CRISC Domain #1 - Governance

Greg Belding
October 25, 2021 by
Greg Belding

IT risk management is an area of IT that organizations have been focusing on increasingly over the years. Certified in Risk and Information Systems Control (CRISC) is an Enterprise IT risk management certification that will verify that the cert holder understands how IT risk impacts and is related to their organization. Let’s explore the CRISC job practice, the areas of study that this domain covers and the learning objectives/task statements that certification candidates will be expected to explain on the CRISC certification exam.

Earn your CRISC certification, guaranteed!

Earn your CRISC certification, guaranteed!

Enroll in a CRISC Boot Camp and earn one of the highest paying industry certifications — guaranteed.

What is CRISC?

CRISC is an enterprise IT risk management certification hosted by ISACA. It is intended for enterprise IT risk management professionals working in at least two of the CRISC domains for a minimum of three years. CRISC is currently the only enterprise IT risk management certification in existence. It verifies that the cert holder has mid-career level knowledge of IT risk identification, assessment, monitoring and reporting, risk response and mitigation, and risk control. Earning this certification will make you an invaluable IT risk expert for your organization which may launch your career to even greater heights.

What has changed since the last CRISC exam version?

The 2021 version of the CRISC certification exam has had almost all of its domains changed. Below is a comparison of the new and previous CRISC Job Practice.

Previous CRISC Domains New CRISC Domains


1 IT Risk Identification 27% Governance 26%

2 IT Risk Assessment 28% IT Risk Assessment 20%

3 Risk Response Mitigation 23% Risk Response and Reporting 32%

4 Risk and Control Monitoring and Reporting 22% Information Technology and Security 22%

What is CRISC domain #1?

Domain #1 of the CRISC certification exam covers governance, which emphasizes the organization having a suitable, well-defined risk management capability in place. This ensures that the organization can identify, evaluate, analyze, assess and respond to threats that pose the greatest risk to the organization. 

Governance answers four overarching questions:

  1. Are we doing the right things?
  2. Are we doing them the right way?
  3. Are we getting them done well?
  4. Are we seeing expected benefits?

Why is Domain #1 (Governance) important?

Governance has been moved to the center stage of business thinking and it extends down to the enterprise IT environment, so as time goes on you are sure to hear more about it from your organization’s decision-makers. Enterprise IT governance is the system by which current and future IT use is evaluated, monitored, directed and controlled. The ultimate goal of enterprise IT governance is to create value for the organization. This value is made up of benefit realization, risk optimization, and resource optimization. 

What does CRISC domain #1 cover?

This domain categorizes the material it covers into two types of governance: organizational governance and risk governance which are both made up of six sub-categories. Domain #1 represents 26% of the total exam content which translates into approximately 36 exam questions out of 150 possible multiple-choice questions. You will need to score a minimum of 450 out of 800 possible points to pass the CRISC certification exam.

A. Organizational Governance

1.1 Organizational Strategy, Goals and Objectives

1.2 Organizational Structure, Roles and Responsibilities

1.3 Organizational Culture

1.4 Policies and Standards

1.5 Business Processes

1.6 Organizational Assets

B. Risk Governance

1.7 Enterprise Risk Management and Risk Management Frameworks

1.8 Three Lines of Defense

1.9 Risk Profile

1.10 Risk Appetite, Tolerance and Capacity

1.11 Legal, Regulatory and Contractual Requirements

1.12 Professional Ethics of Risk Management

Learning Objectives/Task Statements

By the time you have learned the material covered by CRISC domain #1, you should be able to explain the following:

  1. Collect and review existing information regarding the organization’s business and IT environments
  2. Identify potential or realized impacts of IT risk to the organization’s business objectives and operations
  3. Identify threats and vulnerabilities to the organization’s people, processes and technology
  4. Evaluate threats, vulnerabilities and risk to identify IT risk scenarios
  5. Establish accountability by assigning and validating appropriate levels of risk and control ownership
  6. Establish and maintain the IT risk register and incorporate it into the enterprise-wide risk profile
  7. Facilitate the identification of risk appetite and risk tolerance by key stakeholders
  8. Promote a risk-aware culture by contributing to the development and implementation of security awareness training
  9. Conduct a risk assessment by analyzing IT risk scenarios and determining their likelihood and impact
  10. Review the results of risk analysis and control analysis to assess any gaps between current and desired states of the IT risk environment
  11. Facilitate the selection of recommended risk responses by key stakeholders
  12. Collaborate with risk owners on the development of risk treatment plans
  13. Collaborate with control owners on the selection, design, implementation and maintenance of controls
  14. Define and establish key risk indicators (KRIs)
  15. Monitor and analyze key risk indicators (KRIs)
  16. Collaborate with control owners on the identification of key performance indicators (KPIs) and key control indicators (KCIs)

Earn your CRISC certification, guaranteed!

Earn your CRISC certification, guaranteed!

Enroll in a CRISC Boot Camp and earn one of the highest paying industry certifications — guaranteed.

Pursuing the CRISC certification

CRISC is an intermediate career-level Enterprise IT risk certification intended for IT and IS Risk, Audit, and Information Security professionals that have at least three years of hands-on experience in at least two of the four CRISC domains. Domain #1, Governance, covers 26% of the overall exam content and divides the material between two categories: organizational governance and risk governance. With governance becoming more important with every passing day, mastering this material will help you pass the CRISC certification exam and will make a credit to your organization.



Greg Belding
Greg Belding

Greg is a Veteran IT Professional working in the Healthcare field. He enjoys Information Security, creating Information Defensive Strategy, and writing – both as a Cybersecurity Blogger as well as for fun.