CRISC Four Domains Brief
February 5, 2023 | Author: Anonymous | Category: N/A
KNOWLEDGE STATEMENTS
The CRISC candidate should be familiar with the task statements relevant to each domain in the CRISC job practice. The tasks are supported by 41 knowledge statements that delineate each of the areas in which the risk practitioner must have a good understanding in order to perform the tasks. Many knowledge statements support tasks that cross domains.

The CRISC candidate should have knowledge of:

1. Laws, regulations, standards and compliance requirements
2. Industry trends and emerging technologies
3. Enterprise systems architecture (e.g., platforms, networks, applications, databases and operating systems)
4. Business goals and objectives
5. Contractual requirements with customers and third-party service providers
6. Threats and vulnerabilities related to:
   6.1 Business processes and initiatives
   6.2 Third-party management
   6.3 Data management
   6.4 Hardware, software and appliances
   6.5 The system development life cycle (SDLC)
   6.6 Project and program management
   6.7 Business continuity and disaster recovery management (DRM)
   6.8 Management of IT operations
   6.9 Emerging technologies
7. Methods to identify risk
8. Risk scenario development tools and techniques
9. Risk identification and classification standards, and frameworks
10. Risk events/incident concepts (e.g., contributing conditions, lessons learned, loss result)
11. Elements of a risk register
12. Risk appetite and tolerance
13. Risk analysis methodologies (quantitative and qualitative)
14. Organizational structures
15. Organizational culture, ethics and behavior
16. Organizational assets (e.g., people, technology, data, trademarks, intellectual property) and business processes, including enterprise risk management (ERM)
17. Organizational policies and standards
18. Business process review tools and techniques
19. Analysis techniques (e.g., root cause, gap, cost-benefit, return on investment [ROI])
20. Capability assessment models and improvement techniques and strategies
21. Data analysis, validation and aggregation techniques (e.g., trend analysis, modeling)
22. Data collection and extraction tools and techniques
23. Principles of risk and control ownership
24. Characteristics of inherent and residual risk
25. Exception management practices
26. Risk assessment standards, frameworks and techniques
27. Risk response options (i.e., accept, mitigate, avoid, transfer) and criteria for selection
28. Information security concepts and principles, including confidentiality, integrity and availability of information
29. Systems control design and implementation, including testing methodologies and practices
30. The impact of emerging technologies on design and implementation of controls
31. Requirements, principles, and practices for educating and training on risk and control activities
32. Key risk indicators (KRIs)
33. Risk monitoring standards and frameworks
34. Risk monitoring tools and techniques
35. Risk reporting tools and techniques
36. IT risk management best practices
37. Key performance indicators (KPIs)
38. Control types, standards, and frameworks
39. Control monitoring and reporting tools and techniques
40. Control assessment types (e.g., self-assessments, audits, vulnerability assessments, penetration tests, third-party assurance)
41. Control activities, objectives, practices and metrics related to:
   41.1 Business processes
   41.2 Information security, including technology certification and accreditation practices
   41.3 Third-party management, including service delivery
   41.4 Data management
   41.5 The system development life cycle (SDLC)
   41.6 Project and program management
   41.7 Business continuity and disaster recovery management (DRM)
   41.8 IT operations management
   41.9 The information systems architecture (e.g., platforms, networks, applications, databases and operating systems)
Chapter 1: IT Risk Identification

DOMAIN DEFINITION
Identify the universe of IT risk to contribute to the execution of the IT risk management strategy in support of business objectives and in alignment with the enterprise risk management (ERM) strategy.

LEARNING OBJECTIVES
The objective of this domain is to ensure that the CRISC candidate has the knowledge necessary to:
• Identify relevant standards, frameworks and practices
• Apply risk identification techniques
• Distinguish between threats and vulnerabilities
• Identify relevant stakeholders
• Discuss risk scenario development tools and techniques
• Explain the meaning of key risk management concepts, including risk appetite and risk tolerance
• Describe the key elements of a risk register
• Contribute to the creation of a risk awareness program

CRISC EXAM REFERENCE
This domain represents 27 percent of the CRISC exam (approximately 41 questions).

TASK AND KNOWLEDGE STATEMENTS
TASKS
There are seven tasks within this domain that a CRISC candidate must know how to perform. These relate to IT risk identification.

T1.1 Collect and review information, including existing documentation, regarding the organization's internal and external business and IT environments to identify potential impacts of IT risk to the organization's business objectives and operations.
T1.2 Identify potential threats and vulnerabilities to the organization's people, processes and technology to enable IT risk analysis.
T1.3 Develop a comprehensive set of IT risk scenarios based on available information to determine the potential impact to business objectives and operations.
T1.4 Identify key stakeholders for IT risk scenarios to help establish accountability.
T1.5 Establish an IT risk register to help ensure that identified IT risk scenarios are accounted for and incorporated into the enterprisewide risk profile.
T1.6 Identify risk appetite and tolerance defined by senior leadership and key stakeholders to ensure alignment with business objectives.
T1.7 Collaborate in the development of a risk awareness program, and conduct training to ensure that stakeholders understand risk and to promote a risk-aware culture.
Chapter 2: IT Risk Assessment

LEARNING OBJECTIVES
The objective of this domain is to ensure that the CRISC candidate has the knowledge necessary to:
• Identify and apply risk assessment techniques
• Analyze risk scenarios
• Identify current state of controls
• Assess gaps between current and desired states of the IT risk environment
• Communicate IT risk assessment results to relevant stakeholders

CRISC EXAM REFERENCE
This domain represents 28 percent of the CRISC exam (approximately 42 questions).

TASK AND KNOWLEDGE STATEMENTS
TASKS
There are six tasks within this domain that a CRISC candidate must know how to perform. These relate to the IT risk assessment process.

T2.1 Analyze risk scenarios based on organizational criteria (e.g., organizational structure, policies, standards, technology, architecture, controls) to determine the likelihood and impact of an identified risk.
T2.2 Identify the current state of existing controls and evaluate their effectiveness for IT risk mitigation.
T2.3 Review the results of risk and control analysis to assess any gaps between current and desired states of the IT risk environment.
T2.4 Ensure that risk ownership is assigned at the appropriate level to establish clear lines of accountability.
T2.5 Communicate the results of risk assessments to senior management and appropriate stakeholders to enable risk-based decision making.
T2.6 Update the risk register with the results of the risk assessment.
Chapter 3: Risk Response and Mitigation

DOMAIN DEFINITION
Determine risk response options and evaluate their efficiency and effectiveness to manage risk in alignment with business objectives.

LEARNING OBJECTIVES
The objective of this domain is to ensure that the CRISC candidate has the knowledge necessary to:
• List the different risk response options
• Define various parameters for risk response selection
• Explain how residual risk relates to inherent risk, risk appetite and risk tolerance
• Discuss the need for performing a cost-benefit analysis when determining a risk response
• Develop a risk action plan
• Explain the principles of risk ownership
• Leverage an understanding of the system development life cycle (SDLC) process to implement IS controls efficiently and effectively
• Understand the need for control maintenance

TASK AND KNOWLEDGE STATEMENTS
TASKS
There are seven tasks within this domain that a CRISC candidate must know how to perform. These relate to risk response and mitigation.

T3.1 Consult with risk owners to select and align recommended risk responses with business objectives and enable informed risk decisions.
T3.2 Consult with, or assist, risk owners on the development of risk action plans to ensure that plans include key elements (e.g., response, cost, target date).
T3.3 Consult on the design and implementation or adjustment of mitigating controls to ensure that the risk is managed to an acceptable level.
T3.4 Ensure that control ownership is assigned in order to establish clear lines of accountability.
T3.5 Assist control owners in developing control procedures and documentation to enable efficient and effective control execution.
T3.6 Update the risk register to reflect changes in risk and management's risk response.
T3.7 Validate that risk responses have been executed according to the risk action plans.
Chapter 4: Risk and Control Monitoring and Reporting

DOMAIN DEFINITION
Continuously monitor and report on IT risk and controls to relevant stakeholders to ensure the continued efficiency and effectiveness of the IT risk management strategy and its alignment to business objectives.

LEARNING OBJECTIVES
The objective of this domain is to ensure that the CRISC candidate has the knowledge necessary to:
• Differentiate between key risk indicators (KRIs) and key performance indicators (KPIs)
• Describe data extraction, aggregation and analysis tools and techniques
• Compare different monitoring tools and techniques
• Describe various testing and assessment tools and techniques

CRISC EXAM REFERENCE
This domain represents 22 percent of the CRISC exam (approximately 33 questions).

TASK AND KNOWLEDGE STATEMENTS
TASKS
There are seven tasks within this domain that a CRISC candidate must know how to perform. These relate to risk and control monitoring and reporting.

T4.1 Define and establish key risk indicators (KRIs) and thresholds based on available data, to enable monitoring of changes in risk.
T4.2 Monitor and analyze key risk indicators (KRIs) to identify changes or trends in the IT risk profile.
T4.3 Report on changes or trends related to the IT risk profile to assist management and relevant stakeholders in decision making.
T4.4 Facilitate the identification of metrics and key performance indicators (KPIs) to enable the measurement of control performance.
T4.5 Monitor and analyze key performance indicators (KPIs) to identify changes or trends related to the control environment and determine the efficiency and effectiveness of controls.
T4.6 Review the results of control assessments to determine the effectiveness of the control environment.
T4.7 Report on the performance of, changes to, or trends in the overall risk profile and control environment to relevant stakeholders to enable decision making.
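The threshold-and-trend monitoring that tasks T4.1, T4.2, T4.3 and T4.7 describe, as an added Python example that is not part of the CRISC brief or any ISACA material. The KRI names, the amber/red thresholds and the monthly readings are all constructed for illustration; a real programme would take the thresholds from the tolerance set by management and the readings from vulnerability, identity and DR tooling.

```python
"""KRI threshold and trend monitor (added example; hypothetical KRIs and data)."""
from dataclasses import dataclass
from statistics import mean
from typing import Dict, List


@dataclass(frozen=True)
class KRI:
    """A key risk indicator with an amber (warning) and a red (critical) threshold.

    Red marks the point at which the reading breaches the tolerance management
    has set; amber gives early warning before that point is reached.
    """
    name: str
    warning: float
    critical: float
    higher_is_worse: bool = True


# Hypothetical KRIs; names and thresholds are assumptions for this example.
SAMPLE_KRIS: List[KRI] = [
    KRI("unpatched_critical_cves_over_30d", warning=5, critical=15),
    KRI("privileged_accounts_without_mfa_pct", warning=2.0, critical=5.0),
    KRI("failed_dr_tests_last_4q", warning=1, critical=2),
    KRI("backup_restore_success_pct", warning=95.0, critical=90.0, higher_is_worse=False),
]

# Constructed monthly readings, oldest first (not real measurements).
SAMPLE_SERIES: Dict[str, List[float]] = {
    "unpatched_critical_cves_over_30d": [3, 4, 6, 12],
    "privileged_accounts_without_mfa_pct": [6.0, 4.0, 2.5, 1.5],
    "failed_dr_tests_last_4q": [0, 0, 0, 2],
    "backup_restore_success_pct": [99.0, 98.0, 97.0, 92.0],
}


def status(kri: KRI, value: float) -> str:
    """Rate a single reading green, amber or red against the KRI's thresholds."""
    if kri.higher_is_worse:
        if value >= kri.critical:
            return "red"
        return "amber" if value >= kri.warning else "green"
    if value <= kri.critical:
        return "red"
    return "amber" if value <= kri.warning else "green"


def trend(series: List[float], window: int = 3, tolerance: float = 0.05) -> str:
    """Compare the latest reading with the mean of the preceding `window` readings.

    Returns "rising", "falling" or "flat"; the tolerance band keeps ordinary
    month-to-month noise from being reported as a change in the risk profile.
    """
    if len(series) < 2:
        return "flat"
    latest, prior = series[-1], series[-window - 1:-1]
    baseline = mean(prior)
    if baseline == 0:
        return "rising" if latest > 0 else "flat"
    if latest > baseline * (1 + tolerance):
        return "rising"
    if latest < baseline * (1 - tolerance):
        return "falling"
    return "flat"


def deteriorating(kri: KRI, direction: str) -> bool:
    """True when the indicator is moving in its adverse direction."""
    return direction == ("rising" if kri.higher_is_worse else "falling")


def evaluate(kris: List[KRI], series: Dict[str, List[float]]) -> Dict[str, dict]:
    """Current status, trend and escalation flag for every KRI."""
    result = {}
    for kri in kris:
        values = series[kri.name]
        current = status(kri, values[-1])
        direction = trend(values)
        worse = deteriorating(kri, direction)
        # Escalate to the risk owner on any red, or on an amber still moving the wrong way.
        result[kri.name] = {
            "value": values[-1],
            "status": current,
            "trend": direction,
            "deteriorating": worse,
            "escalate": current == "red" or (current == "amber" and worse),
        }
    return result


def escalations(kris: List[KRI], series: Dict[str, List[float]]) -> List[str]:
    """Names of the KRIs that need reporting to management this period."""
    return sorted(name for name, r in evaluate(kris, series).items() if r["escalate"])


def report(kris: List[KRI], series: Dict[str, List[float]]) -> List[str]:
    """One summary line per KRI, suitable for a stakeholder report."""
    lines = []
    for name, r in evaluate(kris, series).items():
        flag = " ESCALATE" if r["escalate"] else ""
        lines.append(f"{name}: {r['value']} [{r['status']}] trend={r['trend']}{flag}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_KRIS, SAMPLE_SERIES)))
```

The `higher_is_worse` flag matters: a coverage-style KRI such as restore success rate is breached when it falls, so its thresholds and its adverse trend direction are inverted, and a monitor that assumes "bigger is worse" for every indicator would report a collapsing backup success rate as an improvement.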