Certified in Risk and Information Systems Control (CRISC) Certification Training

This domain breaks down into two governance subcategories:

Organizational Governance A

• Organizational strategy, goals, and objectives
• Organizational structure, roles, and responsibilities
• Organizational culture
• Policies and standards
• Business processes
• Organizational assets

Risk Governance B

• Enterprise risk management and risk management framework
• Three lines of defense
• Risk profile
• Risk appetite and risk tolerance
• Legal, regulatory and contractual requirements
• Professional ethics of risk management

This domain breaks down into two distinct sections:

IT Risk Identification A

• Risk events (e.g., contributing conditions, loss result)
• Threat modeling and threat landscape
• Vulnerability and control deficiency analysis (e.g., root cause analysis)
• Risk scenario development

IT Risk Analysis and Evaluation B

• Risk assessment concepts, standards, and frameworks
• Risk register
• Risk analysis methodologies
• Business impact analysis
• Inherent and residual risk

This domain is split into three sub-sections.

Risk Response A

• Risk treatment/risk response options
• Risk and control ownership
• Third-party risk management
• Issue, finding, and exception management
• Management of emerging risk

Control Design and Implementation B

• Control types, standards, and frameworks
• Control design, selection, and analysis
• Control implementation
• Control testing and effectiveness evaluation

Risk Monitoring and Reporting C

• Risk treatment plans
• Data collection, aggregation, analysis, and validation
• Risk and control monitoring techniques
• Risk and control reporting techniques (heatmap, scorecards, and dashboards)
• Key performance indicators
• Key risk indicators (KRIs)
• Key control indicators (KCIs)

This domain is split into two sections.

Information Technology Principles A

• Enterprise architecture
• IT operations management (e.g., change management, IT assets, problems, and incidents)
• Project management
• Disaster recovery management (DRM)
• Data lifecycle management
• System development life cycle (SDLC)
• Emerging technologies

Information Security Principles B

• Information security concepts, frameworks, and standards
• Information security awareness training
• Business continuity management
• Data privacy and data protection principle

A certification from ISACA demonstrates your skills in IT risk management and cybersecurity. It will improve your career prospects by building your credibility and showing your commitment to staying informed about current practices. To earn the CRISC certification, you must pass the ISACA CRISC exam. We will prepare you for the exam through comprehensive guidance and exam samples.   

About The CRISC Exam: 

Starting on November 3, 2025, ISACA’s CRISC certification will reflect updated job practice areas. The updated exam content outline (ECO) is as follows: 

Comparison of 2021 to 2025 CRISC exam content outline (ECO) domains: 

The Risk Response and Reporting domain remains the largest at 32%, but the IT Risk Assessment domain has increased from 20% to 22%. Meanwhile, the Information Technology and Security domain has decreased to 20%.