Book Image

ISACA Certified in Risk and Information Systems Control (CRISC®) Exam Guide

By : Shobhit Mehta
5 (1)
Book Image

ISACA Certified in Risk and Information Systems Control (CRISC®) Exam Guide

5 (1)
By: Shobhit Mehta

Overview of this book

For beginners and experienced IT risk professionals alike, acing the ISACA CRISC exam is no mean feat, and the application of this advanced skillset in your daily work poses a challenge. The ISACA Certified in Risk and Information Systems Control (CRISC®) Certification Guide is a comprehensive guide to CRISC certification and beyond that’ll help you to approach these daunting challenges with its step-by-step coverage of all aspects of the exam content and develop a highly sought-after skillset in the process. This book is divided into six sections, with each section equipped with everything you need to get to grips with the domains covered in the exam. There’ll be no surprises on exam day – from GRC to ethical risk management, third-party security concerns to the ins and outs of control design, and IDS/IPS to the SDLC, no stone is left unturned in this book’s systematic design covering all the topics so that you can sit for the exam with confidence. What’s more, there are chapter-end self-assessment questions for you to test all that you’ve learned, as well as two book-end practice quizzes to really give you a leg up. By the end of this CRISC exam study guide, you’ll not just have what it takes to breeze through the certification process, but will also be equipped with an invaluable resource to accompany you on your career path.

Related Content you might be interested in

Current Title:

Small book image
ISACA Certified in Risk and Information Systems Control (CRISC®) Exam Guide
Shobhit Mehta
Sep, 2023 | 316 pages
Small book image
Information Security Handbook
Darren Death
Oct, 2023 | 370 pages
Small book image
Certified Information Security Manager Exam Prep Guide
Hemang Doshi
Dec, 2022 | 718 pages
Small book image
Certified Information Security Manager Exam Prep Guide
Hemang Doshi
Nov, 2021 | 616 pages
Table of Contents (28 chapters)
Preface
Preface
Who this book is for
What this book covers
To get the most out of this book
Conventions used
Get in touch
Share Your Thoughts
Download a free PDF copy of this book
1
Part 1: Governance, Risk, and Compliance and CRISC
Part 1: Governance, Risk, and Compliance and CRISC
Free Chapter
2
Chapter 1: Governance, Risk, and Compliance
Chapter 1: Governance, Risk, and Compliance
Governance, risk, and compliance
GRC for cybersecurity professionals
Importance of GRC for cybersecurity professionals
A primer on cybersecurity domains and the NIST CSF
Importance of IT risk management
Summary
3
Chapter 2: CRISC Practice Areas and the ISACA Mindset
Chapter 2: CRISC Practice Areas and the ISACA Mindset
CRISC exam outline
CRISC job practice areas
CRISC exam structure
CRISC certification requirements
The ISACA mindset
Additional material
Summary
4
Part 2: Organizational Governance, Three Lines of Defense, and Ethical Risk Management
Part 2: Organizational Governance, Three Lines of Defense, and Ethical Risk Management
5
Chapter 3: Organizational Governance, Policies, and Risk Management
Chapter 3: Organizational Governance, Policies, and Risk Management
IT governance and risk
IT risk management
Organizational structure
Organizational culture
Policy documentation
Organizational asset
Summary
Review questions
Answers
6
Chapter 4: The Three Lines of Defense and Cybersecurity
Chapter 4: The Three Lines of Defense and Cybersecurity
The 3LoD model
3LoD and cybersecurity
Critical concepts for risk assessment and management
Risk tolerance versus risk capacity
Risk appetite and business objectives
Summary
Review questions
Answers
7
Chapter 5: Legal Requirements and the Ethics of Risk Management
Chapter 5: Legal Requirements and the Ethics of Risk Management
Major laws for IT risk management
Ethics and risk management
How do ethics affect IT risk?
ISACA Code of Professional Ethics
Summary
Review questions
Answer
8
Part 3: IT Risk Assessment, Threat Management, and Risk Analysis
Part 3: IT Risk Assessment, Threat Management, and Risk Analysis
9
Chapter 6: Risk Management Life Cycle
Chapter 6: Risk Management Life Cycle
Comparing risk and IT risk
IT risk management life cycle
Requirements of risk assessment
Issues, events, incidents, and breaches
Correlating events and incidents
Summary
Review questions
Answers
10
Chapter 7: Threat, Vulnerability, and Risk
Chapter 7: Threat, Vulnerability, and Risk
Threat, vulnerability, and risk
The relationship between threats, vulnerabilities, and risk
Understanding threat modeling
Vulnerability analysis
Tools for identifying vulnerabilities
Vulnerability management program
Summary
Review questions
Answers
11
Chapter 8: Risk Assessment Concepts, Standards, and Frameworks
Chapter 8: Risk Assessment Concepts, Standards, and Frameworks
Risk assessment approaches
Risk assessment methodologies
Risk assessment frameworks
Risk assessment techniques
Importance of a risk register
Summary
Review questions
Answers
12
Chapter 9: Business Impact Analysis, and Inherent and Residual Risk
Chapter 9: Business Impact Analysis, and Inherent and Residual Risk
Differentiating between BIA and risk assessment
Key concepts related to BIA
Understanding types of risk
Summary
Review questions
Answers
13
Part 4: Risk Response, Reporting, Monitoring, and Ownership
Part 4: Risk Response, Reporting, Monitoring, and Ownership
14
Chapter 10: Risk Response and Control Ownership
Chapter 10: Risk Response and Control Ownership
Risk response and monitoring
Risk owners and control owners
Risk response strategies
Risk optimization
Summary
Review questions
Answers
15
Chapter 11: Third-Party Risk Management
Chapter 11: Third-Party Risk Management
The need for TPRM
Managing third-party risks
Upstream and downstream third parties
Responding to anomalies
Summary
Review questions
Answers
16
Chapter 12: Control Design and Implementation
Chapter 12: Control Design and Implementation
Control categories
Control design and selection
Control implementation
Control testing and evaluation
Summary
Review questions
Answers
17
Chapter 13: Log Aggregation, Risk and Control Monitoring, and Reporting
Chapter 13: Log Aggregation, Risk and Control Monitoring, and Reporting
Log aggregation and analysis
SIEM
Risk and control monitoring
Risk and control reporting
Key indicators
Summary
Review questions
Answers
18
Part 5: Information Technology, Security, and Privacy
Part 5: Information Technology, Security, and Privacy
19
Chapter 14: Enterprise Architecture and Information Technology
Chapter 14: Enterprise Architecture and Information Technology
Enterprise architecture
The CMM framework
Computer networks
Networking devices
Firewalls
Intrusion detection and prevention systems
The Domain Name System
Wireless networks
Virtual private networks
Cloud computing
Summary
Review questions
Answers
20
Chapter 15: Enterprise Resiliency and Data Life Cycle Management
Chapter 15: Enterprise Resiliency and Data Life Cycle Management
Enterprise resiliency
Business continuity and disaster recovery
Recovery objectives
Data classification and labeling
Data life cycle management
Summary
Review questions
Answers
21
Chapter 16: The System Development Life Cycle and Emerging Technologies
Chapter 16: The System Development Life Cycle and Emerging Technologies
Introducing the SDLC
Project risk and SDLC risk
System accreditation and certification
Emerging technologies
Summary
Review questions
Answers
22
Chapter 17: Information Security and Privacy Principles
Chapter 17: Information Security and Privacy Principles
Fundamentals of information security
Access management
Encryption
Hashing
Digital signatures
Certificates
Public key infrastructure
Security awareness training
Principles of data privacy
Comparing data security and data privacy
Summary
Review questions
Answers
23
Part 6: Practice Quizzes
Part 6: Practice Quizzes
24
Chapter 18: Practice Quiz – Part 1
Chapter 18: Practice Quiz – Part 1
25
Chapter 19: Practice Quiz – Part 2
Chapter 19: Practice Quiz – Part 2
26
Index
Index
Why subscribe?
27
Other Books You May Enjoy
Other Books You May Enjoy
Packt is searching for authors like you
Share Your Thoughts
Download a free PDF copy of this book

