Search icon CANCEL
Subscription
0
Cart icon
Your Cart (0 item)
Close icon
You have no products in your basket yet
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Conferences
Free Learning
Arrow right icon
ISACA Certified in Risk and Information Systems Control (CRISC®) Exam Guide
ISACA Certified in Risk and Information Systems Control (CRISC®) Exam Guide

ISACA Certified in Risk and Information Systems Control (CRISC®) Exam Guide: A primer on GRC and an exam guide for the most recent and rigorous IT risk certification

eBook
AU$41.99 AU$60.99
Paperback
AU$75.99
Subscription
Free Trial
Renews at AU$24.99p/m

What do you get with Print?

Product feature icon Instant access to your digital eBook copy whilst your Print order is Shipped
Product feature icon Paperback book shipped to your preferred address
Product feature icon Download this book in EPUB and PDF formats
Product feature icon Access this title in our online reader with advanced features
Product feature icon DRM FREE - Read whenever, wherever and however you want
Product feature icon AI Assistant (beta) to help accelerate your learning
OR
Modal Close icon
Payment Processing...
tick Completed

Shipping Address

Billing Address

Shipping Methods
Table of content icon View table of contents Preview book icon Preview Book

ISACA Certified in Risk and Information Systems Control (CRISC®) Exam Guide

Governance, Risk, and Compliance

Dear reader, I have been in your place, thinking about which certification I should go for first. Should I begin with CISM? It seems to be the most widely recognized. Alternatively, should I consider CISA? However, I am not an auditor, so is it really necessary for me? What about CISSP? It seems rather challenging for someone trying to get certified for the first time. Finally, what about CRISC? It doesn’t appear to be the most relevant for the job responsibilities in the expanding realm of IT risk management.

Congratulations! Now that you have decided on the CRISC, you have taken the most important step of deciding on your certification and are embarking on the first stage of the journey of your career growth. However, what about the study material? Should I buy the official review manual? It appears to be very dull. Should I explore technical forums or communities for more advice and hacks? Alternatively, should I conduct a search using the hashtag CRISC (#CRISC) to see if there's a one-stop blog with all the resources needed to pass the exam in one convenient location?

As I look back on all this certification preparation and reference material, I realize that the majority of them missed a key point – what is the practical application of the knowledge I will acquire as I read this book and attain the certification? If I zoom out a little, why is governance, risk, and compliance (GRC) required in an organization when the sole aim of cybersecurity is to prevent companies from attackers? Also, what is GRC in the first place?

This chapter aims to answer all these questions so that when you pass your CRISC with flying colors and boast about your certification, you don’t have to worry about recalling the basic concepts of GRC and have a solid foundation of IT risk management.

In this chapter, we will cover the following topics:

  • Governance, risk, and compliance
  • GRC for cybersecurity professionals
  • Importance of GRC for cybersecurity professionals
  • A primer on cybersecurity domains and the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF).
  • Importance of IT risk management

Important note

The content of this chapter is not directly related to the exam syllabus, but it is important to understand the concepts of GRC before learning about IT risk management and its implementation for the CRISC exam.

The hope is that this chapter will provide you with enough understanding that you can differentiate between all domains of cybersecurity and can continue your journey well beyond the CRISC certification.

Governance, risk, and compliance

In this section, we’ll look at the concepts of GRC, their interrelationships, and how to differentiate among them.

What is GRC?

GRC is an acronym that stands for governance, risk, and compliance. It can be defined as a common set of practices and processes, supported by a risk-aware culture and enabling technologies that improve decision-making and performance through an integrated view of how well an organization manages its unique set of risks.

A GRC program aims to provide organizations with an overarching framework that can be used to streamline different organizational functions, such as legal, IT, human resources, security, compliance, privacy, and more so that they can all collaborate under a common framework and set of principles instead of running individual functions and programs.

Governance is the organizational framework that helps the stakeholder set the tone for the stakeholders on the direction and alignment with business objectives. These are the rules that run the organization, including policies, standards, and procedures that set the direction and control of the organization’s activities. These stakeholders can be a board of directors in large companies or senior executives in small and medium enterprises.

Risk or risk management is the process of optimizing organizational risk to acceptable levels, identifying potential risk and its associated impacts, and prioritizing the mitigation based on the impact of risk on business objectives. The purpose of risk management is to analyze and control the risks that can deflect an organization from achieving its strategic objectives.

Qualitative risk is defined as likelihood * probability of impact, whereas the Factor Analysis of Information Risk (FAIR) methodology is widely used for quantitative risk assessment in matured organizations.

Compliance requirements for an organization ensure that all obligations including but not limited to regulatory factors, contractual requirements, federal and state laws, certification requirements such as ISO 27001 or SOC 2 audit, and more are adhered to and any gaps in compliance are logged, monitored, and corrected within a reasonable timeframe. The entire organization must follow a standard set of policies and standards to achieve these objectives.

An integrated approach to GRC that is communicated to the entire organization ensures that the main strategies, processes, and resources are aligned according to the organization’s risk appetite. A strong compliance program with the sponsorship of a senior leadership team is better suited to align its internal and external compliance requirements, leading to increased efficiency and effectiveness.

