CRISC Domain #3 – Risk Response and Reporting
IT risk management is an area of IT that organizations have been focusing on increasingly over the years. Certified in Risk and Information Systems Control (CRISC) is an IT risk management certification that will verify that the cert holder understands how IT risk impacts and is related to their organization.
What is CRISC?
CRISC is an enterprise IT risk management certification hosted by ISACA. CRISC is intended for enterprise IT risk management professionals working in at least two of the CRISC domains for a minimum of three years. CRISC is currently the only enterprise IT risk management certification in existence. It verifies that the certificate holder has mid-career level knowledge of IT risk identification, assessment, monitoring and reporting, risk response and mitigation, and risk control. Earning this certification will make you an invaluable IT risk expert for your organization which may launch your career to even greater heights.
What has changed since the last CRISC exam version?
The 2021 version of the CRISC certification exam has had almost all of its domains changed. Below is a comparison of the new and previous CRISC Job Practices.
|Domains||Previous CRISC domains||New CRISC domains|
|1||IT Risk Identification 27%||Governance 26%|
|2||IT Risk Assessment 28%||IT Risk Assessment 20%|
|3||Risk Response Mitigation 23%||Risk Response and Reporting 32%|
|4||Risk and Control Monitoring and Reporting 22%||Information Technology and Security 22%|
As you can see, domain #3 has had a name change indicating a shift in focus in this domain from mitigation to reporting. It should also be noted that the domain now covers more material — namely a good-sized increase in respective exam material from 23% to 32%. This translates to around 13 more questions based upon this domain than the last CRISC exam version.
What is CRISC domain #3?
Domain #3 of the CRISC certification exam covers risk response and reporting, which is really where the rubber meets the proverbial road when it comes to IT risk management. Organizations become aware of what is beyond or within their control risk-wise by identifying and analyzing what may threaten organizational operations and internal and external factors that may impact the organization. This will only provide an organization with knowledge of the risk situation as it stands at that moment. What comes next is how to respond to these analyzed risks. From here, the organization may introduce new controls, enhance existing controls, and create a way to monitor and report on the risk to keep management informed.
What CRISC domain #3 IT risk response and reporting covers
This domain divides the material into three categories: risk response, control design and implementation, and risk monitoring and reporting. Each of these categories is made up of several sub-categories. Domain #3 represents 32% of the total exam content, translating into approximately 48 exam questions out of 150 possible multiple-choice questions. You will need to score a minimum of 450 out of 800 possible points to pass the CRISC certification exam.
Below is an outline of what this domain covers:
A. Risk response
3.1 Risk and control ownership
3.2 Risk treatment/risk response options
3.3 Third-party risk management
3.4 Issue, finding and exception management
3.5 Management of emerging risk
B. Control design and implementation
3.6 Control types, standards and frameworks
3.7 Control design, selection and analysis
3.8 Control implementation
3.9 Control testing and effectiveness evaluation
C. Risk monitoring and reporting
3.10 Risk treatment plans
3.11 Data collection, aggregation, analysis and validation
3.12 Risk and control monitoring techniques
3.13 Risk and control reporting techniques
3.14 Key performance indicators
3.15 Key risk indicators
3.16 Key control indicators
Learning objectives/task statements
By the time you have learned the material covered by CRISC domain #2, you should be able to explain the following:
- Collect and review existing information regarding the organization’s business and IT environments
- Identify potential or realized impacts of IT risk to the organization’s business objectives and operations
- Identify threats and vulnerabilities to the organization’s people, processes and technology
- Evaluate threats, vulnerabilities and risks to identify IT risk scenarios
- Establish accountability by assigning and validating the appropriate level of risk and control ownership
- Establish and maintain the IT risk register and incorporate it into the enterprise-wide risk profile
- Facilitate the identification of risk appetite and risk tolerance by key stakeholders
- Promote a risk-aware culture by contributing to the development and implementation of security awareness training
- Conduct a risk assessment by analyzing IT risk scenarios and determining their likelihood and impact
- Identify the current state of existing controls and evaluate their effectiveness for IT risk mitigation
- Review the results of risk analysis and control analysis to assess any gaps between current and desired states of the IT risk environment
- Facilitate the selection of recommended risk responses by key stakeholders
- Collaborate with risk owners on the development of risk treatment plans
- Collaborate with control owners on the selection, design, implementation and maintenance of controls
- Validate that risk response have been executed according to risk treatment plans
- Define and establish key risk indicators (KRIs)
- Monitor and analyze key risk indicators (KRIs)
- Collaborate with control owners on the identification of key performance indicators (KPIs) and key control indicators (KCIs)
- Monitor and analyze key performance indicators (KPIs) and key control indicators (KCIs)
- Review the results of control assessments to determine the effectiveness and maturity of the control environment
- Conduct aggregation, analysis and validation of risk and control data
- Report relevant risk and control information to applicable stakeholders to facilitate risk-based decision-making
- Evaluate emerging technologies and changes to the environment for threats, vulnerabilities and opportunities
Understanding domain #3 of CRISC
Domain #3 of the CRISC certification, risk response and reporting, is the largest of the CRISC domains of information accounting for 32% of all material covered. This translates into around 48 questions on the certification exam which is a marked increase from the amount of questions covering this domain in the last exam version, as well as several more learning objectives/task statements. Keep this in mind going forward in studying for the CRISC and you may want to spend a little extra time mastering this domain to compensate for its respective weight.
CRISC Exam Content Outline, ISACA
CRISC Review Manual, 7th ed, ISACA