Governance, Risk, and Compliance

Dear reader, I have been in your place, thinking about which certification I should go for first. Should I begin with CISM? It seems to be the most widely recognized. Alternatively, should I consider CISA? However, I am not an auditor, so is it really necessary for me? What about CISSP? It seems rather challenging for someone trying to get certified for the first time. Finally, what about CRISC? It doesn’t appear to be the most relevant for the job responsibilities in the expanding realm of IT risk management.

Congratulations! Now that you have decided on the CRISC, you have taken the most important step of deciding on your certification and are embarking on the first stage of the journey of your career growth. However, what about the study material? Should I buy the official review manual? It appears to be very dull. Should I explore technical forums or communities for more advice and hacks? Alternatively, should I conduct a search using the hashtag CRISC (#CRISC) to see if there's a one-stop blog with all the resources needed to pass the exam in one convenient location?

As I look back on all this certification preparation and reference material, I realize that the majority of them missed a key point – what is the practical application of the knowledge I will acquire as I read this book and attain the certification? If I zoom out a little, why is governance, risk, and compliance (GRC) required in an organization when the sole aim of cybersecurity is to prevent companies from attackers? Also, what is GRC in the first place?

This chapter aims to answer all these questions so that when you pass your CRISC with flying colors and boast about your certification, you don’t have to worry about recalling the basic concepts of GRC and have a solid foundation of IT risk management.

In this chapter, we will cover the following topics:

  • Governance, risk, and compliance
  • GRC for cybersecurity professionals
  • Importance of GRC for cybersecurity professionals
  • A primer on cybersecurity domains and the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF).
  • Importance of IT risk management

Important note

The content of this chapter is not directly related to the exam syllabus, but it is important to understand the concepts of GRC before learning about IT risk management and its implementation for the CRISC exam.

The hope is that this chapter will provide you with enough understanding that you can differentiate between all domains of cybersecurity and can continue your journey well beyond the CRISC certification.

Previous Section
End of Section 1
Next Section