CRISC
Coming Soon
Expected availability announced soon

This course is in active development. Preview the scope below and create a free account to be notified the moment it goes live.


The CRISC certification training teaches professionals how to establish governance, assess IT risk, design response strategies, and monitor controls, enabling effective risk management across enterprise environments.

Exam facts:

  • Duration: 240 minutes
  • Questions: 150
  • Passing score: 450/800
  • Exam cost: $575 (ISACA member), $760 (non-member)

Who Should Take This

IT risk managers, auditors, and compliance analysts with at least three years of experience in risk assessment, control design, and monitoring. Typical candidates want to validate their expertise, align risk programs with business objectives, and advance toward senior leadership roles in enterprise risk governance.

What's Covered

  • All domains and objectives in the ISACA Certified in Risk and Information Systems Control (CRISC) exam: Domain 1 Governance, Domain 2 IT Risk Assessment, Domain 3 Risk Response and Mitigation, and Domain 4 Risk and Control Monitoring and Reporting.

What's Included in AccelaStudy® AI

  • Adaptive Knowledge Graph
  • Practice Questions
  • Lesson Modules
  • Console Simulator Labs
  • Exam Tips & Strategy
  • 20 Activity Formats

Course Outline

52 learning goals across four domains.

Domain 1: Governance (4 topics)

Risk governance framework

  • Apply IT risk governance principles to establish organizational structures that define risk management roles, responsibilities, and escalation procedures.
  • Analyze enterprise risk management frameworks including COSO ERM, ISO 31000, and NIST RMF to determine their applicability to organizational IT risk governance.
  • Design IT risk governance policies that integrate with enterprise governance and define risk appetite, risk tolerance, and risk acceptance criteria.
  • Apply IT risk governance communication practices to ensure consistent risk terminology, reporting formats, and escalation criteria across the organization.

Risk strategy and culture

  • Evaluate organizational risk culture to assess awareness, attitude, and behavior toward IT risk across all levels of the enterprise.
  • Develop IT risk management strategies that align with business objectives, regulatory requirements, and stakeholder expectations.
  • Apply risk ownership assignment processes to ensure accountability for risk identification, assessment, treatment, and monitoring across the organization.
  • Evaluate the alignment of IT risk management strategy with industry best practices and peer organization benchmarks to identify improvement opportunities.

Regulatory and compliance risk

  • Analyze regulatory compliance requirements to identify IT risk implications and ensure controls address legal obligations across multiple jurisdictions.
  • Apply compliance monitoring mechanisms to track adherence to regulatory requirements and identify emerging compliance risks proactively.

Risk management integration with business processes

  • Evaluate the integration of IT risk management with enterprise business processes including strategic planning, budgeting, and project management.
  • Apply risk management principles to mergers, acquisitions, and divestitures to assess IT risk implications of organizational changes.
  • Design IT risk escalation procedures that ensure timely communication of risk threshold breaches to appropriate management levels.

Domain 2: IT Risk Assessment (3 topics)

Risk identification

  • Apply risk identification techniques including threat modeling, event analysis, and scenario development to discover potential IT risk events systematically.
  • Analyze the IT environment including infrastructure, applications, data, and third-party dependencies to identify assets, threats, and vulnerabilities.
  • Evaluate emerging technology risks including cloud adoption, AI/ML systems, IoT deployments, and digital transformation initiatives for risk implications.
  • Apply risk register management practices to maintain a comprehensive inventory of identified risks with consistent categorization and prioritization.
  • Apply business impact analysis techniques to correlate IT risk scenarios with potential financial, operational, and reputational consequences for the organization.

Risk analysis and evaluation

  • Apply qualitative risk analysis techniques including risk matrices, Delphi method, and expert judgment to evaluate risk likelihood and impact.
  • Apply quantitative risk analysis methodologies including Monte Carlo simulation, FAIR analysis, and expected loss calculations to measure risk in financial terms.
  • Analyze the effectiveness of existing controls to determine residual risk levels and identify control gaps requiring additional treatment.
  • Design comprehensive risk assessment programs that combine qualitative and quantitative methods for risk-informed decision-making across the enterprise.
  • Evaluate risk aggregation methods to assess cumulative risk exposure across multiple risk scenarios and determine portfolio-level risk implications.

Technology and emerging risk assessment

  • Evaluate cloud computing risks including shared responsibility model gaps, data sovereignty, vendor lock-in, and multi-tenant security concerns.
  • Apply risk assessment techniques to AI and automation systems including algorithmic bias, model drift, and automated decision-making failures.
  • Analyze supply chain and third-party technology risks including dependency mapping, concentration risk, and cascading failure scenarios.
  • Design risk assessment programs for digital transformation initiatives that address legacy system integration, data migration, and organizational change risks.

