ISACA Certified in Risk and Information Systems Control (CRISC®)

Area 1: Governance

• Risk assessment concepts, standards and frameworks
• Corporate strategy, goals and targets
• Organizational structure, roles and responsibilities
• Corporate culture and assets
• Guidelines, standards and business processes
• Enterprise risk management, risk management frameworks and three lines of defense
• Risk profile, risk appetite and risk tolerance
• Dealing with the professional ethics of risk management and the requirements of laws, regulations and controls

Area 2: IT Risk Assessment

• Risk events, threat modeling and threat situation
• Analysis of weak points and control deficiencies
• Development of risk scenarios
• Risk register
• Methods of risk analysis
• Analysis of the impact on the business
• Inherent, residual and current risks

Area 3: Risk Response and Reporting

• Risk treatment/risk response options
• Responsibility for risks and controls
• Management of risks from processes, third parties and new sources
• Control types, standards and frameworks
• Control design, selection and analysis
• Control implementation, testing and effectiveness
• Risk treatment plans
• Data collection, aggregation, analysis and validation
• Techniques for risk and control monitoring and reporting
• Key performance, risk and control indicators

Area 4: Information Technology and Security

• Enterprise architecture
• IT operations management
• Project management
• Disaster recovery management
• Data lifecycle management
• System development life cycle
• New technologies
• Concepts, framework conditions, standards and awareness training on information security
• Business continuity management
• Principles of data protection and data security

Requirements: 

There is no formal admission for attending the course.

The requirements for official ISACA® certification are:

1. Passing the CRISC® examination The examination can be taken without professional experience. After passing the exam, certification must be applied for within 5 years.
2. Proof of at least three years of professional experience in IT risk management and in the implementation of information system controls The experience must have been gained within the last ten years before submitting the application or within five years of passing the examination.
3. Coverage of at least two of the four CRISC® domains Professional experience must include practical knowledge in at least two of the following four areas: Governance IT Risk Assessment Risk Response and Reporting Information Technology and Security
4. Verifiability of professional experience Professional experience must be confirmed by a higher authority (e.g. line manager or HR department).
5. Submitting the application for certification to ISACA® Online application via the ISACA® account Payment of an application fee of currently USD 50
6. Acceptance of the ISACA® Code of Professional Ethics Commitment to ethical standards in the practice of the profession
7. Compliance with Continuing Professional Education (CPE) requirements After certification: annual continuing education and proof of title maintenance (at least 20 CPEs per year, 120 within 3 years)