
What does the CRISC exam cover?

The Certified in Risk and Information Systems Control® (CRISC®) exam consists of 150 questions covering 4 job practice domains, all testing your knowledge and ability on real-life job practices leveraged by expert professionals.

Below are the key domains, subtopics and tasks candidates will be tested on:


ISACA's Commitment

Since its inception in 2010, more than 23,000 people have obtained ISACA's CRISC certification to validate their expertise in using governance best practices and continuous risk monitoring and reporting. The domains, subtopics and tasks are the results of extensive research, feedback and validation from subject matter experts and prominent industry leaders from around the globe.

Job practice areas tested for and validated by a CRISC certification

Domain 1: Governance, 26%

The governance domain interrogates your knowledge of information about an organization's business and IT environments, organizational strategy, goals and objectives, and examines potential or realized impacts of IT risk to the organization's business objectives and operations, including Enterprise Risk Management and Risk Management Framework.

A. Organizational Governance

  1. Organizational Strategy, Goals and Objectives
  2. Organizational Structure, Roles and Responsibilities
  3. Organizational Culture
  4. Policies and Standards
  5. Business Processes
  6. Organizational Assets

B. Risk Governance

  1. Enterprise Risk Management and Risk Management Framework
  2. Three Lines of Defense
  3. Risk Profile
  4. Risk Appetite and Risk Tolerance
  5. Legal, Regulatory and Contractual Requirements
  6. Professional Ethics of Risk Management

Domain 2: IT Risk Assessment, 20%

This domain will certify your knowledge of threats and vulnerabilities to the organization's people, processes and technology as well as the likelihood and impact of threats, vulnerabilities and risk scenarios.

A. IT Risk Identification

  1. Risk Events (e.g., contributing conditions, loss result)
  2. Threat Modelling and Threat Landscape
  3. Vulnerability and Control Deficiency Analysis (e.g., root cause analysis)
  4. Risk Scenario Development

B. IT Risk Analysis and Evaluation

  1. Risk Assessment Concepts, Standards and Frameworks
  2. Risk Register
  3. Risk Analysis Methodologies
  4. Business Impact Analysis
  5. Inherent and Residual Risk

Domain 3: Risk Response and Reporting, 32%

This domain deals with the development and management of risk treatment plans among key stakeholders, the evaluation of existing controls and improving effectiveness for IT risk mitigation, and the assessment of relevant risk and control information to applicable stakeholders.

A. Risk Response

  1. Risk Treatment / Risk Response Options
  2. Risk and Control Ownership
  3. Third-Party Risk Management
  4. Issue, Finding and Exception Management
  5. Management of Emerging Risk

B. Control Design and Implementation

  1. Control Types, Standards and Frameworks
  2. Control Design, Selection and Analysis
  3. Control Implementation
  4. Control Testing and Effectiveness Evaluation

C. Risk Monitoring and Reporting

  1. Risk Treatment Plans
  2. Data Collection, Aggregation, Analysis and Validation
  3. Risk and Control Monitoring Techniques
  4. Risk and Control Reporting Techniques (heatmap, scorecards, dashboards)
  5. Key Performance Indicators (KPIs)
  6. Key Risk Indicators (KRIs)
  7. Key Control Indicators (KCIs)

Domain 4: Information Technology and Security, 22%

In this domain we interrogate the alignment of business practices with Risk Management and Information Security frameworks and standards, as well as the development of a risk-aware culture and implementation of security awareness training.

A. Information Technology Principles

  1. Enterprise Architecture
  2. IT Operations Management (e.g., change management, IT assets, problems, incidents)
  3. Project Management
  4. Disaster Recovery Management (DRM)
  5. Data Lifecycle Management
  6. System Development Life Cycle (SDLC)
  7. Emerging Technologies

B. Information Security Principles

  1. Information Security Concepts, Frameworks and Standards
  2. Information Security Awareness Training
  3. Business Continuity Management
  4. Data Privacy and Data Protection Principles

Supporting Tasks

  1. Collect and review existing information regarding the organization’s business and IT environments.
  2. Identify potential or realized impacts of IT risk to the organization’s business objectives and operations.
  3. Identify threats and vulnerabilities to the organization’s people, processes and technology.
  4. Evaluate threats, vulnerabilities and risk to identify IT risk scenarios.
  5. Establish accountability by assigning and validating appropriate levels of risk and control ownership.
  6. Establish and maintain the IT risk register and incorporate it into the enterprise-wide risk profile.
  7. Facilitate the identification of risk appetite and risk tolerance by key stakeholders.
  8. Promote a risk-aware culture by contributing to the development and implementation of security awareness training.
  9. Conduct a risk assessment by analyzing IT risk scenarios and determining their likelihood and impact.
  10. Identify the current state of existing controls and evaluate their effectiveness for IT risk mitigation.
  11. Review the results of risk analysis and control analysis to assess any gaps between current and desired states of the IT risk environment.
  12. Facilitate the selection of recommended risk responses by key stakeholders.
  13. Collaborate with risk owners on the development of risk treatment plans.
  14. Collaborate with control owners on the selection, design, implementation and maintenance of controls.
  15. Validate that risk responses have been executed according to risk treatment plans.
  16. Define and establish key risk indicators (KRIs).
  17. Monitor and analyze key risk indicators (KRIs).
  18. Collaborate with control owners on the identification of key performance indicators (KPIs) and key control indicators (KCIs).
  19. Monitor and analyze key performance indicators (KPIs) and key control indicators (KCIs).
  20. Review the results of control assessments to determine the effectiveness and maturity of the control environment.
  21. Report relevant risk and control information to applicable stakeholders to facilitate risk-based decision-making.
  22. Evaluate alignment of business practices with risk management and information security frameworks and standards.

Prepare for the Exam

ISACA offers a variety of exam preparation resources including group training, self-paced training and study resources in various languages to help you prepare for your certification exam. Choose what works for your schedule and your studying needs.

Download the Exam Terminology List

While studying for your CRISC exam, explore our lists of terms that will appear on the test. See the terms in English alongside how they will appear in the other languages offered.

Simplified Chinese | Korean | Spanish