Certified in Risk and Information Systems Control (CRISC)

CRISC Course Overview:

CRISC Training Length: 3-DAY

CRISC Certification: ISACA CRISC

With growing demand for professionals who combine risk and control skills, CRISC® has become the certification of choice for enterprises and individuals working in IT risk. CRISC® is the only certification that prepares IT professionals for the specific challenges of IT and enterprise risk management and positions them as strategic members of the enterprise. CRISC® is also among the top five highest-paying IT certifications in the Foote Partners IT Skills and Certification Pay Index™ (ITSCPI).

Our CRISC® training course is comprehensive and examination-focused. Our instructors encourage every delegate to work through the ISACA-published CRISC® Review Questions, Answers & Explanations (QA&E) as exam preparation; it is included free with the course. The QA&E is exceptional at helping delegates understand ISACA's style of questioning and the approach to answering such questions, and it reinforces the CRISC concepts covered in the live classroom sessions.

All our trainers have extensive experience delivering CRISC training around the world; one is a former president of a local ISACA chapter. The classroom training is intended as hard-core preparation for ISACA's Certified in Risk and Information Systems Control (CRISC®) examination.

Who Should Attend CRISC Training?

CRISC® is for IT professionals, risk professionals, business analysts, project managers, compliance professionals, and anyone whose job responsibilities cover risk identification, assessment and evaluation, risk response, risk monitoring, or IS control design, implementation, monitoring and maintenance.

CRISC Training Objectives:

• Understand business risk and have the technical knowledge to implement appropriate IS controls.
• Identify, assess and evaluate risk to execute the enterprise risk management strategy.
• Understand risk appetite, risk tolerance, residual risk, risk registers and key risk indicators (KRIs).
• Design and implement information systems controls in line with the organization's risk appetite and tolerance levels.
• Monitor and communicate risk information to the relevant stakeholders in line with the enterprise's risk management strategy.

CRISC Course Syllabus:

ISACA revises the CRISC job practice periodically; the five-domain structure below is the version this course follows, so confirm the current exam content outline with ISACA before registering for the exam.

Domain 1—Risk Identification, Assessment and Evaluation

Identify, assess and evaluate risk to enable the execution of the enterprise risk management strategy.
Domain 1—Task Statements:

1.1 Collect information and review documentation to ensure that risk scenarios are identified and evaluated.
1.2 Identify legal, regulatory and contractual requirements and organizational policies and standards related to information systems to determine their potential impact on the business objectives.
1.3 Identify potential threats and vulnerabilities for business processes, associated data and supporting capabilities to assist in the evaluation of enterprise risk.
1.4 Create and maintain a risk register to ensure that all identified risk factors are accounted for.
1.5 Assemble risk scenarios to estimate the likelihood and impact of significant events to the organization.
1.6 Analyze risk scenarios to determine their impact on business objectives.
1.7 Develop a risk awareness program and conduct training to ensure that stakeholders understand risk and contribute to the risk management process and to promote a risk-aware culture.
1.8 Correlate identified risk scenarios to relevant business processes to assist in identifying risk ownership.
1.9 Validate risk appetite and tolerance with senior leadership and key stakeholders to ensure alignment.


Domain 1—Knowledge Statements:

1.1 Knowledge of standards, frameworks and leading practices related to risk identification, assessment and evaluation
1.2 Knowledge of techniques for risk identification, classification, assessment and evaluation
1.3 Knowledge of quantitative and qualitative risk evaluation methods
1.4 Knowledge of business goals and objectives
1.5 Knowledge of organizational structures
1.6 Knowledge of risk scenarios related to business processes and initiatives
1.7 Knowledge of business information criteria
1.8 Knowledge of threats and vulnerabilities related to business processes and initiatives
1.9 Knowledge of information systems architecture (e.g. platforms, networks, application, databases and operating systems)
1.10 Knowledge of information security concepts
1.11 Knowledge of threats and vulnerabilities related to third-party management
1.12 Knowledge of threats and vulnerabilities related to data management
1.13 Knowledge of threats and vulnerabilities related to the system development life cycle
1.14 Knowledge of threats and vulnerabilities related to project and program management
1.15 Knowledge of threats and vulnerabilities related to business continuity and disaster recovery management
1.16 Knowledge of threats and vulnerabilities related to management of IT operations
1.17 Knowledge of the elements of a risk register
1.18 Knowledge of risk scenario development tools and techniques
1.19 Knowledge of risk awareness training tools and techniques
1.20 Knowledge of principles of risk ownership
1.21 Knowledge of current and forthcoming laws, regulations and standards
1.22 Knowledge of threats and vulnerabilities associated with emerging technologies

Domain 2—Risk Response

Develop and implement risk responses to ensure that risk factors and events are addressed in a cost-effective manner and in line with business objectives.
Domain 2—Task Statements:

2.1 Identify and evaluate risk response options and provide management with information to enable risk response decisions.
2.2 Review risk responses with the relevant stakeholders for validation of efficiency, effectiveness and economy.
2.3 Apply risk criteria to assist in the development of the risk profile for management approval.
2.4 Assist in the development of risk response action plans to address risk factors identified in the organizational risk profile.
2.5 Assist in the development of business cases supporting the investment plan to ensure risk responses are aligned with the identified business objectives.


Domain 2—Knowledge Statements:

2.1 Knowledge of standards, frameworks and leading practices related to risk response
2.2 Knowledge of risk response options
2.3 Knowledge of cost-benefit analysis and return on investment (ROI)
2.4 Knowledge of risk appetite and tolerance
2.5 Knowledge of organizational risk management policies
2.6 Knowledge of parameters for risk response selection
2.7 Knowledge of project management tools and techniques
2.8 Knowledge of portfolio, investment and value management
2.9 Knowledge of exception management
2.10 Knowledge of residual risk

Domain 3—Risk Monitoring

Monitor risk and communicate information to the relevant stakeholders to ensure the continued effectiveness of the enterprise’s risk management strategy.
Domain 3—Task Statements:

3.1 Collect and validate data that measure key risk indicators (KRIs) to monitor and communicate their status to relevant stakeholders.
3.2 Monitor and communicate key risk indicators (KRIs) and management activities to assist relevant stakeholders in their decision-making process.
3.3 Facilitate independent risk assessments and risk management process reviews to ensure they are performed efficiently and effectively.
3.4 Identify and report on risk, including compliance, to initiate corrective action and meet business and regulatory requirements.

Domain 3—Knowledge Statements:

3.1 Knowledge of standards, frameworks and leading practices related to risk monitoring
3.2 Knowledge of principles of risk ownership
3.3 Knowledge of risk and compliance reporting requirements, tools and techniques
3.4 Knowledge of key performance indicators (KPIs) and key risk indicators (KRIs)
3.5 Knowledge of risk assessment methodologies
3.6 Knowledge of data extraction, validation, aggregation and analysis tools and techniques
3.7 Knowledge of various types of reviews of the organization’s risk monitoring process (e.g. internal and external audits, peer reviews, regulatory reviews, quality reviews)
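Added worked example (not part of the ISACA job practice or of the course material above): the quantitative risk evaluation, risk register entry and residual risk of Domain 1, the cost-benefit selection of a risk response of Domain 2, and the KRI threshold check of Domain 3, in Python. The scenario, control options, figures, appetite and thresholds are all constructed for illustration; the SLE/ALE arithmetic is the standard single-loss-expectancy and annualised-loss-expectancy method, and "escalate" is a label chosen here for the case where no available control brings residual risk within appetite and management must decide whether to avoid or transfer.

```python
"""Quantitative risk evaluation, risk response cost-benefit and KRI checks.

Added worked example; not ISACA or course material. Every figure below is
constructed for illustration only.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class RiskScenario:
    risk_id: str
    description: str
    owner: str              # risk owner accountable for the response
    asset_value: float      # value of the affected asset, in currency units
    exposure_factor: float  # fraction of asset value lost in one event (0..1)
    aro: float              # annualised rate of occurrence (events per year)

    def sle(self) -> float:
        """Single loss expectancy: expected loss from one occurrence."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualised loss expectancy: SLE x ARO, the inherent risk in money terms."""
        return self.sle() * self.aro


@dataclass
class Control:
    name: str
    annual_cost: float
    aro_reduction: float = 0.0  # fraction by which the control lowers ARO (0..1)
    ef_reduction: float = 0.0   # fraction by which it lowers the exposure factor


def residual_ale(risk: RiskScenario, control: Control) -> float:
    """ALE that remains once the control operates as designed (residual risk)."""
    ef = risk.exposure_factor * (1.0 - control.ef_reduction)
    aro = risk.aro * (1.0 - control.aro_reduction)
    return risk.asset_value * ef * aro


def net_benefit(risk: RiskScenario, control: Control) -> float:
    """Annual risk reduction minus annual control cost (cost-benefit analysis)."""
    return risk.ale() - residual_ale(risk, control) - control.annual_cost


def rosi(risk: RiskScenario, control: Control) -> float:
    """Return on security investment: net benefit per unit of control cost."""
    return net_benefit(risk, control) / control.annual_cost


def select_response(risk: RiskScenario, options: List[Control],
                    appetite: float) -> Tuple[str, Optional[Control]]:
    """Choose a risk response against a per-scenario appetite (max residual ALE).

    accept   - inherent ALE is already within appetite
    mitigate - cheapest control whose residual ALE is within appetite
    escalate - no option meets appetite; management decides to avoid or transfer
    """
    if risk.ale() <= appetite:
        return "accept", None
    viable = [c for c in options if residual_ale(risk, c) <= appetite]
    if not viable:
        return "escalate", None
    return "mitigate", min(viable, key=lambda c: c.annual_cost)


def kri_status(value: float, warn: float, critical: float,
               higher_is_worse: bool = True) -> str:
    """Map a KRI reading onto green/amber/red against agreed thresholds."""
    if not higher_is_worse:  # e.g. backup restore success rate: lower is worse
        value, warn, critical = -value, -warn, -critical
    if value >= critical:
        return "red"
    if value >= warn:
        return "amber"
    return "green"


# Constructed register entry: ransomware on the main file server.
RANSOMWARE = RiskScenario("R-01", "Ransomware encrypts file server", "Head of IT Ops",
                          asset_value=2_000_000, exposure_factor=0.25, aro=0.2)
OPTIONS = [
    Control("Immutable offline backups", annual_cost=30_000, ef_reduction=0.8),
    Control("EDR rollout", annual_cost=60_000, aro_reduction=0.6),
    Control("Full network segmentation rebuild", annual_cost=150_000, aro_reduction=0.9),
]
APPETITE = 25_000  # constructed: max residual ALE the board will carry per scenario


def build_register_row(risk: RiskScenario, options: List[Control], appetite: float) -> dict:
    """One risk register row: inherent ALE, chosen response, residual ALE, owner."""
    response, control = select_response(risk, options, appetite)
    residual = residual_ale(risk, control) if control else risk.ale()
    return {"risk_id": risk.risk_id, "owner": risk.owner, "inherent_ale": risk.ale(),
            "response": response, "control": control.name if control else None,
            "residual_ale": residual, "within_appetite": residual <= appetite}


if __name__ == "__main__":
    for c in OPTIONS:
        print(f"{c.name:35s} residual={residual_ale(RANSOMWARE, c):>9,.0f} "
              f"net benefit={net_benefit(RANSOMWARE, c):>9,.0f} ROSI={rosi(RANSOMWARE, c):.2f}")
    print(build_register_row(RANSOMWARE, OPTIONS, APPETITE))
    # Constructed KRI: share of critical patches older than 30 days (warn 5%, critical 10%).
    print("patch KRI:", kri_status(7.0, warn=5.0, critical=10.0))
```

The point the numbers make: the EDR option halves the loss expectancy but its annual cost equals the reduction, so its net benefit is zero, while the cheapest option that actually brings residual ALE within appetite (backups) is the one the register records; a control that costs more than the risk it removes has negative ROSI and is a candidate for acceptance or transfer instead.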

Domain 4—Information Systems Control Design and Implementation

Design and implement information systems controls in alignment with the organization’s risk appetite and tolerance levels to support business objectives.

Domain 4—Task Statements:
4.1 Interview process owners and review process design documentation to gain an understanding of the business process objectives.
4.2 Analyze and document business process objectives and design to identify required information systems controls.
4.3 Design information systems controls in consultation with process owners to ensure alignment with business needs and objectives.
4.4 Facilitate the identification of resources (e.g., people, infrastructure, information, architecture) required to implement and operate information systems controls at an optimal level.
4.5 Monitor the information systems control design and implementation process to ensure that it is implemented effectively and within time, budget and scope.
4.6 Provide progress reports on the implementation of information systems controls to inform stakeholders and to ensure that deviations are promptly addressed.
4.7 Test information systems controls to verify effectiveness and efficiency prior to implementation.
4.8 Implement information systems controls to mitigate risk.
4.9 Facilitate the identification of metrics and key performance indicators (KPIs) to enable the measurement of information systems control performance in meeting business objectives.
4.10 Assess and recommend tools to automate information systems control processes.
4.11 Provide documentation and training to ensure information systems controls are effectively performed.
4.12 Ensure all controls are assigned control owners to establish accountability.
4.13 Establish control criteria to enable control life cycle management.

Domain 4—Knowledge Statements:
4.1 Knowledge of standards, frameworks and leading practices related to information systems control design and implementation
4.2 Knowledge of business process review tools and techniques
4.3 Knowledge of testing methodologies and practices related to information systems control design and implementation
4.4 Knowledge of control practices related to business processes and initiatives
4.5 Knowledge of the information systems architecture (e.g., platforms, networks, application, databases and operating systems)
4.6 Knowledge of controls related to information security
4.7 Knowledge of controls related to third-party management
4.8 Knowledge of controls related to data management
4.9 Knowledge of controls related to the system development life cycle
4.10 Knowledge of controls related to project and program management
4.11 Knowledge of controls related to business continuity and disaster recovery management
4.12 Knowledge of controls related to management of IT operations
4.13 Knowledge of software and hardware certification and accreditation practices
4.14 Knowledge of the concept of control objectives
4.15 Knowledge of governance, risk and compliance (GRC) tools
4.16 Knowledge of tools and techniques to educate and train users

Domain 5—IS Control Monitoring and Maintenance

Monitor and maintain information systems controls to ensure they function effectively and efficiently.

Domain 5—Task Statements:
5.1 Plan, supervise and conduct testing to confirm continuous efficiency and effectiveness of information systems controls.
5.2 Collect information and review documentation to identify information systems control deficiencies.
5.3 Review information systems policies, standards and procedures to verify that they address the organization’s internal and external requirements.
5.4 Assess and recommend tools and techniques to automate information systems control verification processes.
5.5 Evaluate the current state of information systems processes using a maturity model to identify the gaps between current and targeted process maturity.
5.6 Determine the approach to correct information systems control deficiencies and maturity gaps to ensure that deficiencies are appropriately considered and remediated.
5.7 Maintain sufficient, adequate evidence to support conclusions on the existence and operating effectiveness of information systems controls.
5.8 Provide information systems control status reporting to relevant stakeholders to enable informed decision making.

Domain 5—Knowledge Statements:
5.1 Knowledge of standards, frameworks and leading practices related to information systems control monitoring and maintenance
5.2 Knowledge of enterprise security architecture
5.3 Knowledge of monitoring tools and techniques
5.4 Knowledge of maturity models
5.5 Knowledge of control objectives, activities and metrics related to IT operations and business processes and initiatives
5.6 Knowledge of control objectives, activities and metrics related to incident and problem management
5.7 Knowledge of security testing and assessment tools and techniques
5.8 Knowledge of control objectives, activities and metrics related to architecture (platforms, networks, application, databases and operating systems)
5.9 Knowledge of control objectives, activities and metrics related to information security
5.10 Knowledge of control objectives, activities and metrics related to third-party management

CRISC Boot Camp – Training Benefits and Goals:

The CRISC training offers students outstanding benefits, including:

  • Three full days of intense instruction with no outside distractions
  • In-person access to top security experts in the industry
  • Lunch and snacks provided on each day of class
  • Worldwide recognition as a certified risk and information systems control professional
  • Opportunity to build upon existing certifications/credentials already earned
  • Tangible evidence of career growth
  • Potential for a salary increase and/or promotion
  • Intense courseware: ISACA authorized courseware, including the CRISC Review Manual and the CRISC Review Questions, Answers & Explanations Manual
  • Excellent certification preparation (note that students are responsible for registering for the exam and for transportation to the exam; InfoSec Institute will not provide exam logistics or transportation support)