Certified in Risk and Information Systems Control (CRISC)

Learners should have:

• At least three years of professional experience in IT risk management or control, covering a minimum of two CRISC domains (including governance or risk assessment).
• Familiarity with risk frameworks, organisational governance, and control processes.

Target Audience

This course is designed for:

• IT risk and compliance professionals seeking CRISC certification
• Business analysts, project managers, and auditors involved in risk activities
• IT managers, information security officers, and governance specialists responsible for risk oversight

By the end of this course, learners will be able to:

• Explain the governance structures, frameworks, and cultural factors that shape IT risk management.
• Identify, evaluate, and prioritise IT risks using established assessment methodologies.
• Develop and implement risk response strategies aligned with enterprise objectives.
• Design, monitor, and assess IT controls for effectiveness and maturity.
• Report relevant risk and control information to stakeholders to support decision making.
• Recognise the impact of emerging technologies, regulations, and security practices on enterprise risk.
• Apply exam strategies and practice techniques to prepare for the CRISC exam.

Introduction to the CRISC exam

• About the CRISC certification
• Exam structure, scoring, and preparation strategies

Domain 1 – Governance

• Strategy, goals, and objectives
• Organisational structure, culture, ethics, and accountability
• Risk appetite, tolerance, and enterprise risk frameworks
• Policies, standards, legal and regulatory requirements
• Maintaining risk registers and profiles
• Stakeholder communication and reporting

Domain 2 – Risk assessment

• Risk event identification and threat modelling
• Vulnerability management and scenario development
• Business impact analysis and residual risk evaluation
• Risk analysis methodologies and risk register updates
• Promoting a risk-aware culture through awareness and training

Domain 3 – Risk response and reporting

• Risk response options and treatment planning
• Control design, selection, and implementation
• Issue, finding, and exception management
• Vendor and supply chain risk management
• Monitoring and analysing KPIs, KRIs, and KCIs
• Reporting emerging risks to stakeholders

Domain 4 – Technology and security

• Technology roadmaps and enterprise architecture
• IT operations, lifecycle management, and disaster recovery
• Security frameworks, standards, and awareness training
• Data lifecycle management, privacy, and protection
• Emerging technologies and their risk implications

Exam readiness

• Mock exam review
• Time management and test-taking strategies

Exams and Assessments

This course prepares learners for the CRISC exam. The exam is booked separately via ISACA and delivered online. It consists of 150 multiple-choice questions over four hours. A passing score of 450 (out of 800) is required. Practice questions and mock tests are included during the course.

CRSIC exam changes from 3rd Nov 2025, the four CRISC domains remain the same, but the distribution of the exam content will slightly change to the following:

Domain 1: Governance (26 percent)

Domain 2: Risk Assessment (22 percent, compared to 20 percent previously)

Domain 3: Risk Response and Reporting (32 percent)

Domain 4: Technology and Security (20 percent, compared to 22 percent previously)

Hands-On Learning

Learners will engage in:

• Scenario-based group exercises and tabletop simulations
• Risk register development and analysis workshops
• Mock exam practice with guided review from instructors
• Case studies reflecting real-world enterprise risk challenges