ISACA’s CRISC 2015 Certification – What has changed?

March 4, 2015 by Kenneth Magee

In comparing the 2015 CRISC Review Manual to the 2014 CRISC Review Manual, the first thing that is quite obvious is size. The 2015 manual is only 186 pages, compared to the 430 pages in the 2014 manual. ISACA dropped Part II, Risk Management and Information Systems Control in Practice. Although some of that information was carried forward, the majority of it was dropped.

The second thing, which is just as obvious as the first, is that the domains have changed. In 2014 there were 5 domains; now there are only 4. The domains have been restructured to be more in line with IT Risk Management.

The old Domain 1 was entitled "Risk Identification, Assessment and Evaluation" and accounted for 31% of the exam. Now the title is "IT Risk Identification" and it is 27% of the exam.

The old Domain 2 was entitled "Risk Response". Now the Assessment portion of the old Domain 1 has become the new Domain 2, titled "IT Risk Assessment", and it represents 28% of the exam.

In brief, these two domains now account for 55% of the exam, whereas before they were only 31% of the exam.

The old Domain 3 was "Risk Monitoring" and was 17% of the exam. Now the old Domains 2 and 3 have been combined into the new Domain 3, entitled "Risk Response and Mitigation", which is worth 23% of the exam. This new combined domain has dropped from a combined 34% to just 23% of the exam.

The old Domains 4 and 5, entitled "Information Systems Control Design and Implementation" and "Information Systems Control Monitoring and Maintenance", are gone. The new Domain 4 is entitled "Risk and Control Monitoring and Reporting" and is worth 22% of the exam.

As you can see, ISACA's focus (55%) is clearly on IT Risk Identification and Assessment. This is borne out by the increased number of knowledge statements for IT Risk Identification. There are 41 knowledge statements in the new 2015 Review Manual, and if you expand #6 and #41 there are actually 57 new areas. In reviewing the new manual, it would appear that ISACA has pulled all of the knowledge statements from the old Domains 2, 3 and 4 that pertained to IT Risk Identification and placed them into Domain 1.

It's also apparent, in my view, that ISACA has taken this exam to another level of detail. For example, in Domain 1, threats and vulnerabilities have been expanded to include emerging threats, cloud computing, big data and Web-facing services. Domain 2 shows the same "let's dig deeper" process by looking at different risk assessment techniques, including HACCP, HAZOP, HRA, LOPA and SWIF, and not just qualitative vs. quantitative. Domain 2 also includes a detailed discussion of the risk associated with the enterprise architecture and looks in detail at hardware, software, utilities, platforms, network components and network architecture. The last one, "network architecture", includes a detailed look at encryption, DMZs, extranets and user interfaces.

Domain 3 is no exception to the "let's dig deeper" process: it goes into detail about testing in the SDLC and looks at the risk associated with cutover and how cutover is accomplished. For example, "What's the risk with doing an abrupt cutover vs. a phased cutover?"

Domain 4 goes into detail about key risk indicators (KRIs) with respect to selection, effectiveness, optimization and maintenance. This domain wraps up with a look at monitoring using SIEM, auditing and ITF.

As a final word, this exam has changed extensively and is now focused on IT Risk Management. Details on the CRISC certification can be found on ISACA's webpage at:

Kenneth Magee

Ken is President and owner of Data Security Consultation and Training, LLC. He has taught cybersecurity at the JAG school at the University of Virginia, KPMG Advisory University, Microsoft and several major federal financial institutions and government agencies. As CISO for the Virginia Community College System, Ken’s focus was the standardization of security around the ISO 27000 series framework. Writing is one of his passions and he has authored and/or co-authored several courses, including CISSP, CISA, CISM, CGEIT, CRISC, DoD Cloud Computing SRG and a course for training Security Control Assessors using NIST SP 800-53A. Ken has also achieved a number of certifications, including CISSP, SSCP, CCSP, CAP, ISSMP, ISSAP, ISSEP, CISM, CISA, CAC, CEH, ISO9000LA, ISO14001LA, ISO27001PA, Security+, CySA+, CASP, CTT+, CPT, GSEC, GSNA, GWAPT, CIA, CGAP, CFE, MCP, MCSA, MCSE and MCT.

One response to “ISACA’s CRISC 2015 Certification – What has changed?”

  1. Itay Semel says:

    Where can I buy the CRISC manual 2014?
