

CRISC: Certified in Risk and Information Systems Control
Course Information

Course Name
CRISC: Certified in Risk and Information Systems Control

Exam code
CRISC

Duration
4 Days
Certification
Overview
A Certified in Risk and Information Systems Control® (CRISC®) certification demonstrates your IT risk management expertise. By taking a proactive approach, you will learn how to enhance your organization’s business resilience, deliver stakeholder value and optimize risk management across the enterprise. As a CRISC, you will be ready to address emerging technology, including AI risk assessment and general best practices for risk management and mitigation related to AI data governance and ethics.
Audience Profile
The CRISC Certification is intended for:
IT risk management professionals with at least 3 years of relevant professional work experience in IT risk and information systems control including:
- Security Directors/Managers/Consultants
- Compliance/Risk/Privacy Directors and Managers
- IT Audit Directors/Managers/Consultants
- Compliance/Risk/Control Staff
Prerequisites
The Certified in Risk and Information Systems Control (CRISC) certification does not have formal prerequisites to take the exam. However, to earn the certification, you must meet specific experience requirements.
To become CRISC certified, you must have at least 3 years of work experience in at least two of the four CRISC domains:
- Governance
- IT Risk Assessment
- Risk Response and Reporting
- Information Technology and Security
Course Outline
The governance module interrogates your knowledge of information about an organization’s business and IT environments, organizational strategy, goals and objectives, and examines potential or realized impacts of IT risk to the organization’s business objectives and operations, including Enterprise Risk Management and Risk Management Framework.
ORGANIZATIONAL GOVERNANCE
- Organizational Strategy, Goals, and Objectives
- Organizational Structure, Roles and Responsibilities
- Organizational Culture
- Policies and Standards
- Business Processes
- Organizational Assets
RISK GOVERNANCE
- Enterprise Risk Management and Risk Management Framework
- Three Lines of Defense
- Risk Profile
- Risk Appetite and Risk Tolerance
- Legal, Regulatory and Contractual Requirements
- Professional Ethics of Risk Management
This module will certify your knowledge of threats and vulnerabilities to the organization’s people, processes and technology as well as the likelihood and impact of threats, vulnerabilities and risk scenarios.
IT RISK IDENTIFICATION
- Risk Events (e.g., contributing conditions, loss result)
- Threat Modelling and Threat Landscape
- Vulnerability and Control Deficiency Analysis (e.g., root cause analysis)
- Risk Scenario Development
IT RISK ANALYSIS AND EVALUATION
- Risk Assessment Concepts, Standards and Frameworks
- Risk Register
- Risk Analysis Methodologies
- Business Impact Analysis
- Inherent and Residual Risk
This module deals with the development and management of risk treatment plans among key stakeholders, the evaluation of existing controls and improving effectiveness for IT risk mitigation, and the assessment of relevant risk and control information to applicable stakeholders.
RISK RESPONSE
- Risk Treatment / Risk Response Options
- Risk and Control Ownership
- Third-Party Risk Management
- Issue, Finding and Exception Management
- Management of Emerging Risk
CONTROL DESIGN AND IMPLEMENTATION
- Control Types, Standards and Frameworks
- Control Design, Selection and Analysis
- Control Implementation
- Control Testing and Effectiveness Evaluation
RISK MONITORING AND REPORTING
- Risk Treatment Plans
- Data Collection, Aggregation, Analysis and Validation
- Risk and Control Monitoring Techniques
- Risk and Control Reporting Techniques (heatmap, scorecards, dashboards)
- Key Performance Indicators
- Key Risk Indicators (KRIs)
- Key Control Indicators (KCIs)
In this module we interrogate the alignment of business practices with Risk Management and Information Security frameworks and standards, as well as the development of a risk-aware culture and implementation of security awareness training.
INFORMATION TECHNOLOGY PRINCIPLES
- Enterprise Architecture
- IT Operations Management (e.g., change management, IT assets, problems, incidents)
- Project Management
- Disaster Recovery Management (DRM)
- Data Lifecycle Management
- System Development Life Cycle (SDLC)
- Emerging Technologies
INFORMATION SECURITY PRINCIPLES
- Information Security Concepts, Frameworks and Standards
- Information Security Awareness Training
- Business Continuity Management