In the next section, we’ll learn about the relationship between these concepts.

Simplified relationship between GRC components

I would not blame you if you found the preceding concepts tedious and confusing. It took me a good 5 years to make sense of all the concepts. The following paragraph should serve as an adage for the preceding concepts:

Governance is guidance from stakeholders (board of directors or senior leadership) to put the processes and practices in place to optimize (not reduce) the risk and comply with external and internal compliance obligations.

The following figure shows a simplistic view of GRC. It should be noted that the activities included under each pillar are not holistic and an organization may have an overlap between these activities. You should also be mindful that these activities are not standalone programs but need inputs from other pillars to be implemented successfully:

Figure 1.1 – Relationship between the components of GRC

Figure 1.1 – Relationship between the components of GRC

Now that we know what GRC entails, we’ll learn about the importance of various factors for a successful GRC program in the next section.

Key ingredients of a successful GRC program

A successful GRC program requires collaboration across all layers of the organization. Three major components are a must-have for successful implementation:

  • Sponsorship: A successful GRC implementation should have the sponsorship of a senior leader such as a Chief Information Security Officer (CISO), Chief Risk Officer (CRO), Chief Information Officer (CIO), Chief Financial Officer (CFO), Chief Executive Officer (CEO), or someone else. These sponsors have a wider overview of not only the organization’s risk but also the industry peers across multiple verticals. Sponsorship from leadership is also important to have a risk-focused culture.
  • Stewardship: The GRC program requires participation from all businesses and functions of an organization. Stewards play an important role in the GRC program and make information sharing across the organization easier for developing a common understanding across the organization and making relevant information available for everyone. These stewards, while translating the requirements from governance, are better able to target and address business risks. Stewards of the program are better suited to create business-oriented, process-based workflows to identify risks across functions, analyze for cascading risks, and treat them accordingly.
  • Monitoring and reporting: It is easy to roll out a GRC program across the organization, but over time, it becomes extremely difficult to keep pace with internal and external regulations without continuously monitoring risks and controls without efficient risk indicators. It is important to enable continuous monitoring of risks and controls by using automated risk indicators and keep the stakeholders abreast of risk in business terms through business-focused indicators and reports periodically circulated to the appropriate audience with actionable insights.

An important pillar of the monitoring function is to monitor the security controls of critical vendors and perform an ongoing assessment for each department and functional group across the enterprise to provide a holistic real-time view of risk.

In the next section, we’ll learn about how to differentiate between governance and management.

Governance is not management

Those new to the GRC domain often confuse governance with management and think both are the same; however, in the realm of GRC, governance and management serve very different functions.

Governance provides oversight and is highly focused on risk optimization for the stakeholders. Governance always focuses on the following aspects:

  • Is the organization doing the right things?
  • Are these things done in the right away?
  • Is the team getting things done on time and within budget?
  • Are we continuously optimizing the risk and getting benefits?

Once these questions have been answered, the management team focuses on planning, building, executing, and monitoring to ensure that that all projects, processes, and activities are aligned with the direction and business objectives set by governance. It is expected that as management progresses in achieving these goals, the results are shared with governance (board of directors) periodically and additional inputs are taken into consideration.

GRC for cybersecurity professionals

In this section, we’ll learn about cybersecurity, information assurance, and the difference between these two concepts.

Cybersecurity and information assurance

For non-cybersecurity professionals, the word cybersecurity is synonymous with hacking, but in reality, this could not be further from the truth.

There are various ways to look at cybersecurity from an outsider’s view. In the industry, this is often categorized as a red team (attackers), blue team (defenders), and purple team (a combination of the red team and blue team focusing on collaboration and information sharing). For this book, I will take a different approach that is more aligned with the objectives of this book and your understanding when you prepare for the certification.

Firstly, let’s segregate cybersecurity into two major practices: cybersecurity and information assurance.

In the cybersecurity realm, we consider activities such as penetration testing, vulnerability assessments, network monitoring, malware analysis, and all the other practices that require robust technical understanding and knowledge to prevent unauthorized access and disruption to the business.

The second practice, information assurance, is going to be the focus of this book. Information assurance includes activities such as policy and procedure development, risk assessments and management, data analysis, IT audits, compliance with regulatory frameworks, incident management, vulnerability management, vendor management, KPI and KRI reporting and dashboards, and all the other sub-domains that do not require extensive technical understanding. However, these practices do require thorough collaboration across all teams and a strong understanding of the fundamentals of cybersecurity concepts. These activities are important for complying with multiple federal and state regulations as well as to ensure the implementation of compliance with industry-standard practices.

Many organizations tend to completely segregate the cybersecurity and information assurance functions into different verticals altogether, where the communication between different teams and opportunities to collaborate are limited. This leads to security being seen as a gatekeeper and not an enabler.

As security is continuing to shift left – that is, being prioritized more and more in the initial stages of software development and project viability – this distinction is fading and teams using modern security tools collaborate a lot more than just meeting once a month.

As you continue with this book, you will realize that though the CRISC exam covers all concepts of cybersecurity and information assurance, the focus will primarily be on the latter as the entire purpose of the CRISC exam is to help you prepare for the IT risk management of an organization, regardless of its size.

