- Validate your ability to handle the challenges and responsibilities of a modern risk management expert with the CRISC, which covers four domains:
- Corporate IT Governance
- IT Risk Assessment
- Risk Response and Reporting
- Information Technology and Security
Certified in Risk and Information Systems Control (CRISC)
Become a risk management expert with the CRISC® certification, which takes a proactive, Agile-based approach to enhancing business resilience and optimizing enterprise risk.
The certification targets IT risk management professionals with at least three years of relevant professional work experience in IT risk and information systems control. The course is suitable for:
- Professionals preparing to become CRISC certified
- Risk practitioners
- Students or recent graduates
Domain 1: Corporate IT Governance
A. Organizational Governance
- Organizational Strategy, Goals, and Objectives.
- Organizational Structure, Roles and Responsibilities.
- Organizational Culture.
- Policies and Standards.
- Business Processes.
- Organizational Assets.
B. Risk Governance
- Enterprise Risk Management and Risk Management Framework.
- Three Lines of Defense.
- Risk Profile.
- Risk Appetite and Risk Tolerance.
- Legal, Regulatory and Contractual Requirements.
- Professional Ethics of Risk Management.
Domain 2: IT Risk Assessment
A. IT Risk Identification
- Risk Events (e.g., contributing conditions, loss result).
- Threat Modelling and Threat Landscape.
- Vulnerability and Control Deficiency Analysis (e.g., root cause analysis).
- Risk Scenario Development.
B. IT Risk Analysis and Evaluation
- Risk Assessment Concepts, Standards and Frameworks.
- Risk Register.
- Risk Analysis Methodologies.
- Business Impact Analysis.
- Inherent and Residual Risk.
Domain 3: Risk Response and Reporting
A. Risk Response
- Risk Treatment/Risk Response Options.
- Risk and Control Ownership.
- Third-Party Risk Management.
- Issue, Finding and Exception Management.
- Management of Emerging Risk.
B. Control Design and Implementation
- Control Types, Standards and Frameworks.
- Control Design, Selection and Analysis.
- Control Implementation.
- Control Testing and Effectiveness Evaluation.
C. Risk Monitoring and Reporting
- Risk Treatment Plans.
- Data Collection, Aggregation, Analysis and Validation.
- Risk and Control Monitoring Techniques.
- Risk and Control Reporting Techniques (heatmaps, scorecards, dashboards).
- Key Performance Indicators.
- Key Risk Indicators (KRIs).
- Key Control Indicators (KCIs).
Domain 4: Information Technology and Security
A. Information Technology Principles
- Enterprise Architecture.
- IT Operations Management (e.g., change management, IT assets, problems, incidents).
- Project Management.
- Disaster Recovery Management (DRM).
- Data Lifecycle Management.
- System Development Life Cycle (SDLC).
- Emerging Technologies.
B. Information Security Principles
- Information Security Concepts, Frameworks and Standards.
- Information Security Awareness Training.
- Business Continuity Management.
- Business Impact Analysis.
- Data Privacy and Data Protection Principles.
| Exam detail | Specification |
| --- | --- |
| Length of exam | 4 hours |
| Number of questions | 150 |
| Question format | Multiple choice |
| Passing grade | 450 out of 800 points |
| Exam languages | English, Chinese Simplified, Spanish |
| Testing center | PSI Testing Center |
Description
The Certified in Risk and Information Systems Control® (CRISC®) certification demonstrates your IT risk management expertise. Taking a proactive approach, you will learn how to enhance your organization's business resilience, deliver stakeholder value and optimize risk management across the enterprise. As a CRISC, you will be prepared to address risk from emerging technology, including AI risk assessment and general best practices for managing and mitigating risk related to AI data governance and ethics.
CPE Information:
- To maintain your CRISC, you must earn and report a minimum of 120 CPE hours in each 3-year reporting cycle.
- Earn and report a minimum of 20 CPE hours each year. These hours must contribute to maintaining or advancing the CRISC's knowledge or ability to perform CRISC-related tasks.
- Comply with the annual CPE audit if selected.
- Comply with ISACA's Code of Professional Ethics.