Certified in Risk and Information Systems Control (CRISC)

Certified in Risk and Information Systems Control (CRISC) Study Guide

The Certified in Risk and Information Systems Control (CRISC) examination, conducted by ISACA, is designed for IT professionals who want to advance a career in risk management. The ISACA website describes CRISC as "the most current and rigorous assessment available to evaluate the risk management proficiency of IT professionals and other employees within an enterprise or financial institute."

CRISC Exam Requirements

  • An applicant must have a minimum of three years of cumulative work experience in IT risk management and information systems (IS) control.
  • That experience must cover at least two of the four CRISC domains, and at least one of those two must be Domain 1 or Domain 2 (the risk identification and assessment work).

CRISC Exam Format

Familiarising yourself with the exam format helps you understand the CRISC exam pattern. The CRISC examination is 4 hours long and consists of 150 multiple-choice questions. The exam fee is $575 for ISACA members and $760 for non-members. The exam is scored on a scale of 200 to 800, and the passing score is 450. The examination is available in English, Spanish and Simplified Chinese.

Exam Registration

To register for the Certified in Risk and Information Systems Control (CRISC) certification examination, follow these steps:

  • Go to the official CRISC page on the ISACA website.
  • Click on the Register Now option.
  • You will be redirected to the registration page. Schedule your examination according to your availability and requirements.
  • Follow the prompts to complete the registration.
  • Make the payment.
  • You will receive a confirmation email from ISACA.

For more information, see the Certified in Risk and Information Systems Control (CRISC) FAQ.

CRISC Exam Outline

The CRISC exam syllabus gives descriptive details of the exam domains. Each domain is broken down into subtopics so that you know exactly what the exam covers. The CRISC exam topics are:

Domain 1—Governance – (26%)

A—ORGANIZATIONAL GOVERNANCE

  1. Organizational Strategy, Goals, and Objectives
  2. Organizational Structure, Roles and Responsibilities
  3. Organizational Culture
  4. Policies and Standards
  5. Business Processes
  6. Organizational Assets

B—RISK GOVERNANCE

  1. Enterprise Risk Management and Risk Management Framework
  2. Three Lines of Defense
  3. Risk Profile
  4. Risk Appetite and Risk Tolerance
  5. Legal, Regulatory and Contractual Requirements
  6. Professional Ethics of Risk Management

Domain 2—IT Risk Assessment – (20%)

A—IT RISK IDENTIFICATION

  1. Risk Events (e.g., contributing conditions, loss result)
  2. Threat Modelling and Threat Landscape
  3. Vulnerability and Control Deficiency Analysis (e.g., root cause analysis)
  4. Risk Scenario Development

B—IT RISK ANALYSIS AND EVALUATION

  1. Risk Assessment Concepts, Standards and Frameworks
  2. Risk Register
  3. Risk Analysis Methodologies
  4. Business Impact Analysis
  5. Inherent and Residual Risk

Domain 3—Risk Response and Reporting – (32%)

A—RISK RESPONSE

  1. Risk Treatment / Risk Response Options
  2. Risk and Control Ownership
  3. Third-Party Risk Management
  4. Issue, Finding and Exception Management
  5. Management of Emerging Risk

B—CONTROL DESIGN AND IMPLEMENTATION

  1. Control Types, Standards and Frameworks
  2. Control Design, Selection and Analysis
  3. Control Implementation
  4. Control Testing and Effectiveness Evaluation

C—RISK MONITORING AND REPORTING

  1. Risk Treatment Plans
  2. Data Collection, Aggregation, Analysis and Validation
  3. Risk and Control Monitoring Techniques
  4. Risk and Control Reporting Techniques (heatmap, scorecards, dashboards)
  5. Key Performance Indicators
  6. Key Risk Indicators (KRIs)
  7. Key Control Indicators (KCIs)

Domain 4—Information Technology and Security – (22%)

A—INFORMATION TECHNOLOGY PRINCIPLES

  1. Enterprise Architecture
  2. IT Operations Management (e.g., change management, IT assets, problems, incidents)
  3. Project Management
  4. Disaster Recovery Management (DRM)
  5. Data Lifecycle Management
  6. System Development Life Cycle (SDLC)
  7. Emerging Technologies

