Certified in Risk and Information Systems Control

Courses Overview

The CRISC certification, awarded by ISACA, globally recognizes your expertise as a security professional. The course includes a comprehensive set of online practice questions (QAE) at no extra cost.

CRISC targets IT and risk professionals, business analysts, project managers, compliance experts, and those involved in risk identification, assessment, evaluation, response, monitoring, or IS control design, implementation, and maintenance.

The CRISC certification is tailored for IT professionals skilled in risk identification, assessment, evaluation, response, monitoring, and IS control design, implementation, and maintenance. It validates expertise in managing entity-specific risks and supports professionals in achieving business goals by designing, implementing, monitoring, and maintaining effective, risk-based IS controls.

  • Governance (25%)
  • IT Risk Assessment (20%)
  • Risk Response and Reporting (32%)
  • Information Technology and Security (22%)

DOMAIN 1—Governance 26%

Organizational Governance A

  • Organizational Strategy, Goals, and Objectives
  • Organizational Structure, Roles, and Responsibilities
  • Organizational Culture
  • Policies and Standards
  • Business Processes
  • Organizational Assets

Risk Governance B

  • Enterprise Risk Management and Risk Management Framework
  • Three Lines of Defense
  • Risk Profile
  • Risk Appetite and Risk Tolerance
  • Legal, Regulatory, and Contractual Requirements
  • Professional Ethics of Risk Management

DOMAIN 2—IT Risk Assessment 20%

IT Risk Identification A

  • Risk Events (e.g., contributing conditions, loss result)
  • Threat Modelling and Threat Landscape
  • Vulnerability and Control Deficiency Analysis (e.g., root cause analysis)
  • Risk Scenario Development

IT Risk Analysis and Evaluation B

  • Risk Assessment Concepts, Standards, and Frameworks
  • Risk Register
  • Risk Analysis Methodologies
  • Business Impact Analysis
  • Inherent and Residual Risk

DOMAIN 3—Risk Response and Reporting 32%

Risk Response A

  • Risk Treatment / Risk Response Options
  • Risk and Control Ownership
  • Third-Party Risk Management
  • Issue, Finding, and Exception Management
  • Management of Emerging Risk

Control Design and Implementation B

  • Control Types, Standards, and Frameworks
  • Control Design, Selection, and Analysis
  • Control Implementation
  • Control Testing and Effectiveness Evaluation

Risk Monitoring and Reporting C

  • Risk Treatment Plans
  • Data Collection, Aggregation, Analysis, and Validation
  • Risk and Control Monitoring Techniques
  • Risk and Control Reporting Techniques (heatmap, scorecards, dashboards)
  • Key Performance Indicators
  • Key Risk Indicators (KRIs)
  • Key Control Indicators (KCIs)

DOMAIN 4—Information Technology and Security 22%

Information Technology Principles A

  • Enterprise Architecture
  • IT Operations Management (e.g., change management, IT assets, problems, incidents)
  • Project Management
  • Disaster Recovery Management (DRM)
  • Data Lifecycle Management
  • System Development Life Cycle (SDLC)
  • Emerging Technologies

Information Security Principles B

  • Information Security Concepts, Frameworks, and Standards
  • Information Security Awareness Training
  • Business Continuity Management

There is no prerequisite to take the CRISC exam; however, to apply for CRISC certification you must meet the necessary experience requirements as determined by ISACA.

QAE (Questions, Answers and Explanations) is available online via a voucher that is part of the courseware.

The requirements for certification are:

  • Pass the official CRISC exam
  • Three (3) or more years of cumulative work experience performing the tasks of a CRISC professional across at least two (2) CRISC domains, of which one must be in Domain 1 or 2, is required for certification. There are no substitutions or experience waivers.

The exam lasts 4 hours and consists of 150 multiple-choice questions in English.

The exam voucher for the official CRISC exam is not included in the price.