
Explain that risk equals the product of probability and impact, with likelihood and severity guiding evaluation and mitigation.
Clarifies ISACA exam jargon and risk concepts, including probability, impact, and the risk assessment process. Compare threat and vulnerability and explain risk treatment options, appetite, tolerance, and capacity.
Explore the CIA principles—confidentiality, integrity, and availability—and non-repudiation, including need-to-know, least privilege, data protection, and recovery planning, plus PKI, encryption, and digital signatures.
Explore information system risk concepts and principles, including data confidentiality through encapsulation and encryption, role-based access control, impact analysis, risk ranking, and worst-case scenario planning for disasters.
Explore enterprise IT governance, focusing on strategic direction, monitoring, and control to align IT with business goals, manage risks, and add value.
Explore how organizations set goals, objectives, and risk management strategies, align security with business goals, understand structure and governance roles, and ensure IT strategy supports corporate objectives under the board.
Align risk management strategy with business objectives and operations using an internal control framework. Prioritize appropriate controls, enterprise security architecture, and senior management support to safeguard organizational goals.
Develop a global policy adaptable to local laws; senior management signs off on risk plans, governance based on organizational complexity and risk culture, appetite, and privacy laws guiding outsourcing.
Adopt an enterprise-wide risk management framework to ensure a consistent approach across all functions. Involve relevant stakeholders who understand business goals and processes to maximize the framework's effectiveness.
Identify the IT steering committee role as monitoring and facilitating resource deployment for projects aligned with the business plan and requirements, with members from senior management, IT, and user management.
Align risk response with business objectives by prioritizing resources to areas with low risk tolerance and aligned risk appetite, and involving stakeholders to ensure risk management supports core goals.
Identify and analyze IT-related business risks, including confidentiality, availability, integrity, infrastructure, investment, project ownership, relevance, and schedule risks, to prepare for the CRISC exam.
Learn how risk practitioners detect firewall configuration errors via peer review and ensure deployments align with security policy by auditing firewall parameter settings, while addressing pharming attack and VPN risks.
Explore the four risk management roles in the RACI framework (responsible, accountable, consulted, and informed), and learn how each role contributes to the risk management effort.
Explore how risk culture shapes risk appetite and how open communication enables timely escalation of suspicious activity and transparency to external stakeholders.
Explore how policies set organizational direction, how guidelines and procedures support them, and how standards like ISO 27001 become mandatory; examine data retention factors and policy exceptions.
Explore policies, guidelines, and standards for information security, including data classification policies, data retention in accordance with business requirements, and a global policy approach with regional amendments.
Explore business process review objectives, measure effectiveness, identify issues, and gather information for improvement by engaging business process owners, then review documentation before risk assessment.
Explore the elements of risk, distinguish threat and vulnerability, and learn how to assess and quantify risk, including configuration management and outsourcing contracts.
Explore risk capacity, risk appetite, and risk tolerance, and how they guide decisions and resource allocation. Understand alignment with business objectives and the role of the business process owner.
Explore risk capacity, risk appetite, and risk tolerance, showing how aligning appetite with business objectives directs resources toward areas with low risk tolerance and controls residual risk.
Align risk appetite with business objectives to prioritize high-risk areas and guide mitigation by considering risk capacity, residual risk, risk tolerance, and risk culture.
Identify threats, vulnerabilities, assets, and existing controls to populate the risk register; use Delphi method for information collection and gather inputs from audits, incident reports, media, vulnerability assessments, and interviews.
Explore the method of risk identification, highlighting the Delphi technique for anonymous input, and outline how to build a risk register from information gathering, assets, threats, controls, vulnerabilities, and impacts.
Use the Delphi technique to anonymously identify risks, gather information on the current and future business environment, and maintain a risk register to document all threats and vulnerabilities.
Explore risk scenarios by defining what a risk scenario is, and compare top-down and bottom-up approaches, highlighting a combined method to assess business risks.
Combine top-down and bottom-up approaches to address major business objectives and process-level risks, then develop risk scenarios to assess likelihood and impact via threats and vulnerabilities.
Explore risk scenarios as the most effective technique for risk assessment, using scenarios to estimate frequency and impact, focusing on threats, and combining top-down and bottom-up approaches.
Analyze risk scenarios to identify events and their impact on business processes, and emphasize risk assessment, data ownership to prevent inappropriate access, and adherence to information security requirements.
Analyze risk scenarios through practice questions focusing on risk assessment of proposed infrastructure plans, ownership, and access controls, with follow-up reviews and vulnerability reporting to the system owner.