B—INFORMATION SECURITY PRINCIPLES

  1. Information Security Concepts, Frameworks and Standards
  2. Information Security Awareness Training
  3. Business Continuity Management
  4. Data Privacy and Data Protection Principles

Supporting tasks

  1. Collect and review existing information regarding the organization’s business and IT environments.
  2. Identify potential or realized impacts of IT risk to the organization’s business objectives and operations.
  3. Identify threats and vulnerabilities to the organization’s people, processes and technology.
  4. Evaluate threats, vulnerabilities and risk to identify IT risk scenarios.
  5. Establish accountability by assigning and validating appropriate levels of risk and control ownership.
  6. Establish and maintain the IT risk register and incorporate it into the enterprise-wide risk profile.
  7. Facilitate the identification of risk appetite and risk tolerance by key stakeholders.
  8. Promote a risk-aware culture by contributing to the development and implementation of security awareness training.
  9. Conduct a risk assessment by analyzing IT risk scenarios and determining their likelihood and impact.
  10. Identify the current state of existing controls and evaluate their effectiveness for IT risk mitigation.
  11. Review the results of risk analysis and control analysis to assess any gaps between current and desired states of the IT risk environment.
  12. Facilitate the selection of recommended risk responses by key stakeholders.
  13. Collaborate with risk owners on the development of risk treatment plans.
  14. Collaborate with control owners on the selection, design, implementation and maintenance of controls.
  15. Validate that risk responses have been executed according to risk treatment plans.
  16. Define and establish key risk indicators (KRIs).
  17. Monitor and analyze key risk indicators (KRIs).
  18. Collaborate with control owners on the identification of key performance indicators (KPIs) and key control indicators (KCIs).
  19. Monitor and analyze key performance indicators (KPIs) and key control indicators (KCIs).
  20. Review the results of control assessments to determine the effectiveness and maturity of the control environment.
  21. Report relevant risk and control information to applicable stakeholders to facilitate risk-based decision-making.
  22. Evaluate alignment of business practices with risk management and information security frameworks and standards.

Preparatory Guide for Certified in Risk and Information Systems Control (CRISC)

To help you with your CRISC exam preparation, our experts have curated a CRISC exam study guide. Let's begin:

Refer to the Exam Guide

To clear any examination it is essential to know the course content and outline. The CRISC exam guide covers the modules you should prepare and practise, and it provides the essential exam information you need. The CRISC exam objectives and their weightings are:

  • 26% DOMAIN 1 – GOVERNANCE
  • 20% DOMAIN 2 – IT RISK ASSESSMENT
  • 32% DOMAIN 3 – RISK RESPONSE AND REPORTING
  • 22% DOMAIN 4 – INFORMATION TECHNOLOGY AND SECURITY

Learning Resources

It is very important to prepare from the right resources. To clear any examination you need to work hard, but also efficiently and in a focused manner. To help you, we have listed the main learning resources for Certified in Risk and Information Systems Control (CRISC).

Instructor-Led Test Preparation

This is training offered by ISACA to help you prepare for the examination. You can choose between two types of CRISC exam preparation training course:

Reference Books

ISACA also offers reference books and eBooks that you can use in your preparation. You can check these books here:

  • Question, Answers & Explanations Database-12 Month Subscription
  • CRISC Review Manual, 6th Edition

Along with these books, ISACA offers sample papers that give you an insight into the examination. You can also refer to books available on all leading websites, for example:

  • CRISC Certified in Risk and Information Systems Control All-in-One Exam Guide

Join a Community

Taking part in a study group encourages and helps a candidate to learn more. The discussions in the group help you develop the knowledge required to clear the examination, and interacting with people on the same career path is an added advantage. We suggest you join the CRISC exam prep online forum. It will help you clear your doubts and connect you with people who share your aim.

Practice Tests with Testprep Training

To ace anything you need to practise, and for that you need sample papers and test series that give you the experience of the real examination. CRISC exam practice questions help you identify the aspects of your preparation you still need to work on. After completing your preparation, take sample papers and practice tests. This supports self-assessment and builds your confidence for the day of the exam. Start preparing now with CRISC mock exams!
