ISACA® CRISC™ study guide mind map

1. CRISC Exam Passing Principles

2. The CRISC™ (Certified in Risk and Information Systems Control) job profile, published at the beginning of 2010, combines enterprise and IT risk management with the implementation and monitoring of internal information technology controls, in two modules, and has met with significant global interest.

2.1. Covers

2.1.1. It covers 5 domains, 39 tasks and 72 knowledge statements (statements covering the required technical knowledge).

2.2. Designation

2.2.1. The CRISC™ certification / designation reflects a solid achievement record in the areas of enterprise / IT risk management as well as the design, implementation, monitoring and maintenance of controls.

2.3. The first CRISC™ examinations took place in June 2011.

3. Domain 1 - Risk Identification, Assessment and Evaluation

3.1. Domain 1 - CRISC® Exam Relevance

3.1.1. The content area for Domain 1 will represent ... 31% of the CRISC examination (62 questions).

3.2. Risk Management Process

3.2.1. What is it? The (constant) process of balancing the risk associated with business activities with an adequate level of control that will enable the business to meet its objectives. Holistically covers all concepts and processes affiliated with managing risk, including: systematic application of management policies, procedures and practices; establishing the context; communicating and consulting; identifying; analysing; evaluating; treating; controlling; monitoring; reviewing.

3.2.2. High Level Process Phases (Risk IT): 1. Collect Data; 2. Analyze Risk; 3. Maintain Risk Profile.

3.3. Risk Governance

3.3.1. Strategic business function that helps ensure that: Risk Management activities align with the enterprise’s loss capacity and leadership’s subjective. Risk Management strategy is aligned with the overall business strategy.

3.3.2. Risk Governance is ultimately the responsibility of the board of directors and senior management. They establish risk culture and acceptable level of risk.

3.4. Guiding Principles for Effective Risk Management

3.4.1. Maintain business objective focus. Why: Risk Management must provide value.

3.4.2. Integrate IT risk management into Enterprise Risk Management (ERM). Why: Risk Management must be part of overall enterprise governance.

3.4.3. Balance the costs and benefits of managing risk. Why: Risk Management costs must be lower than the value (monetary and non-monetary) of the assets under protection.

3.4.4. Promote fair and open communication. Why: Risk Management must promote and communicate a risk-aware culture.

3.4.5. Establish tone at the top and assign personal accountability. Why: Risk Management must have clearly defined roles and responsibilities in order to be effective.

3.4.6. Daily process with continuous improvement. Why: risk and the environment (internal and external) change, so Risk Management practices must adapt. Risk management should use historical data and facilitate learning and continual improvement.

3.5. Risk Evaluation Process

3.5.1. Process of comparing the estimated risk against given risk criteria to determine the significance of the risk.

3.6. Risk Assessment Process

3.6.1. Process used to identify and evaluate risk and its potential effects.

3.6.2. Elements of Risk Assessment: Scope (description of the assessment area: assets, system, region, processes, ...); Threats; Vulnerabilities; Likelihood; Impact; Risk Assessment Report.

3.7. Risk Identification Process

3.7.1. Process of determining the risk that an enterprise / organization faces (globally or in specific organization activity: programme, project).

3.8. The Business Impact of IT Risk

3.8.1. Loss of revenue.

3.8.2. Loss of sensitive information and data.

3.8.3. Loss of reputation / brand visibility / brand image.

3.8.4. Loss of public confidence.

3.8.5. Loss of SLAs / OLAs levels.

3.8.6. LOE to correct problems caused by Threat Actions.

3.8.7. Loss of credibility.

3.8.8. Damage to enterprise’s interest.

3.8.9. System repair costs.

3.9. Applicable Guidelines for Risk Appetite and Risk Tolerance

3.9.1. Connectivity of risk appetite and risk tolerance.

3.9.2. Review and approval of exceptions to risk tolerance standards.

3.9.3. Risk appetite and tolerance change over time.

3.9.4. Cost of risk mitigation options can affect risk tolerance.

3.9.5. Risk Capacity: the maximum amount of risk that an organisation, or a subset of it, can bear, linked to factors such as its reputation, capital, assets and ability to raise additional funds.

3.9.6. Risk Tolerance: the threshold levels of risk exposure that, with appropriate approvals, can be exceeded, but which when exceeded will trigger some form of response (e.g. reporting the situation to senior management for action).

3.9.7. Risk Appetite: the amount of risk the organisation, or a subset of it, is willing to accept.

3.10. Risk Hierarchy - 4 Levels of Risk

3.10.1. Portfolio risk. Goal: management of stakeholder perceptions that would affect the reputation of an organization; ensuring business success of the organization. Context: business success, business vitality, finance, core services, organization / enterprise capabilities, resources; portfolio management.

3.10.2. Program risk. Goal: delivering business change with measurable benefits; delivering business transformation; delivering outcomes. Context: benefits, capabilities; programme management.

3.10.3. Project risk. Goal: producing defined business change products within time, cost and scope constraints; delivering outputs. Context (the 6 project parameters): time, budget, benefits, quality, scope, risk; project management.

3.10.4. Operational risk. Goal: maintaining business services to appropriate levels; day-to-day management; Business as Usual (BaU). Context: reputation, volume, quality, internal control, revenue, staff, customer.

3.11. IT Risk in the Risk Hierarchy (from ISACA® Risk IT™ perspective)

3.11.1. Strategic Risk

3.11.2. Environment Risk

3.11.3. Market Risk

3.11.4. Credit Risk

3.11.5. Operational Risk

3.11.6. Compliance Risk

3.11.7. IT-related Risk

3.12. Three IT Risk Categories (from ISACA® Risk IT™ perspective)

3.12.1. IT Benefit / Value Enablement, e.g.: technology as an enabler for new business initiatives; technology as an enabler for efficient operations; technology as an enabler for higher SLA / OLA levels.

3.12.2. IT Programme and Project Delivery, e.g.: project relevance / priority; project time / budget overrun; project quality.

3.12.3. IT Operations and Service Delivery, e.g.: IT service interruptions (SLA / OLA crisis); security issues; compliance / regulatory issues.

3.13. Risk Scenario

3.13.1. What: a Risk Scenario is a description of an event that can lead to a business impact, when and if it should occur. The Risk Scenario is a technique used to make risk more concrete and tangible and to allow for proper risk assessment and analysis.

3.13.2. Why (purpose of a Risk Scenario): bring realism; provide insight; facilitate organizational engagement; provide improved analysis and structure to the complex nature of enterprise risk.

3.13.3. Risk Scenario components: Actor / Threat Actor / Source (internal or external to the organization; threat actors can also be human or non-human; cf. the 2008 CSO Magazine report and the 2009 Verizon Data Breach Investigation Report); Threat Type; Event (loss events, vulnerability events (vulnerabilities / weaknesses), threat events); Asset / Resource (tangible, intangible); Time / Timing Dimension.

3.13.4. Risk Scenario development strategies Top-down approach. Bottom-up approach. Approaches are complementary and should be used simultaneously.

3.13.5. Risk Scenario development process 1. Use list of example generic scenarios to define a manageable set of concrete scenarios for the enterprise. 2. Perform a validation against business objectives of the entity. 3. Refine the selected scenarios and detail them in line with criticality to entity. 4. Reduce number of scenarios to manageable set. 5. Keep all risks in a Risk Register for easy re-evaluation. 6. Include in scenarios how to handle unspecified events.

3.13.6. Risk Scenario development enablers: organizational buy-in; risk culture (often one of the most important enablers, if not the most important; it begins at the top: board / executive / CEO; symptoms of an inadequate or problematic risk culture include ...); skilled scenario facilitation / identification; thorough understanding of the environment (internal and external); involvement of all stakeholders (especially decision-makers).

3.14. Risk Factors

3.14.1. What is it? A feature that influences the likelihood and/or business impact of risk scenarios. A condition that can influence the frequency and/or magnitude and, ultimately, the business impact of IT-related events / scenarios.

3.14.2. 5 Risk Factor categories: External environmental (not always controllable by the enterprise / organisation); Internal environmental; Capabilities: Risk Management capability, IT capability, IT-related business capability.

3.15. Risk Analysis Process

3.15.1. What is it? Process of integrating risk assessments at a corporate level to obtain a complete view of the overall risk for the enterprise.

3.15.2. Risk Analysis determines Extent of potential threat. Risks associated with IT systems throughout SDLC.

3.16. Risk Analysis methods

3.16.1. Risk Analysis methods / techniques fall into two categories, Qualitative Analysis and Quantitative Analysis; for each: what it is, methods (non-exhaustive list), advantages, disadvantages.

3.17. Identifying and assessing IT Risk

3.17.1. Threats and Opportunities inherent in enterprise use of IT.

3.17.2. Clarity in defining business impact (+/-) of IT related risks is critical to understanding threats, vulnerabilities, and opportunities.

3.18. Adverse Impact of Risk Event

3.18.1. Loss or degradation of any one, or a combination, of the 3 basic risk goals (CIA): Integrity (accuracy and completeness of transaction processing; reliability of information processing activities; accuracy, completeness and security of the output; data cannot be modified undetectably; data entered into a database are accurate, valid and consistent) - adverse impact: alteration. Availability (mission-critical system unavailable to end users; loss of system functionality) - adverse impact: destruction. Confidentiality - adverse impact: disclosure.

3.19. Business Impact Analysis / Assessment (BIA)

3.19.1. What is it? Business Impact Analysis (BIA) is a specialized process / exercise (not a tool or technique) to determine the impact of losing the support of any resource.

3.19.2. Why: establishes the escalation of that loss over time; is a discovery process to uncover the inner workings of a given process; answers the questions about procedures, shortcuts, workarounds and possible failures; uses the same qualitative and quantitative techniques.

3.19.3. BIA discovery techniques (non-exhaustive list) Questionnaires. Interviews. Documentation review. Process observation. Personnel observation during work. ID vital material and records (Information asset inventory). Detect existing workarounds and alternate procedures. Verify critical business functions. OBASHI® methodology. see OBASHI® mind map

3.20. Ways of describing IT Risk in business terms (methods, frameworks, standards) (from ISACA® Risk IT™ perspective)

3.20.1. Extended Information Criteria (COBIT®). What is it? To satisfy business objectives, information needs to conform to certain control criteria, which COBIT refers to as business requirements for information. Based on broader quality, fiduciary and security requirements, 7 distinct information criteria are defined: Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability. See COBIT® 5 mind map.

3.20.2. Balanced Scorecard (BSC). What is it? A strategic management system that helps an organization translate its strategies into objectives that drive both behaviour and performance, financial and non-financial. Measures are designed to track the progress of objectives against targets. Financial: share value, profit, revenue, cost of capital, debt, ROA, cash flow. Customer: market share, customer satisfaction, customer service, number of contracts, KYC, customer due diligence, number of claims. Internal: regulatory compliance, number of incidents, centralized data, process optimization. Growth: competitive advantage, reputation.

3.20.3. Extended Balanced Scorecard (EBSC). What: a variant of the BSC approach, linking the BSC dimensions to a limited set of more tangible criteria. Financial: share value, profit, revenue, cost of capital, debt, ROA, cash flow. Customer: market share, customer satisfaction, customer service, number of contracts, KYC, customer due diligence, number of claims. Internal: regulatory compliance, number of incidents, centralized data, process optimization. Growth: competitive advantage, reputation.

3.20.4. Dr. Westerman's 4 A's (aka the Four As Framework). What is it? Key areas of focus presented by Dr Westerman. Why: IT managers can improve alignment and understanding, both in IT and the business, by discussing IT risk considerations in terms of four key enterprise risks: Availability, Access, Accuracy and Agility. The four As can be the basis for effective IT / business alignment conversations, for evaluating the risk implications of new investments, and for categorizing operational risks identified through more specialized risk management techniques. Agility: to be able to change with the business at appropriate cost and speed. Accuracy: to provide correct, complete information on time. Access: to ensure the right people access data and systems when they need to. Availability: to keep systems (and business processes) running and recoverable.

3.20.5. Factor Analysis of Information Risk (FAIR). What is it? A taxonomy of the factors that contribute to risk and how they affect each other. It is primarily concerned with establishing accurate probabilities for the frequency and magnitude of loss events. The Open Group has adopted FAIR as a key component in its approach to risk management. The "Build Security In" initiative of the US Department of Homeland Security cites FAIR. In FAIR, risk is the probability of a loss tied to an asset. FAIR defines 6 kinds of loss: 1. Productivity; 2. Response; 3. Replacement; 4. Fines and judgements (F/J); 5. Competitive advantage (CA); 6. Reputation. FAIR defines Value / Liability as: criticality, cost, sensitivity. FAIR defines Threat as: ...

3.20.6. COSO® Enterprise Risk Management - Integrated Framework (ERM). What is it? Serves as the broadly accepted standard for satisfying those reporting requirements; however, in 2004 COSO® published Enterprise Risk Management - Integrated Framework, which COSO® believes expands on internal control, providing a more robust and extensive focus on the broader subject of enterprise risk management. 4 objective categories (vertical columns): Strategic, Operations, Reporting, Compliance; it should be recognized that the four columns represent categories of an entity's objectives, not parts or units of the entity. 8 components (horizontal rows): Internal Environment, Objective Setting, Event Identification, Risk Assessment, Risk Response, Control Activities, Information and Communication, Monitoring. The entity and its organizational units are depicted by the third dimension of the matrix. Each component row "cuts across" and applies to all four objective categories. See COSO ERM-IF mind map.

4. Domain 2 - Risk Response

4.1. Domain 2 - CRISC™ Exam Relevance

4.1.1. The content area for Domain 2 will represent ... 17% of the CRISC examination (34 questions).

4.2. Risk Response Process

4.2.1. What is it? The process of addressing the risks identified during risk assessment: cost-benefit analysis; reduce risk to acceptable levels; a combination of types of controls. Triggered when a risk exceeds an organization's acceptance level. Driven by input from the risk assessment process.

4.2.2. Why: ensures that the residual risk is within the limits of the risk appetite and risk acceptance levels (aka risk tolerance) of the enterprise. Is based on selecting the correct, prioritized response to risk, based on the level of risk, the organization's risk tolerance and the cost/benefit of the risk response options. In other words: does the asset value still outweigh the risk response costs, including monetary and non-monetary costs?

4.3. High level Risk Response Process

4.3.1. 1. Review risk analysis results.

4.3.2. 2. Select response options.

4.3.3. 3. Prioritize options.

4.3.4. 4. Implement risk action plan.


4.4. Risk Response Process phases & tasks.

4.4.1. Phase 1 - Articulate Risk

4.4.1.1. Task 1 - Communicate Risk Analysis results: report results; coordinate additional RA activities; communicate risk return; identify negative and positive impacts; provide decision makers with a summary of exposures, scenarios and key considerations.

4.4.1.2. Task 2 - Report Risk Management activities: meet risk reporting needs; ensure reporting on issues and status is appropriate; include all pertinent activities in reporting; provide inputs to integrated enterprise reporting.

4.4.1.3. Task 3 - Interpret Risk Assessment findings: review results and findings from various sources; map results to the risk profile and control baseline; consider established risk tolerance; communicate gaps and exposure to the business; help the business understand how corrective action plans affect the risk profile; identify integration opportunities.

4.4.1.4. Task 4 - Identify business opportunities: recurring risk analysis; identify IT-related capacity parity; look for opportunities to use IT (technology).

4.4.2. Phase 2 - Manage Risk

4.4.2.1. Task 1 - Inventory controls: inventory controls in place; classify and map controls; develop control tests; identify procedures and technology; partition operational controls.

4.4.2.2. Task 2 - Monitor operational alignment: ensure business line accountability; test key risk issues; obtain management buy-in on KRIs; ensure KRIs are implemented with thresholds, checkpoints and automated communications; integrate KRI data into performance indicator reporting; ensure risk analysis is performed when residual risk is outside tolerance.

4.4.2.3. Task 3 - Respond to discovered risk exposures and opportunities: emphasize projects that are expected to reduce adverse events and balance them against strategic opportunities; hold cost-benefit discussions; select candidate controls; monitor changes in business operational risk profiles; adjust the rankings of risk response projects.

4.4.2.4. Task 4 - Implement controls: ensure effective deployment / adjustment of controls; communicate with key stakeholders; test controls; map controls to monitoring mechanisms; identify and train staff on new procedures.

4.4.2.5. Task 5 - Report IT risk response plan progress: monitor risk response plans (all levels); ensure effectiveness of responses; determine whether acceptance of residual risk has been obtained; ensure committed risk responses are owned and deviations are reported to senior management.

4.4.3. Phase 3 - React to Risk Events

4.4.3.1. Task 1 - Maintain incident response plans: prepare for the materialization of threats; maintain open communication about risks; build the RTO into action plans; define pathways of escalation; verify that incident response plans are adequate.

4.4.3.2. Task 2 - Monitor risk: monitor the environment; when a control limit is breached, escalate or confirm; categorize incidents; communicate business impact; continue to take action and drive the desired outcome; ensure policy is followed with clear accountability for follow-up actions.

4.4.3.3. Task 3 - Initiate incident response: take action to minimize the impact of the in-progress incident; identify the impact category; inform stakeholders of the incident; identify the time requirements to carry out the plan; ensure the correct action is taken.

4.4.3.4. Task 4 - Communicate lessons learned from risk events: examine past events and missed opportunities; determine where the failure stemmed from; research the root cause; determine the underlying problem; identify tactical corrections; identify and correct underlying root causes; identify the root cause of incidents; request additional risk analysis as needed; communicate root cause, response requirements and process improvements.

4.5. Risk Response Options

4.5.1. For Threats. Avoid: risk avoidance is achieved by deciding not to undertake a risk, either by not taking part in a certain risky activity or by abandoning the asset / source that generates the risk; avoiding all risks is not a viable strategy; outcome = probability of occurrence is 0%; it simply means conducting the activity where the risk is not met. Reduce: reduce probability (a.k.a. Prevent); reduce impact (a.k.a. Mitigate); reduce probability and impact simultaneously.

4.5.2. For Opportunities. Exploit: exploiting the opportunity aims to make the most of an opportunity that arises, making the probability of its outcome 100%; it uses extensive measures to ensure that the opportunity becomes a certainty; outcome = probability of occurrence is 100%. Enhance (a.k.a. Improve): control methods put in place to increase the likelihood or increase the impact of the opportunity; enhancement methods are not as extensive as exploit controls because they do not aim at making the opportunity a certainty; increase probability (but still < 100%); increase impact; increase probability and impact simultaneously.

4.5.3. For Threats and Opportunities. Transfer: by transferring risk, firms remove their own responsibility for dealing with risk events to someone outside the organisation / programme / project etc.; for an opportunity, it aims to transfer the opportunity to a more specialised organisation that will help maximise its effects; you cannot transfer accountability, only risk impact; as the name suggests, a 2nd party is needed for transfer; transfer means transferring all (100%) of the impact to the 2nd party. Share: as the name suggests, a 2nd party is needed for sharing; sharing means sharing at least a small percentage of the impact with the 2nd party. Accept: accepting an opportunity basically leaves everything to chance; passive acceptance; active acceptance (prepare contingency plans: only reduces impact, does not change probability).

4.6. Risk Response Process parameters

4.6.1. Cost of Response to Reduce Risk Within Tolerance Levels.

4.6.2. Importance of Risk.

4.6.3. Capability to Implement Risk Response.

4.6.4. Effectiveness of Response.

4.6.5. Efficiency of Response.
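The cost/benefit question in 4.2.2 (does the asset value still outweigh the response cost?), the response options in 4.5 and the parameters in 4.6 can be made concrete with a small calculation. The Python below is an added example and is not part of the CRISC study guide or any ISACA material; it assumes a simple quantitative model (annual expected loss = probability × impact) in which each response option scales probability and impact, retains some share of the residual impact, and costs something per year. The risk, the options and every figure are constructed for illustration.

```python
"""Cost/benefit comparison of risk response options (added illustration, not ISACA material).

Assumed model: annual expected loss = probability x impact. A response option is described by
how it changes probability and impact (reduce / avoid), what fraction of the residual impact the
enterprise still bears (transfer / share) and what it costs per year. All figures are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Risk:
    name: str
    probability: float  # annual probability that the loss event occurs (0.0 .. 1.0)
    impact: float       # loss if it occurs, in money units

    def expected_loss(self) -> float:
        return self.probability * self.impact


@dataclass(frozen=True)
class ResponseOption:
    name: str
    kind: str                        # avoid | reduce | transfer | share | accept
    annual_cost: float               # monetary plus monetised non-monetary cost of the response
    probability_factor: float = 1.0  # multiplier on probability (0.0 for avoid)
    impact_factor: float = 1.0       # multiplier on impact (mitigation)
    retained_share: float = 1.0      # fraction of residual impact still borne (1.0 = nothing transferred)

    def residual(self, risk: Risk) -> Risk:
        """Residual risk left after applying this response."""
        return Risk(risk.name,
                    risk.probability * self.probability_factor,
                    risk.impact * self.impact_factor * self.retained_share)

    def total_cost_of_risk(self, risk: Risk) -> float:
        """What the enterprise pays per year overall: residual expected loss plus response cost."""
        return self.residual(risk).expected_loss() + self.annual_cost

    def net_benefit(self, risk: Risk) -> float:
        """Risk reduction achieved minus the cost of achieving it; negative means the response
        costs more than the risk it removes (4.2.2: asset value must outweigh response cost)."""
        return risk.expected_loss() - self.total_cost_of_risk(risk)


def select_response(risk: Risk, options: List[ResponseOption],
                    appetite: float) -> Optional[ResponseOption]:
    """Choose the option that brings residual expected loss within appetite at the lowest total
    cost of risk. Returns None when no option satisfies the appetite; that case has to be
    escalated rather than silently accepted."""
    acceptable = [o for o in options if o.residual(risk).expected_loss() <= appetite]
    if not acceptable:
        return None
    return min(acceptable, key=lambda o: o.total_cost_of_risk(risk))


# Constructed scenario: a ransomware outage of an order-processing system.
OUTAGE = Risk("ransomware outage of order processing", probability=0.20, impact=500_000)

OPTIONS = [
    ResponseOption("accept", "accept", annual_cost=0),
    ResponseOption("offline backups + patching SLA", "reduce", annual_cost=30_000,
                   probability_factor=0.5, impact_factor=0.4),
    ResponseOption("cyber insurance (70% of loss covered)", "transfer", annual_cost=25_000,
                   retained_share=0.3),
    ResponseOption("decommission the system", "avoid", annual_cost=150_000,
                   probability_factor=0.0),
]

RISK_APPETITE = 25_000  # constructed: maximum annual expected loss the board will accept


if __name__ == "__main__":
    print(f"inherent expected loss: {OUTAGE.expected_loss():,.0f}")
    for opt in OPTIONS:
        print(f"{opt.name:40s} residual={opt.residual(OUTAGE).expected_loss():>9,.0f} "
              f"total={opt.total_cost_of_risk(OUTAGE):>9,.0f} net={opt.net_benefit(OUTAGE):>9,.0f}")
    chosen = select_response(OUTAGE, OPTIONS, RISK_APPETITE)
    print("selected:", chosen.name if chosen else "none within appetite, escalate")
```

With these constructed numbers the "reduce" option wins (residual 20,000 plus 30,000 cost), insurance is cheaper but leaves the residual above appetite, and avoidance has a negative net benefit because it costs more than the risk it removes. Lowering the appetite to 10,000 flips the choice to avoidance, which is the point of 4.6.1: the cost of a response is judged against the tolerance level it must reach, not in isolation.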

4.7. Risk Response Prioritization

4.7.1. Quick win.

4.7.2. Business case to be made.

4.7.3. Deferral.

4.8. Risk Response Prioritization Options

4.9. Risk Response Prioritization Factors

4.9.1. Stakeholder interests / perception

4.9.2. Acceptance of change.

4.9.3. Solution balance.

4.9.4. Cost. Including monetary and non-monetary costs (e.g. time, scope)

4.9.5. Productivity impact (impact on BaU).

4.9.6. Control ownership.

4.9.7. Ability to monitor, audit and control.

4.9.8. Regulations.

4.9.9. Market condition changes.

4.9.10. Ability to execute.

4.9.11. Ability to rollback (if needed).

4.10. Risk Mitigation Control Types

4.10.1. Managerial.

4.10.2. Technical.

4.10.3. Operational.

4.10.4. Preparedness activities.

4.11. Risk Response programs

4.11.1. Prioritize Risk Response programs according to risk levels: Look for quick wins. Search by experience and known situations.

4.11.2. Update Risk Register.

4.11.3. Ensure that controls are designed and implemented correctly: a control can itself pose a new risk to the organization.

5. Domain 3 - Risk Monitoring

5.1. Domain 3 - CRISC™ Exam Relevance

5.1.1. The content area for Domain 3 will represent ... 17% of the CRISC examination (34 questions).

5.2. Risk Monitoring Process

5.2.1. What is it? Process accomplished by selecting KRIs from all the controls and data points available. Periodically re-evaluate risk levels.

5.2.2. Select which controls will be used as Key Risk Indicators (KRIs): Controls that indicate important risk issues or risk trends. Monitored on a regular basis to allow results to be compared over time. Reflect business priorities.

5.3. Risk Indicators

5.3.1. What is it? Metrics used to indicate risk thresholds and when a risk level may be approaching a high or unacceptable level of risk. A metric capable of showing that the enterprise is subject to, or has a high probability of being subject to, a risk that exceeds the defined risk appetite.

5.3.2. Why Set in place tracking and reporting mechanisms that alert staff to a developing or potential risk.

5.3.3. Risk indicators are placed at control points positioned to gather data used to gauge risk levels at a point in time and to track events and incidents that may indicate a potentially hazardous situation.

5.4. Key Performance Indicators (KPIs)

5.4.1. Requirements that a KPI must satisfy:

5.4.1.1. Contribution to CSFs: the connection between the KPI and the CSF above it must be demonstrable and described.

5.4.1.2. Stakeholders: the stakeholders of the KPI must be identified and have accepted their role. Stakeholders are all parties involved in the creation of the KPI and/or with an interest in the presence of the KPI.

5.4.1.3. Relevance: the KPI, together with other KPIs, must cover as much of the information needs as possible, which is explicitly coordinated with the stakeholders.

5.4.1.4. Ownership: ownership of the KPI must be established. The owner is to have a mandate, in the event that the standard value is not obtained, to take measures to adjust the process so that the value of the KPI is improved.

5.4.1.5. Recognizable: KPIs are recognizable for employees.

5.4.1.6. Repeatable: the KPI must be able to be established regularly and in the same way.

5.4.1.7. Traceable: the way in which the result of the KPI was achieved must be described.

5.4.1.8. Uniformity of processes: the KPIs must result from processes that are interpreted and implemented in a uniform way by all stakeholders.

5.4.1.9. Standard: in particular, if KPIs are used for a benchmark, they must correspond to existing standards and be described using standard definitions.

5.4.1.10. Costs vs benefits: a healthy ratio between the costs and benefits of the development of KPIs and especially of the measurements. The costs involved in defining the KPI must be justified by the benefits of the insight obtained.

5.4.1.11. SMART: the KPI must be Specific, Measurable, Acceptable (for all stakeholders), Realistic and Time-dependent.

5.4.1.12. The I in KPI stands for indicator: the goal of a KPI is to provide insight into what can be improved; it is not intended as a way of settling scores.

5.5. Key Risk Indicators (KRIs)

5.5.1. KRIs are like signals / triggers: Indicate warning thresholds. Allow tracking and reporting. Highlight trends in developing or potential risk.

5.5.2. KRIs are like Early Warning Indicators (EWIs); the difference is that KRIs are dedicated to risks.

5.5.3. KRIs are a subset of Risk Indicators (RIs).

5.5.4. Types: logs, alarms, reports, calls, events, incidents, ...

5.5.5. Parameters: size and complexity of the enterprise; business vision / mission stability; type of market in which the enterprise operates; strategic focus of the enterprise.

5.5.6. Factors: create ownership of risk indicators (involve stakeholders to obtain buy-in; include all stakeholders, operational and strategic); balanced selection of risk indicators (lag (detective), lead (preventative), trend (indicator correlation / risk)); ensure indicators reflect the root cause (map a unique root cause to a single or specific set of indicators to avoid false conclusions).

5.5.7. Criteria for KRI selection. Impact: controls covering high-impact risks. Effort: controls that are easy to monitor. Reliability: close relationship between the risk and the control. Sensitivity: accurately reflect changes in risk. Repeatability: repeatable so it can be measured on a regular basis.

5.5.8. Benefits of selecting the right KRIs: forecast developing risks (forward-looking: trends / preventative); post-incident review (backward-looking: analysis and lessons learned, better future risk response); document trends (watch developing risks over time); measure risk appetite and tolerance (compliance); increase the likelihood of meeting strategic objectives; assist in optimizing the risk governance and risk management environment.

5.5.9. Disadvantages of wrong KRIs: no linkage from KRI to a specific risk (useless); unclear or incomplete KRIs (not industry or market specific; too generic, or too organization / department / project specific); too many KRIs (meaningless); difficult to measure (hard to compare, interpret or aggregate).

5.5.10. Changing KRIs / KRI maintenance: risk changes, so should KRIs (different trigger levels). Each KRI is related to the risk appetite and tolerance so that trigger levels can be defined that enable stakeholders to take appropriate action in a timely manner.

5.5.11. Optimizing KRIs. Sensitivity: collecting too much data; solution: only collect critical-level data. Timing: data collected too late to take corrective action; solution: collect abnormalities in a timely manner. Frequency: data collected daily but reported monthly; solution: set the sample rate. Corrective action gaps: reports do not indicate that priority corrective action is underway; solution: project management tools, assign risk owners.
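The appetite / tolerance / capacity definitions in 3.9.5-3.9.7 and the KRI trigger levels and optimization points in 5.5.10-5.5.11 together describe what a KRI monitoring job has to do: band each reading against the three thresholds, trigger a response when tolerance is exceeded without flooding the owner with repeats, and roll daily readings up to a reporting period without hiding a breach. The Python below is an added example, not part of the study guide or any ISACA material; the KRI, its thresholds, the escalation targets and the daily readings are all constructed for illustration.

```python
"""KRI evaluation against appetite / tolerance / capacity thresholds (added illustration, not ISACA material).

Assumed: one KRI measured as a number, three increasing thresholds in the sense of 3.9.5-3.9.7,
and a constructed series of daily samples. The bands and escalation targets are hypothetical.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Band(Enum):
    WITHIN_APPETITE = 0   # routine monitoring only
    ABOVE_APPETITE = 1    # risk owner acts; tolerance not yet exceeded
    ABOVE_TOLERANCE = 2   # tolerance breached: triggers a response (3.9.6)
    ABOVE_CAPACITY = 3    # beyond what the enterprise can bear (3.9.5)


# Hypothetical escalation target for each band.
ESCALATES_TO: Dict[Band, Optional[str]] = {
    Band.WITHIN_APPETITE: None,
    Band.ABOVE_APPETITE: "risk owner",
    Band.ABOVE_TOLERANCE: "senior management",
    Band.ABOVE_CAPACITY: "board of directors",
}


@dataclass(frozen=True)
class KRI:
    name: str
    appetite: float
    tolerance: float
    capacity: float

    def __post_init__(self) -> None:
        # Thresholds must be ordered as 3.9 defines them; a misconfigured KRI is itself a risk.
        if not (self.appetite <= self.tolerance <= self.capacity):
            raise ValueError("require appetite <= tolerance <= capacity")

    def band(self, value: float) -> Band:
        if value > self.capacity:
            return Band.ABOVE_CAPACITY
        if value > self.tolerance:
            return Band.ABOVE_TOLERANCE
        if value > self.appetite:
            return Band.ABOVE_APPETITE
        return Band.WITHIN_APPETITE


Sample = Tuple[str, float]              # (date, measured value)
Trigger = Tuple[str, float, Band, str]  # (date, value, band entered, who is alerted)


def triggers(kri: KRI, samples: List[Sample]) -> List[Trigger]:
    """Fire only when a sample crosses upward into a worse band, so a sustained breach is
    reported once instead of on every sample (the 'too much data' sensitivity point in 5.5.11).
    Returning within appetite resets the state, so a later breach fires again."""
    fired: List[Trigger] = []
    worst_open = Band.WITHIN_APPETITE
    for date, value in samples:
        band = kri.band(value)
        if band.value > worst_open.value:
            fired.append((date, value, band, ESCALATES_TO[band]))
            worst_open = band
        elif band is Band.WITHIN_APPETITE:
            worst_open = Band.WITHIN_APPETITE
    return fired


def reporting_summary(kri: KRI, samples: List[Sample], period: int) -> List[Tuple[str, float, Band]]:
    """Roll daily samples up to a coarser reporting period (the 'frequency' point in 5.5.11).
    Each period is summarised by its peak, not its average: an average would hide a short
    tolerance breach inside an otherwise quiet period."""
    summary = []
    for start in range(0, len(samples), period):
        peak_date, peak = max(samples[start:start + period], key=lambda s: s[1])
        summary.append((peak_date, peak, kri.band(peak)))
    return summary


# Constructed KRI and two weeks of constructed daily readings.
OPEN_CRITICAL_VULNS = KRI("critical vulnerabilities open for more than 30 days",
                          appetite=5, tolerance=15, capacity=40)

DAILY: List[Sample] = [
    ("2024-03-04", 3), ("2024-03-05", 7), ("2024-03-06", 9), ("2024-03-07", 18),
    ("2024-03-08", 19), ("2024-03-09", 12), ("2024-03-10", 4),
    ("2024-03-11", 2), ("2024-03-12", 3), ("2024-03-13", 6), ("2024-03-14", 5),
    ("2024-03-15", 4), ("2024-03-16", 3), ("2024-03-17", 2),
]


if __name__ == "__main__":
    for date, value, band, who in triggers(OPEN_CRITICAL_VULNS, DAILY):
        print(f"{date}: {value:>3} -> {band.name:16s} alert {who}")
    for date, peak, band in reporting_summary(OPEN_CRITICAL_VULNS, DAILY, period=7):
        print(f"week peak on {date}: {peak:>3} -> {band.name}")
```

Over the constructed series this produces three triggers (above appetite on the 5th, above tolerance on the 7th, above appetite again on the 13th after the return within appetite on the 10th) rather than one per day, and the weekly roll-up reports the first week as above tolerance even though its daily average sits only above appetite.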

5.6. Gathering KRI information / data

5.6.1. KRIs rely on information / data from diverse sources.

5.6.2. Steps to data gathering: gathering requirements (requires input from ...); information / data access (direct data access; receipt of data extracts); information / data validation (information / data prepared for analysis; validation considerations); information / data analysis (ensure that the analysis supports the review objective; analysis should be repeatable); reporting and corrective action (reports generated and sent).

5.7. Maturity Level Assessment

5.7.1. Use of Maturity Level Assessment: determine the maturity level of several key factors; provides a gap analysis between the current and desired state; supports projects to address processes at an unacceptable maturity level. Maturity models are a well-known concept, not only in the IT or Risk Management domain.

5.7.2. Assessing risk maturity levels: boards need accurate reporting on the maturity of risk management efforts: ensure risk is managed enterprise-wide; correct priorities; activities necessary to develop greater maturity. Maturity levels are assessed from unpredictable, uncontrolled processes up to levels of consistency and continuous improvement.

5.7.3. Levels. Level 0 - Non-existent: management processes are not applied at all. Level 1 - Initial / Ad hoc: processes are ad hoc and disorganized. Level 2 - Repeatable but Intuitive: processes follow a regular pattern. Level 3 - Defined Process: processes are documented and communicated. Level 4 - Managed and Measurable: processes are monitored and measured. Level 5 - Optimised: good practices are followed and automated.

5.7.4. see Maturity Models mind map

5.8. Changing Threat Levels

5.8.1. Market conditions.

5.8.2. New technology.

5.8.3. Aging technology.

5.8.4. Staff experience levels (aka. capabilities).

5.8.5. Regulations and legislation (aka. constraints).

5.8.6. Attackers' skill level.

5.8.7. New connections to global systems.

5.8.8. Measuring changes in threat levels: changes that open new vulnerabilities; bypass or remove existing controls; adversely affect potential business levels.

5.8.9. Responding to changes in threat levels: changes in threat levels may mandate changes in network infrastructure, policies, procedures, threat-specific countermeasures and compensating controls.

5.8.10. Threat level review: the threat level (aka risk profile) for the organization must be checked at least annually, whenever there is a major change to the system, and following any major incident. The risk may be checked as a specific periodic review or in an incremental manner (e.g. regulation, PCI-DSS requirements, ISO 27001 requirements).

5.9. Changes in Asset Value

5.9.1. Changes in asset value will have a direct impact on risk levels: End of life for a product or service. Rapidly growing new product or service. Size of stored customer data.

5.10. Risk Reporting

5.10.1. Types of risk communication reporting content include Expectations from risk management: Policies, strategy, procedures, awareness training etc. Status with regard to IT risk: Risk profile of the enterprise, KRIs, thresholds, loss data, etc. Current risk management capability: Risk management process maturity, how well risk is managed etc. Actionable items.

5.10.2. Effective Report Writing Skills Report writing can be described as a career skill. Not only is it a task that forms part of an increasing number of business jobs, but it can make a huge difference to how you are perceived and how well you get on in your career. Today, good communication skills and the ability to write effective reports are essential competencies in the workplace. Style is the most nebulous area of report writing. It is very easy to criticise a writer’s style as ‘poor’ or ‘inappropriate’. What is not so easy is to specify the stylistic improvements that should be encouraged.

5.10.3. Good vs. Poor Communication Benefits of good communication include: Contributing to management's understanding of exposures. Awareness. Transparency to external stakeholders. Consequences of poor communication include: Perception that the enterprise lacks transparency with external stakeholders. Incorrect perception by external stakeholders. False sense of confidence relating to exposure.

5.10.4. Effective reports Clear: e.g. use plain language (language clarity), are logically ordered and easy to navigate (structural clarity / logic flow), highlight important information, explain complex information in plain language. Concise: e.g. a concise document is a piece of writing that conveys only the needed material. Coherent: e.g. at the paragraph level, coherence is achieved by organizing material into a topic sentence and supporting sentences. Useful: e.g. enable decision making. Timely. Appropriate: e.g. aimed at the correct audience based on levels of knowledge, format of report. Available only to personnel on a 'need-to-know' basis.

5.10.5. Possible Risk Report recipients Steering committee. Senior Management Team: CEO. CFO. CIO. CRO / CIRO. Business unit directors. Consultants. Security experts. Subject domain experts. IT Directors. PMOs. Compliance and Audit.

5.10.6. Reporting on Periodic Risk Assessment On a periodic basis to steering committees and responsible managers (e.g. Project / Programme Manager) to enable timely response to emerging trends. Indicate progress on risk mitigation activities.

5.10.7. Risk Reporting topics Current levels of policy, culture and compliance. Current risk status: KRI thresholds. Changes over past period. Forecast of future risk. Capability of staff to meet risk scenarios. State of awareness programs. Past incidents.

5.10.8. Risk Reporting methods (non-exhaustive list) Face to face (F2F) meetings. Heatmaps. Dashboards. Workshops. Bubble charts. Risk prioritisation chart. Facilitated workshops. Distribution lists. Centralized web portals. PPM software.

6. Domain 4 - Information Systems Control Design and Implementation

6.1. Domain 4 - CRISC™ Exam Relevance

6.1.1. The content area for Domain 4 will represent ... 17% of the CRISC® examination 38 questions

6.2. Control

6.2.1. Policies, procedures, practices and guidelines designed to provide reasonable assurance that: Business objectives are achieved. Undesired events are prevented or detected and corrected.

6.3. Control Categories

6.3.1. Compensatory Reduces likelihood of Attack

6.3.2. Corrective Controls that remedy incident Decrease Impact

6.3.3. Detective Controls that identify incident Reduces likelihood of Attack

6.3.4. Deterrent Discovers Attack Triggers Preventive Controls

6.3.5. Directive Regulations, Policies, Standards, Guidelines, Processes & Procedures

6.3.6. Preventative Controls that avoid incident Protects Vulnerability Reduces Impact

6.4. Control Types

6.4.1. Technical / Logical: Safeguards or countermeasures built into computer equipment and software to avoid, counteract or minimize security risks relating to personal property, or any company property. e.g. ACLs, antivirus software, firewalls, IPS, IDS.

6.4.2. Nontechnical: Management (Administrative). Operational (and Physical), e.g. locks, compartmentalized areas, fences, doors, gates, extinguishers. Physical Security (Facility or Infrastructure Protection). Operational Security (Execution of Policies, Standards & Processes, Education & Awareness).

6.4.3. According to NIST SP 800-53 Rev. 3, Recommended Security Controls for Federal Information Systems, and ISO/IEC 27001:2013, Information technology - Security techniques - Information security management systems - Requirements.

6.5. Control Types and Effects

6.5.1. Compensating control An internal control that reduces the risk of an existing or potential control weakness resulting in errors and omissions.

6.5.2. Impact (Business impact) The net effect, positive or negative, on the achievement of business objectives.

6.5.3. Preventive control An internal control that is used to avoid undesirable events, errors and other occurrences that an enterprise has determined could have a negative material effect on a process or end product.

6.5.4. Threat Anything (e.g. object, substance, human) that is capable of acting against an asset in a manner that can result in harm.

6.5.5. Vulnerability A weakness in the design, implementation, operation or internal control of a process that could expose the system to adverse threats from threat events.

6.6. Control Strength

6.6.1. Cannot be determined by simple control category identification.

6.6.2. Can be assessed by its quantitative and qualitative compliance testing results.

6.6.3. Must be assessed within context.

6.6.4. Can be effectively assessed only by measuring against control objective.

6.6.5. Meaningful control design considerations include: Design effectiveness. Operating effectiveness. Alignment with operating environment.

6.7. Control Costs and Benefits

6.7.1. Cost-benefit Analysis Provide a monetary impact view of risk. Determine the cost of protecting what is important. Make good choices.

6.8. Total Cost of Ownership (TCO) for controls

6.8.1. Acquisition costs.

6.8.2. Deployment and implementation costs.

6.8.3. Recurring maintenance costs.

6.8.4. Testing and assessment costs.

6.8.5. Compliance monitoring and enforcement.

6.8.6. Inconvenience to users.

6.8.7. Reduced throughput of controlled processes.

6.8.8. Training in new procedures or technologies as applicable.

6.8.9. End of life decommissioning.

6.9. Software Development Life Cycle (SDLC) Process

6.9.1. The SDLC process governs: The phases deployed in the development or acquisition of a software system. Depending on the methodology, may even include the controlled retirement of the system.

6.9.2. Various types / formats of SDLC: waterfall; iterative; iterative & incremental & adaptive (a.k.a. true 'agile'). Agile is an umbrella term encompassing different methodologies, tools, techniques, practices and frameworks. e.g. Plan-driven projects vs. change-driven projects.

6.9.3. SDLC phases (generic, not methodology specific) 1. Feasibility study: Do we need this project / product? Is it aligned with our mission? 2. Requirements study: What exactly do we need? Can we do it? Budget? Scope? Time? 3. Requirements definition: Business analysis. User stories. Use cases. Business process modelling. 4. Detailed design: Mock-ups, prototypes, designs, models, technical specifications. 5. Programming / Coding. 6. Testing. 7. Installation: Up and running on production. 8. Post-implementation review. 9. Benefits realization.

6.9.4. High Level SDLC phases (from CRISC™ perspective) 1. Project Initiation: tasks. 2. Project Design and Development: leading principles for design and development; project status reports. 3. Project Testing: confirm that the proposed system meets the business requirements, has appropriate controls implemented and is ready to be migrated to production. 4. Project Implementation: project implementation planning; develop and establish technical infrastructure (roles, skills training, new processes, supporting infrastructure); ensure controls operate correctly; challenges in implementation; data migration / conversion considerations; risks during data migration; data conversion project key considerations; changeover (go-live) techniques (moving into production). 5. Project Post-Implementation Review: conducted by independent personnel; compare to initial project design and baselines; focus on control effectiveness; compare to previous audits; document findings and recommendations. Does the system meet: are recommended modifications scheduled? Is the system being supported adequately? Are security controls working correctly? Closing a project.

6.9.5. Business Risk The risk that the system may not meet the users' expected benefits, services or requirements. e.g. Risk of "shelfware" - a piece of software that has never been used at all since its creation. Risk of "bloatware" - a type of software that uses more system resources than necessary.

6.9.6. Project Risk The risk that the project is under. e.g. in PRINCE2® each project risk impact is measured against all 6 project parameters Budget Time Quality Scope Risk Benefits

6.9.7. Understanding Business and Risk Requirements The business usually does not really know its risk requirements. Lead the business through a process to discover its risk requirements: What risks will this new system pose to the business? How critical is the system to the enterprise? Does this system contain / process sensitive data? Who will use the system (end users / employees / technical support / customers)? Is this system subject to local law requirements? Is the system scope covered by a specific norm, e.g. ISO/IEC 27001, HIPAA, Basel III?

6.9.8. Project Management and Controlling Scope Management. Time Management. Budget Management. Risk Management. Quality Management. Benefits Management.

6.9.9. PM tools and techniques (non-exhaustive list) Critical Path Method (CPM). Gantt chart. PERT chart and CPM. Product Breakdown Structure (PBS). Resource Breakdown Structure (RBS). Work Breakdown Structure (WBS).

6.10. HR Practices

6.10.1. Job descriptions

6.10.2. Cross-training. Professional education. Job training. Awareness training.

6.10.3. Job rotation

6.10.4. Mandatory vacations

7. Domain 5 - Information Systems Control Monitoring and Maintenance

7.1. Domain 5 - CRISC™ Exam Relevance

7.1.1. The content area for Domain 5 will represent ... 17% of the CRISC® examination 38 questions

7.2. IS Control Monitoring Process

7.3. IS Control Monitoring and Maintenance Process phases

7.3.1. 1. Prioritize risk

7.3.2. 2. Identify controls

7.3.3. 3. Identify information

7.3.4. 4. Implement monitoring

7.3.5. 5. Report results

7.4. Gathering Monitoring Data

7.4.1. Direct Information e.g. information obtained directly by the analyst: sampling, tools.

7.4.2. Indirect Information e.g. Information provided by a third party

7.5. Key Control Indicators (KCIs)

7.5.1. An indicator used by organisations to help define their control environment and monitor levels of control relative to desired tolerances.

7.6. Select & Implement Automated Monitoring Tools

7.6.1. Sustainability.

7.6.2. Scalability.

7.6.3. Customizability.

7.6.4. Ownership.

7.6.5. Impact on Performance.

7.6.6. Usability of Existing Tools.

7.6.7. Tool Complexity.

7.6.8. Transferability.

7.6.9. License & Ownerships Cost / Benefit.

7.7. Monitoring Tools

7.7.1. Monitoring tools can focus on various dimensions of internal control.

7.7.2. Monitoring tools are organized into groups based on their control monitoring focus: Transaction data. Conditions. Changes. Processing Integrity. Error management.

7.8. Transaction Data Monitoring

7.8.1. This group of tools performs the following functions: Compare transaction data against a defined rule set. Ad hoc reporting. Data correlation across multiple sources.
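As an added illustration of this group of tools (example code written for this guide, not ISACA material): a rule-set check over payment records, a correlation across two sources (the payments and a separate approval log) and an ad hoc per-user report. The field names, the thresholds and all sample records are constructed assumptions.

```python
"""Transaction data monitoring: rule-set checks, cross-source correlation, ad hoc report.

Added example, not from the CRISC material. Payment records, approval log,
thresholds and field names are constructed for illustration only.
"""
from collections import defaultdict

# Constructed sample: payments as recorded by the ERP system (source 1).
PAYMENTS = [
    {"id": "P-1001", "user": "alice", "vendor": "ACME",   "amount": 4800},
    {"id": "P-1002", "user": "bob",   "vendor": "ACME",   "amount": 12500},
    {"id": "P-1003", "user": "alice", "vendor": "ACME",   "amount": 4900},
    {"id": "P-1004", "user": "carol", "vendor": "Globex", "amount": 7300},
    {"id": "P-1005", "user": "alice", "vendor": "ACME",   "amount": 4950},
]

# Constructed sample: approvals recorded by a separate workflow tool (source 2).
APPROVALS = {
    "P-1002": "bob",   # approver is the same person who raised the payment
    # P-1004 has no approval record in the workflow tool at all
}

# Rule set (assumed values): a single payment above APPROVAL_THRESHOLD needs a
# second-person approval; a user's sub-threshold payments to one vendor are
# summed and flagged when the total exceeds SPLIT_PAYMENT_TOTAL.
APPROVAL_THRESHOLD = 5000
SPLIT_PAYMENT_TOTAL = 10000


def check_rules(payments, approvals):
    """Per-transaction rule checks, joining source 1 (payments) with source 2 (approvals)."""
    findings = []
    for p in payments:
        if p["amount"] <= APPROVAL_THRESHOLD:
            continue
        approver = approvals.get(p["id"])
        if approver is None:
            findings.append((p["id"], "payment above threshold without approval record"))
        elif approver == p["user"]:
            findings.append((p["id"], "self-approval (segregation of duties)"))
    return findings


def correlate_split_payments(payments):
    """Correlation across transactions: several payments by one user to one vendor,
    each below the approval threshold, whose sum exceeds SPLIT_PAYMENT_TOTAL."""
    totals = defaultdict(int)
    for p in payments:
        if p["amount"] <= APPROVAL_THRESHOLD:
            totals[(p["user"], p["vendor"])] += p["amount"]
    return sorted(
        (user, vendor, total)
        for (user, vendor), total in totals.items()
        if total > SPLIT_PAYMENT_TOTAL
    )


def ad_hoc_report(payments):
    """Ad hoc reporting: number of payments and total amount per user."""
    report = defaultdict(lambda: {"count": 0, "total": 0})
    for p in payments:
        report[p["user"]]["count"] += 1
        report[p["user"]]["total"] += p["amount"]
    return dict(report)


if __name__ == "__main__":
    for finding in check_rules(PAYMENTS, APPROVALS):
        print("RULE:", *finding)
    for user, vendor, total in correlate_split_payments(PAYMENTS):
        print(f"CORRELATION: {user} -> {vendor}: {total} in sub-threshold payments")
    print(ad_hoc_report(PAYMENTS))
```

The single-transaction rule alone would miss the three payments by the same user that each stay under the approval threshold; the correlation step is what surfaces them, which is why this group of tools is described as combining rule checks with correlation across sources.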

7.9. Compliance Monitoring

7.9.1. This group of tools performs the following functions: Examine specific settings or parameters. Compare configuration information against a baseline. Operate periodically, on a scanning basis. Can be agent based (embedded in hardware or software).
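The baseline comparison these tools perform, as an added example written for this guide (not ISACA material): each collected setting is evaluated against the baseline rule for that setting, and a setting the scan did not return is reported as a deviation rather than silently passed. The baseline rules, host names and collected values are constructed assumptions; a real tool would gather them through an agent or a periodic scan.

```python
"""Compliance monitoring: compare collected configuration settings against a baseline.

Added example, not from the CRISC material. Baseline rules, host names and
collected settings are constructed for illustration only.
"""
import operator

# Assumed baseline: setting name -> (comparison, required value).
BASELINE = {
    "password_min_length":       (operator.ge, 14),
    "account_lockout_threshold": (operator.le, 5),
    "tls_min_version":           (operator.ge, (1, 2)),  # version as a (major, minor) tuple
    "remote_root_login":         (operator.eq, "no"),
    "audit_logging":             (operator.eq, "enabled"),
}

# Constructed sample: settings collected from two hosts by the scan.
COLLECTED = {
    "web01": {
        "password_min_length": 14,
        "account_lockout_threshold": 5,
        "tls_min_version": (1, 3),
        "remote_root_login": "no",
        "audit_logging": "enabled",
    },
    "db01": {
        "password_min_length": 8,
        "account_lockout_threshold": 10,
        "tls_min_version": (1, 2),
        "remote_root_login": "yes",
        # audit_logging was not reported by the agent on this host
    },
}


def evaluate_host(settings):
    """Return a list of (setting, observed, required) deviations; empty means compliant.
    A setting missing from the scan output is a deviation (observed=None)."""
    deviations = []
    for name, (compare, required) in BASELINE.items():
        if name not in settings:
            deviations.append((name, None, required))
        elif not compare(settings[name], required):
            deviations.append((name, settings[name], required))
    return deviations


def compliance_summary(collected):
    """Per-host deviations plus the fleet compliance rate (fraction of compliant hosts)."""
    per_host = {host: evaluate_host(settings) for host, settings in collected.items()}
    compliant = sum(1 for deviations in per_host.values() if not deviations)
    return per_host, compliant / len(per_host)


if __name__ == "__main__":
    per_host, rate = compliance_summary(COLLECTED)
    for host, deviations in per_host.items():
        print(f"{host}: {'COMPLIANT' if not deviations else f'{len(deviations)} deviation(s)'}")
        for name, observed, required in deviations:
            print(f"  {name}: observed={observed!r} required={required!r}")
    print(f"fleet compliance: {rate:.0%}")
```

Expressing each baseline entry as a comparison rather than an exact value matters for settings like the TLS version: a host running a newer version than the baseline still complies, while an exact-match rule would flag it.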

7.10. Process Monitoring

7.10.1. The CRISC™ will monitor risk associated with: Error reporting and handling. Change control. Project management. Business continuity plans. Incident reports.

7.11. Continuous Monitoring

7.11.1. Increasing importance with the advent of e-business.

7.11.2. Provides a method to collect evidence of system reliability, integrity and compliance as part of normal processing.

7.11.3. Allows for monitoring on a continuous basis in an automated fashion.

7.11.4. These tools are designed to automate the evaluation process. The most common types include: Continuous and Intermittent Simulation (CIS). Snapshots. Monitor Hooks. Integrated Test Facility (ITF). Systems Control Audit Review File and Embedded Audit Modules (SCARF/EAM).

7.12. Cause and Effect Diagram

7.12.1. Cause and Effect Diagram Steps Agree on effect or problem statement. Identify major categories of failure. Link the potential or observed control failures to the categories. Discuss the control failure points with the project team. Revise the monitoring process and repeat testing as necessary.


8. Overview of the CRISC™ certification

8.1. About the CRISC™ exam

8.1.1. CRISC™ exam questions are developed with the intent of measuring and testing practical knowledge and the application of general concepts and standards.

8.1.2. PBE & CBE (only pencil & eraser are allowed). PBE - Paper based exam. CBE - Closed book exam.

8.1.3. 4 hour exam.

8.1.4. 200 multiple choice questions designed with one best answer.

8.1.5. No negative points.

8.1.6. Pre-requisite for exam: none

8.1.7. Pre-requisite for certification: Read CRISC™ Application Form

9. Basic risk related definitions (from ISACA® CRISC™ perspective)

9.1. Accountability

9.1.1. Applies to those who either own the required resources or those who have the authority to approve the execution and / or accept the outcome of an activity within specific risk management processes.

9.1.2. Ideally only one person should be accountable, for accountability reasons. e.g. the Project Manager is accountable for risks affecting his project. The Team Leader is accountable for risks affecting his team and work.

9.2. Asset (ISACA®)

9.2.1. Something of either tangible or intangible value that is worth protecting, including people, information, infrastructure, finances and reputation.

9.3. Business Impact Analysis / Assessment (BIA)

9.3.1. Business Impact Analysis (BIA) is a specialized process / exercise (not a tool or technique) to determine the impact of losing the support of any resource.

9.4. Business risk

9.4.1. The risk that the system may not meet the users’ expected benefits, services or requirements

9.4.2. e.g. Risk of "shelfware" - a piece of software that has never been used at all since its creation. Risk of "bloatware" - a type of software that uses more system resources than necessary.

9.5. Business case (ISACA®)

9.5.1. Documentation of the rationale for making a business investment, used both to support a business decision on whether to proceed with the investment and as an operational tool to support management of the investment through its full economic life cycle.

9.6. Compensating control

9.6.1. An internal control that reduces the risk of an existing or potential control weakness resulting in errors and omissions.

9.7. Control

9.7.1. Policies, procedures, practices and guidelines designed to provide reasonable assurance.

9.8. Data custodian (ISACA®)

9.8.1. The individual(s) and department(s) responsible for the storage and safeguarding of computerized data.

9.9. Data owner (ISACA®)

9.9.1. The individual(s), normally a manager or director, who has responsibility for the integrity, accurate reporting and use of computerized data.

9.10. Framework

9.10.1. Generally accepted, business process-oriented structures that establish a common language and enable repeatable business processes.

9.10.2. e.g. AXELOS® M_o_R® - Management of Risk (UK best practices; see M_o_R® mind map). COSO Enterprise Risk Management (ERM) - Integrated Framework (see COSO ERM-IF mind map). COSO Internal Control (IC) - Integrated Framework (see COSO III IC-IF mind map). DHS Risk Management Framework (USA framework). Framework for Improving Critical Infrastructure Cybersecurity (USA framework; pages: 39; see RSA Conference interview - The Evolving Cybersecurity Framework). ISACA® - The Risk IT Framework (USA framework). NIST Risk Management Framework (RMF) (USA framework; process).

9.11. Impact (Business impact)

9.11.1. The net effect, positive or negative, on the achievement of business objectives.

9.12. Likelihood

9.12.1. To determine the likelihood of future events, enterprises / organizations must analyse threats to an IT system, potential vulnerabilities, and the controls in place.

9.12.2. Possibility observed factors, qualitative.

9.13. Practice

9.13.1. aka. Good Practice / Leading Practice / Generic Practice.

9.13.2. Frequent or unusual actions performed as an application of knowledge.

9.13.3. e.g. APM Body of Knowledge (UK standard). AS/NZS HB 436:2004 Risk Management Guidelines - Companion to AS/NZS 4360:2004 (Australian guidelines; pages: 130). BS 6079-3:2000 Project Management - Part 3: Guide to the Management of Business-related Project Risk (UK guidelines). BS 7799-1:2005 Information technology - Security techniques - Code of practice for information security management (ISM) (UK standard; pages: 130). BS 7799-2 (UK guidance). BS 7799-3 (UK guidance). BS 31100:2008 Risk management - Code of practice (UK standard). CAN/CSA-Q634-91 Risk Analysis Requirements and Guidelines (Canadian guidelines). ISACA® - The Risk IT Practitioner Guide (USA guidelines). ISO Guide 73:2009 Risk management - Vocabulary (International guidelines; pages: 24). ISO/IEC 27003:2010 Information technology - Security techniques - Information security management system implementation guidance (International guidelines; pages: 74). ISO/IEC 27005:2013 IT Risk: Turning Business Threats Into Competitive Advantage (ISRM) (International guidelines; process; risk treatment activity). PMBOK® 5 Guide (includes risk management guidelines in projects) (USA best practices; pages: 46 (chapter 11); process; see PMBOK®5 mind map). Project Risk Analysis and Management (PRAM) Guide (UK guidelines; pages: 186).

9.14. Preventive control (ISACA®)

9.14.1. An internal control that is used to avoid undesirable events, errors and other occurrences that an enterprise has determined could have a negative material effect on a process or end product.

9.15. Probability

9.15.1. The probability of a risk occurring can range anywhere from just above 0 percent to just below 100 percent. It can't be exactly 100 percent, because then it would be a certainty, not a risk. And it can't be exactly 0 percent, or it wouldn't be a risk.

9.15.2. Chance, parameters and computation, quantitative.

9.16. Project risk

9.16.1. The risk that the project is under.

9.16.2. e.g. in PRINCE2® each project risk impact is measured against all 6 project parameters: Budget (project budget, project risk budget, project change budget). Time (project time, project phase time, project work package time). Quality (quality of delivered deliverables / products; quality and maturity of project management practices). Scope (risk of 'fatware', e.g. 80% of software functionalities never used). Risk (overall project risk profile within risk tolerance). Benefits (risk associated with project benefits, during and after the project).

9.17. Reputation risk (ISACA®)

9.17.1. The current and prospective effect on earnings and capital arising from negative public opinion.

9.18. Residual risk

9.18.1. The remaining risk after management has implemented a risk response.

9.19. Responsibility

9.19.1. Belongs to those who must ensure that the activities are completed successfully.

9.19.2. Ideally more than one person should be responsible (additional workforce, human resource backup in case of unavailability of the first person). e.g. Software Developer, Server Administrator, Data Custodian.

9.20. Risk

9.20.1. The potential for events and their consequences, contains both (aka. two sides of the risk coin): Opportunities for benefit (upside / benefits) Threats to success (downside / disbenefits)

9.20.2. Risk is the combination of the likelihood of events occurring and the impact those events have on the enterprise / organization. Risk = likelihood * impact

9.21. Risk appetite

9.21.1. Risk appetite is intangible and cannot be measured directly. Analogy of physical appetite or hunger, which cannot be directly quantified: 'I could eat a horse', 'I fancy a doughnut', 'hungry like the wolf'.

9.21.2. Appetite is always different across organizations.

9.21.3. The broad-based amount of risk that a company or other entity (CEO, organization / department / sub department) is willing to accept in pursuit of its mission (or vision).

9.21.4. Risk Appetite is connected with Risk Attitude and Risk Tolerance. see RARA Model

9.21.5. Risk appetite is directly related to an entity’s strategy.

9.21.6. Entities often consider risk appetite qualitatively, with such categories as high, moderate or low, or they may take a quantitative approach, reflecting and balancing goals for growth, return and risk.

9.22. Risk attitude

9.22.1. Is the chosen response of an individual or group to uncertainty that matters, driven by perception. Understanding risk attitude is a critical success factor that promotes effective decision-making in risky situations.

9.22.2. Risk Attitude is connected with Risk Appetite and Risk Tolerance. see RARA Model

9.23. Risk awareness

9.23.1. Acknowledging that risk is an integral part of the business.

9.24. Risk communication

9.24.1. If risk is to be managed, it must first be discussed and effectively communicated throughout the enterprise.

9.25. Risk culture

9.25.1. ”Culture is a socially constructed attribute of organizations that serves as the social glue binding an organization together.” Cameron & Quinn, 2011

9.25.2. Set of shared attitudes, values and practices that characterize how an entity considers risk in its day-to-day activities.

9.25.3. For many companies, the risk culture flows from the entity’s risk philosophy and risk appetite.

9.25.4. Often one of the most important enablers, if not the most important! See the great talk at the RSA 2014 conference about risk / security culture.

9.25.5. For those entities that do not explicitly define their risk philosophy, the risk culture may form haphazardly, resulting in significantly different risk cultures within an enterprise or even within a particular business unit, function or department.

9.25.6. Begins at the top (board and executive) Set direction. Communicate risk-aware decision making. Reward effective risk management behaviors.

9.25.7. Risk-Aware Culture is a series of behaviors Behaviors toward taking risk. Behavior toward negative outcomes. Behavior toward policy compliance.

9.25.8. Symptoms of inadequate or problematic risk culture include: Misalignment between 'real' culture and policies. Misalignment between real risk appetite and its translation into policies. Existence of a "blame culture" vs. a "learning culture".

9.26. Risk impact

9.26.1. Magnitude of harm that could be caused by a threat’s exploitation of a vulnerability.

9.27. Risk indicators (ISACA®)

9.27.1. Metrics used to indicate risk thresholds and when a risk level may be approaching a high or unacceptable level of risk.

9.27.2. A metric capable of showing that the enterprise is subject to, or has a high probability of being subject to, a risk that exceeds the defined risk appetite.
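How risk indicators are put to work in the periodic risk report described under Risk Reporting topics (current status against KRI thresholds, changes over the past period, breaches of risk appetite), as an added example written for this guide and not ISACA material. The indicator names, the amber/red thresholds and the observed values are constructed assumptions; in practice the thresholds are derived from the agreed risk appetite.

```python
"""Key risk indicators: rate each indicator against its thresholds, report the
change since the previous period and list those beyond risk appetite.

Added example, not from the CRISC material. Indicator names, thresholds and
observed values are constructed for illustration only.
"""

# Assumed indicator definitions. Amber marks "approaching an unacceptable
# level"; red marks "exceeds the defined risk appetite". Some indicators get
# worse as they rise, others as they fall.
KRI_DEFINITIONS = {
    "critical_patches_older_than_30d_pct": {"amber": 5.0, "red": 10.0, "higher_is_worse": True},
    "privileged_accounts_without_mfa":     {"amber": 1,   "red": 3,    "higher_is_worse": True},
    "backup_job_success_pct":              {"amber": 98.0, "red": 95.0, "higher_is_worse": False},
}

# Constructed observations for the current and the previous reporting period.
CURRENT = {
    "critical_patches_older_than_30d_pct": 12.5,
    "privileged_accounts_without_mfa": 2,
    "backup_job_success_pct": 99.1,
}
PREVIOUS = {
    "critical_patches_older_than_30d_pct": 4.0,
    "privileged_accounts_without_mfa": 4,
    "backup_job_success_pct": 99.4,
}


def rate(name, value):
    """Return 'green', 'amber' or 'red' for one indicator value."""
    d = KRI_DEFINITIONS[name]
    if d["higher_is_worse"]:
        beyond_red, beyond_amber = value >= d["red"], value >= d["amber"]
    else:
        beyond_red, beyond_amber = value <= d["red"], value <= d["amber"]
    if beyond_red:
        return "red"
    if beyond_amber:
        return "amber"
    return "green"


def kri_report(current, previous):
    """Status, change and trend per indicator, in the shape a periodic report needs."""
    report = {}
    for name, d in KRI_DEFINITIONS.items():
        now, before = current[name], previous[name]
        delta = now - before
        worse = delta > 0 if d["higher_is_worse"] else delta < 0
        report[name] = {
            "value": now,
            "status": rate(name, now),
            "change": delta,
            "trend": "worsening" if worse else ("improving" if delta != 0 else "stable"),
        }
    return report


def breaches(report):
    """Indicators currently beyond risk appetite (red), in name order."""
    return sorted(name for name, entry in report.items() if entry["status"] == "red")


if __name__ == "__main__":
    report = kri_report(CURRENT, PREVIOUS)
    for name, entry in report.items():
        print(f"{name}: {entry['value']} [{entry['status']}] {entry['trend']} ({entry['change']:+})")
    print("beyond appetite:", breaches(report))
```

Note that status and trend are reported separately: an indicator can be amber yet improving (the MFA gap above), or green yet worsening (backup success), and both facts belong in the report so that priorities are not set on the current colour alone.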

9.28. Risk Management Process

9.28.1. Is the (constant) process of balancing the risk associated with business activities with an adequate level of control that will enable the business to meet its objectives.

9.28.2. Holistically covers all concepts and processes affiliated with managing risk, including: Systematic application of management policies, procedures and practices. Establishing the context. Communicating, consulting. Identifying. Analysing. Evaluating. Treating. Controlling. Monitoring. Reviewing.

9.29. Risk subcultures

9.29.1. Individual business units, functions and departments will have slightly different risk cultures.

9.30. Risk tolerance

9.30.1. The acceptable variation relative to the achievement of an objective (often best measured in the same units as those used to measure the related objectives: costs, time, value, quality etc.)

9.30.2. Risk tolerance always needs to be measurable in order to be controlled.

9.30.3. "You cannot control it, if you cannot measure it."

9.30.4. Risk Tolerance is connected with Risk Attitude and Risk Appetite. see RARA Model

9.31. Risk tolerance vs Risk appetite

9.32. Risk factors (ISACA®)

9.32.1. A feature that influences the likelihood and/or business impact of risk scenarios.

9.32.2. A condition that can influence the frequency and/or magnitude and, ultimately, the business impact of IT-related events/scenarios.

9.33. Standard

9.33.1. Established mandatory rules, specifications and metrics used to measure compliance against quality, value, etc.

9.33.2. e.g. A Risk Management Standard (FERMA) (UK standard; pages: 18; process). AS/NZS 4360:1995 & AS/NZS 4360:2004 Risk management (Australian standard; pages: 28; process). BS IEC 62198:2001 (UK standard). CAN/CSA-Q850-97 Risk Management: Guideline for Decision-Makers (Canadian standard; pages: 62; process). CEI/IEC 62198:2001 International Standard, Project Risk Management: Application Guidelines (Switzerland standard). IEEE Standard 1540-2001 Standard for Software Life Cycle Processes - Risk Management (USA standard; pages: 30; process). ISACA IT Audit and Assurance Standards (USA standards). ISO 31000:2009 Risk management - Principles and guidelines (International norm; pages: 34; process). ISO/IEC 27001:2013 Information technology - Security techniques - Information security management systems (ISMS) - Requirements (International norm; pages: 30). JIS Q2001:2001 Guidelines for development and implementation of risk management system (Japan standard). ONR 49000 series (Australian standard). PCI DSS (International norm).

9.34. Threat (ISACA®)

9.34.1. Actions or actors that may act in a manner that can result in loss or harm.

9.34.2. Anything (e.g. object, substance, human) that is capable of acting against an asset in a manner that can result in harm.

9.35. Vulnerability (ISACA®)

9.35.1. A (known) weakness in asset, design, implementation, operation or internal control of a process that could expose the system to adverse threats.

10. CRISC™ Official website

11. Official Recommended exam study materials

11.1. Glossary

11.2. Development Guides

11.2.1. ISACA® CRISC™ QAE Item Development Guide

11.2.2. ISACA® CRISC™ Item Development Guide:

11.3. ISACA® CRISC™ Review Manual 2015

11.4. ISACA® Risk IT™ Framework

11.5. ISACA® Risk IT™ Practitioner Guide

11.6. ISACA® CRISC™ Review Questions, Answers & Explanations Manual 2015 Supplement

11.7. ISACA® CRISC™ Review Questions, Answers & Explanations Manual 2015

11.8. ISACA® CRISC™ Practice Question Database

12. Domains relationships

13. Interactive Glossary

13.1. Interactive CRISC™ Glossary

14. This freeware mind map (aligned with the newest version of the CRISC™ exam) was carefully hand crafted with passion and love for learning and constant improvement, as well as for promoting the CRISC™ qualification and as a learning tool for candidates wanting to gain the CRISC™ qualification. (please share, like and give feedback - your feedback and comments are my main motivation for further elaboration. THX!)

14.1. Questions / issues / errors? What do you think about my work? Your comments are highly appreciated. Feel free to visit my website:


14.1.6. miroslaw_dabrowski