The ISACA CRISC Exam is challenging and thorough preparation is essential for success. This exam study guide is designed to help you prepare for the CRISC certification exam. It contains a detailed list of the topics covered on the Professional exam, as well as a detailed list of preparation resources. These study guides for the ISACA Risk and Information Systems Control will help guide you through the study process for your certification.
CRISC ISACA Risk and Information Systems Control Exam Summary
● Exam Name: ISACA Risk and Information Systems Control
● Exam Code: CRISC
● Exam Price ISACA Member: $575 (USD)
● Exam Price ISACA Nonmember: $760 (USD)
● Duration: 240 mins
● Number of Questions: 150
● Passing Score: 450/800
● Books / Training:
● Schedule Exam: Exam Registration
● Sample Questions: ISACA CRISC Sample Questions
● Recommended Practice: ISACA CRISC Certification Practice Exam
Exam Syllabus: CRISC ISACA Certified in Risk and Information Systems Control
1. Governance (26%)
A. Organizational Governance
● Organizational Strategy, Goals, and Objectives
● Organizational Structure, Roles, and Responsibilities
● Organizational Culture
● Policies and Standards
● Business Processes
● Organizational Assets
B. Risk Governance
● Enterprise Risk Management and Risk Management Framework
● Three Lines of Defense
● Risk Profile
● Risk Appetite and Risk Tolerance
● Legal, Regulatory, and Contractual Requirements
● Professional Ethics of Risk Management
2. IT Risk Assessment (20%)
A. IT Risk Identification
● Risk Events (e.g., contributing conditions, loss result)
● Threat Modelling and Threat Landscape
● Vulnerability and Control Deficiency Analysis (e.g., root cause analysis)
● Risk Scenario Development
B. IT Risk Analysis and Evaluation
● Risk Assessment Concepts, Standards, and Frameworks
● Risk Register
● Risk Analysis Methodologies
● Business Impact Analysis
● Inherent and Residual Risk
3. Risk Response and Reporting (32%)
A. Risk Response
● Risk Treatment / Risk Response Options
● Risk and Control Ownership
● Third-Party Risk Management
● Issue, Finding, and Exception Management
● Management of Emerging Risk
B. Control Design and Implementation
● Control Types, Standards, and Frameworks
● Control Design, Selection, and Analysis
● Control Implementation
● Control Testing and Effectiveness Evaluation
C. Risk Monitoring and Reporting
● Risk Treatment Plans
● Data Collection, Aggregation, Analysis, and Validation
● Risk and Control Monitoring Techniques
● Risk and Control Reporting Techniques (heatmap, scorecards, dashboards)
● Key Performance Indicators
● Key Risk Indicators (KRIs)
● Key Control Indicators (KCIs)
4. Information Technology and Security (22%)
A. Information Technology Principles
● Enterprise Architecture
● IT Operations Management (e.g., change management, IT assets, problems, incidents)
● Project Management
● Disaster Recovery Management (DRM)
● Data Lifecycle Management
● System Development Life Cycle (SDLC)
● Emerging Technologies
B. Information Security Principles
● Information Security Concepts, Frameworks, and Standards
● Information Security Awareness Training
● Business Continuity Management
● Data Privacy and Data Protection Principles
ISACA CRISC Certification Sample Questions and Answers
To make you familiar with ISACA Risk and Information Systems Control (CRISC) certification exam structure, we have prepared this sample question set. We suggest you try ourSample Questions for Risk and Information Systems Control CRISC Certification to test your understanding of ISACA CRISC process with the real ISACA certification exam environment.
CRISC ISACA Risk and Information Systems Control Sample Questions:-
01. An IT organization has put in place an anti-malware system to reduce risk. Assuming the control is working within specified parameters, which of the following statements BEST describes how this control reduces risk?
a) The control reduces the probability of malware on company computers but does not reduce the impact of those attacks
b) The control reduces the impact of malware on company computers but does not reduce the probability of those attacks
c) The control reduces the probability and impact of malware on company computers
d) The control reduces neither probability nor impact of malware on company computers
02. Which of the following is the BEST indicator that incident response training is effective?
a) Decreased reporting of security incidents to the response team
b) Increased reporting of security incidents to the response team
c) Decreased number of password resets
d) Increased number of identified system vulnerabilities
03. Which of the following is the BEST way to ensure that contract programmers comply with organizational security policies?
a) Have the contractors acknowledge the security policies in writing
b) Explicitly refer to contractors in the security standards
c) Perform periodic security reviews of the contractors
d) Create penalties for noncompliance in the contracting agreement
04. Which of the following factors will have the GREATEST impact on the type of information security governance model that an enterprise adopts?
a) The number of employees
b) The enterprise’s budget
c) The organizational structure
d) The type of technology that the enterprise uses
05. In an operational review of the processing environment, which indicator would be MOST beneficial?
a) User satisfaction
b) Audit findings
c) Regulatory changes
d) Management changes
06. An enterprise learns of a security breach at another entity using similar network technology. The MOST important action for a risk practitioner is to:
a) Assess the likelihood of the incident occurring at the risk practitioner’s enterprise
b) Discontinue the use of the vulnerable technology
c) Report to senior management that the enterprise is not affected
d) Remind staff that no similar security breaches have taken place
07. Which of the following is MOST useful in developing a series of recovery time objectives?
a) Regression analysis
b) Risk analysis
c) Gap analysis
d) Business impact analysis
08. Which of the following is MOST relevant to include in a cost-benefit analysis of a two-factor authentication system?
a) The approved budget of the project
b) The frequency of incidents
c) The annual loss expectancy of incidents
d) The total cost of ownership
09. Which of the following examples includes ALL required components of a risk calculation?
a) Over the next quarter, it is estimated that there is a 30 percent chance of two projects failing to meet a contract deadline, resulting in a US $500,000 fine related to breach of service level agreements
b) Security experts believe that if a system is compromised, it will result in the loss of US $15 million in lost contracts
c) The likelihood of disk corruption resulting from a single event of uncontrolled system power failure is estimated by engineers to be 15 percent
d) The impact to security of a business line of a malware-related workstation event is estimated to be low
10. A global financial institution has decided not to take any further action on a denial-of-service vulnerability found by the risk assessment team. The MOST likely reason for making this decision is that:
a) The needed countermeasure is too complicated to deploy
b) There are sufficient safeguards in place to prevent this risk from happening
c) The likelihood of the risk occurring is unknown
d) The cost of countermeasure outweighs the value of the asset and potential loss
Answers:-
Answer 1:- b
Answer 2:- b
Answer 3:- c
Answer 4:- c
Answer 5:- a
Answer 6:- a
Answer 7:- d
Answer 8:- d
Answer 9:- a
Answer 10:- d