directors/Managers/Consultant

• Take the CRISC exam to demonstrate your information security knowledge. Even without meeting experience requirements, passing qualifies you to apply for certification within five years once experience criteria are met.
• Complete a minimum of 3 years in information systems auditing, control, or security within the CRISC job practice areas, with experience gained within the last 10 years. Candidates have up to 5 years from the passing date to apply for certification.
• Fulfill 120 Continuing Professional Education (CPE) hours every three years, with at least 20 hours per year. CPE hours may also count toward other ISACA certifications if requirements align.
• Uphold ISACA’s Code of Professional Ethics as a CRISC-certified professional, ensuring ethical conduct in both professional and personal activities.

• Identify the IT risk management strategy in support of business objectives and alignment with the Enterprise Risk Management (ERM) strategy.
• Analyze and evaluate IT risk to determine the likelihood and impact on business objectives to enable risk-based decision making.
• Determine risk response options and evaluate their efficiency and effectiveness to manage risk in alignment with business objectives.
• Continuously monitor and report on IT risk and controls to relevant stakeholders to ensure the continued efficiency and effectiveness of the IT risk management strategy and its alignment with business objectives.