CRISC Domain 4: Risk and Control Monitoring and Reporting

February 9, 2018 by Graeme Messina

What is Risk and Control Monitoring and Reporting?

Risk monitoring and control are the two elements responsible for keeping track of identified risks, residual risks, and new and emerging risks. They are also used to monitor the execution and implementation of the response plans for all known risks, and to gauge how effective those plans are in practice. Periodically, a project risk review needs to be done so that the risk identification process, the analysis, and the appropriate responses can be planned again.

How much is this domain covered on the exam and what topics are discussed?

There are 7 subcategories within this domain that must be understood by the candidate. Once qualified, candidates will be required to constantly monitor and report on IT risks and controls in the workplace to relevant stakeholders, such as management and the executive staff.

These tasks ensure the continued operation and practical utility of the IT risk management strategy and its ongoing alignment with business objectives. The following topics need to be taken into consideration when preparing for the exam:

  • 4.1 Define and establish key risk indicators (KRIs) and thresholds based on available data, to enable monitoring of changes in risk.
  • 4.2 Monitor and analyze key risk indicators (KRIs) to identify changes or trends in the IT risk profile.
  • 4.3 Report on changes or trends related to the IT risk profile to assist management and relevant stakeholders in decision making.
  • 4.4 Facilitate the identification of metrics and key performance indicators (KPIs) to enable the measurement of control performance.
  • 4.5 Monitor and analyze key performance indicators (KPIs) to identify changes or trends related to the control environment and determine the efficiency and effectiveness of controls.
  • 4.6 Review the results of control assessments to determine the effectiveness of the control environment.
  • 4.7 Report on the performance of, changes to, or trends in the overall risk profile and control environment to relevant stakeholders to enable decision making.
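Tasks 4.1 and 4.2 above (establishing KRI thresholds from available data, then monitoring the indicators for changes and trends) are the computational core of this domain. The following is an added example, not code from the original article or from ISACA, showing one way to do both: thresholds are derived from a historical baseline (an assumed "mean plus k standard deviations" rule), each new observation is rated green/amber/red, and a least-squares slope over the most recent observations reports whether the indicator is rising, stable or falling. The KRI name, the sample monthly counts and the stable band are constructed assumptions.

```python
"""Key risk indicator (KRI) monitoring with thresholds derived from data.

Added example, not code from the original article or from ISACA. The KRI
name, the sample observations, the "mean plus k standard deviations"
threshold rule and the trend band are constructed assumptions.
"""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass
class Kri:
    name: str
    warning: float   # at or above this level the KRI is reported amber
    critical: float  # at or above this level the KRI is reported red


def derive_thresholds(name, baseline, warn_sigma=1.0, crit_sigma=2.0):
    """Task 4.1: establish thresholds from the data that is actually available.

    `baseline` is a list of historical observations for the indicator. The
    thresholds sit at mean + k * sigma above the baseline (assumed rule).
    """
    if len(baseline) < 2:
        raise ValueError("need at least two baseline observations")
    mu, sigma = mean(baseline), pstdev(baseline)
    return Kri(name, mu + warn_sigma * sigma, mu + crit_sigma * sigma)


def rate(kri, value):
    """Map one observation to a traffic-light status."""
    if value >= kri.critical:
        return "red"
    if value >= kri.warning:
        return "amber"
    return "green"


def trend_slope(values):
    """Least-squares slope of the series against its index (change per period)."""
    n = len(values)
    if n < 2:
        return 0.0
    x_bar, y_bar = (n - 1) / 2, mean(values)
    num = sum((x - x_bar) * (y - y_bar) for x, y in enumerate(values))
    den = sum((x - x_bar) ** 2 for x in range(n))
    return num / den


def monitor(kri, observations, window=4, stable_band=0.25):
    """Task 4.2: rate the latest observation and report the recent trend.

    A slope within +/- stable_band per period is reported as stable (assumed band).
    """
    if not observations:
        raise ValueError("no observations to monitor")
    latest = observations[-1]
    slope = trend_slope(observations[-window:])
    if slope > stable_band:
        direction = "rising"
    elif slope < -stable_band:
        direction = "falling"
    else:
        direction = "stable"
    return {
        "kri": kri.name,
        "latest": latest,
        "status": rate(kri, latest),
        "trend": direction,
        "slope_per_period": round(slope, 3),
    }


# Constructed sample: monthly count of critical vulnerabilities older than
# 30 days on internet-facing hosts. The first six months form the baseline.
BASELINE = [10, 12, 11, 13, 14, 12]
RECENT = [12, 13, 15, 18]

if __name__ == "__main__":
    kri = derive_thresholds("overdue critical vulns", BASELINE)
    print(f"warning >= {kri.warning:.1f}, critical >= {kri.critical:.1f}")
    print(monitor(kri, RECENT))
```

With the constructed baseline the thresholds land at roughly 13.3 (amber) and 14.6 (red); the latest value of 18 is therefore red, and the slope of two per month over the last four observations is reported as rising. Reporting the trend alongside the status is what lets a reader of the report see an indicator heading towards its threshold before it is breached, which is the point of task 4.2.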

What risk monitoring standards and frameworks are covered on the exam?

Candidates must have knowledge of the most internationally recognized regulations, standards, frameworks and best practices related to information security program development and management. These include:

  • ISO 27000
  • NIST SP 800 Series

What risk monitoring tools and techniques are covered on the test?

These could include (but are not limited to):

  • Brainstorming
  • Event inventories and loss event data
  • Interviews and self-assessment
  • Facilitated workshops
  • SWOT analysis
  • Risk questionnaires and risk surveys, and
  • Scenario analysis.

What risk reporting tools and techniques do you need to know?

1. Risk Reassessment

  • Host project risk reviews whenever you have team meetings
  • All major reviews must be performed at major milestones with your team
  • You should look at your risk ratings and prioritizations, as they may change over the course of the project. These changes may also require additional qualitative or quantitative risk analysis, so these issues need to be addressed as well.

2. Risk audits

You must examine and document the effectiveness of your particular risk response plan. This is vital when controlling risk, since the effectiveness of the risk owner needs to be established within certain timeframes.

3. Variance and Trend Analysis

These tools are used for monitoring your overall project cost. They also allow schedule performance to be compared against the parameters that were established at the beginning of your project. Any change that looks like a significant deviation means that updated risk identification and analysis should be performed as soon as possible.

4. Reserve Analysis

As the execution of your plan continues, some of the risk events that occur could be either positive or negative, and they will affect the overall cost or schedule contingency reserves for your project. A reserve analysis compares your available reserves with the amount of risk remaining at the time, which determines whether the reserves that have been put in place are sufficient or not.

5. Status Meetings

By scheduling regular status meetings, you receive constant risk management updates, and all important issues can be addressed at short intervals by including the relevant points of concern in your project meetings.
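Variance analysis (item 3) and reserve analysis (item 4) both reduce to a comparison of actual figures against a baseline, so they are easy to show in working code. The example below is added here and is not code from the original article. It uses the standard earned-value variances (cost variance CV = EV - AC, schedule variance SV = EV - PV) to flag periods whose deviation from the plan exceeds a tolerance and should trigger renewed risk identification, and it measures "the amount of risk remaining" as expected exposure (probability times impact summed over the open risks) to decide whether the contingency reserve is still sufficient. The status figures, the register entries and the 10 % tolerance are constructed assumptions.

```python
"""Variance analysis and reserve analysis for project risk reporting.

Added example, not code from the original article. The status figures,
the risk register entries and the 10 % deviation tolerance are constructed
assumptions; the variance formulas are the standard earned-value ones
(cost variance CV = EV - AC, schedule variance SV = EV - PV).
"""
from dataclasses import dataclass


@dataclass
class StatusPoint:
    period: str
    planned_value: float  # PV: budgeted cost of the work scheduled to date
    earned_value: float   # EV: budgeted cost of the work actually completed
    actual_cost: float    # AC: what the completed work actually cost


def variance_analysis(point, tolerance=0.10):
    """Compare cost and schedule performance against the baseline (PV).

    A deviation larger than `tolerance` of the planned value is flagged so
    that risk identification and analysis are repeated.
    """
    if point.planned_value <= 0 or point.actual_cost <= 0:
        raise ValueError(f"{point.period}: PV and AC must be positive")
    cv = point.earned_value - point.actual_cost
    sv = point.earned_value - point.planned_value
    limit = tolerance * point.planned_value
    return {
        "period": point.period,
        "cost_variance": cv,
        "schedule_variance": sv,
        "cpi": round(point.earned_value / point.actual_cost, 3),
        "spi": round(point.earned_value / point.planned_value, 3),
        "reassess": abs(cv) > limit or abs(sv) > limit,
    }


def periods_needing_reassessment(points, tolerance=0.10):
    """Trend view: the periods in which deviation crossed the tolerance."""
    return [p.period for p in points
            if variance_analysis(p, tolerance)["reassess"]]


@dataclass
class RemainingRisk:
    name: str
    probability: float  # likelihood in the remaining project window, 0..1
    impact: float       # cost if it materialises, same currency as the reserve


def reserve_analysis(reserve_remaining, risks):
    """Compare the contingency reserve with the risk still open.

    Remaining risk is measured as expected exposure, the sum of
    probability * impact over the open register entries.
    """
    for r in risks:
        if not 0.0 <= r.probability <= 1.0:
            raise ValueError(f"{r.name}: probability must be between 0 and 1")
    exposure = sum(r.probability * r.impact for r in risks)
    return {
        "reserve": reserve_remaining,
        "expected_exposure": exposure,
        "sufficient": reserve_remaining >= exposure,
        "shortfall": max(0.0, exposure - reserve_remaining),
    }


# Constructed sample data (currency units are arbitrary).
POINTS = [
    StatusPoint("Q1", 100_000, 98_000, 99_000),
    StatusPoint("Q2", 200_000, 170_000, 195_000),
    StatusPoint("Q3", 300_000, 285_000, 305_000),
]
RISKS = [
    RemainingRisk("vendor delivery slips", 0.3, 50_000),
    RemainingRisk("key engineer leaves", 0.2, 80_000),
    RemainingRisk("regulatory change forces rework", 0.1, 200_000),
]

if __name__ == "__main__":
    for p in POINTS:
        print(variance_analysis(p))
    print("reassess in:", periods_needing_reassessment(POINTS))
    print(reserve_analysis(40_000, RISKS))
```

On the constructed data only Q2 crosses the 10 % tolerance (a cost variance of -25,000 against a planned value of 200,000), so that is the period in which the risk register should be reworked; Q3 recovers to within tolerance. The reserve analysis shows an expected exposure of 51,000 against a remaining reserve of 40,000, a shortfall of 11,000 that belongs in the report to management even though no single risk has yet materialised.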

What control types, standards, and frameworks are covered?

  • COBIT (Control Objectives for Information and Related Technologies): a best-practice framework for IT management created by ISACA.
  • Val IT: a governance framework used for creating business value from IT spending. It comprises a set of guiding principles and numerous processes and best-practice solutions, seen as a set of management strategies that support executive management and board members at the corporate and enterprise level.
  • Risk IT: this framework enables enterprises to understand and manage significant IT risks, and lets them build upon the existing risk-related items within the current ISACA frameworks such as COBIT and Val IT.

What control monitoring and reporting tools and techniques do you need to know?

  • Risk scenario development tools and techniques
  • Business process review tools and techniques
  • Data collection and extraction tools and techniques
  • Risk monitoring tools and techniques
  • Risk reporting tools and techniques, and
  • Control monitoring and reporting tools and techniques.

What control assessment types are covered on the exam?

There are many different assessment types that are covered in the exam. These include:

  • Self-assessments
  • Audits
  • Vulnerability assessments
  • Penetration tests, and
  • Third-party assurance.

How to Pursue your CRISC Certification

The Infosec CRISC Bootcamp is the best place to get started if you are new to IA certification. Here you will learn everything that you need to pass the exam and advance your career.

The CRISC certification has been created to cater to IT professionals that have experience in the field with things such as risk identification, risk assessments and evaluation, as well as risk response and risk monitoring.

Earning your CRISC certification has two main benefits. The first and most obvious is the fact that certifying with this course will help you on your way as you pursue a career in Information Security. The second benefit is that employers realize the value of adding a qualified CRISC professional to their staffing complement, and that means that your skills are likely to land you that dream job.

The InfoSec CRISC examination preparation course will help you to achieve the following milestones within your company:

  • Creating, rolling out, viewing and adapting risk-based controls
  • Keeping your business compliant with statutory requirements

The 4 domains that are covered in the course are required by ISACA, and they are:

  1. IT Risk Identification
  2. IT Risk Assessment
  3. Risk Response and Mitigation
  4. Risk and Control Monitoring and Reporting

Pricing for Infosec’s CRISC Bootcamp can be found here.


Graeme is an IT professional with a special interest in computer forensics and computer security. When not building networks and researching the latest developments in network security, he can be found writing technical articles and blog posts at InfoSec Resources and elsewhere.
