
CRISC Certified in Risk and Information Systems Control Study Guide
Description
A comprehensive and up-to-date prep guide for the CRISC exam and the perfect desk reference for professionals in the field
In CRISC Certified in Risk and Information Systems Control Study Guide, veteran author, cybersecurity, and privacy expert Peter H. Gregory delivers thorough and accurate coverage of how to prepare for the CRISC certification exam. He's also written a practical, on-the-job reference for current and aspiring practitioners in information security, privacy, information technology, and audit.
This book shows you how to succeed on the challenging CRISC certification test. It mirrors the structure of the CRISC Job Practice guidance published by ISACA and provides detailed coverage of the entire CRISC certification process, including ongoing, post-exam certification requirements.
Gregory draws on his extensive experience as an industry practitioner and technology educator to walk you through the ins and outs of the four key domains covered by the CRISC Exam: Governance, Risk Assessment, Risk Response and Reporting, and Technology and Security. You'll also get:
- Comprehensive, domain-specific coverage of the CRISC exam objectives
- Complete, up-to-date, and accurate guidance for all professionals responsible for setting and managing risk controls
- Access to a superior set of online study tools, including hundreds of practice questions, flashcards, and a glossary of key terms
Perfect for anyone preparing for the CRISC exam, CRISC Certified in Risk and Information Systems Control Study Guide is a must-have resource for practicing and aspiring information security, technology, business, and privacy leaders with a stake in managing, monitoring, mitigating, and governing risk.

ABOUT THE AUTHOR
Peter H. Gregory, CRISC, CISM, CISA, CDPSE, CISSP, CCSK, CIPM, is an experienced technology, cybersecurity, and privacy leader. He's the author of more than 50 cybersecurity and technology books, including CISM All-In-One Exam Guide, CISA Study Guide, and The Art of Writing Technical Books. He is an advisor and adjunct faculty emeritus at the University of Washington's cybersecurity certificate program, an advisory board member at Akylade, a member of InfraGard, a member of the Informa TechTarget security editorial advisory board, and a former member of the Forbes Technology Council and the FBI Citizens Academy Alumni Association.
Contents at a Glance
Introduction xxiii
Assessment Test xliii
Answers to Assessment Questions xlvii
Chapter 1 Governance 1
Chapter 2 Risk Assessment 29
Chapter 3 Risk Response and Reporting 97
Chapter 4 Information Technology 163
Chapter 5 Information Security 223
Appendix Implementing and Managing a Risk Management Program 271
Index 295
Introduction
Welcome to the Sybex Study Guide for ISACA's Certified in Risk and Information Systems Control (CRISC) exam! This book will help you study for, and successfully pass, one of ISACA's premier certification exams, the CRISC exam. This exam is designed to test your knowledge of a wide variety of topics related to risk management and information systems controls. The exam focuses on business and IT risk management in enterprise infrastructure, as well as on designing and implementing IT security controls to mitigate risks.
Every day, it seems, data is breached at some of the largest organizations in the world. Recently, we've seen breaches in the U.S. government, in the healthcare industry, and even at tech giants such as Microsoft, LinkedIn, and Facebook. Ransomware attacks alone are a plague on thousands of companies in nearly every country in the world. And to make matters worse, cybercriminals are using AI to develop their attacks more quickly and make them stealthier and more potent. No organization, no matter what size, is immune to the threat of data breaches or, for that matter, data theft or loss. However, effective risk management can reduce the likelihood of data breaches, strengthen business processes and IT infrastructure, and even improve their efficient use. Information system controls reduce the likelihood of adverse events having a significant impact on the organization and should be carefully planned and considered.
This book covers basic risk concepts, risk assessments, standards and frameworks, and information security control design and implementation. I also cover the essential concepts, terminology, and definitions that risk management practitioners and security professionals need to be effective in these areas. In the book's five main chapters, I cover all four top-level domains as well as the task and knowledge statements listed in the official ISACA exam objectives. The appendix discusses the practical steps a security leader can take to successfully implement a risk management program.
While you don't have to be an expert already in all the areas I discuss, having experience in some, such as risk concepts, helps. A good, broad background of experience and knowledge in information security will give you an advantage in your studies for this exam. Of course, you'll get a good background in all these subjects throughout the book.
Passing the CRISC exam not only places you in a class of professionals recognized for their experience and expertise in this field, but it also serves to quantify and validate your knowledge of advanced risk management and security topics. After passing this exam, you'll be able to show that not only are you qualified, but you are certified in these areas. This book is designed to help you get there.
Purpose of This Book
Let's get the obvious out of the way: this is a comprehensive study guide for the information security and risk management professional who needs a reliable reference for individual or group-led study for the CRISC certification. This book contains the information that CRISC candidates are required to know. While this book is one source of information to help you prepare for the CRISC exam, it should not be thought of as the ultimate collection of all the knowledge and experience that ISACA expects qualified CRISC candidates to possess; no one publication covers all this information. The other thing you'll need, just as important as suitable study material in our minds, is experience. There's no substitute for practical, hands-on experience. You should make every effort to learn all aspects of the ISACA CRISC exam material I discuss in this book.
