Certified in Risk and Information Systems Control (CRISC) Training

Commitment 5 Days, 7-8 hours a day.
Language English
User Ratings Average User Rating 4.8
Delivery Options Instructor-Led Onsite, Online, and Classroom Live


Propel your career with CRISC certification and build a greater understanding of the impact of IT risk and how it relates to your organization. In this Certified in Risk and Information Systems Control (CRISC) Training course, you’ll cover all four domains of the ISACA Certified in Risk and Information Systems Control (CRISC) exam and gain the knowledge and concepts required to obtain CRISC certification. Since its inception in 2010, the CRISC certification has been designed for IT and business professionals who identify and manage risk through the development, implementation, and maintenance of appropriate information systems (IS) controls.

Required Exams:

Domain 1 – Information Security Governance (24%)
Domain 2 – Information Risk Management (30%)
Domain 3 – Information Security Program Development and Management (27%)
Domain 4 – Information Security Incident

  • All ISACA certification exams consist of 150 multiple-choice questions that cover the respective job practice areas created from the most recent job practice analysis.
  • You have 4 hours to complete the exam.


The CRISC continuing professional education (CPE) policy requires that you attain at least 20 CPE hours per year and 120 CPE hours every three years.

Visit the ISACA website for additional detail.

  • 3 Days of CRISC Training with an expert instructor
  • ISACA issued CRISC Training Courseware / Review Manual
  • ISACA issued CRISC Review Questions, Answers & Explanations (QAE)
  • Certificate of Completion
  • 100% Satisfaction Guarantee
  • Exam Pass Guarantee



This Certified in Risk and Information Systems Control (CRISC) Training boot camp prepares you to pass the ISACA CRISC exam, which covers four domain areas designed to reflect the work performed by IT risk professionals:

  • Domain 1: Governance
  • Domain 2: IT risk assessment
  • Domain 3: Risk response and reporting
  • Domain 4: Information technology security

You will also learn how to:

  • Identify risks related to an organization’s internal and external business and IT environments
  • Identify potential threats and vulnerabilities to the organization’s people, processes, and technology
  • Develop and analyze IT risk scenarios to determine the potential impact
  • Identify the effectiveness of existing controls
  • Identify key stakeholders and assign risk ownership
  • Communicate results of risk assessments
  • Consult with risk owners on the design and implementation of mitigating controls
  • Define and establish data-driven key risk indicators
  • Monitor changes in risk indicators
  • Report risk indicator changes to key stakeholders
  • Analyze risk indicators to determine the effectiveness of existing controls

  • We can adapt this Certified in Risk and Information Systems Control (CRISC) Training course to your group’s background and work requirements at little to no added cost.
  • If you are familiar with some aspects of this Certified in Risk and Information Systems Control (CRISC) course, we can omit or shorten their discussion.
  • We can adjust the emphasis placed on the various topics or build the Certified in Risk and Information Systems Control (CRISC) Course around the mix of technologies of interest to you (including technologies other than those included in this outline).
  • If your background is nontechnical, we can exclude the more technical topics, include the topics that may be of special interest to you (e.g., as a manager or policy-maker), and present the Certified in Risk and Information Systems Control (CRISC) course in a manner understandable to lay audiences.

Certified in Risk and Information Systems Control (CRISC) Training is intended for risk and control professionals. Sample job titles might include:

  • IT Professionals
  • Control Professionals
  • Project Managers
  • Risk Professionals
  • Business Analysts
  • Compliance Professionals

The knowledge and skills that a learner must have before attending this Certified in Risk and Information Systems Control (CRISC) Training course are as follows:

  • There are no prerequisites to take the exam. However, to apply for certification, you must meet the experience requirements set by ISACA: a minimum of three years of cumulative work experience performing the tasks of a CRISC professional across two of the four CRISC domains. Of these two required domains, one must be either Domain 1 or Domain 2 (risk identification or assessment).


Domain 1 – Governance

A. Organizational Governance

  • Organizational strategy, goals, and objectives
  • Organizational structure, roles, and responsibilities
  • Organizational culture
  • Policies and standards
  • Business processes
  • Organizational assets

B. Risk Governance

  • Enterprise risk management and risk management framework
  • Three lines of defense
  • Risk profile
  • Risk appetite and risk tolerance
  • Legal, regulatory, and contractual requirements
  • Professional ethics of risk management

Domain 2 – IT Risk Assessment

A. IT Risk Identification

  • Risk events (e.g., contributing conditions, loss result)
  • Threat modeling and threat landscape
  • Vulnerability and control deficiency analysis (e.g., root cause analysis)
  • Risk scenario development

B. IT Risk Analysis and Evaluation

  • Risk assessment concepts, standards, and frameworks
  • Risk register
  • Risk analysis methodologies
  • Business impact analysis
  • Inherent and residual risk

Domain 3 – Risk Response and Reporting

A. Risk Response

  • Risk treatment/risk response options
  • Risk and control ownership
  • Third-party risk management
  • Issue, finding, and exception management
  • Management of emerging risk

B. Control Design and Implementation

  • Control types, standards, and frameworks
  • Control design, selection, and analysis
  • Control implementation
  • Control testing and effectiveness evaluation

C. Risk Monitoring and Reporting

  • Risk treatment plans
  • Data collection, aggregation, analysis, and validation
  • Risk and control monitoring techniques
  • Risk and control reporting techniques (heatmap, scorecards, and dashboards)
  • Key performance indicators
  • Key risk indicators (KRIs)
  • Key control indicators (KCIs)

Domain 4 – Information Technology and Security

A. Information Technology Principles

  • Enterprise architecture
  • IT operations management (e.g., change management, IT assets, problems, and incidents)
  • Project management
  • Disaster recovery management (DRM)
  • Data lifecycle management
  • System development life cycle (SDLC)
  • Emerging technologies

B. Information Security Principles

  • Information security concepts, frameworks, and standards
  • Information security awareness training
  • Business continuity management
  • Data privacy and data protection principles

Course Recap, Q/A, and Evaluations