You're reading from ISACA Certified in Risk and Information Systems Control (CRISC®) Exam Guide

Product type: Book
Published in: Sep 2023
Publisher: Packt
ISBN-13: 9781803236902
Edition: 1st Edition

Author: Shobhit Mehta

Shobhit Mehta is the Security and Compliance Director at Headspace, an on-demand mental health company in San Francisco, CA. Previously, he worked in different facets of security and assurance with HSBC, Deutsche Bank, Credit Suisse, PayPal, and Fidelity Investments. He also works with ISACA to develop exam questions for CISA, CISM, and CGEIT, served as the technical reviewer for the CGEIT and CISA review manuals, and is a published author for the COBIT 5 journal. He completed his MS in cybersecurity at Northeastern University, Boston, and holds CRISC, CISM, CISA, CGEIT, CISSP, and CCSP certifications. In his spare time, he likes to explore the inclined trails of the Bay Area, complete ultramarathons, and blog on GRCMusings.


CRISC Practice Areas and the ISACA Mindset

If the previous chapter was all about learning about governance, risk, and compliance, and why they are required, this chapter will focus on preparing you for the main goal of this book – to pass the ISACA Certified in Risk and Information Systems Control (CRISC) exam.

The CRISC certification aims to advance your career by helping you understand the impact of IT risk and how it relates to your organization. The CRISC certification demonstrates the holder’s ability to identify and evaluate IT risk, propose strategies to mitigate risk optimally, and help the enterprise accomplish its business objectives.

The ISACA website (https://www.isaca.org/credentialing/crisc) provides an apt description of the certification: The CRISC certification validates your experience in building a well-defined, agile risk-management program, based on best practices to identify, analyze, evaluate, assess, prioritize, and respond to risks. This...

CRISC exam outline

ISACA is well known for updating its job practice areas: the syllabus of every flagship certification exam is revised at least every five years, or the existing practices are updated to meet the professional demands of the industry. The current CRISC exam outline was updated in August 2021 to keep up with industry requirements for IT risk management jobs.

The following table shows a breakdown of the old and new job practice areas:

CRISC job practice areas

I have combined the job practice areas to ease the flow of reading and the logical structure of the book. The following list summarizes the practice areas and their corresponding chapters in this book:

Domain 1 – Governance

  • Organizational governance:
    • Chapter 3, Organizational Governance, Policies, and Risk Management:
      • Organizational strategy, goals, and objectives
      • Organizational structure, roles, and responsibilities
      • Organizational culture
      • Policies and standards
      • Business processes
      • Organizational assets
  • Risk governance:
    • Chapter 4, The Three Lines of Defense and Cybersecurity:
      • Enterprise risk management and the risk management framework
      • Three lines of defense
      • Risk profile
      • Risk appetite, tolerance, and capacity
    • Chapter 5, Legal Requirements and the Ethics of Risk Management:
      • Legal, regulatory, and contractual requirements
      • Professional ethics of risk management

Domain 2 – IT risk assessment

  • IT risk identification:

CRISC exam structure

All ISACA exams, including the CRISC, consist of 150 questions covering all the areas discussed in the previous section. At the time of publication, the four domains have different weightages for exam questions.

Here is a summary of the number of questions per domain:

Domains     Old CRISC job practice                New CRISC job practice
Domain 1    IT Risk Identification (27%)          Governance (26%)*
Domain 2    IT Risk Assessment (28%)              IT Risk Assessment (20%)
Domain 3    Risk Response and Mitigation (23%)    ...

CRISC job practice                      Weightage    Questions
Governance                              26%          39
IT risk assessment                      20%          30
Risk response and reporting             32%          48
Information technology and security     22%          33

Table 2.2 – Number of questions across domains

You will have 4 hours to answer 150 questions, which, in my experience...

CRISC certification requirements

Passing the exam with a minimum of 450 marks is one of the requirements for attaining the CRISC certification.

Once you pass the exam, the next step is to submit a CRISC application form, which should be endorsed by a colleague, previous manager, or someone who knows you in a professional capacity, attesting that you have a minimum of 3 years of cumulative work experience in at least two of the four domains. The work experience must be gained within the 10-year period preceding the application date for certification. After passing the exam, you have 5 years to apply for the certification.

Once the certification is issued, you will also have to maintain a minimum of 120 Continuing Professional Education (CPE) hours over a 3-year cycle and report an annual minimum of 20 CPE hours to keep the certification active.

Lastly, you will have to comply with ISACA’s Code of Professional Ethics to uphold the professional and personal conduct of...

The ISACA mindset

After attempting all the major ISACA certifications and then being actively involved on the other side of the table, that is, writing questions for the official exams, I think I have a fair understanding of the rationale for answering the ISACA questions. In the ISACA working group, and in multiple forums on the internet, you will often hear about developing the ISACA mindset before attempting the exam.

Important note

The ISACA mindset involves understanding the rationale behind why a certain question is asked and what would be the MOST appropriate answer. When you read the question, you should ask yourself what concept the exam is trying to test and assume the role of an IT risk manager while answering the question. Once you have a fair understanding of the reasoning for the question in the first place, you should look for the answer that looks the closest to an ideal answer. It should be noted that all four options in the ISACA exam will seem to be the right...

Additional material

This book covers all the content, tips, and practice quizzes you need to pass the ISACA CRISC exam. As discussed in the CRISC job practice areas section, some sections are bundled to ease the flow of the content in a way that should make the most logical sense. As much as I would want to keep this as a single source for all the knowledge you would need to pass the exam, there are two additional resources that I would highly recommend to supplement your learning:

  • ISACA CRISC Review Manual, 7th Edition

This is the official review manual from ISACA, the governing body that creates and conducts the exam. Almost everyone I have ever spoken to has given negative feedback on the ISACA material due to its dry nature and monotonous writing, but I would highly recommend you go through it at least once. ISACA has a way of phrasing common terminologies as well as information security concepts. The content might not be as interactive as this book, but it is important...

Summary

At the beginning of this chapter, we learned about the CRISC exam domains and the weightage for each domain in the exam. We learned about the official CRISC job practice areas and how they are reflected in the structure of this book. Then, we learned about the CRISC exam structure in detail and the passing criteria, that is, a minimum score of 450 and 3 years of experience in at least 2 domains to achieve the official CRISC credential and an additional requirement of maintaining the CPEs once the credential is achieved. We also noted that there is no negative marking/deduction for incorrect answers in the exam, so your best bet is to answer all the questions even if you are not 100% sure about the answer. At the end of the chapter, we learned about the ISACA mindset, the types of questions that will be asked (knowledge-based versus scenario-based), how to read and identify the keywords in the questions, and tips on how to eliminate incorrect answers. Lastly, we looked at the...