So far, we have learned about GRC, the importance of GRC, and how to differentiate between different verticals of cybersecurity. In the next section, we’ll learn about the importance of GRC for cybersecurity professionals and industry-standard frameworks to implement a GRC program.

Importance of GRC for cybersecurity professionals

As mentioned earlier, the lack of an effective GRC program makes it difficult to collaborate across all teams. An effective GRC program is the prerequisite to an effective cybersecurity program.

With the continuously increasing emphasis on privacy in the form of GDPR, CCPA, HIPAA, LGPD, and other state, national, and international regulations, the cybersecurity and information assurance teams can’t work in silos. Compliance with these laws and regulatory requirements requires commitment and tenacity from all functions of the organization.

The following table shows the importance of implementing an overarching GRC framework for an organization in detail:

Non-GRC

Effective GRC

Lack of effective oversight

Effective oversight across all departments

Focus on achieving results only

Achieving results with integrity and ethics

Organizational and functional silos

Integrated decision-making

Lack of visibility

Shared technology, services, and vocabulary

Disjointed strategy

Integrated strategy

Duplication of efforts

Create-once, use-multiple

High costs

Optimized costs

Inefficient efforts

Efficient efforts

Lack of integrity

Culture of integrity

Wasted information

Shared and common knowledge

Fragmented information

Continuous flow of information

Table 1.1 – Importance of a GRC framework

In the next section, we’ll learn about how we can use ISACA COBIT to implement a GRC program and its relationship with ITIL.

Implementing GRC using COBIT

Now that we have a good understanding of GRC and what it entails, it’s important to understand how to translate this knowledge into practice.

ISACA, the certification body of CRISC, also provides a comprehensive framework called Control Objectives for Information and Related Technology (COBIT) to bridge the gap between governance, technical requirements, business objectives and risks, and control requirements.

The latest version of COBIT (COBIT 2019) guidance from ISACA focuses on providing elaborate guidance on managing risk, optimizing resources, and creating value by streamlining all business objectives.

There are four publications under the COBIT 2019 framework:

  • Introduction and Methodology: This is the fundamental document for implementing the COBIT framework that details governance principles, provides key concepts and examples, and lays out the structure of the overall framework, including the COBIT Core Model.
  • Governance and Management Objectives: This publication contains a detailed description of the COBIT Core Model and its 40 governance and management objectives. These are then defined and matched with the relevant processes, enterprise goals, and governance and management practices.
  • Design Guide: Designing an Information and Technology Governance Solution: This publication provides essential guidance on how to put COBIT to practical use while offering perspectives for designing a tailored governance system for an organization.
  • Implementation Guide: Implementing and Optimizing an Information and Technology Governance Solution: This document, combined with the COBIT 2019 Design Guide, provides a practical approach to specific governance requirements.

COBIT Core includes 40 governance and management objectives that have defined purposes that are mapped to specific core processes. These objectives are primarily divided into five categories:

  • Evaluate, Direct, and Monitor (EDM): EDM has five objectives that focus on a few specific, governance-related, areas. These include alignment of enterprise and IT strategies, optimization of costs and efficiency, and stakeholder sponsorship.
  • Align, Plan, and Organize (APO): APO’s 14 objectives include managing organizational structure and strategy, budgeting and costs, the HR aspect of IT, vendors, service-level agreements (SLAs), risk optimization, and data management.
  • Build, Acquire, and Implement (BAI): The 11 BAI objectives are focused on managing changes to data and assets while ensuring end user availability and capacity needs are met.
  • Deliver, Service, and Support (DSS): DSS contains six objectives and mostly aligns with the IT domains. DSS is focused on managing operations, problems, incidents, continuity, process controls, and security.
  • Monitor, Evaluate, and Assess (MEA): MEA has four objectives related to creating a monitoring function that ensures compliance for APO, BAI, and DSS. These objectives include managing performance and conformance, internal control, external requirements, and assurance. Notably, MEA differs from EDM by concentrating on the monitoring function from an operational standpoint, whereas EDM monitors from a governance (or top-down) approach.

The following figure shows the five domains and 40 COBIT Core processes:

Figure 1.2 – COBIT 2019 Core Model (COBIT® 2019 Framework: Governance and Management Objectives ©2019 ISACA. All rights reserved. Used with permission.)

Figure 1.2 – COBIT 2019 Core Model (COBIT® 2019 Framework: Governance and Management Objectives ©2019 ISACA. All rights reserved. Used with permission.)

Important note

Detailed guidance on ISACA introduction and methodology is available at no cost to members and non-members on the ISACA website: https://www.isaca.org/resources/cobit.

COBIT and ITIL

This section would not be complete without understanding the relationship between COBIT and ITIL.

ITIL is a framework designed to standardize the selection, planning, delivery, and maintenance of IT services within an enterprise. The goal is to improve efficiency and achieve predictable service delivery.

ITIL and COBIT are both governance frameworks but serve different purposes. ITIL primarily aims to fulfil service management objectives, whereas COBIT is globally recognized for both enterprise governance and IT management.

On their own, each framework is extremely successful in offering custom governance while delivering quality service management. When paired together, however, COBIT and ITIL have the potential to dramatically increase value for customers as well as internal and external stakeholders.

