IT Risk Fundamentals
Coming Soon
Expected availability announced soon

This course is in active development. Preview the scope below and create a free account to be notified the moment it goes live.


The IT Risk Fundamentals Certificate covers the foundational concepts of IT risk management: risk taxonomy, frameworks (ISO 31000, COSO ERM, NIST RMF), risk identification, assessment, treatment, monitoring, and the alignment of IT risk with enterprise risk management.

Who Should Take This

IT generalists, junior risk practitioners, auditors, and business stakeholders who interact with IT risk management. Assumes basic IT and business literacy. Learners finish able to discuss IT risk using standard taxonomy, recognize the major risk frameworks, and participate in risk-treatment discussions.

What's Included in AccelaStudy® AI

Adaptive Knowledge Graph
Practice Questions
Lesson Modules
Console Simulator Labs
Exam Tips & Strategy
13 Activity Formats

Course Outline

1. Risk Concepts (3 topics)

Risk Definition

  • Define risk as the effect of uncertainty on objectives (ISO 31000) and identify why this differs from threat or vulnerability alone.
  • Identify the standard risk components: threat, vulnerability, likelihood, impact, asset value.

Inherent vs Residual Risk

  • Distinguish inherent risk (before controls) from residual risk (after controls) and identify the relationship to risk appetite.
  • Apply inherent-vs-residual reasoning to a sample finding where management asserts the residual risk is acceptable.

Risk Appetite and Tolerance

  • Distinguish risk appetite (the amount of risk an organization is willing to accept) from risk tolerance (the acceptable variance from a stated objective).
  • Apply risk-appetite framing to a board-level decision about adopting a new cloud platform under regulatory uncertainty.
  • Analyze an organization with stated low appetite but consistently high risk-acceptance rates and identify the cultural-vs-formal misalignment.

2. Risk Frameworks (3 topics)

ISO 31000

  • Identify ISO 31000 as the international standard for risk management and identify its principles, framework, and process structure.
  • Apply ISO 31000 process steps (establish context → identify → analyze → evaluate → treat → monitor → communicate) to a sample IT risk.

COSO ERM and NIST RMF

  • Identify COSO ERM as the dominant US enterprise risk framework and identify its five components (governance & culture, strategy, performance, review, communication).
  • Identify NIST Risk Management Framework (RMF) and identify its seven steps (prepare, categorize, select, implement, assess, authorize, monitor) for federal/regulated systems.

ISACA Risk IT

  • Identify the ISACA Risk IT framework and identify how it integrates with COBIT for IT-specific risk.
  • Compare ISO 31000, COSO ERM, NIST RMF, and Risk IT and identify which is most appropriate by organization type and regulatory context.

3. Risk Identification (3 topics)

Identification Techniques

  • Identify common risk-identification techniques: workshops, interviews, brainstorming, scenario analysis, threat modeling, third-party intelligence.
  • Apply technique selection: workshops for organizational risks, threat modeling for technical risks, scenario analysis for tail risks.

Common IT Risk Categories

  • Identify common IT risk categories: cybersecurity, operational, project, compliance, third-party, data privacy, business continuity.
  • Identify emerging IT risks: AI/ML risk, supply-chain compromise, ransomware, cloud-misconfiguration, identity-system compromise.

Risk Registers

  • Identify the standard fields of a risk register: ID, description, category, owner, likelihood, impact, controls, residual rating, treatment plan, due date.
  • Analyze a poorly-maintained risk register (stale entries, unclear owners, no treatment plans) and propose specific governance improvements.

4. Risk Assessment (3 topics)

Qualitative Assessment

  • Identify qualitative-assessment techniques: heat maps, ordinal scales (low/medium/high), descriptive narratives.
  • Identify the limitations of qualitative-only assessment: ambiguous boundaries, subjective scoring, false comparability.

Quantitative Assessment

  • Identify quantitative concepts: ALE (Annualized Loss Expectancy), SLE (Single Loss Expectancy), ARO (Annualized Rate of Occurrence) and the formula ALE = SLE × ARO.
  • Identify FAIR (Factor Analysis of Information Risk) as a structured quantitative approach and identify its key inputs (TEF, TCap, RS, vuln, LM).
  • Apply ALE calculation for a sample scenario (laptop theft, ransomware attack) using stated assumptions.

Hybrid Approaches

  • Identify hybrid assessment as the use of qualitative scales for breadth + quantitative analysis for the highest-impact risks.
  • Analyze a board-presentation scenario where pure qualitative ratings produced 'three reds' that the board could not act on, and propose a quantitative supplement.

5. Risk Treatment and Controls (3 topics)

Treatment Options

  • Identify the four standard risk-treatment responses: avoid (don't do the activity), mitigate (apply controls), transfer (insure, outsource), accept (with documentation).
  • Apply treatment-selection for a sample risk: when each response is appropriate and what justification is required.

Control Selection

  • Identify the four standard control categories (preventive, detective, corrective, deterrent) and identify representative IT controls for each.
  • Apply control-selection: identify primary and compensating controls for an 'access control' risk where MFA is technically infeasible for a specific legacy system.

Cost-Benefit and Trade-offs

  • Identify the cost-benefit principle in control selection: the cost of the control should not exceed the expected loss reduction.
  • Analyze a control-recommendation that exceeds the asset value and propose a more proportionate response.
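A worked ALE calculation joined to the cost-benefit test for control selection, covering the quantitative-assessment and cost-benefit objectives above. This is an added example, not course material; the scenario figures and the control effects are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Scenario:
    name: str
    sle: float  # Single Loss Expectancy: loss per occurrence, in currency units
    aro: float  # Annualized Rate of Occurrence: expected occurrences per year

@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float    # annualized cost of operating the control
    aro_reduction: float  # fraction of ARO the control removes (0.0 to 1.0)
    sle_reduction: float  # fraction of SLE the control removes (0.0 to 1.0)

def ale(s: Scenario) -> float:
    """ALE = SLE x ARO, the formula named in the outline."""
    return s.sle * s.aro

def residual_ale(s: Scenario, c: Control) -> float:
    """ALE that remains once the control lowers SLE and/or ARO."""
    return s.sle * (1 - c.sle_reduction) * s.aro * (1 - c.aro_reduction)

def net_benefit(s: Scenario, c: Control) -> float:
    """Expected loss reduction per year minus the control's annual cost.
    Negative means the control costs more than the loss it avoids."""
    return (ale(s) - residual_ale(s, c)) - c.annual_cost

def select_treatment(s: Scenario, options: list[Control]) -> tuple[str, Optional[Control]]:
    """Cost-benefit rule: pick the control with the largest non-negative net benefit;
    if no control pays for itself, the proportionate response is documented acceptance."""
    paying = [c for c in options if net_benefit(s, c) >= 0]
    if not paying:
        return ("accept", None)
    return ("mitigate", max(paying, key=lambda c: net_benefit(s, c)))

# Constructed sample scenarios (all figures are assumptions, not course data).
LAPTOP_THEFT = Scenario("laptop theft", sle=5_000.0, aro=4.0)        # ALE 20,000
RANSOMWARE = Scenario("ransomware attack", sle=400_000.0, aro=0.1)   # ALE 40,000
LAPTOP_CONTROLS = [Control("full-disk encryption + MDM", 6_000.0, 0.0, 0.8)]
RANSOMWARE_CONTROLS = [
    Control("managed SOC + network rebuild", 120_000.0, 0.9, 0.0),  # costs more than it avoids
    Control("EDR + tested offline backups", 25_000.0, 0.5, 0.5),
]
```

Running `select_treatment` on each scenario shows the disproportionate ransomware control being rejected in favour of the cheaper one, and the laptop control paying for itself.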

6. Risk Monitoring and Reporting (3 topics)

KRIs and Metrics

  • Identify Key Risk Indicators (KRIs) and identify common IT KRIs (patch latency, MFA coverage %, days since last DR test, vendor concentration).
  • Apply KRI selection that ties indicators to risks rather than operational vanity metrics.

Reporting and Escalation

  • Identify common risk-reporting cadences and audiences: operational dashboards, monthly risk-committee reports, quarterly board reports.
  • Apply escalation criteria: when a risk-rating change should trigger executive review vs routine update.

Continuous Risk Management

  • Identify continuous risk management as the use of automated controls + telemetry to detect new risks and verify treatments without waiting for the next assessment cycle.
  • Identify the role of GRC tooling (ServiceNow GRC, Archer, MetricStream, Hyperproof, Drata, Vanta) in continuous risk management.
  • Analyze an organization that runs a thorough annual risk assessment but no continuous monitoring and identify the typical gaps surfaced by a real incident.

7. Specialized IT Risk Topics (8 topics)

Third-Party and Supply-Chain Risk

  • Identify third-party risk concepts: vendor due diligence, SOC 2 Type II reliance, ongoing monitoring, sub-processor flow-down, fourth-party concentration.
  • Identify common supply-chain attack vectors: compromised dependencies (npm/pip/Maven), CI/CD compromise, hardware implants, open-source maintainer takeover.
  • Apply third-party risk classification by data access, integration depth, and operational dependency, and identify the differing review cadence.

Cyber Risk Quantification

  • Identify FAIR (Factor Analysis of Information Risk) as a structured cyber-risk quantification approach and identify its core inputs (TEF, vulnerability, primary loss, secondary loss).
  • Apply FAIR-style quantification to a sample ransomware scenario and identify the data sources for each input.
  • Analyze a cyber-insurance renewal where the insurer demanded specific controls (MFA on all admin accounts, EDR on all endpoints) and identify the underlying risk-quantification logic.

Emerging Risk: AI/ML

  • Identify AI/ML-specific risks: training-data poisoning, model theft, prompt injection, hallucination-driven incorrect outputs, regulatory uncertainty (EU AI Act, US EO).
  • Apply AI risk-classification using NIST AI RMF or the EU AI Act tiers to a sample customer-support chatbot.

Project and Program Risk

  • Identify common IT project risks: scope creep, integration risk, change-management risk, vendor risk, dependency risk.
  • Apply pre-mortem technique: assume the project failed in 12 months and brainstorm the most likely causes, then assess them as risks.

Crisis and Resilience

  • Identify business continuity and disaster recovery as resilience disciplines closely tied to risk management.
  • Identify common BCP/DR metrics: RTO (recovery time objective), RPO (recovery point objective), MTPD (maximum tolerable period of disruption).
  • Apply scenario testing for a top-3 enterprise risk: tabletop exercise, full simulation, post-event review feeding back into risk register.

IT Risk Career

  • Identify common IT-risk career paths: IT risk analyst, IT risk manager, GRC analyst, BISO (Business Information Security Officer), CISO.
  • Identify the certification ladder: IT Risk Fundamentals → CRISC → CISM/CISSP → ISACA executive credentials.
  • Apply continuous-learning sources for IT risk: ISACA Journal, Risk Management Society, NIST publications, FAIR Institute, sector-specific advisories.

Risk Communication

  • Identify common risk-communication failures: technical jargon to executives, false precision in qualitative reports, anchoring on single scenarios.
  • Apply audience-aware risk reporting: executive summary with monetized impact + KRI dashboard, working-level register with detailed treatment plans, board-level slide with top-5 strategic risks.
  • Analyze a 'risk fatigue' organizational dynamic where every quarter the same risks reappear without progress, and identify root causes (treatments not funded, ownership unclear, KRIs misaligned).

Risk Culture

  • Identify the components of a healthy risk culture: tone-from-the-top, psychological safety to escalate, transparent reporting, learning from failures.
  • Apply risk-culture assessment using survey-based and behavioral signals (near-miss reporting rates, time-to-escalate, post-incident blame patterns).

Scope

Included Topics

  • Risk concepts: threat, vulnerability, likelihood, impact, inherent vs residual risk.
  • Risk frameworks: ISO 31000, COSO ERM, NIST RMF, ISACA Risk IT.
  • Risk identification techniques: workshops, scenario analysis, threat modeling, brainstorming.
  • Risk assessment: qualitative, quantitative, hybrid approaches.
  • Risk treatment: avoid, mitigate, transfer, accept; control selection.
  • Risk monitoring: KRIs, registers, dashboards, escalation.
  • Third-party and supply-chain risk basics.
  • Risk culture and risk appetite.

Not Covered

  • Quantitative risk modeling beyond conceptual depth (Monte Carlo, FAIR).
  • Industry-specific risk taxonomies in detail.