Master the three-step risk assessment—identification, analysis, and evaluation—and learn to determine risk, justify mitigation against risk appetite, plus data owner and risk register essentials.
Use risk assessment to identify and evaluate risk and its impact, justify a mitigation plan, and track trends via periodic assessments measuring probability and impact on business operations.
Explore key risk assessment techniques, including Bayesian analysis, bow tie analysis, fault tree analysis, Monte Carlo simulation, and Delphi method, to identify threats, consequences, and controls.
Rank risks by monetary value or qualitative levels to identify high-priority items for treatment, and apply the OCTAVE process to identify, prioritize, and manage information security risk for effective mitigation.
Explore risk management procedures and documentation by integrating administrative, physical, and technical controls, while ensuring documented procedures, change management, staff training, and clear ownership of controls.
Learn how the risk register captures the organization's risk universe, incorporating threats, vulnerabilities, probability, impact, and residual risk to guide risk response and mitigation.
Explore risk analysis methodologies, including quantitative, qualitative, and semi-quantitative methods, and learn when to apply each using probability, impact, data availability, and cost-benefit considerations.
Identify and differentiate inherent, residual, and control risks, and explain how implementing controls lowers gross risk to an acceptable residual level.
Assess the current state of controls using risk assessment reports, independent audits, third-party assurance, and control self-assessments; apply gap analysis and business impact analysis to improve incident response and compliance.
Evaluate changes in the risk environment and test new technologies before implementation, using a consistent annual risk assessment and an independent benchmark of capabilities against industry peers.
Learn to perform risk and control analysis to rank risks by impact, prioritize responses, and allocate resources, while using root cause analysis, a pre-mortem, and gap analysis to strengthen controls.
Map each risk to a specific business process owner to establish clear risk ownership and accountability, documented in the risk register and monitored by the board of directors with audit trails.
Explore risk treatment options including mitigation, acceptance, transfer, and avoidance, with examples and guidance on reducing risk to an acceptable level and deciding when to share or insure.
Learn to select risk responses using cost-benefit analysis and return on investment, factoring total cost of ownership to maximize value and minimize impact.
Explore third-party risk management for outsourcing, focusing on the right to audit, service level agreements, and compliance responsibilities amid privacy laws. Assess subcontracting risks and offshore data considerations.
Explore managerial, technical, and physical controls, with examples like policies, procedures, audits, risk and compliance reporting, firewalls, and CCTV to show how oversight and technology protect assets.
Explore preventive, detective, and corrective controls, and learn how proactive safeguards differ from reactive countermeasures, with examples like audits, locks, fire extinguishers, and disaster recovery.
Align stakeholder requirements in the design phase to design and implement controls, guided by risk practitioners, using ISO 27001, PCI DSS, and HIPAA, with auto-expiry access and encryption.
Explore post-implementation review objectives, including assessing whether the project meets its goals, return on investment, and security controls, while documenting lessons learned for future projects.
Test controls at frequent intervals to determine effectiveness, balancing cost against perceived risk for optimum control. Monitor in the risk management phase, ensure regulatory compliance, and demonstrate organizational value.
Explore the full spectrum of testing in the system development life cycle, from unit and integration testing to system testing, acceptance testing, regression testing, and white-box versus black-box approaches.
Evaluate new controls for vulnerabilities after implementation by conducting user acceptance testing to confirm risk mitigation, identify any new weaknesses, and validate the controls' effectiveness.
Develop a documented risk action plan within the risk register, assign responsibilities with start and end dates, monitor progress, and periodically review controls to keep risk at an acceptable level.
Explore data collection and extraction tools and techniques for detecting unauthorized access, balance log capture levels with performance, and leverage SIEM and integrated test facilities for validation.
Identify and implement control monitoring through a continuous monitoring system, thresholds, and sources such as SOC, NOC, and control self-assessment to assess control effectiveness and inform risk owners.
Explore control assessment types, including internal audit, vulnerability assessment, penetration testing, and third-party assurance, their roles, periodic audits, and key standards like ISO 27001, PCI DSS, and COBIT 5.
Explore how control assessment results, maturity models, and gap assessments drive continuous improvement in risk management, using the capability maturity model and a risk-aware culture to gauge security controls.
Explore key performance indicators and SMART KPI characteristics, learn how KPIs measure and monitor process performance against goals, set thresholds, and use root cause analysis for corrective actions.
