Certified in Risk and Information Systems (CRISC)
Course Outline
Domain 1 – Risk Management
- Collect and review environmental risk data.
- Identify potential vulnerabilities to people, processes and assets.
- Develop IT scenarios based on information and potential impact to the organization.
- Identify key stakeholders for risk scenarios.
- Establish risk register.
- Gain senior leadership and stakeholder approval of the risk plan.
- Collaborate to create a risk awareness program and conduct training.
Domain 2 – IT Risk Assessment
- Analyze risk scenarios to determine likelihood and impact.
- Identify current state of risk controls and their effectiveness.
- Determine gaps between the current state of risk controls and the desired state.
- Ensure risk ownership is assigned at the appropriate level.
- Communicate risk assessment data to senior management and appropriate stakeholders.
- Update the risk register with risk assessment data.
Domain 3 – Risk Response and Mitigation
- Align risk responses with business objectives.
- Consult with and assist risk owners in developing risk action plans.
- Ensure risk mitigation controls are managed to acceptable levels.
- Ensure control ownership is appropriately assigned to establish accountability.
- Develop and document control procedures for effective control.
- Update the risk register.
- Validate that risk responses are executed according to risk action plans.
Domain 4 – Risk and Control Monitoring and Reporting
- Risk and control monitoring and reporting.
- Define key risk indicators (KRIs) and identify key performance indicators (KPIs) to enable performance measurement.
- Determine the effectiveness of control assessments.
- Identify and report trends/changes to KRIs/KPIs that affect control performance or the risk profile.