00 - Introduction To CRISC Certification v1.01

This document provides an overview and introduction to the Certified in Risk and Information Systems Control (CRISC) certification. It outlines the four domains covered by the CRISC exam: governance, IT risk assessment, risk response and reporting, and information technology and security. For each domain, it lists the topics covered and provides the percentage of the exam allocated to that domain. It also provides the learning objectives and supporting tasks for each domain to help candidates prepare for the exam.


Introduction to CRISC

CRISC PREPARATION
Certification Overview
Introduction to CRISC
Overview

CRISC is the only credential focused on enterprise IT risk management.

The CRISC exam content outline is based on the latest work practices and knowledge, to keep certification holders ahead of the game in tackling real-world threats in today's business landscape.
The CRISC Job Practice
The updated CRISC exam validates your expertise in the four work-related domains listed below, which are applicable across industry verticals (with the share of the exam allocated to each):

Governance: 26%
IT Risk Assessment: 20%
Risk Response and Reporting: 32%
Information Technology and Security: 22%


Learning Objectives
Introduction to CRISC
Governance
Learning Objectives
Domain 1—Governance
A. Organizational Governance
1. Organizational Strategy, Goals and Objectives
2. Organizational Structure, Roles and Responsibilities
3. Organizational Culture
4. Policies and Standards
5. Business Processes
6. Organizational Assets
Domain 1—Governance
B. Risk Governance
1. Enterprise Risk Management and Risk Management Frameworks
2. Three Lines of Defense
3. Risk Profile
4. Risk Appetite and Risk Tolerance
5. Legal, Regulatory and Contractual Requirements
6. Professional Ethics of Risk Management
Supporting Tasks/Learning Objectives
1. Collect and review existing information regarding the organization's business and IT environments
2. Identify potential or realized impacts of IT risk to the organization's business objectives and operations
3. Identify threats and vulnerabilities to the organization's people, processes and technology
4. Evaluate threats, vulnerabilities and risk to identify IT risk scenarios
5. Establish accountability by assigning and validating appropriate levels of risk and control ownership
6. Establish and maintain the IT risk register and incorporate it into the enterprise-wide risk profile
7. Facilitate the identification of risk appetite and risk tolerance by key stakeholders
8. Promote a risk-aware culture by contributing to the development and implementation of security awareness training
9. Conduct a risk assessment by analyzing IT risk scenarios and determining their likelihood and impact
10. Review the results of risk analysis and control analysis to assess any gaps between current and desired states of the IT risk environment
11. Facilitate the selection of recommended risk responses by key stakeholders
12. Collaborate with risk owners on the development of risk treatment plans
13. Collaborate with control owners on the selection, design, implementation and maintenance of controls
14. Define and establish key risk indicators (KRIs)
15. Monitor and analyze key risk indicators (KRIs)
16. Collaborate with control owners on the identification of key performance indicators (KPIs) and key control indicators (KCIs)
IT Risk Assessment
Learning Objectives
Domain 2—IT Risk Assessment
A. IT Risk Identification
1. Risk Events
2. Threat Modeling and Threat Landscape
3. Vulnerability and Control Deficiency Analysis
4. Risk Scenario Development
Domain 2—IT Risk Assessment
B. IT Risk Analysis and Evaluation
1. Risk Assessment Concepts, Standards and Frameworks
2. Risk Register
3. Risk Analysis Methodologies
4. Business Impact Analysis
5. Inherent and Residual Risk
Supporting Tasks/Learning Objectives
1. Identify potential or realized impacts of IT risk to the organization's business objectives and operations
2. Identify threats and vulnerabilities to the organization's people, processes and technology
3. Evaluate threats, vulnerabilities and risk to identify IT risk scenarios
4. Establish and maintain the IT risk register and incorporate it into the enterprise-wide risk profile
5. Facilitate the identification of risk appetite and risk tolerance by key stakeholders
6. Promote a risk-aware culture by contributing to the development and implementation of security awareness training
7. Conduct a risk assessment by analyzing IT risk scenarios and determining their likelihood and impact
8. Identify the current state of existing controls and evaluate their effectiveness for IT risk management
9. Review the results of risk analysis and control analysis to assess any gaps between current and desired states of the IT risk environment
10. Collaborate with control owners on the selection, design, implementation and maintenance of controls
11. Collaborate with control owners on the identification of key performance indicators (KPIs) and key control indicators (KCIs)
12. Review the results of control assessments to determine the effectiveness and maturity of the control environment
13. Conduct aggregation, analysis and validation of risk and control data
14. Report relevant risk and control information to applicable stakeholders to facilitate risk-based decision-making
15. Evaluate emerging technologies and changes to the environment for threats, vulnerabilities and opportunities