Domain 3: Risk Response and Mitigation (3 topics)

Risk response options

  • Evaluate risk response options including avoidance, mitigation, sharing, transfer, and acceptance to select cost-effective treatments aligned with risk appetite.
  • Apply cyber insurance and risk transfer mechanisms to evaluate coverage adequacy, policy terms, and residual risk implications for the organization.
  • Design risk treatment plans that document selected responses, implementation timelines, resource requirements, and expected residual risk levels.
  • Analyze cost-benefit tradeoffs of risk treatment options to recommend economically justified risk responses that align with organizational budget constraints.

Control design and implementation

  • Apply control design principles to select preventive, detective, and corrective controls that address identified risks effectively and efficiently.
  • Analyze control implementation requirements to ensure controls integrate with existing processes, technologies, and organizational workflows without undue disruption.
  • Evaluate control effectiveness through testing, assessment, and validation to confirm that implemented controls reduce risk to acceptable levels.
  • Recommend control optimization strategies that balance risk reduction, operational impact, and cost considerations for sustainable risk management.
  • Apply automated control implementation techniques to deploy security controls efficiently across cloud, hybrid, and on-premises environments.

Business continuity and resilience risk

  • Evaluate business continuity risk management processes including BIA methodology, recovery strategy selection, and plan testing effectiveness.
  • Apply disaster recovery risk assessment techniques to evaluate recovery capabilities against defined RPO and RTO requirements.
  • Design organizational resilience strategies that integrate IT risk management with crisis management and business continuity planning.

Domain 4: Risk and Control Monitoring and Reporting (3 topics)

Risk monitoring

  • Apply key risk indicator (KRI) frameworks to establish early warning mechanisms for changes in risk levels requiring management attention.
  • Implement continuous risk monitoring processes using automated tools, threat intelligence feeds, and environmental scanning to detect emerging risks.
  • Analyze risk trends and patterns to identify systemic issues, predict potential risk events, and inform proactive risk management decisions.
  • Design risk monitoring programs for third-party and supply chain risks including vendor performance tracking, security posture assessment, and incident notification.

Control monitoring

  • Apply control monitoring techniques including continuous control monitoring, exception reporting, and control self-assessment to verify ongoing control effectiveness.
  • Evaluate control deficiency remediation processes to assess timeliness, completeness, and effectiveness of corrective actions.
  • Analyze the impact of organizational changes on control effectiveness including technology migrations, process changes, and personnel transitions.
  • Apply continuous control monitoring automation tools to detect control failures, configuration drift, and unauthorized changes in real time.

Risk reporting and communication

  • Apply risk reporting methodologies to communicate risk posture, treatment status, and emerging risks to stakeholders at appropriate levels of detail.
  • Design risk dashboards and metrics frameworks that enable data-driven risk management decisions by senior management and board-level stakeholders.
  • Evaluate the integration of IT risk reporting with enterprise risk management reporting to ensure consistency and comprehensiveness of risk communication.
  • Recommend improvements to risk communication strategies based on stakeholder feedback, reporting gaps, and evolving regulatory requirements.
  • Apply risk-informed decision support techniques to present risk data in formats that enable executive decision-making on IT investments and resource allocation.

Scope

Included Topics

  • All domains and objectives in the ISACA Certified in Risk and Information Systems Control (CRISC) exam: Domain 1 Governance (26%), Domain 2 IT Risk Assessment (20%), Domain 3 Risk Response and Mitigation (23%), and Domain 4 Risk and Control Monitoring and Reporting (31%).
  • Professional-level IT risk management including governance frameworks, risk appetite definition, risk identification and assessment, control design and implementation, risk monitoring, and risk reporting.
  • IT risk governance: organizational risk culture, risk management policies, enterprise risk management (ERM) integration, risk ownership and accountability, and regulatory compliance for risk.
  • Risk assessment methodologies: threat modeling, vulnerability analysis, risk scenario development, qualitative and quantitative assessment techniques, FAIR analysis, risk aggregation, and emerging technology risks.
  • Risk response strategies: control selection and implementation, risk mitigation planning, risk transfer mechanisms including cyber insurance, risk acceptance processes, and residual risk management.
  • Control monitoring and reporting: key risk indicators (KRIs), continuous monitoring, control testing, risk dashboards, executive risk reporting, and risk-informed decision-making.

Not Covered

  • IT audit planning, execution, and reporting procedures (covered by CISA).
  • Information security program development and operational management (covered by CISM).
  • Enterprise IT governance and value delivery at board level (covered by CGEIT).
  • Privacy risk assessment and data protection engineering (covered by CDPSE).
  • Actuarial and financial risk modeling beyond IT risk scope.

Official Exam Page

Learn more at ISACA.

Trademark Notice

ISACA®, CISA®, CISM®, CRISC®, CGEIT®, and CDPSE® are registered trademarks of ISACA. ISACA does not endorse this product.

AccelaStudy® and Renkara® are registered trademarks of Renkara Media Group, Inc. All third-party marks are the property of their respective owners and are used for nominative identification only.