Certified in Risk and Information Systems Control

Individuals who are looking to build a greater understanding of the impact of IT risk and how it relates to their organization. It is for mid-career IT/IS audit, risk and security professionals.

After completing this course you should be able to:

• Identify the IT risk management strategy in support of business objectives and alignment with the Enterprise Risk Management (ERM) strategy.
• Analyze and evaluate IT risk to determine the likelihood and impact on business objectives to enable risk-based decision making.
• Determine risk response options and evaluate their efficiency and effectiveness to manage risk in alignment with business objectives.
• Continuously monitor and report on IT risk and controls to relevant stakeholders to ensure the continued efficiency and effectiveness of the IT risk management strategy and its alignment with business objectives.

This update to the CRISC exam content outline is based on changes in the work practices of IT risk professionals as well as market dynamics and trends that have placed an increased focus on organizational governance, continuous risk monitoring and reporting, information security and data privacy considerations for effective ITRM. These statements and domains are the results of extensive research, feedback, and validation from IT risk and control subject matter experts and prominent industry leaders from around the globe.

Below are the key domains, subtopics and tasks candidates will be tested on:

DOMAIN 1—Governance 26%

Organizational Governance A

• Organizational Strategy, Goals, and Objectives
• Organizational Structure, Roles, and Responsibilities
• Organizational Culture
• Policies and Standards
• Business Processes
• Organizational Assets

Risk Governance B

• Enterprise Risk Management and Risk Management Framework
• Three Lines of Defense
• Risk Profile
• Risk Appetite and Risk Tolerance
• Legal, Regulatory, and Contractual Requirements
• Professional Ethics of Risk Management

DOMAIN 2—IT Risk Assessment 20%

IT Risk Identification A

• Risk Events (e.g., contributing conditions, loss result)
• Threat Modelling and Threat Landscape
• Vulnerability and Control Deficiency Analysis (e.g., root cause analysis)
• Risk Scenario Development

IT Risk Analysis and Evaluation B

• Risk Assessment Concepts, Standards, and Frameworks
• Risk Register
• Risk Analysis Methodologies
• Business Impact Analysis
• Inherent and Residual Risk

DOMAIN 3—Risk Response and Reporting 32%

Risk Response A

• Risk Treatment / Risk Response Options
• Risk and Control Ownership
• Third-Party Risk Management
• Issue, Finding, and Exception Management
• Management of Emerging Risk

Control Design and Implementation B

• Control Types, Standards, and Frameworks
• Control Design, Selection, and Analysis
• Control Implementation
• Control Testing and Effectiveness Evaluation

Risk Monitoring and Reporting C

• Risk Treatment Plans
• Data Collection, Aggregation, Analysis, and Validation
• Risk and Control Monitoring Techniques
• Risk and Control Reporting Techniques (heatmap, scorecards, dashboards)
• Key Performance Indicators
• Key Risk Indicators (KRIs)
• Key Control Indicators (KCIs)

DOMAIN 4—Information Technology and Security 22%

Information Technology Principles A

• Enterprise Architecture
• IT Operations Management (e.g., change management, IT assets, problems, incidents)
• Project Management
• Disaster Recovery Management (DRM)
• Data Lifecycle Management
• System Development Life Cycle (SDLC)
• Emerging Technologies

Information Security Principles B

• Information Security Concepts, Frameworks, and Standards
• Information Security Awareness Training
• Business Continuity Management
• Data Privacy and Data Protection Principles

Secondary Classifications

Supporting Tasks

1. Collect and review existing information regarding the organization’s business and IT environments.
2. Identify potential or realized impacts of IT risk to the organization’s business objectives and operations.
3. Identify threats and vulnerabilities to the organization’s people, processes, and technology.
4. Evaluate threats, vulnerabilities, and risk to identify IT risk scenarios.
5. Establish accountability by assigning and validating appropriate levels of risk and control ownership.
6. Establish and maintain the IT risk register, and incorporate it into the enterprise-wide risk profile.
7. Facilitate the identification of risk appetite and risk tolerance by key stakeholders.
8. Promote a risk-aware culture by contributing to the development and implementation of security awareness training.
9. Conduct a risk assessment by analyzing IT risk scenarios and determining their likelihood and impact.
10. Identify the current state of existing controls and evaluate their effectiveness for IT risk mitigation.
11. Review the results of risk analysis and control analysis to assess any gaps between current and desired states of the IT risk environment.
12. Facilitate the selection of recommended risk responses by key stakeholders.
13. Collaborate with risk owners on the development of risk treatment plans.
14. Collaborate with control owners on the selection, design, implementation, and maintenance of controls.
15. Validate that risk responses have been executed according to risk treatment plans.
16. Define and establish key risk indicators (KRIs).
17. Monitor and analyze key risk indicators (KRIs).
18. Collaborate with control owners on the identification of key performance indicators (KPIs) and key control indicators (KCIs).
19. Monitor and analyze key performance indicators (KPIs) and key control indicators (KCIs).
20. Review the results of control assessments to determine the effectiveness and maturity of the control environment.
21. Report relevant risk and control information to applicable stakeholders to facilitate risk-based decision-making.
22. Evaluate alignment of business practices with risk management and information security frameworks and standards.

Attendees should meet the following prerequisites:

• There are no prerequisite to take the CRISC exam; however, in order to apply for CRISC certification you must meet the necessary experience requirements as determined by ISACA
  

Recommended as preparation for the following exam:

• ISACA CRISC Certification Exam

Please Note: Three (3) or more years of experience in IT risk management and IS control. No experience waivers or Substitutions.

Courseware is provided in a digital format, the voucher for courseware access is distributed prior to the start of the class

The CRISC exam is not included in this training course and candidates must book their Computer-Based Testing (CBT) exam session directly with ISACA. Our experience shows that delegates have the highest chance of success if they sit the exam approximately two to four weeks after completing the training course.