Explore key risk indicators and their thresholds to monitor risk levels, trigger alerts, and guide independent monitoring and reporting to senior management during the risk response and risk monitoring stages.
Understand the difference between lagging indicators and lead indicators, with backward-looking versus forward-looking insights, through practical examples like a 100-mile journey and mid-course checks.
Explore key control indicators (KCI) as measures of control effectiveness, with examples like email filtering, audit findings, and firewall performance, and learn how tolerances and optimum balance guide risk management.
Differentiate KPI, KRI, and KCI to see how performance, risk, and control monitoring interrelate, with examples like system uptime, unpatched systems, and phishing filter effectiveness.
Changes to the IT risk profile occur with new technologies, process shifts, and regulatory or market changes; evaluate them, document them in the risk register, and adjust controls to align with objectives.
Explore control ownership concepts, periodic control reviews, and assigning the mitigation action plan to responsible individuals to keep risk at acceptable levels.
Explore enterprise architecture as the framework for aligning technology initiatives with the IT framework, outlining current and future states, risk assessment, and security architecture to guide patches and deployments.
Develop and implement security architecture to align strategy across the organization and external partners. Explore patch management, secure coding, input validation, network isolation, encryption, and multi-factor authentication.
Explain maturity models and the five-level capability maturity model (CMM) used to assess and improve the risk management process, focusing on measuring gaps against desired states for continuous improvement.
Explain the OSI model's seven layers from physical to application, showing how each layer performs its function to move, route, encrypt, compress, translate, and present data for end-user access.
Explore the TCP/IP model and its five-layer structure, contrasted with the OSI seven-layer model. Compare TCP and UDP, highlighting reliability, connection orientation, and data delivery behavior.
Examine network cabling, comparing fiber optic and twisted pair, highlighting fiber's security and immunity to EMI, plus attenuation and crosstalk risks as exam-relevant concepts for long-distance, high-volume networks.
Explore core network devices: repeater, hub, switch, bridge, and router, within the OSI framework for the CRISC exam, showing how operating at layers one to three determines device intelligence and functions.
Explore four firewall types: packet filtering, stateful inspection, circuit level, and application level, along with bastion hosts and proxies, mapping them to OSI layers; application level is the most secure.
A demilitarized zone (DMZ) routes external traffic to a noncritical area before it reaches the internal network, protecting critical systems. Place mail servers in the DMZ, harden them, and differentiate a DMZ from a proxy.
Discover how a proxy server acts as a middleman between internal networks and the internet, and compare circuit-level proxies at the session layer with application-level proxies for specific services, which are more secure.
Explore firewall implementation methods, including screened host, dual-homed, and screened subnet (DMZ), and identify protected configurations featuring packet-filtering routers and bastion hosts.
Explore intrusion detection and intrusion prevention systems, comparing network-based and host-based IDS for monitoring security events. Learn signature-based, statistical-based, and neural network approaches, plus honeypots.
Identify attacks on internal networks using intrusion detection systems and intrusion prevention systems. Contrast statistical, signature-based, and neural network approaches, and explain anomaly-based detection, data sensors, honeypots, and tuning.
Explore how the domain name system converts web addresses to IP addresses, enabling browser connections. Examine risks such as pharming attacks, false DNS replies, and amplification attacks.
Explore risks and controls in wireless networks, including encryption, MAC filtering, disabling SSID broadcast, and disabling DHCP, to protect access and prevent rogue access points.
Explore cloud computing foundations, including resources such as storage, processing power, memory, network bandwidth, and virtual machines, and review private, public, community, and hybrid deployments and IaaS, SaaS, and PaaS.
Explore the five phases of the system development life cycle, from initiation and feasibility to disposal, emphasizing early design, internal controls, and risk assessment at every phase.
Explore the five SDLC phases—initiation and feasibility, development and acquisition, implementation, operations and maintenance, and disposal—and how internal controls, change management, and risk assessment guide secure system development.
Explore system migration and changeover techniques, including parallel changeover, abrupt changeover, and phased changeover, detailing risks, benefits, and roles like the data owner in ensuring data migration integrity.
Explore how to align the business continuity plan and disaster recovery with risk assessment, and use business impact analysis to determine disruption impact and prioritize critical processes for early recovery.
Understand recovery time objective and recovery point objective, defining acceptable downtime and data loss with practical examples. Explore backup strategies, hot sites, data mirroring, and synchronous backups for critical systems.
Define and execute an incident response plan to minimize outage duration and business impact, assign clear incident management roles, collect evidence, and learn from events through testing and post-incident reviews.