The COBIT framework helps identify what IT should be doing to generate the most value for a business, ITIL prescribes how it should be done to maximize resource utilization within the IT purview. Even though the frameworks are different, they do have multiple touchpoints – for example, from the COBIT domain, BAI, process BAI06 Managed IT Changes is equivalent to ITIL Change Management; process BAI10 Managed Configuration is equivalent to ITIL Configuration Management, and so on.

A major differentiation between COBIT and ITIL is that COBIT covers the entire enterprise, ensuring that governance is achieved, stakeholder value is ensured, and holistic approaches to governing and managing IT are accomplished, whereas ITIL is focused entirely on IT service management. COBIT aims to achieve its objectives through policies, processes, people, information, and culture and organizational structures, services, and applications that are implemented and integrated under a single overarching framework for ease of integration and customization, whereas ITIL provides prescriptive guidance on implementing these objectives.

In the previous section, we learned about the importance of ISACA COBIT for implementing a GRC program and its relationship with ITIL. In the next section, we will learn about multiple cybersecurity domains and the NIST CSF.

A primer on cybersecurity domains and the NIST CSF

There are many, many ways to think about cybersecurity domains and this could very well be a book in itself. The purpose of this section is to provide an overview of common cybersecurity domains and what they entail.

For the sake of simplicity and aligning it with a common industry standard, this section is aligned with the NIST CSF.

The NIST CSF divides the cybersecurity domain into five main categories, namely, Identify, Protect, Detect, Respond, and Recover:

  • Identify: There is an old saying in the cybersecurity world – You cannot protect what you do not know exists. The Identify category of the CSF emphasizes developing the organization’s understanding to manage cybersecurity risk to systems, assets (including people), data, and the capabilities to do so.

This activity is important for prioritizing the organization’s efforts and resources in consistency with its overall risk management strategy and business goals. This function stresses the importance of understanding the business context, the resources that support critical functions, and the related cybersecurity risks. The activities in Identify include the following:

  • Identification of physical, software, and people assets to establish the basis of an asset management program
  • Identification of established cybersecurity policies to define the governance program, as well as identifying legal and regulatory requirements regarding the cybersecurity capabilities of the organization
  • Identification of the organization’s business environment and critical systems, including the role of critical vendors in the supply chain
  • Identification of asset vulnerabilities, threats to internal and external organizational resources, and risk response activities to assess risk
  • Implementation of a risk management strategy, including identifying risk appetite and tolerance
  • Identification of vendor risk management strategy, including priorities, constraints, risk tolerances, and assumptions used to support risk decisions associated with managing supply chain risks
  • Protect: Once the assets and critical processes have been identified, the appropriate safeguards (controls) must be developed and implemented to ensure the delivery of critical infrastructure services. This function is dedicated to identifying controls that outline appropriate safeguards to ensure the delivery of critical infrastructure services and supports the ability to limit or contain the impact of a potential cybersecurity event. The activities in Protect can be seen here:
    • Perform security awareness training for all staff and additional role-based and privileged user training.
    • Implement protections for identity management and access control within the organization, including physical and remote access. In the case of an external data center or using cloud services, implement robust controls such as complex passwords, the use of VPNs, and multi-factor authentication.
    • Establish data security protection consistent with the organization’s risk strategy and criticality of assets to protect the confidentiality, integrity, and availability of information.
    • Implement processes and procedures to maintain and manage the protection of information systems and assets.
    • Protect organizational resources through maintenance, including remote maintenance activities.
    • Manage technology to ensure the security and resilience of systems, consistent with organizational policies, procedures, and agreements.
  • Detect: Proactively detecting and deterring potential cybersecurity incidents is critical to a robust information security program. This function defines the appropriate activities to proactively identify the occurrence of a cybersecurity event and involve the relevant teams as soon as the threat vectors are identified. The activities in Detect can be seen in the following list:
    • Detect anomalies across all system events and act on them before they cause substantial harm to the assets
    • Implement tools for continuous monitoring and detection (also known as the Security Operations Centre) to monitor critical events, tune the systems to reduce false positives, and gauge the effectiveness of protective measures, including network and physical activities
  • Respond: Once an event has indeed materialized and caused the incident, the organization should be prepared to contain and respond using manual as well as automated processes. This function aims to develop such systems, train the staff on incident response, and ensure that incidents can be resolved within the agreed timeframe and with minimum disruption to the system. The activities in Respond include the following:
    • Manage communications with internal and external stakeholders during and after an event
    • Analyze the incident to ensure effective response and supporting recovery activities including forensic analysis and determining the impact of incidents
    • Ensure incident response planning processes are agreed upon with relevant staff, executed at the time of the incident, and lessons learned are improved to prevent the incident in the future
    • Perform mitigation activities to prevent the expansion of an event and to resolve the incident
    • Implement improvements by incorporating lessons learned from such responses and ensure the staff is trained on the new practices
  • Recover: This function identifies appropriate activities to renew and maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident. The activities in Recover can be seen here:
    • Ensure that the organization has a recovery plan process in place that is tested within an acceptable time frame and that procedures to restore systems and/or assets affected by cybersecurity incidents are in place
    • Implement the lessons learned while responding to incidents and review those with relevant stakeholders
    • Internal and external communications are coordinated during and following the recovery from a cybersecurity incident, and new areas of risk are continuously added and acted upon

The following figure summarizes the NIST CSF functions:

Figure 1.3 – Simplified NIST CSF functions

Figure 1.3 – Simplified NIST CSF functions

Each of these domains is further segregated into multiple subdomains that are outside the scope of this book. I highly encourage you to familiarize yourself with the NIST CSF subdomains and their relationship with COBIT.

