Search icon CANCEL
Subscription
0
Cart icon
Your Cart (0 item)
Close icon
You have no products in your basket yet
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Conferences
Free Learning
Arrow right icon
ISACA Certified in Risk and Information Systems Control (CRISC®) Exam Guide
ISACA Certified in Risk and Information Systems Control (CRISC®) Exam Guide

ISACA Certified in Risk and Information Systems Control (CRISC®) Exam Guide: A primer on GRC and an exam guide for the most recent and rigorous IT risk certification

eBook
€22.99 €32.99
Paperback
€41.99
Subscription
Free Trial
Renews at €18.99p/m

What do you get with a Packt Subscription?

Free for first 7 days. $19.99 p/m after that. Cancel any time!
Product feature icon Unlimited ad-free access to the largest independent learning library in tech. Access this title and thousands more!
Product feature icon 50+ new titles added per month, including many first-to-market concepts and exclusive early access to books as they are being written.
Product feature icon Innovative learning tools, including AI book assistants, code context explainers, and text-to-speech.
Product feature icon Thousands of reference materials covering every tech concept you need to stay up to date.
Subscribe now
View plans & pricing
Table of content icon View table of contents Preview book icon Preview Book

ISACA Certified in Risk and Information Systems Control (CRISC®) Exam Guide

Governance, Risk, and Compliance

Dear reader, I have been in your place, thinking about which certification I should go for first. Should I begin with CISM? It seems to be the most widely recognized. Alternatively, should I consider CISA? However, I am not an auditor, so is it really necessary for me? What about CISSP? It seems rather challenging for someone trying to get certified for the first time. Finally, what about CRISC? It doesn’t appear to be the most relevant for the job responsibilities in the expanding realm of IT risk management.

Congratulations! Now that you have decided on the CRISC, you have taken the most important step of deciding on your certification and are embarking on the first stage of the journey of your career growth. However, what about the study material? Should I buy the official review manual? It appears to be very dull. Should I explore technical forums or communities for more advice and hacks? Alternatively, should I conduct a search using the hashtag CRISC (#CRISC) to see if there's a one-stop blog with all the resources needed to pass the exam in one convenient location?

As I look back on all this certification preparation and reference material, I realize that the majority of them missed a key point – what is the practical application of the knowledge I will acquire as I read this book and attain the certification? If I zoom out a little, why is governance, risk, and compliance (GRC) required in an organization when the sole aim of cybersecurity is to prevent companies from attackers? Also, what is GRC in the first place?

This chapter aims to answer all these questions so that when you pass your CRISC with flying colors and boast about your certification, you don’t have to worry about recalling the basic concepts of GRC and have a solid foundation of IT risk management.

In this chapter, we will cover the following topics:

  • Governance, risk, and compliance
  • GRC for cybersecurity professionals
  • Importance of GRC for cybersecurity professionals
  • A primer on cybersecurity domains and the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF).
  • Importance of IT risk management

Important note

The content of this chapter is not directly related to the exam syllabus, but it is important to understand the concepts of GRC before learning about IT risk management and its implementation for the CRISC exam.

The hope is that this chapter will provide you with enough understanding that you can differentiate between all domains of cybersecurity and can continue your journey well beyond the CRISC certification.

Governance, risk, and compliance

In this section, we’ll look at the concepts of GRC, their interrelationships, and how to differentiate among them.

What is GRC?

GRC is an acronym that stands for governance, risk, and compliance. It can be defined as a common set of practices and processes, supported by a risk-aware culture and enabling technologies that improve decision-making and performance through an integrated view of how well an organization manages its unique set of risks.

A GRC program aims to provide organizations with an overarching framework that can be used to streamline different organizational functions, such as legal, IT, human resources, security, compliance, privacy, and more so that they can all collaborate under a common framework and set of principles instead of running individual functions and programs.

Governance is the organizational framework that helps the stakeholder set the tone for the stakeholders on the direction and alignment with business objectives. These are the rules that run the organization, including policies, standards, and procedures that set the direction and control of the organization’s activities. These stakeholders can be a board of directors in large companies or senior executives in small and medium enterprises.

Risk or risk management is the process of optimizing organizational risk to acceptable levels, identifying potential risk and its associated impacts, and prioritizing the mitigation based on the impact of risk on business objectives. The purpose of risk management is to analyze and control the risks that can deflect an organization from achieving its strategic objectives.

Qualitative risk is defined as likelihood * probability of impact, whereas the Factor Analysis of Information Risk (FAIR) methodology is widely used for quantitative risk assessment in matured organizations.

Compliance requirements for an organization ensure that all obligations including but not limited to regulatory factors, contractual requirements, federal and state laws, certification requirements such as ISO 27001 or SOC 2 audit, and more are adhered to and any gaps in compliance are logged, monitored, and corrected within a reasonable timeframe. The entire organization must follow a standard set of policies and standards to achieve these objectives.

