CRISC Domain #4 – Information Technology and Security
IT risk management is an area of increasing importance for many organizations, following a broader trend of emphasizing risk management across the enterprise. Certified in Risk and Information Systems Control (CRISC) is an IT risk management certification that verifies that the holder understands how IT risk affects, and relates to, their organization. Much of the material covered by this domain consists of foundational information technology and information security principles. Those who work primarily in IT risk management will find that this material gives them a better perspective on how IT risk management fits into the bigger picture of IT.
What is CRISC?
CRISC is an enterprise IT risk management certification offered by ISACA. It is intended for enterprise IT risk management professionals with at least three years of work experience spanning at least two of the CRISC domains. CRISC is, at the time of writing, the only certification focused specifically on enterprise IT risk management. It verifies that the holder has mid-career-level knowledge of IT risk identification, assessment, monitoring and reporting, risk response and mitigation, and risk control. Earning this certification positions you as an IT risk expert for your organization and may advance your career.
What has changed since the last CRISC exam version?
The 2021 version of the CRISC certification exam changed almost all of its domains. Below is a comparison of the previous and current CRISC Job Practices, with each domain's share of the exam.
| Domain | Previous CRISC domains | New CRISC domains |
|---|---|---|
| 1 | IT Risk Identification (27%) | Governance (26%) |
| 2 | IT Risk Assessment (28%) | IT Risk Assessment (20%) |
| 3 | Risk Response and Mitigation (23%) | Risk Response and Reporting (32%) |
| 4 | Risk and Control Monitoring and Reporting (22%) | Information Technology and Security (22%) |
While the weight of domain 4 is unchanged at 22% of the exam, its focus has shifted from risk and control monitoring and reporting to information technology and security.
What is CRISC domain #4?
Domain #4 of the CRISC certification exam covers information technology and security. The content of this domain is more foundational than that of the other three domains, and it is there to give IT risk management the right context. IT risk management is separate and distinct from information technology and security, but the two cannot be completely separated from each other. Those working in IT risk management need to understand the key concepts and principles of information technology and security to be as effective as possible.
What does CRISC’s domain #4 information technology and security cover?
This domain divides its material into two categories: information technology principles and information security principles. These categories are made up of seven and three sub-categories, respectively. Domain #4 represents 22% of the total exam content, which translates into approximately 33 of the exam's 150 multiple-choice questions. You need a minimum scaled score of 450 out of 800 to pass the CRISC certification exam.
Below is an outline of what this domain covers:
A. Information technology principles
4.1 Enterprise architecture
4.2 IT operations management
4.3 Project management
4.4 Enterprise resiliency
4.5 Data life cycle management
4.6 System development life cycle
4.7 Emerging trends in technology
B. Information security principles
4.8 Information security concepts, frameworks and standards
4.9 Information security awareness training
4.10 Data privacy and principles of data protection
Learning objectives/task statements
By the time you have learned the material covered by CRISC domain #4, you should be able to perform the following tasks:
- Collect and review existing information regarding the organization’s business and IT environments
- Identify potential or realized impacts of IT risks to the organization’s business objectives and operations
- Identify threats and vulnerabilities to the organization’s people, processes and technology
- Evaluate threats, vulnerabilities and risks to identify IT risk scenarios
- Establish accountability by assigning and validating appropriate levels of risk and control ownership
- Facilitate the identification of risk appetite and risk tolerance by key stakeholders
- Promote a risk-aware culture by contributing to the development and implementation of security awareness training
- Review the results of risk analysis and control analysis to assess any gaps between current and desired states of the IT risk environment
- Collaborate with risk owners on the development of risk treatment plans
- Collaborate with control owners on the selection, design, implementation and maintenance of controls
- Evaluate emerging technologies and changes to the environment for threats, vulnerabilities and opportunities
- Evaluate alignment of business practices with risk management and information security frameworks and standards
Understanding CRISC domain 4
To pass the CRISC certification exam, you will have to master the four domains that make up the 2021 CRISC Job Practice. Domain #4, information technology and security, presents the key principles and concepts of information technology and security needed to put IT risk management in its proper context within the organization's IT and information security environment. This domain accounts for approximately 33 questions on the exam. Mastering this final domain will put you in a strong position to pass the CRISC certification exam and earn this IT risk management certification.
Sources
- CRISC Exam Content Outline, ISACA
- CRISC Review Manual, 7th ed., ISACA