Important note

COBIT has custom frameworks for several specific use cases, including a framework for implementing the NIST CSF. A set of such publications can be found on the ISACA website at https://www.isaca.org/resources/cobit.

Importance of IT risk management

Now that we’ve discussed a fair bit about GRC, the domains of cybersecurity, and the NIST CSF, it is important to understand the implications of IT risk management for an organization.

In an enterprise risk management function, there can be a myriad of risks such as strategic risk, environmental risk, market risk, credit risk, operational risk, compliance risk, reputational risk, and more.

All the preceding risks can be impacted by IT risks in three major ways:

  • IT value enablement risk: The delivered projects did not create the expected value, leading to a loss of shareholder value and opportunities that could have materialized
  • IT program and project delivery risk: Projects are not ready to be delivered as agreed with the internal and external stakeholders, leading to inconsistency with the overall strategy
  • IT operations and service delivery risk: Delivered services are not in compliance with the SLAs agreed upon at the inception of the project

All the preceding impacts have cascading effects on other areas of the organization. An overarching governance framework implementation can prevent these risks from materializing.

Summary

At the beginning of this chapter, we learned that governance is the guidance from stakeholders (board of directors or senior leadership) to put the processes and practices in place to optimize (not eliminate) the risk and comply with external and internal compliance obligations. Then, we looked at the key ingredients of a successful GRC program, including sponsorship, stewardship, monitoring, and reporting. We concluded this chapter by understanding the ISACA COBIT framework for a GRC program implementation and its relationship with ITIL and providing a primer on cybersecurity domains and the NIST CSF. Now, you should be well equipped to start conversations regarding a GRC program implementation and speak about its value with the senior leaders in your organization.

In the next chapter, we will switch gears and learn about the CRISC practice areas and the ISACA mindset to answer the CRISC exam questions.

Left arrow icon Right arrow icon

Key benefits

  • Gain end-to-end coverage of all the topics assessed in the ISACA CRISC exam
  • Apply and embed your learning with the help of practice quizzes and self-assessment questions
  • Have an in-depth guide handy as you progress in your enterprise IT risk management career
  • Purchase of the print or Kindle book includes a free PDF eBook

Description

For beginners and experienced IT risk professionals alike, acing the ISACA CRISC exam is no mean feat, and the application of this advanced skillset in your daily work poses a challenge. The ISACA Certified in Risk and Information Systems Control (CRISC®) Certification Guide is a comprehensive guide to CRISC certification and beyond that’ll help you to approach these daunting challenges with its step-by-step coverage of all aspects of the exam content and develop a highly sought-after skillset in the process. This book is divided into six sections, with each section equipped with everything you need to get to grips with the domains covered in the exam. There’ll be no surprises on exam day – from GRC to ethical risk management, third-party security concerns to the ins and outs of control design, and IDS/IPS to the SDLC, no stone is left unturned in this book’s systematic design covering all the topics so that you can sit for the exam with confidence. What’s more, there are chapter-end self-assessment questions for you to test all that you’ve learned, as well as two book-end practice quizzes to really give you a leg up. By the end of this CRISC exam study guide, you’ll not just have what it takes to breeze through the certification process, but will also be equipped with an invaluable resource to accompany you on your career path.

Who is this book for?

If you are a GRC or a risk management professional with experience in the management of IT audits or in the design, implementation, monitoring, and maintenance of IS controls, or are gearing up to take the CRISC exam, then this CRISC book is for you. Security analysts, penetration testers, SOC analysts, PMs, and other security or management professionals and executives will also benefit from this book. The book assumes prior experience of security concepts.

What you will learn

  • Adopt the ISACA mindset and learn to apply it when attempting the CRISC exam
  • Grasp the three lines of defense model and understand risk capacity
  • Explore the threat landscape and figure out vulnerability management
  • Familiarize yourself with the concepts of BIA, RPO, RTO, and more
  • Get to grips with the four stages of risk response
  • Manage third-party security risks and secure your systems with ease
  • Use a full arsenal of InfoSec tools to protect your organization
  • Test your knowledge with self-assessment questions and practice quizzes
Estimated delivery fee Deliver to Australia

Economy delivery 7 - 10 business days

AU$19.95

Product Details

Country selected
Publication date, Length, Edition, Language, ISBN-13
Publication date : Sep 08, 2023
Length: 316 pages
Edition : 1st
Language : English
ISBN-13 : 9781803236902
Category :
Concepts :

What do you get with Print?

