ALREADY HAVE A CRISC CERTIFICATION? LOG IN TO MYISACA

What is covered on the CRISC exam?

The Certified in Risk and Information Systems Control® (CRISC®) exam consists of 150 questions covering 4 job practice domains, all testing your knowledge and ability on real-life job practices leveraged by expert professionals.

Below are the key domains, subtopics and tasks candidates will be tested on:

26%
Domain 1

Governance
22
Domain 2

Risk Assessment
32%
Domain 3

Risk Response and Reporting
20%
Domain 4

Technology and Security
GET YOUR EXAM CANDIDATE GUIDE ACCESS EXAM PREP MATERIALS
Illustration of a certificate on the wall with man in front

ISACA’S commitment

Since its inception in 2010, more than 46,000 people have obtained ISACA’s CRISC certification to validate their expertise in using governance best practices and continuous risk monitoring and reporting. The domains, subtopics and tasks are the results of extensive research, feedback and validation from subject matter experts and prominent industry leaders from around the globe.

Job practice areas tested for and validated by a CRISC certification

26% DOMAIN 1 – GOVERNANCE

The governance domain interrogates your knowledge of information about an organization’s business and IT environments, organizational strategy, goals and objectives, and examines potential or realized impacts of IT risk to the organization’s business objectives and operations, including Enterprise Risk Management and Risk Management Framework.

A—ORGANIZATIONAL GOVERNANCE

  1. Strategy, Goals, and Objectives
  2. Organizational Structure, Roles, and Responsibilities
  3. Organizational Culture and Ethics
  4. Policies and Standards
  5. Business Processes and Resilience (e.g., DRP, BCP)
  6. Organizational Asset Management

B—RISK GOVERNANCE

  1. Enterprise Risk Management (ERM)
  2. Lines of Defense
  3. Risk Profile
  4. Risk Appetite and Risk Tolerance
  5. Risk Frameworks, Legal, Regulatory, and Contractual Requirements

22% DOMAIN 2 – RISK ASSESSMENT

This domain will certify your knowledge of threats and vulnerabilities to the organization’s people, processes and technology as well as the likelihood and impact of threats, vulnerabilities and risk scenarios.

A—RISK IDENTIFICATION

  1. Risk Events
  2. Threat Modeling and Threat Landscape
  3. Vulnerability Management
  4. Risk Scenario Development and Evaluation

B—RISK ANALYSIS

  1. Risk Assessment Concepts and Standards
  2. Business Impact Analysis (BIA)
  3. Risk Register
  4. Risk Analysis Methodologies
  5. Inherent and Residual Risk

32% DOMAIN 3 – RISK RESPONSE AND REPORTING

This domain deals with the development and management of risk treatment plans among key stakeholders, the evaluation of existing controls and improving effectiveness for IT risk mitigation, and the assessment of relevant risk and control information to applicable stakeholders.

A—RISK RESPONSE

  1. Risk Response Options
  2. Risk and Control Ownership
  3. Vendor/Supply Chain Risk Management
  4. Issues, Findings, Exceptions and Exemptions Management

B—CONTROL DESIGN AND IMPLEMENTATION

  1. Control Frameworks, Types, and Standards
  2. Control Design, Selection, Implementation, and Analysis
  3. Control Testing Methodologies

C—RISK MONITORING AND REPORTING

  1. Risk Action Plans
  2. Data Collection, Aggregation, Analysis, and Validation
  3. Risk and Control Metrics (e.g., KRIs, KCIs, KPIs)
  4. Risk and Control Monitoring Techniques
  5. Risk and Control Reporting Techniques (e.g., heatmap, scorecards, dashboards)
  6. Monitoring and Reporting of Emerging Risks

20% DOMAIN 4 – TECHNOLOGY AND SECURITY

In this domain we interrogate the alignment of business practices with Risk Management and Information Security frameworks and standards, as well as the development of a risk-aware culture and implementation of security awareness training.

A—Technology and Security

  1. Technology Principles
  2. Technology Roadmaps and Enterprise Architecture (EA)
  3. Operations Management (e.g., change management, assets, DevOps, problems, incidents)
  4. System Development Life Cycle (SDLC)
  5. Data Lifecycle Management
  6. Portfolio and Project Management (e.g. Agile)
  7. Technology Resilience and Disaster Response/Recovery
  8. Emerging Technologies

B—INFORMATION SECURITY PRINCIPLES

  1. Security Concepts, Frameworks, and Standards
  2. Security/Risk Awareness and Training
  3. Data Privacy and Data Protection Principles

SUPPORTING TASKS

  1. Collect, review, and evaluate existing information regarding the organization’s business and information system environments.
  2. Identify potential or realized impacts of information system risk to the organization’s business objectives and operations.
  3. Identify threats and vulnerabilities to the organization’s people, processes, and technologies.
  4. Evaluate threats, vulnerabilities, and risk to create information system risk scenarios.
  5. Establish accountability by assigning and validating appropriate levels of risk and control ownership.
  6. Maintain or establish the information system risk register and incorporate it into the enterprisewide risk profile.
  7. Assist key stakeholders in the selection of risk appetite and tolerance thresholds and the impact on business objectives.
  8. Promote a risk-aware culture by contributing to the development and implementation of security/risk awareness and training.
  9. Conduct a risk assessment by analyzing information system risk scenarios and events to generate a risk score/rating.
  10. Identify the current state of existing controls and evaluate their effectiveness for information system risk treatment.
  11. Determine if risk exceeds appetite and tolerance thresholds to recommend treatment options and rectify concerns.
  12. Review the results of risk and/or control analysis to assess any gaps between current and desired states of the risk environment.
  13. Collaborate with risk owners on the development of risk treatment plans.
  14. Collaborate with control owners on the selection, design, implementation, and maintenance of controls.
  15. Validate that risk responses have been executed according to risk action plans.
  16. Define, implement, and refine key risk indicators (KRIs).
  17. Collaborate with control owners on the identification and refinement of key performance indicators (KPIs) and key control indicators (KCIs).
  18. Monitor and analyze key risk indicators (KRIs), key performance indicators (KPIs), and key control indicators (KCIs).
  19. Review the results of control assessments to determine the adequacy, effectiveness, and maturity of the control environment.
  20. Conduct aggregation, analysis, and validation of risk and control data.
  21. Report relevant risk and control information to applicable stakeholders to facilitate risk-based decision-making.
  22. Evaluate emerging technologies and changes to the environment for threats, vulnerabilities, and opportunities.
  23. Evaluate alignment of business practices with risk management frameworks, standards, and regulations.
  24. Facilitate tabletop exercises to verify and identify gaps in risk scenarios, capabilities, and responses.

Getting ready for the exam

ISACA offers a variety of CRISC exam preparation resources including group training, self-paced training and study resources in various languages to help you prepare for your CRISC certification exam. We also have our online Engage community where you can reach out to peers for CRISC exam guidance. Choose what works for your schedule and your studying needs.

ACCESS ALL CRISC EXAM PREP MATERIALS

ISACA glossary and CRISC translations

Some CRISC terms can be lost in translation. That is why ISACA has translated our CRISC Terminology List into numerous languages, ensuring learners fully understand the materials. Please see the list of translations below. To learn more about key industry terms, please explore the ISACA glossary here.

Chinese Simplified | Korean | Spanish