An integrated approach to GRC that is communicated to the entire organization ensures that the main strategies, processes, and resources are aligned according to the organization’s risk appetite. A strong compliance program with the sponsorship of a senior leadership team is better suited to align its internal and external compliance requirements, leading to increased efficiency and effectiveness.

In the next section, we’ll learn about the relationship between these concepts.

Simplified relationship between GRC components

I would not blame you if you found the preceding concepts tedious and confusing. It took me a good 5 years to make sense of all the concepts. The following paragraph should serve as an adage for the preceding concepts:

Governance is guidance from stakeholders (board of directors or senior leadership) to put the processes and practices in place to optimize (not reduce) the risk and comply with external and internal compliance obligations.

The following figure shows a simplistic view of GRC. It should be noted that the activities included under each pillar are not holistic and an organization may have an overlap between these activities. You should also be mindful that these activities are not standalone programs but need inputs from other pillars to be implemented successfully:

Figure 1.1 – Relationship between the components of GRC

Figure 1.1 – Relationship between the components of GRC

Now that we know what GRC entails, we’ll learn about the importance of various factors for a successful GRC program in the next section.

Key ingredients of a successful GRC program

A successful GRC program requires collaboration across all layers of the organization. Three major components are a must-have for successful implementation:

  • Sponsorship: A successful GRC implementation should have the sponsorship of a senior leader such as a Chief Information Security Officer (CISO), Chief Risk Officer (CRO), Chief Information Officer (CIO), Chief Financial Officer (CFO), Chief Executive Officer (CEO), or someone else. These sponsors have a wider overview of not only the organization’s risk but also the industry peers across multiple verticals. Sponsorship from leadership is also important to have a risk-focused culture.
  • Stewardship: The GRC program requires participation from all businesses and functions of an organization. Stewards play an important role in the GRC program and make information sharing across the organization easier for developing a common understanding across the organization and making relevant information available for everyone. These stewards, while translating the requirements from governance, are better able to target and address business risks. Stewards of the program are better suited to create business-oriented, process-based workflows to identify risks across functions, analyze for cascading risks, and treat them accordingly.
  • Monitoring and reporting: It is easy to roll out a GRC program across the organization, but over time, it becomes extremely difficult to keep pace with internal and external regulations without continuously monitoring risks and controls without efficient risk indicators. It is important to enable continuous monitoring of risks and controls by using automated risk indicators and keep the stakeholders abreast of risk in business terms through business-focused indicators and reports periodically circulated to the appropriate audience with actionable insights.

An important pillar of the monitoring function is to monitor the security controls of critical vendors and perform an ongoing assessment for each department and functional group across the enterprise to provide a holistic real-time view of risk.

In the next section, we’ll learn about how to differentiate between governance and management.

Governance is not management

Those new to the GRC domain often confuse governance with management and think both are the same; however, in the realm of GRC, governance and management serve very different functions.

Governance provides oversight and is highly focused on risk optimization for the stakeholders. Governance always focuses on the following aspects:

  • Is the organization doing the right things?
  • Are these things done in the right away?
  • Is the team getting things done on time and within budget?
  • Are we continuously optimizing the risk and getting benefits?

Once these questions have been answered, the management team focuses on planning, building, executing, and monitoring to ensure that that all projects, processes, and activities are aligned with the direction and business objectives set by governance. It is expected that as management progresses in achieving these goals, the results are shared with governance (board of directors) periodically and additional inputs are taken into consideration.

GRC for cybersecurity professionals

In this section, we’ll learn about cybersecurity, information assurance, and the difference between these two concepts.

Cybersecurity and information assurance

For non-cybersecurity professionals, the word cybersecurity is synonymous with hacking, but in reality, this could not be further from the truth.

There are various ways to look at cybersecurity from an outsider’s view. In the industry, this is often categorized as a red team (attackers), blue team (defenders), and purple team (a combination of the red team and blue team focusing on collaboration and information sharing). For this book, I will take a different approach that is more aligned with the objectives of this book and your understanding when you prepare for the certification.

Firstly, let’s segregate cybersecurity into two major practices: cybersecurity and information assurance.

In the cybersecurity realm, we consider activities such as penetration testing, vulnerability assessments, network monitoring, malware analysis, and all the other practices that require robust technical understanding and knowledge to prevent unauthorized access and disruption to the business.

The second practice, information assurance, is going to be the focus of this book. Information assurance includes activities such as policy and procedure development, risk assessments and management, data analysis, IT audits, compliance with regulatory frameworks, incident management, vulnerability management, vendor management, KPI and KRI reporting and dashboards, and all the other sub-domains that do not require extensive technical understanding. However, these practices do require thorough collaboration across all teams and a strong understanding of the fundamentals of cybersecurity concepts. These activities are important for complying with multiple federal and state regulations as well as to ensure the implementation of compliance with industry-standard practices.

