CRISC Domain #2 - IT Risk Assessment

October 26, 2021, by Greg Belding

IT risk management is an area of IT that organizations have been focusing on increasingly over the years. Certified in Risk and Information Systems Control (CRISC) is an IT risk management certification that will verify that the cert holder understands how IT risk impacts and is related to their organization. 


What is CRISC?

CRISC is an enterprise IT risk management certification hosted by ISACA. It is intended for enterprise IT risk management professionals who have worked in at least two of the CRISC domains for a minimum of three years. CRISC is currently the only enterprise IT risk management certification in existence. It verifies that the certification holder has mid-career-level knowledge of IT risk identification, assessment, monitoring and reporting, risk response and mitigation, and risk control. Earning this certification will make you an invaluable IT risk expert for your organization, which may launch your career to even greater heights.

What has changed since the last CRISC exam version?

The 2021 version of the CRISC certification exam has had almost all of its domains changed. Below is a comparison of the new and previous CRISC Job Practices.

Domain   Previous CRISC domains                       Weight   New CRISC domains                        Weight
1        IT Risk Identification                       27%      Governance                               26%
2        IT Risk Assessment                           28%      IT Risk Assessment                       20%
3        Risk Response Mitigation                     23%      Risk Response and Reporting              32%
4        Risk and Control Monitoring and Reporting    22%      Information Technology and Security      22%

As you can see, the weight of Domain #2 has been reduced noticeably since the last CRISC exam version, from 28% to 20%. This may seem like a small reduction of exam material, but in terms of exam questions it amounts to around 12 fewer questions covering Domain #2 material.

What is CRISC domain #2?

Domain #2 of the CRISC certification exam covers IT risk assessment, an important aspect of IT risk management. Professionals working in IT risk management determine the likelihood and impact of IT risk on organizational objectives by analyzing and evaluating IT risk. This supports IT risk-based decision-making across the organization. This domain discusses:

  1. IT risk identification
  2. Understanding the organization’s threat landscape and emerging risk
  3. Analyzing and evaluating identified risk

What does CRISC domain #2 IT risk assessment cover?

This domain categorizes the material it covers into the two broad elements of IT risk assessment: IT risk identification and IT risk analysis and evaluation. Both categories are made up of subcategories (four and five, respectively). Domain #2 represents 20% of the total exam content, translating into approximately 30 exam questions out of 150 possible multiple-choice questions. You will need to score a minimum of 450 out of 800 possible points to pass the CRISC certification exam.

Below is an outline of what this domain covers:

A. IT risk identification

2.1 Risk events

2.2 Threat modeling and threat landscape

2.3 Vulnerability and control deficiency analysis

2.4 Risk scenario development

B. IT risk analysis and evaluation

2.5 Risk assessment concepts, standards and frameworks

2.6 Risk register

2.7 Risk analysis methodologies

2.8 Business impact analysis

2.9 Inherent and residual risk

Learning objectives/task statements

By the time you have learned the material covered by CRISC domain #2, you should be able to do the following:

  1. Identify potential or realized impacts of IT risk to the organization’s business objectives and operations
  2. Identify threats and vulnerabilities to the organization’s people, processes and technology
  3. Evaluate threats, vulnerabilities and risks to identify IT risk scenarios
  4. Establish and maintain the IT risk register and incorporate it into the enterprise-wide risk profile
  5. Facilitate the identification of risk appetite and risk tolerance by key stakeholders
  6. Promote a risk-aware culture by contributing to the development and implementation of security awareness training
  7. Conduct a risk assessment by analyzing IT risk scenarios and determining their likelihood and impact
  8. Identify the current state of existing controls and evaluate their effectiveness for IT risk mitigation
  9. Review the results of risk analysis and control analysis to assess any gaps between current and desired states of the IT risk environment
  10. Collaborate with control owners on the selection, design, implementation and maintenance of controls
  11. Collaborate with control owners on the identification of key performance indicators (KPIs) and key control indicators (KCIs)
  12. Review the results of control assessments to determine the effectiveness and maturity of the control environment
  13. Conduct aggregation, analysis and validation of risk and control data
  14. Report relevant risk and control information to applicable stakeholders to facilitate risk-based decision-making
  15. Evaluate emerging technologies and changes to the environment for threats, vulnerabilities and opportunities
  16. Evaluate alignment of business practices with risk management and information security frameworks and standards


Understanding CRISC domain #2

CRISC is an IT risk management certification that verifies that the certification holder has mid-career-level, hands-on experience in at least two of the four CRISC domains and has mastered the corresponding body of knowledge. IT risk management has increasingly moved to the forefront of organizational culture, and this domain covers an integral part of it: IT risk assessment. Organizations know this and will be willing to give your job candidacy more consideration if you master this domain and earn the CRISC certification.

Greg Belding

Greg is a veteran IT professional working in the healthcare field. He enjoys information security, creating information defensive strategy, and writing, both as a cybersecurity blogger and for fun.