ISACA's Certified in Risk and Information Systems Control (CRISC®) is the only credential focused on enterprise IT risk management. The content is based on the latest work practices and knowledge to keep certification holders ahead of the game in tackling real-world threats in today’s business landscape. CRISC validates your experience in building a well-defined, agile risk-management program, based on best practices to identify, analyse, evaluate, assess, prioritise and respond to risks. This enhances benefits realisation and delivers optimal value to stakeholders.

The CRISC exam is four hours in duration, contains 150 multiple-choice questions, and covers four areas called domains. Each domain is further detailed through supporting tasks. Read on below for the domains and their weightings.

A copy of ISACA’s Exam Candidate Guide can be downloaded here.

As well as passing the CRISC exam, there are additional criteria for certification. For example, a candidate must submit evidence of at least three years of professional experience in IT risk
management and IS control. If a candidate does not have the required experience, this may still be gained within five years after originally passing the CRISC exam. Please see the full additional criteria detailed on ISACA’s website.

Request Certification Information

Prepare for the Certified in Risk and Information Systems Control (CRISC) exam with training from Lumify Work, an Accredited Partner of ISACA.

Exam Content and Weightings

Following are the key domains, subtopics, and tasks on which CRISC candidates will be tested, with weightings.

Domain 1: Governance – (26%)

A. Organizational Governance

  1. Organizational Strategy, Goals, and Objectives

  2. Organizational Structure, Roles, and Responsibilities

  3. Organizational Culture

  4. Policies and Standards

  5. Business Processes

  6. Organizational Assets

B. Risk Governance

  1. Enterprise Risk Management and Risk Management Framework

  2. Three Lines of Defence

  3. Risk Profile

  4. Risk Appetite and Risk Tolerance

  5. Legal, Regulatory, and Contractual Requirements

  6. Professional Ethics of Risk Management

Domain 2: IT Risk Assessment – (20%)

A. IT RIsk Identification

  1. Risk Events (e.g., contributing conditions, loss result)

  2. Threat Modelling and Threat Landscape

  3. Vulnerability and Control Deficiency Analysis (e.g., root cause analysis)

  4. Risk Scenario Development

B. IT RIsk Analysis and Evaluation

  1. Risk Assessment Concepts, Standards, and Frameworks

  2. Risk Register

  3. Risk Analysis Methodologies

  4. Business Impact Analysis

  5. Inherent and Residual Risk

Domain 3: Risk Response and Reporting – (32%)

A. Risk Response

  1. Risk Treatment / Risk Response Options

  2. Risk and Control Ownership

  3. Third-Party Risk Management

  4. Issue, Finding, and Exception Management

  5. Management of Emerging Risk

B. Control Design and Implementation

  1. Control Types, Standards, and Frameworks

  2. Control Design, Selection, and Analysis

  3. Control Implementation

  4. Control Testing and Effectiveness Evaluation

C. Risk Monitoring and Reporting

  1. Risk Treatment Plans

  2. Data Collection, Aggregation, Analysis, and Validation

  3. Risk and Control Monitoring Techniques

  4. Risk and Control Reporting Techniques (heatmap, scorecards, dashboards)

  5. Key Performance Indicators

  6. Key Risk Indicators (KRIs)

  7. Key Control Indicators (KCIs)

Domain 4: Information Technology and Security – (22%)

A. Information Technology Principles

  1. Enterprise Architecture

  2. IT Operations Management (e.g., change management, IT assets, problems, incidents)

  3. Project Management

  4. Disaster Recovery Management (DRM)

  5. Data Lifecycle Management

  6. System Development Life Cycle (SDLC)

  7. Emerging Technologies

B. Information Security Principles

  1. Information Security Concepts, Frameworks, and Standards

  2. Information Security Awareness Training

  3. Business Continuity Management

  4. Data Privacy and Data Protection Principles

Supporting Tasks

  1. Collect and review existing information regarding the organisation’s business and IT environments.

  2. Identify potential or realised impacts of IT risk to the organisation’s business objectives and operations.

  3. Identify threats and vulnerabilities to the organisation’s people, processes, and technology.

  4. Evaluate threats, vulnerabilities, and risk to identify IT risk scenarios.

  5. Establish accountability by assigning and validating appropriate levels of risk and control ownership.

  6. Establish and maintain the IT risk register, and incorporate it into the enterprise-wide risk profile.

  7. Facilitate the identification of risk appetite and risk tolerance by key stakeholders.

  8. Promote a risk-aware culture by contributing to the development and implementation of security awareness training.

  9. Conduct a risk assessment by analysing IT risk scenarios and determining their likelihood and impact.

  10. Identify the current state of existing controls and evaluate their effectiveness for IT risk mitigation.

  11. Review the results of risk analysis and control analysis to assess any gaps between current and desired states of the IT risk environment.

  12. Facilitate the selection of recommended risk responses by key stakeholders.

  13. Collaborate with risk owners on the development of risk treatment plans.

  14. Collaborate with control owners on the selection, design, implementation, and maintenance of controls.

  15. Validate that risk responses have been executed according to risk treatment plans.

  16. Define and establish key risk indicators (KRIs).

  17. Monitor and analyse key risk indicators (KRIs).

  18. Collaborate with control owners on the identification of key performance indicators (KPIs) and key control indicators (KCIs).

  19. Monitor and analyse key performance indicators (KPIs) and key control indicators (KCIs).

  20. Review the results of control assessments to determine the effectiveness and maturity of the control environment.

  21. Report relevant risk and control information to applicable stakeholders to facilitate risk-based decision-making.

  22. Evaluate alignment of business practices with risk management and information security frameworks and standards.

Request Certification Information