CRISC Prep Course

Hellenic American Union offers the CRISC prep Course in co-operation with ES Learning. ES Learning is an international consulting and training services company based in Riyadh, and an Authorized Training Organization (ATO) of ISACA International.

ES-Learning is a specializing in capacity building and professionalization, by providing training programs in the following areas: Business Process Management, Facilitation through Trainings, Quality & Performance Management, Services Design, Strategy.

As ISACA'S ATOs, our partners meet ISACA's high training standards. Courses are taughted by accredited and certified trainers, follow ethical practices, and use ISACA's designated materials to make sure you get the most up to date training.

CRISC Prep course offers you the following:

• 27 hours with a thorough overview and key points of the 5 domain areas of  the CISA Exam
• 2 extra hours for a mock-up exam delivered within 2 months after the end of the course to refresh your knowledge
• ISACA training material
• Post-training access to the instructor for advice and support
• Analysis of particular topics which are popular exam questions
• Practice on the “Philosophy” of the examinations’ questions and testing conditions
• Reference tools
• 27 CPEs

CRISC is an exam that tests experience and experience cannot be taught.  However this course, will give you specific guidelines in your study by providing an overview of the core knowledge bases included in the CRISC examination ‘Body of Knowledge’.

Following each section, you will work through a series of sample questions to give you a "feel" for the format and the types of questions you will encounter.

The instructor will provide you with many reference tools and study guides, together with the official ISACA training material. You should continue to study the course materials and rehearse the sample questions after the course until the exam date. Practice with as many sample questions as you can is a key factor for succeeding in the test.

The CRISC certification is addressed to IT risk management experts who should have a minimum of three years of applicable professional experience in IT risk and information systems control, which includes roles such as:

• Security Directors, Managers, or Consultants
• Directors and Managers responsible for Compliance, Risk, and Privacy
• IT Audit Directors, Managers, or Consultants
• Staff members specializing in Compliance, Risk, and Control

Domain 1 - Governance (26% of exam)

The governance domain refers to a company's business and IT setups, its strategy, aims, and objectives. It also looks at how IT risks could affect the company's goals and operations, including things like Enterprise Risk Management and Risk Management Framework.

This domain includes:

A— Organizational Governance

• Organizational Strategy, Goals, and Objectives
• Organizational Structure, Roles and Responsibilities
• Organizational Culture
• Policies and Standards
• Business Processes

B—Risk Governance

• Enterprise Risk Management and Risk Management Framework
• Three Lines of Defense
• Risk Profile
• Risk Appetite and Risk Tolerance
• Legal, Regulatory and Contractual Requirements
• Professional Ethics of Risk Management Organizational Assets

Domain 2 - IT Risk Assessment (20% of exam)

This domain will confirm your understanding of risks and weaknesses affecting the organization's personnel, procedures, and technology, along with assessing how likely these threats and vulnerabilities are to occur and the consequences they might have. This domain includes:

A—IT Risk Identification

• Risk Events (e.g., contributing conditions, loss result)
• Threat Modelling and Threat Landscape
• Vulnerability and Control Deficiency Analysis (e.g., root cause analysis)
• Risk Scenario Development

B—IT Risk Analysis and Evaluation

• Risk Assessment Concepts, Standards and Frameworks
• Risk Register
• Risk Analysis Methodologies
• Business Impact Analysis
• Inherent and Residual Risk

Domain 3 - Risk Response and Reporting (32% of exam)

This domain focuses on creating and overseeing plans to address risks involving important parties, reviewing existing safeguards and enhancing their effectiveness in mitigating IT risks, and sharing appropriate risk and control information with relevant stakeholders.

A—Risk Reponse

• Risk Treatment / Risk Response Options
• Risk and Control Ownership
• Third-Party Risk Management
• Issue, Finding and Exception Management
• Management of Emerging Risk

B—Control Design and Implementation

• Control Types, Standards and Frameworks
• Control Design, Selection and Analysis
• Control Implementation
• Control Testing and Effectiveness Evaluation

C—Risk Monitoring & Reporting

• Risk Treatment Plans
• Data Collection, Aggregation, Analysis and Validation
• Risk and Control Monitoring Techniques
• Risk and Control Reporting Techniques (heatmap, scorecards, dashboards)
• Key Performance Indicators
• Key Risk Indicators (KRIs)
• Key Control Indicators (KCIs)

Domain 4 - Information Technology and Security (22% of exam)

Within this domain, we examine how well business practices align with Risk Management and Information Security frameworks and standards. We also assess the establishment of a culture that is conscious of risk and the implementation of security awareness training.

A—Information Technology Principles

• Enterprise Architecture
• IT Operations Management (e.g., change management, IT assets, problems, incidents)
• Project Management
• Disaster Recovery Management (DRM)
• Data Lifecycle Management
• System Development Life Cycle (SDLC)
• Emerging Technologies

B—Information Security Principles

• Information Security Concepts, Frameworks and Standards
• Information Security Awareness Training
• Business Continuity Management
• Data Privacy and Data Protection Principles

Supporting Tasks

• Collect and review existing information regarding the organization’s business and IT environments.
• Identify potential or realized impacts of IT risk to the organization’s business objectives and operations.
• Identify threats and vulnerabilities to the organization’s people, processes and technology.
• Evaluate threats, vulnerabilities and risk to identify IT risk scenarios.
• Establish accountability by assigning and validating appropriate levels of risk and control ownership.
• Establish and maintain the IT risk register and incorporate it into the enterprise-wide risk profile.
• Facilitate the identification of risk appetite and risk tolerance by key stakeholders.
• Promote a risk-aware culture by contributing to the development and implementation of security awareness training.
• Conduct a risk assessment by analyzing IT risk scenarios and determining their likelihood and impact.
• Identify the current state of existing controls and evaluate their effectiveness for IT risk mitigation.
• Review the results of risk analysis and control analysis to assess any gaps between current and desired states of the IT risk environment.
• Facilitate the selection of recommended risk responses by key stakeholders.
• Collaborate with risk owners on the development of risk treatment plans.
• Collaborate with control owners on the selection, design, implementation and maintenance of controls.
• Validate that risk responses have been executed according to risk treatment plans.
• Define and establish key risk indicators (KRIs).
• Monitor and analyze key risk indicators (KRIs).
• Collaborate with control owners on the identification of key performance indicators (KPIs) and key control indicators (KCIs).
• Monitor and analyze key performance indicators (KPIs) and key control indicators (KCIs).
• Review the results of control assessments to determine the effectiveness and maturity of the control environment.
• Report relevant risk and control information to applicable stakeholders to facilitate risk-based decision-making.
• Evaluate alignment of business practices with risk management and information security frameworks and standards.

Mock Exam – Reviewing questions and answers