Certified in Risk and Information Systems Control (CRISC) Certification Training

This domain breaks down into two governance subcategories:

Organizational Governance A

• Organizational strategy, goals, and objectives
• Organizational structure, roles, and responsibilities
• Organizational culture
• Policies and standards
• Business processes
• Organizational assets

Risk Governance B

• Enterprise risk management and risk management framework
• Three lines of defense
• Risk profile
• Risk appetite and risk tolerance
• Legal, regulatory and contractual requirements
• Professional ethics of risk management

This domain breaks down into two distinct sections:

IT Risk Identification A

• Risk events (e.g., contributing conditions, loss result)
• Threat modeling and threat landscape
• Vulnerability and control deficiency analysis (e.g., root cause analysis)
• Risk scenario development

IT Risk Analysis and Evaluation B

• Risk assessment concepts, standards, and frameworks
• Risk register
• Risk analysis methodologies
• Business impact analysis
• Inherent and residual risk

This domain is split into three sub-sections.

Risk Response A

• Risk treatment/risk response options
• Risk and control ownership
• Third-party risk management
• Issue, finding, and exception management
• Management of emerging risk

Control Design and Implementation B

• Control types, standards, and frameworks
• Control design, selection, and analysis
• Control implementation
• Control testing and effectiveness evaluation

Risk Monitoring and Reporting C

• Risk treatment plans
• Data collection, aggregation, analysis, and validation
• Risk and control monitoring techniques
• Risk and control reporting techniques (heatmap, scorecards, and dashboards)
• Key performance indicators
• Key risk indicators (KRIs)
• Key control indicators (KCIs)

This domain is split into two sections.

Information Technology Principles A

• Enterprise architecture
• IT operations management (e.g., change management, IT assets, problems, and incidents)
• Project management
• Disaster recovery management (DRM)
• Data lifecycle management
• System development life cycle (SDLC)
• Emerging technologies

Information Security Principles B

• Information security concepts, frameworks, and standards
• Information security awareness training
• Business continuity management
• Data privacy and data protection principle

• Duration: 4 Hours
• Number of questions: 150
• Question format: Multiple Choice
• Passing marks: 450 out of 800
• Exam language: English, French, German, Hebrew, Italian, Japanese, Korean, Spanish, Turkish, Chinese