Want to know where the real money is made in the information security industry? Management comes first, and Governance, Risk and Compliance (GRC) is next: not the people who work defense day to day, but the people who put policies in place and keep track of regulations. For GRC, the CRISC certification is the way to go. This isn’t for everyone, but if you can see yourself in that world more than in a pentesting role, or if you are simply looking to earn more whatever the path, then GRC is probably the path for you, and CRISC is the certification that puts you on it.
CRISC (Certified in Risk and Information Systems Control) is a core GRC certification offered by ISACA. It validates the candidate’s ability to understand IT risk and its impact on the business, and to manage that risk from a business perspective. CRISC tests not only risk management skills but also the ability to design, implement, and maintain Information Systems (IS) controls.
CRISC Fast Facts
- Started in 2010 by ISACA
- More than 18,000 CRISC credentials since 2010
- Accredited by the American National Standards Institute (ANSI) under ISO/IEC 17024:2012
- Ranked #1 among the top six GRC certifications in a 2016 CIO Magazine survey
Who Should Earn CRISC Certification
CRISC is a tailor-made certification for those interested in (a) business and technology risk management jobs and (b) developing and implementing Information Systems (IS) controls. The following enterprise-level roles are the ones for which the CRISC credential is most relevant.
- IT professionals
- Risk Professionals
- Control and assurance Professionals
- Business Analysts
- Compliance Professionals
- Project Managers
- Chief Information Officer (CIO)
- Chief Information Security Officer (CISO)
- Security Director
- Security Manager
- Security Auditor
CRISC Certification Requirement
Professionals interested in CRISC certification must pass the CRISC exam and adhere to ISACA’s code of professional ethics and Continuing Professional Education (CPE) policy to earn the certification. At least three years of cumulative work experience performing CRISC tasks is also required, covering at least two of the four CRISC domains, one of which must be Domain 1 or Domain 2. ISACA tests candidates’ knowledge and skills across the following four domains.
Domain-1: Risk Identification
Domain-2: Risk Assessment
Domain-3: Risk Response and Mitigation
Domain-4: Risk and Control Monitoring and Reporting
CRISC Exam
The CRISC exam uses the following format.

| Exam Particulars | Detail |
| --- | --- |
| Total Questions | 150 |
| Language | English |
| Exam Duration | 4 hours |
| Passing Score | Minimum 450 on a scale from 200 to 800 |

| Domain | Share of Exam |
| --- | --- |
| Risk Identification | 27% |
| Risk Assessment | 28% |
| Risk Response and Mitigation | 23% |
| Risk and Control Monitoring and Reporting | 22% |
Those who pass the CRISC exam without the required experience must earn it within five years of passing. If the experience is not gained in that period, the exam result expires.
CRISC Domains
CRISC covers four domains namely IT Risk Identification, IT Risk Assessment, Risk Response and Mitigation, and Risk and Control Monitoring and Reporting. Following is a brief summary of these domains.
IT Risk Identification: This domain covers the techniques for identifying IT risk within an enterprise and the strategies for managing it, which must align with the organization’s business objectives. Following is a brief overview of the IT Risk Identification domain.
- Gathering all relevant information about the organization’s IT environment to identify potential IT risk and its impact on the organization’s business objectives. This includes collecting any documentation that helps in understanding the organization’s business environment.
- Analyzing threats and potential vulnerabilities to the technology, processes, and people of the organization
- Identifying the key stakeholders accountable for IT risk
- Creating a risk register by documenting the elements accountable for IT risk scenarios and adding them to the enterprise-wide risk profile
- Identifying risk appetite and the tolerance defined by key stakeholders and leadership to maintain a balance between the IT risk and the business goals
- Conducting risk awareness programs and training sessions for stakeholders
IT Risk Assessment: IT risk assessment supports risk-based decisions by analyzing IT risk and evaluating its impact on business objectives. Risk ownership is assigned at the appropriate level for transparent accountability. The domain covers the following tasks.
- Analyzing risk scenarios to determine the likelihood of each identified risk and its impact on business objectives. The analysis is based on criteria such as technology, architecture, policies, standards, controls, and organizational structure.
- Identifying the state of existing controls to evaluate their effectiveness in mitigating IT risk
- Sharing the risk assessment reports with the senior leadership for appropriate decision making
- Documenting the risk assessment results in the risk register
Risk Response and Mitigation: An appropriate response is required to mitigate or otherwise manage the risk identified and analyzed in Domains 1 and 2. Domain 3 covers the risk response options for managing risk effectively in line with the organization’s business goals. The domain covers the following.
- Selecting the appropriate risk response in consultation with the risk owners, so that the response aligns with the organization’s business objectives
- Consulting and assisting risk owners on action plans that include the key elements of the response, such as cost and target completion date
- Ensuring control ownership for transparent accountability
- Updating the risk register with the risk response measures
Risk and Control Monitoring and Reporting: Domain 4 covers continuous monitoring of IT risk and controls, and reporting to stakeholders, to ensure that IT risk management strategies remain efficient and effective. Risk and control monitoring and reporting covers the following.
- Defining and establishing Key Risk Indicators (KRIs) based on available data
- Monitoring and Analyzing KRIs to track changes and IT risk trends
- Measuring the performance of controls through metrics and Key Performance Indicators (KPIs)
- Reporting the performance, changes, and trends of the IT risk profile to the relevant stakeholders for effective decision making
CRISC Knowledge Statements
Apart from the domains, candidates should be familiar with the CRISC knowledge statements. A few of the important ones are listed below.
- Knowledge of laws and compliance requirements
- Knowledge of organizational standards and policies
- Knowledge of emerging technologies and industrial trends
- Knowledge of contractual requirements and Service Level Agreements (SLAs) with third parties
- Knowledge of threats and vulnerabilities to processes, people, assets, technologies etc.
- Understanding of methods of risk identification and risk management strategies
- Clear understanding of information security concepts including CIA (Confidentiality, Integrity, and Availability)
- Knowledge of the tools used for identifying, analyzing, and monitoring IT risk
Maintaining CRISC Certification
CRISC certification is maintained on a three-year cycle through Continuing Professional Education (CPE). A total of 120 CPE hours must be reported over each three-year period, with a minimum of 20 CPE hours reported annually.