CRISC Domain 1: IT Risk Identification

January 31, 2018 by Dimitar Kostadinov

The CRISC Exam consists of 4 domains, and this writing focuses on the first one.

Often regarded as an adverse event, a risk is the likelihood of an event occurring together with its consequences. A risk depends on cybersecurity vulnerabilities, exploits, and their ability to impact assets. Identifying risks therefore involves not only imminent threats but also the opportunities for risks to become realized security threats.

Risk identification is the process of identifying all risk events in a project. Identifying IT risks is an integral part of the risk management life cycle, the first of its four processes, and it is also the process by which risks that exist in a corporate environment are discovered and documented.

Within the context of CRISC, to identify the risk might mean:

  • Evaluate the IT assets
  • Determine the threats the IT assets are subject to
  • Identify the vulnerabilities associated with these assets
  • Map and document security controls in place at the moment
  • Interpret the risks and vulnerabilities, and understand their consequences

In effect, identifying potential threats and vulnerabilities that are inherently connected to the business, its supporting processes, and the associated data contributes to an accurate evaluation of enterprise risk. Therefore, in addition to producing the risk management plan, risk planning determines how risks will be identified, analyzed, monitored, controlled, and mitigated.

Risk Identification as a Process

First, one should collect information from every source, even hard-copy documents (see Risk Register). This is necessary because all risk scenarios must be identified.

Second, identifying legal and regulatory requirements is also advisable, along with contractual requirements and the organizational policies and standards that relate to IT systems. In doing so, the impact of these components on the business objectives can be determined.

Risk Register (Where to look for risks)

It serves as a main point of reference for every risk-related action (for example, risk prioritization and response). A security expert should be able to trace and subsequently document all identified risks. The creation of an IT risk register will itemize each risk found.

The search for potential threats and vulnerabilities should not be limited to the IT infrastructure – its scope should be broad enough to include all people and processes directly or indirectly associated with IT assets. Usual places to look for identifying risks are: audit reports, incident management, public media, annual reports, press releases, vulnerability assessments / penetration tests, business continuity / disaster recovery plans, interviews and workshops, and threat intelligence services.

There are three methods of identifying risk:

1) Historical – it is contingent on lessons learned from past incidents

2) Systematic – this approach is typically based on expert opinion. The goal is to inspect the entire array of business processes so that possible points of failure, if there are any, come to the surface.

3) Inductive (Theoretical) analysis – this approach uses a new technology or process review to spot attack vectors

Key Risk Indicators (KRIs)

During the risk identification process, one may use various methods, one of which is defining Key Risk Indicators. KRIs are indicators of risk that function as an early warning system: they let decision-makers know that a high risk is emerging so that they can take proactive steps early on to counter the identified potential risk before it turns into a loss. Within the context of risk identification, KRIs therefore have a pre-emptive monitoring function.

Once the KRI set is complete, it initiates a balancing exercise between indicators for risk, root causes, and business impact in order to indicate the risk and predict its impact in the most precise way.

It should be noted that KRIs are the prime monitoring indicators at the enterprise's disposal, since they are the most effective at both indicating and predicting risks. In addition, KRIs help decision-makers avoid relying on a large number of risk indicators that may produce confusing results.
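The two ideas above, a risk register that itemizes each identified risk with its asset, threat, vulnerability, existing controls, source and owner, and a set of KRIs that raise an early warning before a risk turns into a loss, can be shown together in a small script. The following is an added example written for this article, not code from the article or from ISACA; the risk entries, KRI names, thresholds and measurements are constructed sample data for a hypothetical organisation, and the likelihood x impact rating is one common scoring convention rather than anything the article prescribes.

```python
"""Minimal IT risk register with Key Risk Indicator (KRI) early-warning checks.
Added illustration; all risks, thresholds and measurements are constructed."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Risk:
    """One register row: asset, threat, vulnerability, controls, source, owner."""
    risk_id: str
    description: str
    asset: str
    threat: str
    vulnerability: str
    controls_in_place: List[str]
    likelihood: int   # 1 (rare) .. 5 (almost certain)
    impact: int       # 1 (negligible) .. 5 (severe)
    source: str       # where the risk surfaced: audit report, pentest, incident ...
    owner: str        # accountable stakeholder

    def __post_init__(self) -> None:
        for name in ("likelihood", "impact"):
            value = getattr(self, name)
            if not 1 <= value <= 5:
                raise ValueError(f"{name} must be in 1..5, got {value}")

    @property
    def rating(self) -> int:
        """Likelihood x impact score used to prioritise the register."""
        return self.likelihood * self.impact


@dataclass
class KRI:
    """A measurable indicator tied to a register entry, with two thresholds."""
    name: str
    risk_id: str
    warning: float
    critical: float
    higher_is_worse: bool = True  # False for metrics such as success rates

    def level(self, value: float) -> str:
        """Classify one measurement as OK, WARNING or CRITICAL."""
        if self.higher_is_worse:
            return "CRITICAL" if value >= self.critical else \
                   "WARNING" if value >= self.warning else "OK"
        return "CRITICAL" if value <= self.critical else \
               "WARNING" if value <= self.warning else "OK"


def build_register(risks: List[Risk]) -> List[Risk]:
    """Order entries by rating (highest first, ties by id) so priorities read top-down."""
    return sorted(risks, key=lambda r: (-r.rating, r.risk_id))


def evaluate_kris(kris: List[KRI], measurements: Dict[str, float]) -> Dict[str, str]:
    """Map each KRI name to its level; a KRI without a fresh measurement is UNKNOWN."""
    return {k.name: k.level(measurements[k.name]) if k.name in measurements else "UNKNOWN"
            for k in kris}


def early_warnings(register: List[Risk], kris: List[KRI],
                   measurements: Dict[str, float]) -> List[tuple]:
    """Join KRI breaches back to the register entry and owner they point at."""
    levels = evaluate_kris(kris, measurements)
    by_id = {r.risk_id: r for r in register}
    hits = [(levels[k.name], k.name, k.risk_id, by_id[k.risk_id].owner)
            for k in kris if levels[k.name] in ("WARNING", "CRITICAL")]
    return sorted(hits)  # CRITICAL sorts before WARNING


# Constructed sample data for a hypothetical organisation.
RISKS = [
    Risk("R-001", "Unpatched internet-facing web server", "customer portal",
         "remote exploitation", "delayed patching", ["monthly patch cycle"],
         likelihood=4, impact=4, source="vulnerability assessment", owner="Head of Infrastructure"),
    Risk("R-002", "Backups cannot be restored", "file servers",
         "ransomware / data loss", "restores never tested", ["nightly backups"],
         likelihood=3, impact=5, source="audit report", owner="IT Operations Manager"),
    Risk("R-003", "Staff credentials phished", "user credentials",
         "credential theft", "low security awareness", ["annual training"],
         likelihood=4, impact=3, source="incident management", owner="CISO"),
]
KRIS = [
    KRI("days_critical_patch_outstanding", "R-001", warning=14, critical=30),
    KRI("backup_restore_success_pct", "R-002", warning=98, critical=90, higher_is_worse=False),
    KRI("phishing_sim_click_rate_pct", "R-003", warning=5, critical=10),
]
MEASUREMENTS = {  # constructed values for one reporting period
    "days_critical_patch_outstanding": 21,
    "backup_restore_success_pct": 85,
    "phishing_sim_click_rate_pct": 4,
}

if __name__ == "__main__":
    register = build_register(RISKS)
    for r in register:
        print(f"{r.risk_id} rating={r.rating:2d} source={r.source!r} owner={r.owner}")
    for level, kri, risk_id, owner in early_warnings(register, KRIS, MEASUREMENTS):
        print(f"{level:8s} {kri} -> {risk_id} ({owner})")
```

Running the script lists the register in priority order and then the two KRIs that have crossed a threshold, each mapped back to the owner who is accountable for the underlying risk. A KRI with no measurement for the period is reported as UNKNOWN rather than silently treated as OK, which is the behaviour a practitioner wants from an early-warning view.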

Some important types of risks:

– systemic risks – they affect an important business partner, but at the same time happen to a substantial group of organizations within a sector or industry (for instance, an 8-hour air traffic control computer outage will disrupt air traffic on a very large scale)

– contagious risks – they occur in a short span of time and at the same time affect a business partner’s enterprise

– operational risks – these risks happen during the organization’s regular, day-to-day operations or internal events, as a result of a failure associated with processes, people or technologies

– reporting risks – it is perhaps self-explanatory, but they are the direct consequence of inaccurate reporting, which in turn misleads decision-makers

With regard to IT risk scenarios, identifying the key stakeholders is what establishes accountability. If a security specialist designs various IT risk scenarios based on all available information, they will be able to determine the level of potential influence on business objectives and activities. In essence, identifying the type and severity of IT risk contributes to the fulfillment of a company's IT risk management program, which in turn supports business objectives and aligns with the enterprise risk management (ERM) strategy. Actual alignment with business objectives can only become reality, however, after key stakeholders and senior leadership identify the risk appetite and tolerance (through metric setting).

Exercise: Match the sentence halves

Match each numbered item on the left with its corresponding sentence ending on the right:
1. Risk Register …function as an early warning system
2. Identify risk appetite and tolerance defined by senior leadership and key stakeholders …uses a new technology or process review to spot attack vectors
3. Operational Risks …is the likelihood of event and its consequences to happen
4. KRIs are indicators of risk that …serves as a main point of reference for every risk-related action
5. Identifying risks …occur during the regular, day-to-day operations or internal events
6. Inductive (Theoretical analysis) …to ensure alignment with business objectives
7. In the context of this writing, a risk …include imminent threats and opportunities for risks to become realized security threats

Exercise answers

  1. Risk Register serves as a main point of reference for every risk-related action.
  2. Identifying risk appetite and tolerance defined by senior leadership and key stakeholders ensures alignment with business objectives.
  3. Operational risks occur during the regular, day-to-day operations or internal events.
  4. KRIs are indicators of risk that function as an early warning system.
  5. Identifying risks include imminent threats and opportunities for risks to become realized security threats.
  6. Inductive (Theoretical) analysis is the likelihood of event and its consequences to happen.
  7. In the context of this writing, a risk uses a new technology or process review to spot attack vectors.

Dimitar Kostadinov applied for a 6-year Master's program in Bulgarian and European Law at the University of Ruse and was enrolled in 2002 following high school. He obtained a Master's degree in 2009. From 2008 to 2012, Dimitar worked in data entry and research for the American company Law Seminars International and its Bulgarian-Slovenian business partner DATA LAB. In 2011, he was admitted to the Law and Politics of International Security program at Vrije Universiteit Amsterdam, the Netherlands, graduating in August 2012. Dimitar also holds an LL.M. diploma in Intellectual Property Rights & ICT Law from KU Leuven (Brussels, Belgium). Besides legal studies, he is particularly interested in the Internet of Things, Big Data, privacy and data protection, electronic contracts, electronic business, electronic media, telecoms, and cybercrime. Dimitar attended the 6th Annual Internet of Things European Summit organized by Forum Europe in Brussels.