Classify information assets by inventorying, establishing ownership, labeling data, and creating access control lists; data owners define access rules and maintain controls, prioritizing data integrity and policy awareness.
Explore data and database management, including input validation, data authorization, and storing sensitive information. Learn about data encapsulation, redundancy, normalization, and protection through encryption and access controls.
Understand the difference between accreditation and certification, where accreditation approves system functionality by an authoritative body and certification verifies conformance to standards such as ISO 27001.
Explore online auditing techniques, including the integrated test facility with dummy transactions in the production environment, the snapshot technique capturing before-and-after states, and audit hooks for flagging suspicious transactions and fraud indicators.
Explore how emerging technologies affect the design and implementation of controls, emphasizing defined, documented processes with risk assessment before adoption, and detect unauthorized use with the elusive discovery scanner.
Explore deepfake technology powered by artificial intelligence and deep learning to create convincing images. Assess risks to video or voice based approvals, false information, and reputation; implement administrative controls.
Explore the internet of things, where devices such as Alexa communicate autonomously, and learn IoT security risks, the role of information security staff, and regulatory and privacy considerations.
Learn how blockchain stores data in blocks linked by hashes to ensure integrity, forming a decentralized, irreversible ledger for cryptocurrency transactions.
Explore segregation of duties, cross training, and job rotation to prevent fraud and detect irregularities. See how role-based access and audit logs provide compensating controls and reduce collusion.
Explore segregation of duties by enforcing role-based access, ensuring two-person task completion, and applying compensating controls like transaction log reviews to deter fraud and error.
Explore factors of authentication and the three factors: something you know, something you have, and something you are. Learn how two-factor authentication strengthens access using passwords, tokens, and biometrics.
Explore password management for the CRISC exam, covering system enforced password configuration, automated password synchronization, strong password settings, password policy, and risk assessment for non-compliance.
Learn how biometrics identify individuals using features like fingerprints and retina scans, explore key accuracy measures (FAR, FRR, EER), attack types, and the biometric lifecycle.
Explore cryptography fundamentals, contrasting symmetric and asymmetric encryption, and show how private and public keys and hashes enable confidentiality, authenticity, integrity, and non-repudiation.
Explain how hash functions produce a message digest, then encrypt this digest with the sender's private key to create a digital signature that provides authentication, integrity, and non-repudiation.
Explore the public key infrastructure lifecycle, including the certifying authority and registration authority roles, issuing and revoking digital certificates, and the certification practice statement and certificate policy.
Foster a risk aware culture to improve ethics, risk reporting, and informed decision making by delivering tailored security awareness training and measuring its effectiveness through quizzes, incident reporting, and metrics.
Explore data privacy principles, consent, data inventory and classification, privacy by design, and governance for cross-border transfers, with privacy impact assessments and data loss prevention to safeguard personal information.
Explore information system attack methods and techniques, including botnets, buffer overflow, denial of service, and social engineering, to understand how attackers exploit networks, data, and users.
(Note: The CISA Exam is conducted by ISACA. This course is a private course and is not affiliated with ISACA.)
This course is aligned with ISACA's CRISC Review Manual (8th Edition) and updated in 2026. Please note that the objective of this course is to support and supplement the content of ISACA's official resources. This course is not meant to replace the CRISC Review Manual and the Question, Answer and Explanation Manual. Candidates are strongly advised to use ISACA's official resources as the primary resources to study for the CRISC exam. This course will help you decipher the technicalities used in the official resources.
This course is designed on the basis of ISACA's official resources. It covers all four domains of the CRISC Review Manual. Topics are arranged segment-wise and aligned with the latest CRISC Review Manual.
The course is designed specifically for candidates from a non-technical background. Video content is designed after considering three major aspects:
(1) Whether the content is able to engage the audience throughout.
(2) Whether the content conveys the meaning of the CRISC Review Manual in an effective manner.
(3) Whether the video helps the audience understand and retain the key aspects for a longer duration.
CRISC by Hemang Doshi
Features of this course are as follows:
This course is designed on the basis of ISACA's official resources.
The course is designed specifically for candidates from a non-technical background.
Topics are arranged segment-wise and aligned with the latest CRISC Review Manual.
Exam-oriented practice questions and practical examples for CRISC aspirants.
Flashcard-based learning mode.
Use of SmartArt graphics for easy learning.
More than 500 practice questions.
Course also includes 2 full CRISC Mock Test (150 questions each)