Product feature icon Instant access to your digital eBook copy whilst your Print order is Shipped
Product feature icon Paperback book shipped to your preferred address
Product feature icon Download this book in EPUB and PDF formats
Product feature icon Access this title in our online reader with advanced features
Product feature icon DRM FREE - Read whenever, wherever and however you want
Product feature icon AI Assistant (beta) to help accelerate your learning
OR
Modal Close icon
Payment Processing...
tick Completed

Shipping Address

Billing Address

Shipping Methods
Estimated delivery fee Deliver to Australia

Economy delivery 7 - 10 business days

AU$19.95

Product Details

Publication date : Sep 08, 2023
Length: 316 pages
Edition : 1st
Language : English
ISBN-13 : 9781803236902
Category :
Concepts :

Packt Subscriptions

See our plans and pricing
Modal Close icon
AU$24.99 billed monthly
Feature tick icon Unlimited access to Packt's library of 7,000+ practical books and videos
Feature tick icon Constantly refreshed with 50+ new titles a month
Feature tick icon Exclusive Early access to books as they're written
Feature tick icon Solve problems while you work with advanced search and reference features
Feature tick icon Offline reading on the mobile app
Feature tick icon Simple pricing, no contract
AU$249.99 billed annually
Feature tick icon Unlimited access to Packt's library of 7,000+ practical books and videos
Feature tick icon Constantly refreshed with 50+ new titles a month
Feature tick icon Exclusive Early access to books as they're written
Feature tick icon Solve problems while you work with advanced search and reference features
Feature tick icon Offline reading on the mobile app
Feature tick icon Choose a DRM-free eBook or Video every month to keep
Feature tick icon PLUS own as many other DRM-free eBooks or Videos as you like for just AU$5 each
Feature tick icon Exclusive print discounts
AU$349.99 billed in 18 months
Feature tick icon Unlimited access to Packt's library of 7,000+ practical books and videos
Feature tick icon Constantly refreshed with 50+ new titles a month
Feature tick icon Exclusive Early access to books as they're written
Feature tick icon Solve problems while you work with advanced search and reference features
Feature tick icon Offline reading on the mobile app
Feature tick icon Choose a DRM-free eBook or Video every month to keep
Feature tick icon PLUS own as many other DRM-free eBooks or Videos as you like for just AU$5 each
Feature tick icon Exclusive print discounts

Frequently bought together


Stars icon
Total AU$ 245.97
ISACA Certified in Risk and Information Systems Control (CRISC®) Exam Guide
AU$75.99
Certified Information Security Manager Exam Prep Guide
AU$86.99
CISA – Certified Information Systems Auditor Study Guide
AU$82.99
Total AU$ 245.97 Stars icon

Table of Contents

27 Chapters
Part 1: Governance, Risk, and Compliance and CRISC Chevron down icon Chevron up icon
Chapter 1: Governance, Risk, and Compliance Chevron down icon Chevron up icon
Chapter 2: CRISC Practice Areas and the ISACA Mindset Chevron down icon Chevron up icon
Part 2: Organizational Governance, Three Lines of Defense, and Ethical Risk Management Chevron down icon Chevron up icon
Chapter 3: Organizational Governance, Policies, and Risk Management Chevron down icon Chevron up icon
Chapter 4: The Three Lines of Defense and Cybersecurity Chevron down icon Chevron up icon
Chapter 5: Legal Requirements and the Ethics of Risk Management Chevron down icon Chevron up icon
Part 3: IT Risk Assessment, Threat Management, and Risk Analysis Chevron down icon Chevron up icon
Chapter 6: Risk Management Life Cycle Chevron down icon Chevron up icon
Chapter 7: Threat, Vulnerability, and Risk Chevron down icon Chevron up icon
Chapter 8: Risk Assessment Concepts, Standards, and Frameworks Chevron down icon Chevron up icon
Chapter 9: Business Impact Analysis, and Inherent and Residual Risk Chevron down icon Chevron up icon
Part 4: Risk Response, Reporting, Monitoring, and Ownership Chevron down icon Chevron up icon
Chapter 10: Risk Response and Control Ownership Chevron down icon Chevron up icon
Chapter 11: Third-Party Risk Management Chevron down icon Chevron up icon
Chapter 12: Control Design and Implementation Chevron down icon Chevron up icon
Chapter 13: Log Aggregation, Risk and Control Monitoring, and Reporting Chevron down icon Chevron up icon
Part 5: Information Technology, Security, and Privacy Chevron down icon Chevron up icon
Chapter 14: Enterprise Architecture and Information Technology Chevron down icon Chevron up icon
Chapter 15: Enterprise Resiliency and Data Life Cycle Management Chevron down icon Chevron up icon
Chapter 16: The System Development Life Cycle and Emerging Technologies Chevron down icon Chevron up icon
Chapter 17: Information Security and Privacy Principles Chevron down icon Chevron up icon
Part 6: Practice Quizzes Chevron down icon Chevron up icon
Chapter 18: Practice Quiz – Part 1 Chevron down icon Chevron up icon
Chapter 19: Practice Quiz – Part 2 Chevron down icon Chevron up icon
Index Chevron down icon Chevron up icon
Other Books You May Enjoy Chevron down icon Chevron up icon

Customer reviews

Top Reviews
Rating distribution
Full star icon Full star icon Full star icon Full star icon Half star icon 4.8
(23 Ratings)
5 star 91.3%
4 star 4.3%
3 star 0%
2 star 4.3%
1 star 0%
Filter icon Filter
Top Reviews

