CRISC: Certified in Risk and Information Systems Control

CRISC is the only certification that prepares and enables IT professionals for the unique challenges of IT and enterprise risk management, and positions them to become strategic partners to the enterprise. The official Certified in Risk and Information Systems Control (CRISC) certification is a powerful demonstration of proficiency and expertise across various areas of risk. It also demonstrates a commitment to IT security operations and to the enterprise, and a willingness to deliver quality within the profession. CRISC has been established as one of the most desirable and sought-after IT security certifications worldwide.


The CRISC designation is designed for IT risk, control and compliance practitioners, business analysts, project managers and other respected professionals. The highly respected certification demonstrates to employers that the holder is able to identify and evaluate IT risk, and help their enterprise accomplish its business objectives. CRISC has received over 15 global recognitions.


Professional experience within risk management/control for a minimum of 3 years is required for CRISC certification. You should have taken the CRISC training and be familiar with the CRISC job practice domains before taking the exam.

In order to apply for CRISC certification you must meet the necessary experience requirements as determined by ISACA.

Learning outcomes

Types of risk may vary, but with its key role as an agent of innovation, technology has become the most critical risk factor for today’s enterprises. Since conducting a risk assessment is not something a typical information technology education includes, many IT professionals lack knowledge that businesses increasingly deem imperative to determining their future success.

Since its introduction in 2010, more than 24,000 professionals have obtained ISACA®’s Certified in Risk and Information Systems Control™ (CRISC™) certification. The designation demonstrates to employers that the holder is able to identify, evaluate and manage information systems and technology risk, and help enterprises achieve their business objectives.

1. Identifying IT Risk

Proficiency in this realm validates the expertise required to identify the universe of IT risk in order to contribute to the execution of the IT risk management strategy, in support of business objectives and in alignment with the enterprise risk management (ERM) strategy.
Domain 1 confirms one’s ability to recognize and gauge threats and vulnerabilities to the organization’s people, processes and technology.

2. Assessing IT Risk

Exam success demonstrates the advanced ability to analyze and evaluate IT risk to determine the likelihood and impact on business objectives, in order to enable risk-based decision making.
Domain 2 attests to advanced skill in identifying the current state of existing controls and evaluating their effectiveness for IT risk mitigation.

3. Risk Response and Mitigation

This key job practice area verifies expertise in determining risk response options while evaluating their efficiency and effectiveness to manage risk in alignment with business objectives.
Domain 3 tests your ability to select and implement informed risk decisions that are aligned with business objectives and communicated throughout the organization.

4. Risk and Control Monitoring and Reporting

The final job practice area assesses your capacity to continuously monitor and report on IT risk and controls to relevant stakeholders, so as to ensure the effectiveness of the IT risk management strategy and its alignment with business objectives.
Domain 4 assesses your ability to define and establish key risk indicators (KRIs) and thresholds based on available data, to enable monitoring of changes in risk.

Course content

The CRISC exam focuses on the four domains of Certified in Risk and Information Systems Control. The CRISC domains encompass:

Domain 1: Risk Identification

Risk Identification Objectives
Risk Identification Overview
Concepts of IT Risk
Risk Management Standards
Risk Identification Frameworks
Elements of Risk
Penetration Testing
Risk Scenarios
Communicating Risk
Risk Awareness
Organisational Structures and Culture
Risk within the Enterprise
Principles of Risk

Domain 2: Risk Assessment

Risk Assessment Objectives
Risk Assessment Overview
Risk Assessment Techniques
Risk Assessment Analysis
Control Assessment
Risk Evaluation and Impact Assessment
Risk and Control Analysis
Third Party Management
System Development Lifecycle
Developing Technologies
Enterprise Architecture

Domain 3: Risk Response and Mitigation

Risk Response and Mitigation Objectives
Risk Response and Mitigation Overview
Risk Response Options
Response Analysis
Risk Response Plans
Control Objectives and Practices
Control Ownership
Systems Control Design Implementation
Control and Countermeasures
Business Continuity
Disaster Recovery
Risk Accountability
Inherent and Residual Risk

Domain 4: Risk and Control Monitoring and Reporting

Risk and Control Monitoring and Reporting Objectives
Risk and Control Monitoring and Reporting Overview
Key Risk Indicators (KRIs)
Data Collection
Monitoring Controls
Control Assessments
Penetration Testing
Vulnerability Assessments
Third Party Assurance
Maturity Model Assessment
Techniques for Improvement
Capability Maturity Model
IT Risk Profile


Delegates will receive an official ISACA CRISC exam voucher to take the exam after the course.

The exam tests delegates' knowledge of the four CRISC domains. It is scored on a 200-800 point scale, with 450 being the passing mark. The Certified in Risk and Information Systems Control examination is a computer-based testing (CBT) exam, which has 3 testing windows per year.

Read more about the CRISC exam and certification

Other relevant courses

14 May
3 days
Classroom Virtual Start guarantee