About the Course

3 Days

The CRISC course is designed for those who have experience with risk identification, assessment, and evaluation; risk response; risk monitoring; information systems control design and implementation; and information systems control monitoring and maintenance.

Course Structure

Governance

  1. Organizational Governance
    1. Organizational Strategy, Goals, and Objectives
    2. Organizational Structure, Roles and Responsibilities
    3. Organizational Culture
    4. Policies and Standards
    5. Business Processes
    6. Organizational Assets
  2. Risk Governance
    1. Enterprise Risk Management and Risk Management Framework
    2. Three Lines of Defense
    3. Risk Profile
    4. Risk Appetite and Risk Tolerance
    5. Legal, Regulatory and Contractual Requirements
    6. Professional Ethics of Risk Management

IT Risk Assessment

  1. IT Risk Identification
    1. Risk Events (e.g., contributing conditions, loss result)
    2. Threat Modelling and Threat Landscape
    3. Vulnerability and Control Deficiency Analysis (e.g., root cause analysis)
    4. Risk Scenario Development
  2. IT Risk Analysis, Evaluation and Assessment
    1. Risk Assessment Concepts, Standards and Frameworks
    2. Risk Register
    3. Risk Analysis Methodologies
    4. Business Impact Analysis
    5. Inherent and Residual Risk

Risk Response

  1. Risk Response
    1. Risk Treatment / Risk Response Options
    2. Risk and Control Ownership
    3. Third-Party Risk Management
    4. Issue, Finding and Exception Management
    5. Management of Emerging Risk
  2. Control Design and Implementation
    1. Control Types, Standards and Frameworks
    2. Control Design, Selection and Analysis
    3. Control Implementation
    4. Control Testing and Effectiveness Evaluation

Risk Reporting

  1. Risk Monitoring and Reporting
    1. Risk Treatment Plans
    2. Data Collection, Aggregation, Analysis and Validation
    3. Risk and Control Monitoring Techniques
    4. Risk and Control Reporting Techniques (heatmap, scorecards, dashboards)

Information Technology and Security

  1. Information Technology Principles
    1. Enterprise Architecture
    2. IT Operations Management (e.g., change management, IT assets, problems, incidents)
    3. Project Management
    4. Disaster Recovery Management (DRM)
    5. Data Lifecycle Management
    6. System Development Life Cycle (SDLC)
    7. Emerging Technologies
  2. Information Security Principles
    1. Information Security Concepts, Frameworks and Standards
    2. Information Security Awareness Training
    3. Business Continuity Management
    4. Data Privacy and Data Protection Principles