How to Pass the CRISC Exam: Certified in Risk and Information Systems Control
A focused strategy for the ISACA CRISC exam covering IT risk identification, assessment, response, and monitoring for risk management professionals.
CRISC: The Risk Professional's Certification
CRISC (Certified in Risk and Information Systems Control) is the premier certification for IT risk management professionals. While CISM covers security management broadly, CRISC focuses specifically on identifying, assessing, and managing IT risk. It is ideal for risk analysts, risk managers, compliance professionals, and control assurance practitioners.
The exam has 150 questions in 4 hours with a passing score of 450/800. Three years of experience in at least two of the four domains is required.
Domain-by-Domain Strategy
Domain 1: IT Risk Identification (27%)
The highest-weighted domain. Covers risk identification methods, IT risk landscape, and risk scenarios.
Key concepts:
Risk identification techniques: risk assessments, threat modeling, vulnerability assessments, business impact analysis, gap analysis.
Risk scenarios: threat × vulnerability × asset × impact.
IT risk universe: strategic risk, compliance risk, operational risk, financial risk, reputational risk.
Emerging risks: cloud adoption risks, third-party/supply chain risks, AI/ML risks, IoT risks.
Risk register: how to document and maintain identified risks.
Study tip: CRISC emphasizes risk SCENARIOS. A risk scenario combines a threat source, threat event, vulnerability, asset, and consequence. Practice constructing risk scenarios — the exam will present partial scenarios and ask you to identify the missing component or the most significant risk.
Domain 2: IT Risk Assessment (28%)
The second-highest domain (essentially tied with Domain 1). Covers risk assessment methodologies and analysis techniques.
Key concepts:
Qualitative assessment: likelihood and impact ratings (high/medium/low), risk heat maps.
Quantitative assessment: AV (Asset Value), EF (Exposure Factor), SLE (Single Loss Expectancy = AV × EF), ARO (Annual Rate of Occurrence), ALE (Annual Loss Expectancy = SLE × ARO).
Risk appetite and risk tolerance: appetite is the amount of risk an organization is willing to accept in pursuit of objectives; tolerance is the acceptable range of variation around risk appetite.
Inherent risk vs residual risk: inherent risk is before controls; residual risk is after controls.
Risk assessment frameworks: NIST SP 800-30, ISO 27005, OCTAVE, FAIR (Factor Analysis of Information Risk).
Domain 3: Risk Response and Reporting (23%)
Covers risk response strategies, control selection, and risk reporting.
Key concepts:
Risk response options: accept (formally acknowledge the risk), mitigate (reduce likelihood or impact with controls), transfer (shift risk to a third party through insurance or contracts), avoid (eliminate the activity that creates the risk).
Control types: preventive, detective, corrective, compensating, directive.
Control selection criteria: cost-benefit analysis, operational impact, regulatory requirements, implementation complexity.
Risk reporting: risk dashboards, KRIs (Key Risk Indicators), risk trends, reporting to the board and management.
Domain 4: Information Technology and Security (22%)
Covers IT controls, security frameworks, and technology-specific risks.
Key concepts:
Control frameworks: COBIT, NIST CSF, ISO 27001, CIS Controls.
IT general controls vs application controls.
Access controls, change management controls, network security controls.
Business continuity and disaster recovery from a risk perspective.
Third-party risk management: vendor assessments, contract controls, ongoing monitoring.
The Risk Mindset
CRISC consistently tests whether you think in terms of RISK rather than SECURITY. The correct answer is almost never the most secure option — it is the option that best addresses the risk given the organization's risk appetite and business objectives.
Wrong approach: "Implement the strongest security control available."
Right approach: "Select the control that reduces risk to an acceptable level at a reasonable cost, aligned with the organization's risk appetite."
Every control decision should pass the cost-benefit test. If a $500,000 control mitigates a risk with an ALE of $50,000, that control is not justified — unless regulatory requirements mandate it.
Study Plan (10 Weeks)
Weeks 1-3: Domains 1 and 2 (Risk Identification and Assessment) — over half the exam.
Weeks 4-6: Domain 3 (Risk Response and Reporting).
Weeks 7-8: Domain 4 (IT and Security).
Weeks 9-10: Practice exams and review. Focus on the quantitative risk calculation questions.
Quantitative Risk Calculations
CRISC will test ALE calculations. Practice these until they are automatic:
SLE = Asset Value × Exposure Factor
ALE = SLE × ARO
Risk reduction = ALE (before control) - ALE (after control)
Control justified if: cost of control < risk reduction achieved
Example: Server worth $200,000. Fire threat has 20% exposure factor and occurs once per 10 years. SLE = $40,000. ARO = 0.1. ALE = $4,000. A $50,000 fire suppression system is NOT justified by this ALE alone (but may be justified by regulatory requirements or protection of human safety).
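The SLE/ALE formulas and the cost-benefit test above, carried through in code on the page's own fire example. This is an added illustration, not part of the original article; the post-control exposure factor of 5% is a constructed assumption, since the page gives no figure for how much the suppression system reduces the loss.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskExposure:
    """One threat against one asset, in CRISC quantitative terms."""
    asset_value: float      # AV: value of the asset at risk
    exposure_factor: float  # EF: fraction of AV lost per event (0.0 to 1.0)
    aro: float              # ARO: expected occurrences per year

    def sle(self) -> float:
        """Single Loss Expectancy = AV x EF."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annual Loss Expectancy = SLE x ARO."""
        return self.sle() * self.aro


def risk_reduction(before: RiskExposure, after: RiskExposure) -> float:
    """ALE (before control) - ALE (after control)."""
    return before.ale() - after.ale()


def control_justified(before: RiskExposure, after: RiskExposure,
                      control_cost: float, mandated: bool = False) -> bool:
    """Cost-benefit test from the page: justified if cost < risk reduction.
    A regulatory or human-safety mandate overrides the purely financial test."""
    if mandated:
        return True
    return control_cost < risk_reduction(before, after)


# Worked example from the page: $200,000 server, fire EF 20%, once per 10 years.
SERVER_FIRE = RiskExposure(asset_value=200_000, exposure_factor=0.20, aro=0.1)

# Constructed assumption (not on the page): the $50,000 suppression system
# cuts the exposure factor to 5% but does not change how often fires start.
SERVER_FIRE_WITH_SUPPRESSION = RiskExposure(200_000, 0.05, 0.1)
SUPPRESSION_COST = 50_000

if __name__ == "__main__":
    reduction = risk_reduction(SERVER_FIRE, SERVER_FIRE_WITH_SUPPRESSION)
    print(f"SLE = ${SERVER_FIRE.sle():,.0f}")   # $40,000
    print(f"ALE = ${SERVER_FIRE.ale():,.0f}")   # $4,000
    print(f"Risk reduction from suppression = ${reduction:,.0f}")   # $3,000
    print("Justified on cost alone:",
          control_justified(SERVER_FIRE, SERVER_FIRE_WITH_SUPPRESSION, SUPPRESSION_COST))
    print("Justified when mandated:",
          control_justified(SERVER_FIRE, SERVER_FIRE_WITH_SUPPRESSION, SUPPRESSION_COST, mandated=True))
```

The test compares the control's cost against a single year's risk reduction, exactly as the page states it; if an exam question gives a control's service life, pass the annualized cost as control_cost instead of the purchase price.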
Practice risk quantification with CyberCertPrep's CRISC question bank featuring scenario-based risk assessment questions and ALE calculations.
Michael Torres
CISA, CRISC, ISO 27001 Lead Auditor
Michael is a GRC consultant specializing in compliance frameworks and risk management. He has conducted 50+ ISO 27001 audits and writes about governance, risk, and certification preparation.