Filter reviews by




John Breeden Apr 05, 2024
Full star icon Full star icon Full star icon Full star icon Full star icon 5
Feefo Verified review Feefo
Brandon Lachterman Sep 18, 2023
Full star icon Full star icon Full star icon Full star icon Full star icon 5
This is necessary for anyone looking to get certified, or want to fill in some gaps in their knowledge. It was comprehensive and well written.
Amazon Verified review Amazon
Moses sule Mar 19, 2024
Full star icon Full star icon Full star icon Full star icon Full star icon 5
This book is written in a simple and clear language. The definition of terms is easy to understand.
Amazon Verified review Amazon
Terence Hamilton Sep 25, 2023
Full star icon Full star icon Full star icon Full star icon Full star icon 5
I noticed a common theme among many authors in the preface of this book. I appreciate how the author shares the level of support he received from family, friends and stakeholders when writing the book.As far as the content, I liked how the author comprehensively explained what Governance, Risk and Compliance (GRC) entails and how it flows from upper management to the employees of an organization through its standards and policies.For example, I learned that Governance is guidance from the stakeholders. This could be a board of directors or senior leadership in the form of policies and standards which translate to processes and practices for employees to follow. This strategy optimizes risk and establishes compliance with internal and external compliance obligations.Knowing how to implement this strategy successfully and many other strategies covered in the CRISC certification is what this book is all about! Get your copy now!
Amazon Verified review Amazon
Dwayne Natwick Sep 16, 2023
Full star icon Full star icon Full star icon Full star icon Full star icon 5
I recently received a copy of Packt Publishing's ISACA Certified in Risk and Information Systems Control book by Shobhit M. If you are preparing for this exam from ISACA or are in a role that relates to understanding risk analysis and IT governance. Shobhit does an excellent job of explaining risk handling and the various frameworks for handling governance and compliance. I have been considering the ISACA CRISC certification and this book will assist in my preparation.
Amazon Verified review Amazon
Get free access to Packt library with over 7500+ books and video courses for 7 days!
Start Free Trial

FAQs

What is the delivery time and cost of print book? Chevron down icon Chevron up icon

Shipping Details

USA:

'

Economy: Delivery to most addresses in the US within 10-15 business days

Premium: Trackable Delivery to most addresses in the US within 3-8 business days

UK:

Economy: Delivery to most addresses in the U.K. within 7-9 business days.
Shipments are not trackable

Premium: Trackable delivery to most addresses in the U.K. within 3-4 business days!
Add one extra business day for deliveries to Northern Ireland and Scottish Highlands and islands

EU:

Premium: Trackable delivery to most EU destinations within 4-9 business days.

Australia:

Economy: Can deliver to P. O. Boxes and private residences.
Trackable service with delivery to addresses in Australia only.
Delivery time ranges from 7-9 business days for VIC and 8-10 business days for Interstate metro
Delivery time is up to 15 business days for remote areas of WA, NT & QLD.

Premium: Delivery to addresses in Australia only
Trackable delivery to most P. O. Boxes and private residences in Australia within 4-5 days based on the distance to a destination following dispatch.

India:

Premium: Delivery to most Indian addresses within 5-6 business days

Rest of the World:

Premium: Countries in the American continent: Trackable delivery to most countries within 4-7 business days

Asia:

Premium: Delivery to most Asian addresses within 5-9 business days

Disclaimer:
All orders received before 5 PM U.K time would start printing from the next business day. So the estimated delivery times start from the next day as well. Orders received after 5 PM U.K time (in our internal systems) on a business day or anytime on the weekend will begin printing the second to next business day. For example, an order placed at 11 AM today will begin printing tomorrow, whereas an order placed at 9 PM tonight will begin printing the day after tomorrow.


Unfortunately, due to several restrictions, we are unable to ship to the following countries:

  1. Afghanistan
  2. American Samoa
  3. Belarus
  4. Brunei Darussalam
  5. Central African Republic
  6. The Democratic Republic of Congo
  7. Eritrea
  8. Guinea-bissau
  9. Iran
  10. Lebanon
  11. Libiya Arab Jamahriya
  12. Somalia
  13. Sudan
  14. Russian Federation
  15. Syrian Arab Republic
  16. Ukraine
  17. Venezuela
What is custom duty/charge? Chevron down icon Chevron up icon

Customs duty are charges levied on goods when they cross international borders. It is a tax that is imposed on imported goods. These duties are charged by special authorities and bodies created by local governments and are meant to protect local industries, economies, and businesses.

Do I have to pay customs charges for the print book order? Chevron down icon Chevron up icon

The orders shipped to the countries that are listed under EU27 will not bear custom charges. They are paid by Packt as part of the order.

List of EU27 countries: www.gov.uk/eu-eea:

A custom duty or localized taxes may be applicable on the shipment and would be charged by the recipient country outside of the EU27 which should be paid by the customer and these duties are not included in the shipping charges been charged on the order.

How do I know my custom duty charges? Chevron down icon Chevron up icon

The amount of duty payable varies greatly depending on the imported goods, the country of origin and several other factors like the total invoice amount or dimensions like weight, and other such criteria applicable in your country.

