Certified in Risk and Information Systems Control (CRISC)
Module Domain 1: IT Risk Identification
Gather and assess information, including existing documentation, related to the organization’s internal and external business and IT environments to recognize potential or actual impacts of IT risk on the organization’s business objectives and operations.
Identify potential risks and vulnerabilities to the organization’s people, processes, and technology to facilitate IT risk analysis.
Create a comprehensive set of IT risk scenarios based on available information to evaluate their potential impact on business objectives and operations.
Identify key stakeholders for IT risk scenarios to establish accountability.
Establish an IT risk register to ensure that identified IT risk scenarios are acknowledged and integrated into the enterprise-wide risk profile.
Recognize risk appetite and tolerance as defined by senior leadership and key stakeholders to ensure alignment with business objectives.
Contribute to the development of a risk awareness program and conduct training to ensure that stakeholders comprehend risk and to foster a risk-aware culture.
Module Domain 2: IT Risk Assessment
Assess risk scenarios based on organizational criteria (e.g., organizational structure, policies, standards, technology, architecture, controls) to determine the likelihood and impact of identified risks.
Identify the current state of existing controls and evaluate their effectiveness for IT risk mitigation.
Review the results of risk and control analysis to assess any gaps between the current and desired states of the IT risk environment.
Ensure that risk ownership is assigned at the appropriate level to establish clear lines of accountability.
Communicate the results of risk assessments to senior management and relevant stakeholders to enable risk-based decision making.
Update the risk register with the results of the risk assessment.
Module Domain 3: Risk Response and Mitigation
Collaborate with risk owners to select and align recommended risk responses with business objectives and enable informed risk decisions.
Work with, or assist, risk owners in developing risk action plans to ensure that plans include key elements (e.g., response, cost, target date).
Provide input on the design and implementation or adjustment of mitigating controls to ensure that the risk is managed to an acceptable level.
Ensure that control ownership is assigned to establish clear lines of accountability.
Assist control owners in developing control procedures and documentation to enable efficient and effective control execution.
Update the risk register to reflect changes in risk and management’s risk response.
Validate that risk responses have been executed according to the risk action plans.
Module Domain 4: Risk and Control Monitoring and Reporting
Define and establish key risk indicators (KRIs) and thresholds based on available data to monitor changes in risk.
Monitor and analyze key risk indicators (KRIs) to identify changes or trends in the IT risk profile.
Report on changes or trends related to the IT risk profile to assist management and relevant stakeholders in decision making.
Facilitate the identification of metrics and key performance indicators (KPIs) to measure control performance.
Monitor and analyze key performance indicators (KPIs) to identify changes or trends related to the control environment and determine the efficiency and effectiveness of controls.
Review the results of control assessments to determine the effectiveness of the control environment.
Report on the performance of, changes to, or trends in the overall risk profile and control environment to relevant stakeholders to enable decision making.