- Data Privacy and Data Protection Principles
Overview
Overview
A Certified in Risk and Information Systems Control® (CRISC®) certification demonstrates your IT risk management expertise. By taking a proactive approach, you will learn how to enhance your organization’s business resilience, deliver stakeholder value and optimize risk management across the enterprise. As a CRISC, you will be ready to address emerging technology, including AI risk assessment and general best practices for risk management and mitigation related to AI data governance and ethics.
Audience Profile
Audience Profile
The CRISC Certification is intended for:
IT risk management professionals with at least 3 years of relevant professional work experience in IT risk and information systems control including:
- Security Directors/Managers/Consultants
- Compliance/Risk/Privacy Directors and Managers
- IT Audit Directors/Managers/Consultants
- Compliance/Risk/Control Staff
Prerequisities
Prerequisites
The Certified in Risk and Information Systems Control (CRISC) certification does not have formal prerequisites to take the exam. However, to earn the certification, you must meet specific experience requirements.
To become CRISC certified, you must have at least 3 years of work experience in at least two of the four CRISC domains:
- Governance
- IT Risk Assessment
- Risk Response and Reporting
- Information Technology and Security
At Course Completion
Course Outline
Course Outline
The governance module interrogates your knowledge of information about an organization’s business and IT environments, organizational strategy, goals and objectives, and examines potential or realized impacts of IT risk to the organization’s business objectives and operations, including Enterprise Risk Management and Risk Management Framework.
ORGANIZATIONAL GOVERNANCE
- Organizational Strategy, Goals, and Objectives
- Organizational Structure, Roles and Responsibilities
- Organizational Culture
- Policies and Standards
- Business Processes
- Organizational Assets
RISK GOVERNANCE
- Enterprise Risk Management and Risk Management Framework
- Three Lines of Defense
- Risk Profile
- Risk Appetite and Risk Tolerance
- Legal, Regulatory and Contractual Requirements
- Professional Ethics of Risk Management
This module will certify your knowledge of threats and vulnerabilities to the organization’s people, processes and technology as well as the likelihood and impact of threats, vulnerabilities and risk scenarios.
IT RISK IDENTIFICATION
- Risk Events (e.g., contributing conditions, loss result)
- Threat Modelling and Threat Landscape
- Vulnerability and Control Deficiency Analysis (e.g., root cause analysis)
- Risk Scenario Development
IT RISK ANALYSIS AND EVALUATION
- Risk Assessment Concepts, Standards and Frameworks
- Risk Register
- Risk Analysis Methodologies
- Business Impact Analysis
- Inherent and Residual Risk
This module deals with the development and management of risk treatment plans among key stakeholders, the evaluation of existing controls and improving effectiveness for IT risk mitigation, and the assessment of relevant risk and control information to applicable stakeholders.
RISK RESPONSE
- Risk Treatment / Risk Response Options
- Risk and Control Ownership
- Third-Party Risk Management
- Issue, Finding and Exception Management
- Management of Emerging Risk
CONTROL DESIGN AND IMPLEMENTATION
- Control Types, Standards and Frameworks
- Control Design, Selection and Analysis
- Control Implementation
- Control Testing and Effectiveness Evaluation
RISK MONITORING AND REPORTING
- Risk Treatment Plans
- Data Collection, Aggregation, Analysis and Validation
- Risk and Control Monitoring Techniques
- Risk and Control Reporting Techniques (heatmap, scorecards, dashboards)
- Key Performance Indicators
- Key Risk Indicators (KRIs)
- Key Control Indicators (KCIs)
In this module we interrogate the alignment of business practices with Risk Management and Information Security frameworks and standards, as well as the development of a risk-aware culture and implementation of security awareness training.
INFORMATION TECHNOLOGY PRINCIPLES
- Enterprise Architecture
- IT Operations Management (e.g., change management, IT assets, problems, incidents)
- Project Management
- Disaster Recovery Management (DRM)
- Data Lifecycle Management
- System Development Life Cycle (SDLC)
- Emerging Technologies
INFORMATION SECURITY PRINCIPLES
- Information Security Concepts, Frameworks and Standards
- Information Security Awareness Training
- Business Continuity Management
- Data Privacy and Data Protection Principles
