CRISC SPRING 2013 Certified in Risk and Information Systems Control
CRISC training is a competency-based 4-day (32 contact hours) course that provides participants with the knowledge necessary to identify, assess and implement a Risk Management Program designed to mitigate risks associated with information, business systems and technology.
Experienced instructors will guide participants through the implementation of a Risk Management Program, encompassing both the design and the ongoing daily maintenance of the program. The course includes the assessment of threats and vulnerabilities that lead to risk exposure and potential impact on the confidentiality, integrity and availability of information. During the course we will walk through risk scenarios and identify the appropriate response. We will also walk through the process of designing and integrating controls within policies, procedures and standards. In addition, we will establish a monitoring process and identify the appropriate governance committee.
We will also review Risk Management best practices from multiple sources, seeking the best possible control design strategy for each individual organization. These standard frameworks include COBiT 5, ISO 31000, COSO ERM and ISO/IEC 27001:2013.
CREDIT STATUS: n/a
PREREQUISITES: Review CRISC job practice areas
SPECIFIC OUTCOMES: Upon successful completion:
TOPIC OUTLINE:
Risk Identification, Assessment and Evaluation (31%)
Collect information and review documentation to ensure that risk scenarios are identified and evaluated.
Identify legal, regulatory and contractual requirements and organizational policies and standards related to information systems to determine their potential impact on the business objectives.
Identify potential threats and vulnerabilities for business processes, associated information and supporting capabilities to assist in the evaluation of enterprise risk.
Create and maintain a risk register to ensure that all identified risk factors are accounted for.
Assemble risk scenarios to estimate the likelihood and impact of significant events to the organization.
Analyze risk scenarios to determine their impact on business objectives.
Develop a risk awareness program and conduct training to ensure that stakeholders understand risk and contribute to the risk management process, and to promote a risk-aware culture.
Correlate identified risk scenarios to relevant business processes to assist in identifying risk ownership.
Validate risk appetite and tolerance with senior leadership and key stakeholders to ensure alignment.
Risk Response (17%)
Identify and evaluate risk response options and provide management with information to enable risk response decisions.
Review risk responses with the relevant stakeholders for validation of efficiency, effectiveness and economy.
Apply risk criteria to assist in the development of the risk profile for management approval.
Assist in the development of risk response action plans to address risk factors identified in the organizational risk profile.
Assist in the development of business cases supporting the investment plan to ensure risk responses are aligned with the identified business objectives.
Risk Monitoring (17%)
Collect and validate information that measures key risk indicators (KRIs) to monitor and communicate their status to relevant stakeholders.
Monitor and communicate key risk indicators (KRIs) and management activities to assist relevant stakeholders in their decision-making process.
Facilitate independent risk assessments and risk management process reviews to ensure they are performed efficiently and effectively.
Identify and report on risk, including compliance, to initiate corrective action and meet business and regulatory requirements.
REFERENCE MATERIAL:
Required: None.
Recommended: COBiT 4, COBiT 5, COSO ERM, ISO 31000, ISO 27001
MODES OF EVALUATION:
Two tests: 40%
Two assignments: 20%
Final examination: 40%
Each student should be aware that cheating or plagiarism will result in failure to successfully complete this course.
APPROVED BY: Mark E.S. Bernard
SIGNATURE:
NOTE: Any inquiries concerning the training session can be directed to the instructor following attendance at our course.
CONTACT:
Skype: Mark_E_S_Bernard
Twitter: @MESB_TechSecure
LinkedIn: http://ca.linkedin.com/in/markesbernard