16. Evaluate alignment of business practices with risk management and information security frameworks and standards
Risk Response and Reporting
Learning Objectives
Domain 3—Risk Response and Reporting
A. Risk Response
1. Risk Treatment/Risk Response Options
2. Risk and Control Ownership
3. Third-party Risk Management
4. Issue, Finding and Exception Management
5. Management of Emerging Risk
Domain 3—Risk Response and Reporting
B. Control Design and Implementation
1. Control Types, Standards and Frameworks
2. Control Design, Selection and Analysis
3. Control Implementation
4. Control Testing and Effectiveness Evaluation
Domain 3—Risk Response and Reporting
C. Risk Monitoring and Reporting
1. Risk Treatment Plans
2. Data Collection, Aggregation, Analysis and Validation
3. Risk and Control Monitoring Techniques
4. Risk and Control Reporting Techniques
5. Key Performance Indicators
6. Key Risk Indicators
7. Key Control Indicators
Supporting Tasks/Learning Objectives
1. Collect and review existing information regarding the organization's business and IT environments
2. Identify potential or realized impacts of IT risk to the organization's business objectives and operations
3. Identify threats and vulnerabilities to the organization's people, processes and technology
4. Evaluate threats, vulnerabilities and risk to identify IT risk scenarios
5. Establish accountability by assigning and validating appropriate levels of risk and control ownership
6. Establish and maintain the IT risk register and incorporate it into the enterprise-wide risk profile
7. Facilitate the identification of risk appetite and risk tolerance by key stakeholders
8. Promote a risk-aware culture by contributing to the development and implementation of security awareness training
9. Conduct a risk assessment by analyzing IT risk scenarios and determining their likelihood and impact
10. Identify the current state of existing controls and evaluate their effectiveness for IT risk management
11. Review the results of risk analysis and control analysis to assess any gaps between current and desired states of the IT risk environment
12. Facilitate the selection of recommended risk responses by key stakeholders
13. Collaborate with risk owners on the development of risk treatment plans
14. Collaborate with control owners on the selection, design, implementation and maintenance of controls
15. Validate that risk responses have been executed according to risk treatment plans
16. Define and establish key risk indicators (KRIs)
17. Monitor and analyze key risk indicators (KRIs)
18. Collaborate with control owners on the identification of key performance indicators (KPIs) and key control indicators (KCIs)
19. Monitor and analyze key performance indicators (KPIs) and key control indicators (KCIs)
20. Review the results of control assessments to determine the effectiveness and maturity of the control environment
21. Conduct aggregation, analysis and validation of risk and control data
22. Report relevant risk and control information to applicable stakeholders to facilitate risk-based decision-making
23. Evaluate emerging technologies and changes to the environment for threats, vulnerabilities and opportunities
Information Technology and Security
Learning Objectives
Domain 4—Information Technology and Security
A. Information Technology Principles
1. Enterprise Architecture
2. IT Operations Management
3. Project Management
4. Disaster Recovery Management
5. Data Life Cycle Management
6. System Development Life Cycle
7. Emerging Technologies
Domain 4—Information Technology and Security
B. Information Security Principles
1. Information Security Concepts, Frameworks and Standards
2. Information Security Awareness Training
3. Business Continuity Management
4. Data Privacy and Data Protection Principles
Supporting Tasks/Learning Objectives
1. Collect and review existing information regarding the organization's business and IT environments
2. Identify potential or realized impacts of IT risk to the organization's business objectives and operations
3. Identify threats and vulnerabilities to the organization's people, processes and technology
4. Evaluate threats, vulnerabilities and risk to identify IT risk scenarios
5. Establish accountability by assigning and validating appropriate levels of risk and control ownership
6. Facilitate the identification of risk appetite and risk tolerance by key stakeholders
7. Promote a risk-aware culture by contributing to the development and implementation of security awareness training
8. Review the results of risk analysis and control analysis to assess any gaps between current and desired states of the IT risk environment
9. Collaborate with risk owners on the development of risk treatment plans
10. Collaborate with control owners on the selection, design, implementation and maintenance of controls
11. Evaluate emerging technologies and changes to the environment for threats, vulnerabilities and opportunities
12. Evaluate alignment of business practices with risk management and information security frameworks and standards
Sharing and Acknowledgement
Introduction to CRISC
Which role or function do you hold in relation to the CRISC certification?

Are you an ISACA member?

Have you taken the CRISC certification exam before?

Which certification exams have you taken?

How familiar are you with COBIT/COBIT 2019?

How familiar are you with risk management?

Which Indonesian regulations related to IT governance do you know of?
