Certified in Risk and Information Systems Control (CRISC)

Learning Objectives

Knowledge of:

1. laws, regulations, standards and compliance requirements
2. industry trends and emerging technologies
3. enterprise systems architecture (e.g., platforms, networks, applications, databases and operating systems)
4. business goals and objectives
5. contractual requirements with customers and third-party service providers
6. threats and vulnerabilities related to:
   1. 6.1. business processes and initiatives
   2. 6.2. third-party management
   3. 6.3. data management
   4. 6.4. hardware, software and appliances
   5. 6.5. the system development life cycle (SDLC)
   6. 6.6. project and program management
   7. 6.7. business continuity and disaster recovery management (DRM)
   8. 6.8. management of IT operations
   9. 6.9. emerging technologies
7. methods to identify risk
8. risk scenario development tools and techniques
9. risk identification and classification standards, and frameworks
10. risk events/incident concepts (e.g., contributing conditions, lessons learned, loss result)
11. elements of a risk register
12. risk appetite and tolerance
13. risk analysis methodologies (quantitative and qualitative)
14. organizational structures
15. organizational culture, ethics and behavior
16. organizational assets (e.g., people, technology, data, trademarks, intellectual property) and business processes, including enterprise risk management (ERM)
17. organizational policies and standards
18. business process review tools and techniques
19. analysis techniques (e.g., root cause, gap, cost-benefit, return on investment [ROI])
20. capability assessment models and improvement techniques and strategies
21. data analysis, validation and aggregation techniques (e.g., trend analysis, modeling)
22. data collection and extraction tools and techniques
23. principles of risk and control ownership
24. characteristics of inherent and residual risk
25. exception management practices
26. risk assessment standards, frameworks and techniques
27. risk response options (i.e., accept, mitigate, avoid, transfer) and criteria for selection
28. information security concepts and principles, including confidentiality, integrity and availability of information
29. systems control design and implementation, including testing methodologies and practices
30. the impact of emerging technologies on design and implementation of controls
31. requirements, principles, and practices for educating and training on risk and control activities
32. key risk indicators (KRIs)
33. risk monitoring standards and frameworks
34. risk monitoring tools and techniques
35. risk reporting tools and techniques
36. IT risk management best practices
37. key performance indicator (KPIs)
38. control types, standards, and frameworks
39. control monitoring and reporting tools and techniques
40. control assessment types (e.g., self-assessments, audits, vulnerability assessments, penetration tests, third-party assurance)
41. control activities, objectives, practices and metrics related to:
    1. 41.1. business processes
    2. 41.2. information security, including technology certification and accreditation practices
    3. 41.3. third-party management, including service delivery
    4. 41.4. data management
    5. 41.5. the system development life cycle (SDLC)
    6. 41.6. project and program management
    7. 41.7. business continuity and disaster recovery management (DRM)
    8. 41.8. IT operations management
    9. 41.9. the information systems architecture (e.g., platforms, networks, applications, databases and operating systems)

General Information

A CRISC job practice analysis has been completed, resulting in a new CRISC job practice which reflects the vital and evolving responsibilities of IT risk and IS control practitioners. A job practice serves as the basis for the exam and the requirements to earn the certification. This new job practice consists of task and knowledge statements representing the work performed in IT risk identification, assessment, response, mitigation and monitoring. These statements and domains are the result of extensive research, feedback, and validation from IT risk and control subject matter experts and prominent industry leaders from around the globe.

The below job practice is organized by domains that will be tested for the first time on the June 2015 CRISC exam. The major change to the CRISC job practice is the combining of IT risk and control tasks within the domains which resulted in a decrease from five (5) to four (4) domains. Starting in June 2015, the CRISC exam will contain 150 questions testing the new job practice.

The requirements for CRISC Certification are:

Certification is granted initially to individuals who have successfully completed the CRISC exam and meet the following work experience requirements in the fields of risk management and IS control. A minimum of at least three (3) years of cumulative work experience performing the tasks of a CRISC professional across at least three (3) CRISC domains is required for certification. There are no substitutions or experience waivers. Once a CRISC candidate has passed the CRISC certification exam and has met the work experience requirements, the final step is to complete and submit the CRISC Application for Certification. Experience must have been gained within the 10-year period preceding the application date for certification or within five years from the date of initially passing the examination. Retaking and passing the examination will be required if the application for certification is not submitted within five years from the passing date of the examination. All experience must be verified independently with employers.

How do I get started with CRISC Training?

If you are willing to take the challenge and obtain a CRISC certification, our experts will ensure a valuable experience, whereby your needs will be met and you will become part of our global network.

Contact us to begin with the first step.