ISACA CRISC (Certified in Risk and Information Systems Control) Exam Guide

The **CRISC** is the only certification that prepares IT professionals for the unique challenges of IT and enterprise risk management. It positions you as an expert capable of linking IT risk to business goals.

What is the definition of IT Risk?

Answer: The likelihood that an event will affect an organization's ability to reach its goals.

Risk is the product of the probability of an event and its potential impact.

What does Risk 'Mitigation' involve?

Answer: Implementing controls to reduce risk probability or impact.

One of the four risk responses: Mitigate, Avoid, Transfer, or Accept.

What is 'Residual Risk'?

Answer: The risk remaining after security controls and mitigation strategies are applied.

This residual amount must align with the organization's risk tolerance.

What is the purpose of a Key Risk Indicator (KRI)?

Answer: To provide early warning signs of increasing risk levels.

KRIs allow for proactive management before a significant event occurs.

Who is the ultimate owner of risk in an enterprise?

Answer: The Business Process Owner.

They are responsible for the business results and suffer the direct consequences of realized risk.