This book also serves as a reference for aspiring and practicing security and risk professionals and leaders. The content required to pass the CRISC exam is the same content that practicing security and risk professionals need to be familiar with in their day-to-day work. This book is a definitive CRISC exam study guide as well as a desk reference for those who have already earned their CRISC certification.
The pace of change in the information security and risk management industry and profession is high. Rather than cover every detail and nuance of laws, practices, standards, and techniques in information security and risk management, this book shows readers how to stay current in the profession. Indeed, the pace of change is one of many reasons that ISACA and other associations require continuous learning to retain one's certifications. It is crucial to understand key facts and practices in security and risk management, and to learn how to stay current as they continue to evolve. However, despite the high rate of change in information technology and information security, there's good news: the techniques for governance and risk management themselves change very slowly. The principles of governance, risk assessments, risk management, risk treatment, and controls are solid and time-proven. Much of this book is devoted to these practices.
This book is also invaluable for security and risk management professionals who are not in a leadership position. You will gain considerable insight into today's security and risk management challenges. This book is also helpful for IT, privacy, and business management professionals who work with risk management professionals and need a better understanding of what they are doing, how they do it, and why.
Finally, this book is an excellent guide for anyone exploring a career in information security and risk management. The study chapters explain all the relevant technologies, techniques, and processes used to manage a modern risk management program, which is helpful if you are wondering what the risk management profession is all about.
How to Use This Book
This book covers everything you'll need to know for ISACA's CRISC certification examination. Each chapter covers specific objectives and exam details, as defined by ISACA in its job practice areas. The chapters and their sections correspond precisely to the CRISC job practice that ISACA updates from time to time.
Each chapter has several components designed to effectively communicate the information you'll need for the exam.
- The topics covered in each chapter are listed in the first section to help you map out your study.
- The Summary section of each chapter briefly explains the chapter, allowing you to easily understand what it covers.
- Exam Essentials focus on major exam topics and critical knowledge that you should take into the test. The Exam Essentials focus on the ISACA CRISC exam objectives.
- Tips are included in each chapter that offer great information on how concepts you'll study apply in a place that we like to call "the real world." Often, they give you a bit more information on a topic covered in the text that may appear in the exam.
- Notes may be included in a chapter as well. These are bits of information that are relevant to the discussion and that point out extra information.
- Case Studies are included to illustrate how an idea, concept, or standard can be put into practice.
- Twenty or more practice questions appear at the end of each chapter and are designed to allow you to attempt some exam questions on the topics covered in the domain.
The appendix is designed to help you understand the practical side of risk management, particularly for security leaders who need to develop or improve the risk management function in an organization. I have many years of experience; this is my gift to you so that you have the greatest chance to succeed.
About This Edition
ISACA, like other certification organizations, periodically updates the job practice for CRISC and its other certifications. In 2024, I expected that ISACA would update the CRISC job practice in November 2025, which prompted me to prepare to write this edition reflecting these updates, as well as changes in related industry practices and developments.
ISACA is somewhat academic in its approach to the arrangement of the CRISC job practice areas. For this reason, I included an appendix that describes the development and operation of a risk management program from a practical perspective. This appendix helps to fill the gap between the CRISC job practice and what it really takes to succeed.
Becoming a CRISC Professional
To become a CRISC professional, you are required to pay the exam fee, pass the exam, prove that you have the necessary education and experience, and agree to uphold ethics and standards. To keep your CRISC certification, you are required to take at least 20 continuing education hours each year (120 hours in three years) and pay annual maintenance fees. This lifecycle is depicted in Figure 1.
FIGURE 1 The CRISC certification lifecycle.
The following list outlines the primary requirements for becoming certified:
- Experience: A CRISC candidate must submit verifiable evidence of at least three years of professional work experience in IT risk management and IS control. Experience must be verified and gained within the ten-year period preceding the application date for certification or within five years of passing the exam. No waiver options are available.
- Ethics: Candidates must commit to adhering to ISACA's Code of Professional Ethics, which guides the personal and professional conduct of those certified.
- Exam: Candidates must receive a passing score on the CRISC exam. A passing score is...
System requirements
File format: ePUB
Copy protection: Adobe-DRM (Digital Rights Management)
System requirements:
- Computer (Windows; MacOS X; Linux): Install the free reader Adobe Digital Editions prior to download (see eBook Help).
- Tablet/smartphone (Android; iOS): Install the free app Adobe Digital Editions or the app PocketBook before downloading (see eBook Help).
- E-reader: Bookeen, Kobo, Pocketbook, Sony, Tolino and many more (not Kindle).
The file format ePub works well for novels and non-fiction books, i.e., "flowing" text without complex layout. On an e-reader or smartphone, line and page breaks automatically adjust to fit the small displays.
This eBook uses Adobe-DRM, a "hard" copy protection. If the necessary requirements are not met, unfortunately you will not be able to open the eBook. You will therefore need to prepare your reading hardware before downloading.
Please note: We strongly recommend that you authorise using your personal Adobe ID after installation of any reading software.