Many organizations tend to completely segregate the cybersecurity and information assurance functions into different verticals altogether, where the communication between different teams and opportunities to collaborate are limited. This leads to security being seen as a gatekeeper and not an enabler.

As security is continuing to shift left – that is, being prioritized more and more in the initial stages of software development and project viability – this distinction is fading and teams using modern security tools collaborate a lot more than just meeting once a month.

As you continue with this book, you will realize that though the CRISC exam covers all concepts of cybersecurity and information assurance, the focus will primarily be on the latter as the entire purpose of the CRISC exam is to help you prepare for the IT risk management of an organization, regardless of its size.

So far, we have learned about GRC, the importance of GRC, and how to differentiate between different verticals of cybersecurity. In the next section, we’ll learn about the importance of GRC for cybersecurity professionals and industry-standard frameworks to implement a GRC program.

Importance of GRC for cybersecurity professionals

As mentioned earlier, the lack of an effective GRC program makes it difficult to collaborate across all teams. An effective GRC program is the prerequisite to an effective cybersecurity program.

With the continuously increasing emphasis on privacy in the form of GDPR, CCPA, HIPAA, LGPD, and other state, national, and international regulations, the cybersecurity and information assurance teams can’t work in silos. Compliance with these laws and regulatory requirements requires commitment and tenacity from all functions of the organization.

The following table shows the importance of implementing an overarching GRC framework for an organization in detail:

Non-GRC

Effective GRC

Lack of effective oversight

Effective oversight across all departments

Focus on achieving results only

Achieving results with integrity and ethics

Organizational and functional silos

Integrated decision-making

Lack of visibility

Shared technology, services, and vocabulary

Disjointed strategy

Integrated strategy

Duplication of efforts

Create-once, use-multiple

High costs

Optimized costs

Inefficient efforts

Efficient efforts

Lack of integrity

Culture of integrity

Wasted information

Shared and common knowledge

Fragmented information

Continuous flow of information

Table 1.1 – Importance of a GRC framework

In the next section, we’ll learn about how we can use ISACA COBIT to implement a GRC program and its relationship with ITIL.

Implementing GRC using COBIT

Now that we have a good understanding of GRC and what it entails, it’s important to understand how to translate this knowledge into practice.

ISACA, the certification body of CRISC, also provides a comprehensive framework called Control Objectives for Information and Related Technology (COBIT) to bridge the gap between governance, technical requirements, business objectives and risks, and control requirements.

The latest version of COBIT (COBIT 2019) guidance from ISACA focuses on providing elaborate guidance on managing risk, optimizing resources, and creating value by streamlining all business objectives.

There are four publications under the COBIT 2019 framework:

  • Introduction and Methodology: This is the fundamental document for implementing the COBIT framework that details governance principles, provides key concepts and examples, and lays out the structure of the overall framework, including the COBIT Core Model.
  • Governance and Management Objectives: This publication contains a detailed description of the COBIT Core Model and its 40 governance and management objectives. These are then defined and matched with the relevant processes, enterprise goals, and governance and management practices.
  • Design Guide: Designing an Information and Technology Governance Solution: This publication provides essential guidance on how to put COBIT to practical use while offering perspectives for designing a tailored governance system for an organization.
  • Implementation Guide: Implementing and Optimizing an Information and Technology Governance Solution: This document, combined with the COBIT 2019 Design Guide, provides a practical approach to specific governance requirements.

COBIT Core includes 40 governance and management objectives that have defined purposes that are mapped to specific core processes. These objectives are primarily divided into five categories:

  • Evaluate, Direct, and Monitor (EDM): EDM has five objectives that focus on a few specific, governance-related, areas. These include alignment of enterprise and IT strategies, optimization of costs and efficiency, and stakeholder sponsorship.
  • Align, Plan, and Organize (APO): APO’s 14 objectives include managing organizational structure and strategy, budgeting and costs, the HR aspect of IT, vendors, service-level agreements (SLAs), risk optimization, and data management.
  • Build, Acquire, and Implement (BAI): The 11 BAI objectives are focused on managing changes to data and assets while ensuring end user availability and capacity needs are met.
  • Deliver, Service, and Support (DSS): DSS contains six objectives and mostly aligns with the IT domains. DSS is focused on managing operations, problems, incidents, continuity, process controls, and security.
  • Monitor, Evaluate, and Assess (MEA): MEA has four objectives related to creating a monitoring function that ensures compliance for APO, BAI, and DSS. These objectives include managing performance and conformance, internal control, external requirements, and assurance. Notably, MEA differs from EDM by concentrating on the monitoring function from an operational standpoint, whereas EDM monitors from a governance (or top-down) approach.

