
Certified in Risk and Information Systems Control

  • Course Code CRISC
  • Duration 4 days

Additional Payment Options

  • GTC 26 inc. VAT

    GTC (Global Knowledge Training Credit); please contact Global Knowledge for more details.


Course Delivery

This course is available in the following formats:

  • Company Event

    Event at company

  • Elearning (Self-paced)

    Self paced electronic learning

  • Public Classroom

    Traditional Classroom Learning

  • Virtual Learning

    Instructor-led learning delivered online


Course Overview


CRISC is the only certification that prepares and enables IT professionals for the unique challenges of IT and enterprise risk management, and positions them to become strategic partners to the enterprise, helping enterprises accomplish business objectives by designing, implementing, monitoring and maintaining risk-based, efficient and effective IS controls.

The CRISC Exam Preparation course is an intensive, four-day review program to prepare individuals who are planning to sit for the Certified in Risk and Information Systems Control™ (CRISC) exam. The course focuses on the key points covered in the CRISC Review Manual 7th Edition and includes class lectures, group discussions, exam practice and answer debriefs. The course is intended for individuals with familiarity with and experience in IT and enterprise risk management.


Public Events

These are delivered through traditional classroom learning led by an instructor.

Course Schedule

    • Delivery Format: Virtual Learning
    • Date: 19-22 June, 2023

      Guaranteed To Run

    • Location: Virtual


    • Delivery Format: Virtual Learning
    • Date: 14-17 August, 2023
    • Location: Virtual


    • Delivery Format: Virtual Learning
    • Date: 06-09 November, 2023
    • Location: Virtual


Target Audience


Individuals who are looking to build a greater understanding of the impact of IT risk and how it relates to their organization. It is for mid-career IT/IS audit, risk and security professionals.

Course Objectives


After completing this course you should be able to:

  • Identify the IT risk management strategy in support of business objectives and alignment with the Enterprise Risk Management (ERM) strategy.
  • Analyze and evaluate IT risk to determine the likelihood and impact on business objectives to enable risk-based decision making.
  • Determine risk response options and evaluate their efficiency and effectiveness to manage risk in alignment with business objectives.
  • Continuously monitor and report on IT risk and controls to relevant stakeholders to ensure the continued efficiency and effectiveness of the IT risk management strategy and its alignment with business objectives.

Course Content


This update to the CRISC exam content outline is based on changes in the work practices of IT risk professionals as well as market dynamics and trends that have placed an increased focus on organizational governance, continuous risk monitoring and reporting, and information security and data privacy considerations for effective IT risk management (ITRM). These statements and domains are the result of extensive research, feedback, and validation from IT risk and control subject matter experts and prominent industry leaders from around the globe.

Below are the key domains, subtopics and tasks candidates will be tested on:

DOMAIN 1—Governance 26%

A. Organizational Governance

  • Organizational Strategy, Goals, and Objectives
  • Organizational Structure, Roles, and Responsibilities
  • Organizational Culture
  • Policies and Standards
  • Business Processes
  • Organizational Assets

B. Risk Governance

  • Enterprise Risk Management and Risk Management Framework
  • Three Lines of Defense
  • Risk Profile
  • Risk Appetite and Risk Tolerance
  • Legal, Regulatory, and Contractual Requirements
  • Professional Ethics of Risk Management

DOMAIN 2—IT Risk Assessment 20%

A. IT Risk Identification

  • Risk Events (e.g., contributing conditions, loss result)
  • Threat Modelling and Threat Landscape
  • Vulnerability and Control Deficiency Analysis (e.g., root cause analysis)
  • Risk Scenario Development

B. IT Risk Analysis and Evaluation

  • Risk Assessment Concepts, Standards, and Frameworks
  • Risk Register
  • Risk Analysis Methodologies
  • Business Impact Analysis
  • Inherent and Residual Risk

