The Certified in Risk and Information Systems Control® (CRISC®) exam consists of 150 questions covering 4 job practice domains, all testing your knowledge and ability on real-life job practices leveraged by expert professionals.
Below are the key domains, subtopics and tasks candidates will be tested on:
- Domain 1: Governance
- Domain 2: Risk Assessment
- Domain 3: Risk Response and Reporting
- Domain 4: Technology and Security
SUPPORTING TASKS
- Collect and review existing information regarding the organization’s business and IT environments.
- Identify potential or realized impacts of IT risk to the organization’s business objectives and operations.
- Identify threats and vulnerabilities to the organization’s people, processes and technology.
- Evaluate threats, vulnerabilities and risk to identify IT risk scenarios.
- Establish accountability by assigning and validating appropriate levels of risk and control ownership.
- Establish and maintain the IT risk register and incorporate it into the enterprise-wide risk profile.
- Facilitate the identification of risk appetite and risk tolerance by key stakeholders.
- Promote a risk-aware culture by contributing to the development and implementation of security awareness training.
- Conduct a risk assessment by analyzing IT risk scenarios and determining their likelihood and impact.
- Identify the current state of existing controls and evaluate their effectiveness for IT risk mitigation.
- Review the results of risk analysis and control analysis to assess any gaps between current and desired states of the IT risk environment.
- Facilitate the selection of recommended risk responses by key stakeholders.
- Collaborate with risk owners on the development of risk treatment plans.
- Collaborate with control owners on the selection, design, implementation and maintenance of controls.
- Validate that risk responses have been executed according to risk treatment plans.
- Define and establish key risk indicators (KRIs).
- Monitor and analyze key risk indicators (KRIs).
- Collaborate with control owners on the identification of key performance indicators (KPIs) and key control indicators (KCIs).
- Monitor and analyze key performance indicators (KPIs) and key control indicators (KCIs).
- Review the results of control assessments to determine the effectiveness and maturity of the control environment.
- Report relevant risk and control information to applicable stakeholders to facilitate risk-based decision-making.
- Evaluate alignment of business practices with risk management and information security frameworks and standards.