CRISC Domain #2 – IT Risk Assessment
IT risk management is an area of IT that organizations have been focusing on increasingly over the years. Certified in Risk and Information Systems Control (CRISC) is an IT risk management certification that will verify that the cert holder understands how IT risk impacts and is related to their organization.
What is CRISC?
CRISC is an enterprise IT risk management certification hosted by ISACA. It is for enterprise IT risk management professionals working in at least two of the CRISC domains for a minimum of three years. CRISC is currently the only enterprise IT risk management certification in existence. It verifies that the certification holder has mid-career level knowledge of IT risk identification, assessment, monitoring and reporting, risk response and mitigation and risk control. Earning this certification will make you an invaluable IT risk expert for your organization which may launch your career to even greater heights.
What has changed since the last CRISC exam version?
The 2021 version of the CRISC certification exam has had almost all of its domains changed. Below is a comparison of the new and previous CRISC Job Practices.
|Domains||Previous CRISC domains||New CRISC domains|
|1||IT Risk Identification 27%||Governance 26%|
|2||IT Risk Assessment 28%||IT Risk Assessment 20%|
|3||Risk Response Mitigation 23%||Risk Response and Reporting 32%|
|4||Risk and Control Monitoring and Reporting 22%||Information Technology and Security 22%|
As you can see, the respective weight of Domain #2 has been reduced a noticeable amount since the last CRISC exam version — namely from 28% to 20%. This may seem like a negligible reduction of exam material, but in terms of exam questions, this amounts to around 12 fewer exam questions covering Domain #2 material.
What is CRISC domain #2?
Domain #2 of the CRISC certification exam covers IT risk assessment, an important aspect of IT risk management. Professionals working in IT risk management determine the likelihood and impact of IT risk on organizational objectives by analyzing and evaluating IT risk. This enables the organization to enable IT risk-based decision-making. This domain discusses:
- IT risk identification
- Understanding the organization’s threat landscape and emerging risk
- Analyzing and evaluating identified risk
What does CRISC domain #2 IT risk assessment cover?
This domain categorizes the material it covers into the two broad elements of IT risk assessment — IT risk identification and IT risk analysis and evaluation. Both categories are made up of subcategories (four and five, respectively). Domain #2 represents 20% of the total exam content translating into approximately 30 exam questions out of 150 possible multiple-choice questions. You will need to score a minimum of 450 out of 800 possible points to pass the CRISC certification exam.
Below is an outline of what this domain covers:
A. IT risk identification
2.1 Risk events
2.2 Threat modeling and threat landscape
2.3 Vulnerability and control deficiency analysis
2.4 Risk scenario development
B. IT risk analysis and evaluation
2.5 Risk assessment concepts, standards and frameworks
2.6 Risk register
2.7 Risk analysis methodologies
2.8 Business impact analysis
2.9 Inherent and residual risk
Learning objectives/task statements
By the time you have learned the material covered by CRISC domain #2, you should be able to explain the following:
- Identify potential or realized impacts of IT risk to the organization’s business objectives and operations
- Identify threats and vulnerabilities to the organization’s people, processes and technology
- Evaluate threats, vulnerabilities and risks to identify IT risk scenarios
- Establish and maintain the IT risk register and incorporate it into the enterprise-wide risk profile
- Facilitate the identification of risk appetite and risk tolerance by key stakeholders
- Promote a risk-aware culture by contributing to the development and implementation of security awareness training
- Conduct a risk assessment by analyzing IT risk scenarios and determining their likelihood and impact
- Identify the current state of existing controls and evaluate their effectiveness for IT risk mitigation
- Review the results of risk analysis and control analysis to assess any gaps between current and desired states of the IT risk environment
- Collaborate with control owners on the selection, design, implementation and maintenance of controls
- Collaborate with control owners on the identification of key performance indicators (KPIs) and key control indicators (KCIs)
- Review the results of control assessments to determine the effectiveness and maturity of the control environment
- Conduct aggregation, analysis and validation of risk and control data
- Report relevant risk and control information to applicable stakeholders to facilitate risk-based decision-making
- Evaluate emerging technologies and changes to the environment for threats, vulnerabilities and opportunities
- Evaluate alignment of business practices with risk management and information security frameworks and standards
Understanding CRISC domain #2
CRISC is an IT risk management certification that verifies that the certification holder has a mid-career level hands-on experience level in at least two of the four domains of information and has mastered this level of knowledge. IT risk management has been increasingly moved to the forefront of organizational culture, and this domain covers an integral part of it — IT risk assessment. Organizations know this and will be willing to give your job candidacy more consideration if you master this domain and earn the CRISC certification.
- CRISC Exam Content Outline, ISACA
- CRISC Review Manual, 7th ed, ISACA