DOMAIN 3—Risk Response and Reporting 32%

A. Risk Response

  • Risk Treatment / Risk Response Options
  • Risk and Control Ownership
  • Third-Party Risk Management
  • Issue, Finding, and Exception Management
  • Management of Emerging Risk

B. Control Design and Implementation

  • Control Types, Standards, and Frameworks
  • Control Design, Selection, and Analysis
  • Control Implementation
  • Control Testing and Effectiveness Evaluation

C. Risk Monitoring and Reporting

  • Risk Treatment Plans
  • Data Collection, Aggregation, Analysis, and Validation
  • Risk and Control Monitoring Techniques
  • Risk and Control Reporting Techniques (heatmap, scorecards, dashboards)
  • Key Performance Indicators
  • Key Risk Indicators (KRIs)
  • Key Control Indicators (KCIs)

DOMAIN 4—Information Technology and Security 22%

A. Information Technology Principles

  • Enterprise Architecture
  • IT Operations Management (e.g., change management, IT assets, problems, incidents)
  • Project Management
  • Disaster Recovery Management (DRM)
  • Data Lifecycle Management
  • System Development Life Cycle (SDLC)
  • Emerging Technologies

B. Information Security Principles

  • Information Security Concepts, Frameworks, and Standards
  • Information Security Awareness Training
  • Business Continuity Management
  • Data Privacy and Data Protection Principles

Secondary Classifications

Supporting Tasks

  1. Collect and review existing information regarding the organization’s business and IT environments.
  2. Identify potential or realized impacts of IT risk to the organization’s business objectives and operations.
  3. Identify threats and vulnerabilities to the organization’s people, processes, and technology.
  4. Evaluate threats, vulnerabilities, and risk to identify IT risk scenarios.
  5. Establish accountability by assigning and validating appropriate levels of risk and control ownership.
  6. Establish and maintain the IT risk register, and incorporate it into the enterprise-wide risk profile.
  7. Facilitate the identification of risk appetite and risk tolerance by key stakeholders.
  8. Promote a risk-aware culture by contributing to the development and implementation of security awareness training.
  9. Conduct a risk assessment by analyzing IT risk scenarios and determining their likelihood and impact.
  10. Identify the current state of existing controls and evaluate their effectiveness for IT risk mitigation.
  11. Review the results of risk analysis and control analysis to assess any gaps between current and desired states of the IT risk environment.
  12. Facilitate the selection of recommended risk responses by key stakeholders.
  13. Collaborate with risk owners on the development of risk treatment plans.
  14. Collaborate with control owners on the selection, design, implementation, and maintenance of controls.
  15. Validate that risk responses have been executed according to risk treatment plans.
  16. Define and establish key risk indicators (KRIs).
  17. Monitor and analyze key risk indicators (KRIs).
  18. Collaborate with control owners on the identification of key performance indicators (KPIs) and key control indicators (KCIs).
  19. Monitor and analyze key performance indicators (KPIs) and key control indicators (KCIs).
  20. Review the results of control assessments to determine the effectiveness and maturity of the control environment.
  21. Report relevant risk and control information to applicable stakeholders to facilitate risk-based decision-making.
  22. Evaluate alignment of business practices with risk management and information security frameworks and standards.

Course Prerequisites


Attendees should meet the following prerequisites:

  • There are no prerequisites to take the CRISC exam; however, in order to apply for CRISC certification you must meet the experience requirements determined by ISACA.

Test Certification


Recommended as preparation for the following exam:

  • ISACA CRISC Certification Exam

Please note: certification requires three (3) or more years of experience in IT risk management and IS control. No experience waivers or substitutions are accepted.

Further Information


Courseware is provided in a digital format; the voucher for courseware access is distributed prior to the start of the class.

The CRISC exam is not included in this training course and candidates must book their Computer-Based Testing (CBT) exam session directly with ISACA. Our experience shows that delegates have the highest chance of success if they sit the exam approximately two to four weeks after completing the training course.

