CRISC Certification Job Practice (Changed from 1 Aug 2021)

Domain 1 – Governance (26%)

• Collect and review existing information regarding the organization’s business and IT environments. 
• Identify potential or realized impacts of IT risk to the organization’s business objectives and operations. 
• Identify threats and vulnerabilities to the organization’s people, processes and technology. 
• Evaluate threats, vulnerabilities and risk to identify IT risk scenarios. 
• Establish accountability by assigning and validating appropriate levels of risk and control ownership. 
• Establish and maintain the IT risk register and incorporate it into the enterprise-wide risk profile. 
• Facilitate the identification of risk appetite and risk tolerance by key stakeholders. 
• Promote a risk-aware culture by contributing to the development and implementation of security awareness training. 
• Conduct a risk assessment by analyzing IT risk scenarios and determining their likelihood and impact.

Domain 2 – IT Risk Assessment (20%)

• Analyze risk scenarios to determine likelihood and impact
• Identify current state of risk controls and their effectiveness
• Determine gaps between the current state of risk controls and the desired state
• Ensure risk ownership is assigned at the appropriate level
• Communicate risk assessment data to senior management and appropriate stakeholders
• Update the risk register with risk assessment data

Domain 3 – Risk Response and Reporting (32%)

• Align risk responses with business objectives
• Develop consult with and assist risk owners with development risk action plans
• Ensure risk mitigation controls are managed to acceptable levels
• Ensure control ownership is appropriately assigned to establish accountability
• Develop and document control procedures for effective control
• Update the risk register
• Validate that risk responses are executed according to risk action plans

Domain 4 – Information Technology and Security (22%)

• Risk and control monitoring and reporting
• Define key risk indicators (KRIs) and identify key performance indicators (KPIs) to enable performance measurement key risk indicators (KRIs) and key performance indicators (KPIs)
• Determine the effectiveness of control assessments
• Identify and report trends/changes to KRIs/KPIs that affect control performance or the risk profile