For example:

  • If you live in Mexico, and the declared value of your ordered items is over $ 50, for you to receive a package, you will have to pay additional import tax of 19% which will be $ 9.50 to the courier service.
  • Whereas if you live in Turkey, and the declared value of your ordered items is over € 22, for you to receive a package, you will have to pay additional import tax of 18% which will be € 3.96 to the courier service.
How can I cancel my order? Chevron down icon Chevron up icon

Cancellation Policy for Published Printed Books:

You can cancel any order within 1 hour of placing the order. Simply contact customercare@packt.com with your order details or payment transaction id. If your order has already started the shipment process, we will do our best to stop it. However, if it is already on the way to you then when you receive it, you can contact us at customercare@packt.com using the returns and refund process.

Please understand that Packt Publishing cannot provide refunds or cancel any order except for the cases described in our Return Policy (i.e. Packt Publishing agrees to replace your printed book because it arrives damaged or material defect in book), Packt Publishing will not accept returns.

What is your returns and refunds policy? Chevron down icon Chevron up icon

Return Policy:

We want you to be happy with your purchase from Packtpub.com. We will not hassle you with returning print books to us. If the print book you receive from us is incorrect, damaged, doesn't work or is unacceptably late, please contact Customer Relations Team on customercare@packt.com with the order number and issue details as explained below:

  1. If you ordered (eBook, Video or Print Book) incorrectly or accidentally, please contact Customer Relations Team on customercare@packt.com within one hour of placing the order and we will replace/refund you the item cost.
  2. Sadly, if your eBook or Video file is faulty or a fault occurs during the eBook or Video being made available to you, i.e. during download then you should contact Customer Relations Team within 14 days of purchase on customercare@packt.com who will be able to resolve this issue for you.
  3. You will have a choice of replacement or refund of the problem items.(damaged, defective or incorrect)
  4. Once Customer Care Team confirms that you will be refunded, you should receive the refund within 10 to 12 working days.
  5. If you are only requesting a refund of one book from a multiple order, then we will refund you the appropriate single item.
  6. Where the items were shipped under a free shipping offer, there will be no shipping costs to refund.

On the off chance your printed book arrives damaged, with book material defect, contact our Customer Relation Team on customercare@packt.com within 14 days of receipt of the book with appropriate evidence of damage and we will work with you to secure a replacement copy, if necessary. Please note that each printed book you order from us is individually made by Packt's professional book-printing partner which is on a print-on-demand basis.

What tax is charged? Chevron down icon Chevron up icon

Currently, no tax is charged on the purchase of any print book (subject to change based on the laws and regulations). A localized VAT fee is charged only to our European and UK customers on eBooks, Video and subscriptions that they buy. GST is charged to Indian customers for eBooks and video purchases.

What payment methods can I use? Chevron down icon Chevron up icon

You can pay with the following card types:

  1. Visa Debit
  2. Visa Credit
  3. MasterCard
  4. PayPal
What is the delivery time and cost of print books? Chevron down icon Chevron up icon

Shipping Details

USA:

'

Economy: Delivery to most addresses in the US within 10-15 business days

Premium: Trackable Delivery to most addresses in the US within 3-8 business days

UK:

Economy: Delivery to most addresses in the U.K. within 7-9 business days.
Shipments are not trackable

Premium: Trackable delivery to most addresses in the U.K. within 3-4 business days!
Add one extra business day for deliveries to Northern Ireland and Scottish Highlands and islands

EU:

Premium: Trackable delivery to most EU destinations within 4-9 business days.

Australia:

Economy: Can deliver to P. O. Boxes and private residences.
Trackable service with delivery to addresses in Australia only.
Delivery time ranges from 7-9 business days for VIC and 8-10 business days for Interstate metro
Delivery time is up to 15 business days for remote areas of WA, NT & QLD.

Premium: Delivery to addresses in Australia only
Trackable delivery to most P. O. Boxes and private residences in Australia within 4-5 days based on the distance to a destination following dispatch.

India:

Premium: Delivery to most Indian addresses within 5-6 business days

Rest of the World:

Premium: Countries in the American continent: Trackable delivery to most countries within 4-7 business days

Asia:

Premium: Delivery to most Asian addresses within 5-9 business days

Disclaimer:
All orders received before 5 PM U.K time would start printing from the next business day. So the estimated delivery times start from the next day as well. Orders received after 5 PM U.K time (in our internal systems) on a business day or anytime on the weekend will begin printing the second to next business day. For example, an order placed at 11 AM today will begin printing tomorrow, whereas an order placed at 9 PM tonight will begin printing the day after tomorrow.


Unfortunately, due to several restrictions, we are unable to ship to the following countries:

  1. Afghanistan
  2. American Samoa
  3. Belarus
  4. Brunei Darussalam
  5. Central African Republic
  6. The Democratic Republic of Congo
  7. Eritrea
  8. Guinea-bissau
  9. Iran
  10. Lebanon
  11. Libiya Arab Jamahriya
  12. Somalia
  13. Sudan
  14. Russian Federation
  15. Syrian Arab Republic
  16. Ukraine
  17. Venezuela