ISACA Certified in Risk and Information Systems Control (CRISC®) Exam Guide

A primer on GRC and an exam guide for the most recent and rigorous IT risk certification

Product type Paperback
Published in Sep 2023
Publisher Packt
ISBN-13 9781803236902
Length 316 pages
Edition 1st Edition
Author (1): Shobhit Mehta
Table of Contents (28 chapters)

Preface
1. Part 1: Governance, Risk, and Compliance and CRISC
2. Chapter 1: Governance, Risk, and Compliance
3. Chapter 2: CRISC Practice Areas and the ISACA Mindset
4. Part 2: Organizational Governance, Three Lines of Defense, and Ethical Risk Management
5. Chapter 3: Organizational Governance, Policies, and Risk Management
6. Chapter 4: The Three Lines of Defense and Cybersecurity
7. Chapter 5: Legal Requirements and the Ethics of Risk Management
8. Part 3: IT Risk Assessment, Threat Management, and Risk Analysis
9. Chapter 6: Risk Management Life Cycle
10. Chapter 7: Threat, Vulnerability, and Risk
11. Chapter 8: Risk Assessment Concepts, Standards, and Frameworks
12. Chapter 9: Business Impact Analysis, and Inherent and Residual Risk
13. Part 4: Risk Response, Reporting, Monitoring, and Ownership
14. Chapter 10: Risk Response and Control Ownership
15. Chapter 11: Third-Party Risk Management
16. Chapter 12: Control Design and Implementation
17. Chapter 13: Log Aggregation, Risk and Control Monitoring, and Reporting
18. Part 5: Information Technology, Security, and Privacy
19. Chapter 14: Enterprise Architecture and Information Technology
20. Chapter 15: Enterprise Resiliency and Data Life Cycle Management
21. Chapter 16: The System Development Life Cycle and Emerging Technologies
22. Chapter 17: Information Security and Privacy Principles
23. Part 6: Practice Quizzes
24. Chapter 18: Practice Quiz – Part 1
25. Chapter 19: Practice Quiz – Part 2
26. Index
27. Other Books You May Enjoy

What this book covers

Chapter 1, Governance, Risk, and Compliance, provides an introduction to GRC. This chapter includes all the lessons I learned later in my career but should have learned when I started.

Chapter 2, CRISC Practice Areas and the ISACA Mindset, provides a detailed description of the CRISC exam and practice areas. This chapter also includes my experience of attempting CRISC exams and understanding the ISACA mindset from both sides – as a candidate for the exam and also when I write questions for the official ISACA exam.

Chapter 3, Organizational Governance, Policies, and Risk Management, provides an introduction to organizational governance, strategy, structure, and culture. Governance is often confused with management, but the two are distinct. This chapter continues from the lessons of Chapter 1.

Chapter 4, The Three Lines of Defense and Cybersecurity, provides an introduction to the concept of the three lines of defense and, more importantly, how you can draw on the teachings of this model to develop your own cybersecurity program.

Chapter 5, Legal Requirements and the Ethics of Risk Management, provides an overview of major laws and regulations affecting IT risk. We will also learn about the importance of professional ethics in risk management and how it influences organizational culture.

Chapter 6, Risk Management Life Cycle, provides an introduction to the concept of risk, where you will learn how it differs from IT risk; take a deeper dive into the risk management life cycle; understand the requirements of risk assessments; learn the difference between issues, events, incidents, and breaches; and ultimately learn how events and incidents are correlated. We will also learn how to choose different sets of controls (detective/corrective/preventive) to influence the inherent risk and optimize the residual risk.

Chapter 7, Threat, Vulnerability, and Risk, provides an introduction to the concepts of threat, vulnerability, and risk, helping you understand the relationships between each and teaching you about threat modeling and the threat landscape. We will also learn about vulnerability and control analysis, as well as vulnerability sources, and briefly touch on building a vulnerability management program.

Chapter 8, Risk Assessment Concepts, Standards, and Frameworks, builds on the knowledge from Chapter 7. We will learn about maintaining an effective risk register and how we can leverage already available industry risk catalogs to baseline the risk assessment program for an organization.

Chapter 9, Business Impact Analysis, and Inherent and Residual Risk, details the differences between Business Impact Analysis (BIA) and risk assessments. You will learn concepts related to BIA and the differences between inherent and residual risk, and finally, review how BIA can be used for business continuity and disaster recovery planning.

Chapter 10, Risk Response and Control Ownership, introduces the concepts of risk response and monitoring and of risk and control ownership, and details the risk response strategies – mitigate/accept/transfer/avoid.

Chapter 11, Third-Party Risk Management, introduces the concepts of third-party risk management and how to perform an effective third-party risk evaluation. We will also learn about issues, findings, exceptions, and how to manage them effectively.

Chapter 12, Control Design and Implementation, introduces the different types of controls, standards, frameworks, and methodologies for control design and selection and how to implement them effectively. We will also learn about several control techniques and methods to evaluate them effectively.

Chapter 13, Log Aggregation, Risk and Control Monitoring, and Reporting, provides a summary of the different methods of log sources, aggregation, and analysis. We will also learn about risk and control monitoring and reporting, and how to present them effectively.

Chapter 14, Enterprise Architecture and Information Technology, introduces the concept of enterprise architecture, the Capability Maturity Model, and IT operations, including IT management and other network and technology concepts.

Chapter 15, Enterprise Resiliency and Data Life Cycle Management, provides a deep dive into the concepts of enterprise resiliency while building the foundations of a resilient architecture and data life cycle management.

Chapter 16, The System Development Life Cycle and Emerging Technologies, provides an understanding of the components of the software development life cycle and builds a foundational understanding of emerging technologies and the related security implications.

Chapter 17, Information Security and Privacy Principles, provides an understanding of information security and privacy principles, which secure the system and build trust with the users.

Chapter 18, Practice Quiz – Part 1, contains 100 review questions with a detailed explanation of each written from my experience of working with ISACA for many years.

Chapter 19, Practice Quiz – Part 2, contains an additional 100 questions to solidify your understanding and ultimately set you up for success!
