Certified in Risk and Information Systems Control (CRISC) cheat sheet
ISACA
Free to share. Examworthy is not affiliated with or endorsed by ISACA; CRISC and related marks belong to their respective owners.
At a glance
Format: Multiple choice, computer-based at PSI testing centres or remote proctored
Domain weight map
Heaviest first - spend your time here
How this exam thinks
CRISC is a judgement exam: nearly every question is a scenario, and the right answer is the move that aligns the decision with the organisation's risk appetite and puts the accountable business owner, not the practitioner, in charge of the risk.
Spot the trap
Tempting wrong answers, and why they fail
Tempting but wrong
Transferring a marginal over-appetite exposure to an insurer is the right call when controls would cost more than the loss.
Why it fails
Transfer adds premium cost on top of an exposure already smaller than further treatment spend, so it is hard to justify. When treatment cost exceeds the potential loss, documented acceptance is the rational response.
Risk Response and Reporting
Tempting but wrong
Mapping each IT risk scenario to the business objectives it could impair proves the risk approach is steered by strategy.
Why it fails
Mapping risks to objectives shows useful traceability and documents exposure, but it does not prove the overall approach is steered by strategy. Strategic alignment is shown by deriving appetite, tolerance and treatment priorities from the approved objectives.
Governance
Tempting but wrong
A list of every operating control and its last test date is enough to form a risk scenario.
Why it fails
A control catalogue describes the current state but states no threat, event, or consequence, so it cannot frame what could go wrong or how badly. A scenario needs an actor, an event, an affected asset, and a loss outcome.
Risk Assessment
Tempting but wrong
Architecture's job for a duplicate tool purchase is just to document it in the repository after it goes into production.
Why it fails
Recording a tool after deployment keeps the repository current but does nothing to manage the risk of the purchase itself. By then the redundancy and integration cost are locked in. The architecture review must happen before approval, while the decision can still be changed.
Information Technology and Security
Tempting but wrong
Avoiding the risk by retiring the underlying activity is appropriate for an exposure only marginally above appetite.
Why it fails
Avoidance removes the activity entirely, an extreme response that sacrifices business value. For a residual risk only marginally above appetite where treatment costs more than the loss, informed acceptance fits better.
Risk Response and Reporting
Tempting but wrong
Counting how many IT risk scenarios were closed within the remediation window demonstrates strategic alignment.
Why it fails
Closure rates measure the operational efficiency of treatment and look like progress, but they say nothing about whether the work served the organisation's strategic goals. Alignment comes from anchoring risk decisions to approved objectives.
Governance
Tempting but wrong
A detailed network and data-flow diagram of a platform constitutes a risk scenario.
Why it fails
An architecture diagram is an input that supports analysis, not a scenario in itself, because it names no event, no actor, and no loss outcome. A scenario must connect actor, event, asset, and consequence.
Risk Assessment
Tempting but wrong
Tool selection is a local operational matter, so enterprise architecture should defer entirely to the business unit.
Why it fails
Treating selection as purely local ignores that overlapping platforms create enterprise integration and cost risk. Governing exactly that kind of cross-estate redundancy is what the architecture function exists to do, so deferring entirely abandons its core role.
Information Technology and Security
Exam-day rules
- Find the appetite and the owner first. Before judging the options, ask what the organisation's risk appetite is and who is accountable for this risk, because that pairing usually picks the answer.
- Reject answers where the practitioner oversteps. If an option has you accepting risk, choosing a treatment unilaterally or quietly working around a conflict, it is almost always the trap; the owner decides and accepts, you advise and disclose.
- Understand the risk before you treat it. When an option jumps to a control before the risk is assessed or scoped, prefer the answer that assesses or clarifies first; sequence matters on this exam.
- Run the cost-benefit on every control. Never pick a safeguard that costs more each year than the largest plausible loss it prevents; the proportionate, lower-cost treatment is usually correct.
- Match the report to its audience. Boards get exposure aggregated against appetite and the decisions they must make; operational owners get the detailed control and remediation status. The same data, shaped to the reader, is the right answer.
Revision schedule
- Day 1: Map the blueprint and book a date
- Week 1: Internalise the practitioner mindset
- Weeks 1 to 3: Go deep on Response and Reporting, then Governance
- Weeks 3 to 4: Lock risk assessment fundamentals
- Week 4: Cover the technology and security knowledge