CRISC domain - 26% of the exam

Governance

Governance is 26% of the Certified in Risk and Information Systems Control (CRISC) (CRISC) exam. These are the objectives it covers, each with practice questions and worked explanations.

Objectives in this domain

Align the IT risk management approach with the organisation's strategy, goals and objectives.
Section 1.1medium
Define organisational structures, roles and responsibilities that support effective risk governance.
Section 1.2medium
Assess how organisational culture influences risk-aware decision-making and behaviour.
Section 1.3medium
Evaluate policies and standards as the instruments that translate governance intent into operational control.
Section 1.4medium
Identify legal, regulatory and contractual requirements that shape the IT risk programme.
Section 1.5medium
Incorporate business process resilience and continuity considerations into organisational governance.
Section 1.6hard
Apply enterprise risk management concepts and a risk management framework to govern IT risk.
Section 1.7hard
Establish lines of defence that separate risk ownership, oversight and independent assurance.
Section 1.8medium
Define risk appetite and risk tolerance and use them to guide risk decisions.
Section 1.9hard
Maintain an enterprise risk profile and apply professional ethics in the conduct of risk management.
Section 1.10medium

Sample question from this domain

Free sampleGovernancemedium

A risk practitioner is asked to demonstrate that the IT risk management approach supports the organisation's strategy. Which action provides the strongest evidence of strategic alignment?

ADeriving risk appetite, tolerance and treatment priorities directly from the approved strategic objectives Correct
BMapping each identified IT risk scenario to the specific business objectives it could impair
CCounting how many IT risk scenarios were closed within the agreed remediation window
DPublishing the IT risk register to every department head on a fixed monthly schedule

Strategic alignment is proven when risk appetite, tolerance and treatment priorities are derived from approved strategic objectives. Alignment means the strategy drives the risk decisions, so deriving appetite, tolerance and treatment priorities from the approved objectives makes business intent the controlling input rather than an afterthought layered onto technical activity.

Why A is correct: When appetite, tolerance and priorities flow from the approved strategic objectives, the risk approach is demonstrably governed by strategy rather than run as an isolated technical exercise.

Why B is wrong: Mapping risks to objectives is useful and tempting because it shows traceability, but it documents exposure rather than proving the overall approach is steered by strategy.

Why C is wrong: Closure rates measure operational efficiency of treatment, so they look like progress, yet they say nothing about whether the work served the organisation's strategic goals.

Why D is wrong: Wide distribution improves transparency and feels like good governance, but circulating a register does not show that risk decisions are anchored to business strategy.

Other domains in this exam

Risk Assessment22% of the exam
Risk Response and Reporting32% of the exam
Information Technology and Security20% of the exam

See also the CRISC cert hub, the study guide, and the cheat sheet.

Examworthy is not affiliated with or endorsed by ISACA. Original, blueprint-aligned practice material only.