Being Certified in Risk and Information Systems Control (CRISC) means being able to fill IT-related risk management roles and to effectively evaluate security threats and vulnerabilities of the organization’s people, processes and technology. CRISC professionals’ oversight augments the risks and cybersecurity preparedness of companies, and due to the rate at which cybercriminal activities are evolving, experts that possess the knowledge tested by the different domains in the CRISC exam can be, then, invaluable for a business. Through this certification, professionals can demonstrate competences in high-demand areas like the ability to identify and manage risks through the development, implementation and maintenance of appropriate information systems (IS) controls. The CRISC certification provided by the Information Systems Audit and Control Association (ISACA) caters to any risk analyst that may be asked to take a look at cybercriminal activity that could arise and impact a business’s critical services and related assets to ensure they remain as safe as is possible.
The CRISC Certification Domains
The job practice domains developed by the CRISC Task Force represent the basis for the exam and organize the knowledge required to earn the certification:
This domain focuses on the actions and requirements to collect information on a business in order identify potential or already-present risks, threats and vulnerabilities, as well as any other data that can aid risk analysis. An assessment of the real risks for an organization is only possible after the identification of threats and vulnerabilities, as well as the understanding of what the probabilities they can be exploited are and what information can be truly accessed, so as to understand the true impact to the organization. This set of questions, then, also cover the preparation of risk scenarios to understand the potential impact of risks to an organization, who are the stakeholder in an event, and what is the business risk tolerance. Risk awareness programs are also covered in this domain as they promote understanding of risks for all stakeholders.
This domain covers a key component of any risk management effort: an efficient security assessment program allows the identification of issues that might pose a threat to the organization so that related risks can be identified and their impact correctly quantified. Questions evolve around being mindful of the current and desired states of the IT risk environment to ensure reasonable appropriate controls. Risk scenarios are analyzed against the characteristics of the organization, its structure, infrastructure and policies. It also covers how to test current controls and effectively communicate the results of the assessment to management and other stakeholders.
This domain focuses on developing and implementing risk responses and applying various controls that can be used to mitigate business exposure. It also covers how to evaluate the effectiveness of the response in eradicating the threat agent and restoring the business processes to normal. Aligning response and mitigation with business objectives and ensuring all key elements (including cost and required speed of operation restoral) are taken into consideration. Also touched upon in this domain is the identification of clear accountability for all involved. Part of risk mitigation is also documenting controls and procedures as well as updating risk registers and ensuring established risk control policies have been followed during an incident.
This domain covers all that is required to continuously monitor IT risks and controls in place to constantly evaluate the effectiveness of the risk management strategy and its support to business objectives. It also covers reporting to stakeholders. Questions evolve around the value of metrics: monitoring and analyzing key risk indicators (KRIs) and their establishment to help indicate how risky an activity is as well as the ability to analyze key performance indicators (KPIs) that can be used to identify changes or trends related to the efficiency and effectiveness of controls. Knowledge of risk and compliance reporting requirements, monitoring tools and techniques of the trade can help organizations make cost-effective decisions to protect their digital assets.
To prepare for the newly-updated CRISC certification exam, the CRISC Certified in Risk and Information Systems Control All-in-One Exam Guide is available to offer coverage of all four exam domains as of June 2015. This book serves as a test preparation tool but can also be an on-the-job reference to be used well beyond the examination. Other study materials to assist you in preparing for the CRISC certification exam include those from ISACA:
It might also be a good idea to join the CRISC Exam Study community, as “[it] allows you to share ideas, experiences, questions and study resources with like-minded professionals,” says ISACA.
A number of courses is also available. The CRISC Online Review Course covers all four of the CRISC domains; alternatively, one can always take advantage of highly-effective third-party courses, like InfoSec Institute’s CRISC Boot Camp to help prepare for the CRISC Certification Exam, using ISACA Authorized Courseware including the CRISC Review Manual and CRISC Review Questions, Answers & Explanations Manual.
There is also the Virtual Instructor-Led Training from ISACA that features the CRISC Exam Prep Course and contains lectures, demonstrations and hand-on instruction. Don’t miss out on this essential training that has three separate sessions: 12-15 March 2018; 11-14 June 2018; 22-25 October 2018. Register today, if interested.
If your IT or business role includes managing security, operational and compliance considerations and if you are asked to assess risks and respond to them to restore promptly business functionalities, then a CRISC certification can be the right tool to guide through understanding what knowledge is required for the job. The four domains tested by this certification gives an understanding of all there is involved in assessing, identifying, responding and reporting risks for the best protection of business assets.