Mob: +254 721 130 397, +254 780 342 333 | Email:


Course Description

The technical knowledge and practices that CRISC evaluates and promotes are the building blocks of victory in the field.

After qualifying this certification, a professional can be hired as a senior IT auditor, security engineer architect, IT security analyst, or information assurance program manager.

The CRISC is designed for professionals who have three years of experience in professional-level risk control and management. To get the CRISC credential, a professional must: Concur to abide by the CRISC Continuing Education Policy Pass the CRISC exam Stick to the ISACA Code of Professional Ethics.


Upon Completion of this Course, you will accomplish following:-Prepare for the Certified in Risk and Information Systems Control exam.

  • Understanding enterprise risk.
  • Plan, execute, scrutinize and retain information systems controls.
  • Risk: identification, evaluation, assessment, response, and monitoring.
  • IS control design and execution.
  • IS control maintenance and monitoring.

Target Audience

  • Individuals who are looking to build a greater understanding of the impact of IT risk and how it relates to their organization.


  • There are no prerequisite to take the CRISC exam; however, in order to apply for CRISC certification you must meet the necessary experience requirements as determined by ISACA


  • 40 Hours

Course Outline

DOMAIN 1—Governance 26%

Organizational Governance A

  1. Organizational Strategy, Goals, and Objectives
  2. Organizational Structure, Roles, and Responsibilities
  3. Organizational Culture
  4. Policies and Standards
  5. Business Processes
  6. Organizational Assets

Risk Governance B

  1. Enterprise Risk Management and Risk Management Framework
  2. Three Lines of Defense
  3.  Risk Profile
  4. Risk Appetite and Risk Tolerance
  5. Legal, Regulatory, and Contractual Requirements
  6. Professional Ethics of Risk Management

DOMAIN 2—IT Risk Assessment 20%

IT Risk Identification A

  1. Risk Events (e.g., contributing conditions, loss result)
  2. Threat Modelling and Threat Landscape
  3. Vulnerability and Control Deficiency Analysis (e.g., root cause analysis)
  4. Risk Scenario Development

IT Risk Analysis and Evaluation B

  1. Risk Assessment Concepts, Standards, and Frameworks
  2. Risk Register
  3. Risk Analysis Methodologies
  4. Business Impact Analysis
  5. Inherent and Residual Risk

DOMAIN 3—Risk Response and Reporting 32%

Risk Response A

  1. Risk Treatment / Risk Response Options
  2. Risk and Control Ownership
  3. Third-Party Risk Management
  4. Issue, Finding, and Exception Management
  5. Management of Emerging Risk

Control Design and Implementation B

  1. Control Types, Standards, and Frameworks
  2. Control Design, Selection, and Analysis
  3. Control Implementation
  4. Control Testing and Effectiveness Evaluation

Risk Monitoring and Reporting C

  1. Risk Treatment Plans
  2. Data Collection, Aggregation, Analysis, and Validation
  3. Risk and Control Monitoring Techniques
  4. Risk and Control Reporting Techniques (heatmap, scorecards, dashboards)
  5. Key Performance Indicators
  6. Key Risk Indicators (KRIs)
  7. Key Control Indicators (KCIs)

DOMAIN 4—Information Technology and Security 22%

Information Technology Principles A

  1. Enterprise Architecture
  2. IT Operations Management (e.g., change management, IT assets, problems, incidents)
  3. Project Management
  4. Disaster Recovery Management (DRM)
  5. Data Lifecycle Management
  6. System Development Life Cycle (SDLC)
  7. Emerging Technologies

Information Security Principles B

  1. Information Security Concepts, Frameworks, and Standards
  2. Information Security Awareness Training
  3. Business Continuity Management
  4. Data Privacy and Data Protection Principles



Contact Information

Eco Bank Towers, 4th Floor Muindi Mbingu Street
P. O. Box 21857 - 00100 Nairobi

Mob: +254 780 342 333, +254 202 246145, 2246154 

Copyright © 2022 Learnovate Technologies Limited. All rights reserved