CRISC - Certified in Risk and Information Systems Control

The CRISC (Certified in Risk and Information Systems Control) course is tailored for IT and business professionals responsible for identifying, assessing, and managing risks through the implementation and maintenance of information systems controls. This certification is ideal for those aiming to enhance their expertise in IT risk management and to ensure that their organization's IT and business systems are resilient and aligned with strategic goals.

The course is structured around four critical domains:

1. Governance: This domain focuses on the strategic alignment of IT risk with business objectives. It covers how governance and organizational culture influence IT risk management.

2. IT Risk Assessment: In this domain, learners acquire the skills needed to identify, assess, and evaluate IT risks. This includes learning about threat modeling, vulnerability analysis, and developing risk scenarios.

3. Risk Response and Reporting: This domain teaches how to design and implement effective risk response strategies. It also covers how to communicate risk to stakeholders and how to align risk responses with business goals.

4. Information Technology and Security: This domain ensures learners are proficient in IT security principles, emphasizing the need for strong controls to protect information systems and ensure business continuity.

By mastering these domains, participants become well-equipped to enhance their organization's risk management practices, making them invaluable assets in any organization aiming to mitigate IT-related risks effectively.

Course Prerequisites

To successfully undertake the CRISC course, the following prerequisites are recommended:

• Basic Understanding of Risk Management Concepts:

  • Familiarity with key risk management terminology and principles.

• IT Systems and Infrastructure Knowledge:

  • Basic understanding of IT systems, networks, and infrastructure components.

• Awareness of Business Processes:

  • Knowledge of how business processes function and their importance within an organization.

• Basic Governance, Risk, and Compliance (GRC) Knowledge:

  • Understanding of GRC principles and their relevance to IT and business operations.

• Interest in IT or Business Operations:

  • A genuine interest in IT risk management and a willingness to engage with complex concepts.

• Willingness to Learn:

  • Motivation to learn and apply risk management concepts to real-world scenarios.

While prior experience in risk management or IT is beneficial, it is not a strict requirement. The CRISC course is designed to provide a comprehensive education on IT risk management, making it accessible to motivated individuals with a strong desire to learn.

Target Audience for CRISC

The CRISC course is intended for professionals seeking to advance their careers in IT risk management, governance, and control monitoring. The target audience includes:

• IT Risk Managers

• Information Security Analysts

• Compliance Officers

• IT Auditors

• Chief Information Security Officers (CISOs)

• Governance, Risk, and Compliance (GRC) Professionals

• IT Consultants specializing in risk and security

• Cybersecurity Professionals

• IT Control Professionals

• Chief Compliance Officers

• Enterprise Risk Management Consultants

• IT Project Managers

• Data Protection Officers

• Network Security Managers

• IT Directors and Managers

• Security Architects and Engineers

• Business Analysts involved in IT projects

• IT Professionals aiming for a career in Risk and Information Systems Control

Learning Objectives - What You Will Learn in this CRISC Course

The CRISC course is designed to equip learners with the knowledge and skills necessary for effective enterprise risk management, ensuring alignment with business objectives. The key learning objectives include:

• Governance and Strategy:

  • Understand how organizational strategy, governance, and culture impact IT risk management. Learn to align IT objectives with business goals.

• IT Risk Assessment:

  • Develop the ability to identify, assess, and evaluate IT risk events using techniques such as threat modeling, vulnerability analysis, and risk scenario development.

• Risk Response and Mitigation:

  • Learn to develop risk response strategies, design and implement effective controls, and ensure these controls align with business objectives.

• Risk and Control Monitoring:

  • Master the use of monitoring techniques, including key risk indicators (KRIs), to continuously oversee and report on risk and control effectiveness.

• Compliance and Ethics:

  • Understand legal, regulatory, and contractual requirements affecting IT risk, and integrate ethical practices into risk management processes.

• Enterprise Risk Management Frameworks:

  • Gain knowledge of enterprise risk management frameworks to design and implement robust risk management processes.

• Emerging Technologies:

  • Assess the impact of emerging technologies on risk and controls, ensuring an up-to-date and proactive approach to risk management.

• Business Continuity and Disaster Recovery:

  • Learn the principles of business continuity management and disaster recovery to mitigate risks associated with IT service interruptions.

• Information Security and Data Protection:

  • Acquire knowledge of information security standards, frameworks, and data protection principles to safeguard organizational assets.

• Practical Application:

  • Apply risk assessment techniques to real-world scenarios, create risk treatment plans, and document risk management processes to ensure practical and effective risk management.

Course Outline:

DOMAIN 1—Governance 26%
Organizational Governance

• Organizational Strategy, Goals, and Objectives

• Organizational Structure, Roles, and Responsibilities

• Organizational Culture

• Policies and Standards

• Business Processes

• Organizational Assets

Risk Governance

• Enterprise Risk Management and Risk Management Framework

• Three Lines of Defense

• Risk Profile

• Risk Appetite and Risk Tolerance

• Legal, Regulatory, and Contractual Requirements

• Professional Ethics of Risk Management

DOMAIN 2—IT Risk Assessment 20%
IT Risk Identification

• Risk Events (e.g., contributing conditions, loss result)

• Threat Modelling and Threat Landscape

• Vulnerability and Control Deficiency Analysis (e.g., root cause analysis)

• Risk Scenario Development

IT Risk Analysis and Evaluation

• Risk Assessment Concepts, Standards, and Frameworks

• Risk Register

• Risk Analysis Methodologies

• Business Impact Analysis

• Inherent and Residual Risk

DOMAIN 3—Risk Response and Reporting 32%
Risk Response

• Risk Treatment / Risk Response Options

• Risk and Control Ownership

• Third-Party Risk Management

• Issue, Finding, and Exception Management

• Management of Emerging Risk

Control Design and Implementation

• Control Types, Standards, and Frameworks

• Control Design, Selection, and Analysis

• Control Implementation

• Control Testing and Effectiveness Evaluation

Risk Monitoring and Reporting

• Risk Treatment Plans

• Data Collection, Aggregation, Analysis, and Validation

• Risk and Control Monitoring Techniques

• Risk and Control Reporting Techniques (heatmap, scorecards, dashboards)

• Key Performance Indicators

• Key Risk Indicators (KRIs)

• Key Control Indicators (KCIs)

DOMAIN 4—Information Technology and Security 22%
Information Technology Principles

• Enterprise Architecture

• IT Operations Management (e.g., change management, IT assets, problems, incidents)

• Project Management

• Disaster Recovery Management (DRM)

• Data Lifecycle Management

• System Development Life Cycle (SDLC)

• Emerging Technologies

Information Security Principles

• Information Security Concepts, Frameworks, and Standards

• Information Security Awareness Training

• Business Continuity Management

• Data Privacy and Data Protection Principles