The following figure shows the five domains and 40 COBIT Core processes:

Figure 1.2 – COBIT 2019 Core Model (COBIT® 2019 Framework: Governance and Management Objectives ©2019 ISACA. All rights reserved. Used with permission.)

Figure 1.2 – COBIT 2019 Core Model (COBIT® 2019 Framework: Governance and Management Objectives ©2019 ISACA. All rights reserved. Used with permission.)

Important note

Detailed guidance on ISACA introduction and methodology is available at no cost to members and non-members on the ISACA website: https://www.isaca.org/resources/cobit.

COBIT and ITIL

This section would not be complete without understanding the relationship between COBIT and ITIL.

ITIL is a framework designed to standardize the selection, planning, delivery, and maintenance of IT services within an enterprise. The goal is to improve efficiency and achieve predictable service delivery.

ITIL and COBIT are both governance frameworks but serve different purposes. ITIL primarily aims to fulfil service management objectives, whereas COBIT is globally recognized for both enterprise governance and IT management.

On their own, each framework is extremely successful in offering custom governance while delivering quality service management. When paired together, however, COBIT and ITIL have the potential to dramatically increase value for customers as well as internal and external stakeholders.

The COBIT framework helps identify what IT should be doing to generate the most value for a business, ITIL prescribes how it should be done to maximize resource utilization within the IT purview. Even though the frameworks are different, they do have multiple touchpoints – for example, from the COBIT domain, BAI, process BAI06 Managed IT Changes is equivalent to ITIL Change Management; process BAI10 Managed Configuration is equivalent to ITIL Configuration Management, and so on.

A major differentiation between COBIT and ITIL is that COBIT covers the entire enterprise, ensuring that governance is achieved, stakeholder value is ensured, and holistic approaches to governing and managing IT are accomplished, whereas ITIL is focused entirely on IT service management. COBIT aims to achieve its objectives through policies, processes, people, information, and culture and organizational structures, services, and applications that are implemented and integrated under a single overarching framework for ease of integration and customization, whereas ITIL provides prescriptive guidance on implementing these objectives.

In the previous section, we learned about the importance of ISACA COBIT for implementing a GRC program and its relationship with ITIL. In the next section, we will learn about multiple cybersecurity domains and the NIST CSF.

A primer on cybersecurity domains and the NIST CSF

There are many, many ways to think about cybersecurity domains and this could very well be a book in itself. The purpose of this section is to provide an overview of common cybersecurity domains and what they entail.

For the sake of simplicity and aligning it with a common industry standard, this section is aligned with the NIST CSF.

The NIST CSF divides the cybersecurity domain into five main categories, namely, Identify, Protect, Detect, Respond, and Recover:

  • Identify: There is an old saying in the cybersecurity world – You cannot protect what you do not know exists. The Identify category of the CSF emphasizes developing the organization’s understanding to manage cybersecurity risk to systems, assets (including people), data, and the capabilities to do so.

This activity is important for prioritizing the organization’s efforts and resources in consistency with its overall risk management strategy and business goals. This function stresses the importance of understanding the business context, the resources that support critical functions, and the related cybersecurity risks. The activities in Identify include the following:

  • Identification of physical, software, and people assets to establish the basis of an asset management program
  • Identification of established cybersecurity policies to define the governance program, as well as identifying legal and regulatory requirements regarding the cybersecurity capabilities of the organization
  • Identification of the organization’s business environment and critical systems, including the role of critical vendors in the supply chain
  • Identification of asset vulnerabilities, threats to internal and external organizational resources, and risk response activities to assess risk
  • Implementation of a risk management strategy, including identifying risk appetite and tolerance
  • Identification of vendor risk management strategy, including priorities, constraints, risk tolerances, and assumptions used to support risk decisions associated with managing supply chain risks
  • Protect: Once the assets and critical processes have been identified, the appropriate safeguards (controls) must be developed and implemented to ensure the delivery of critical infrastructure services. This function is dedicated to identifying controls that outline appropriate safeguards to ensure the delivery of critical infrastructure services and supports the ability to limit or contain the impact of a potential cybersecurity event. The activities in Protect can be seen here:
    • Perform security awareness training for all staff and additional role-based and privileged user training.
    • Implement protections for identity management and access control within the organization, including physical and remote access. In the case of an external data center or using cloud services, implement robust controls such as complex passwords, the use of VPNs, and multi-factor authentication.
    • Establish data security protection consistent with the organization’s risk strategy and criticality of assets to protect the confidentiality, integrity, and availability of information.
    • Implement processes and procedures to maintain and manage the protection of information systems and assets.
    • Protect organizational resources through maintenance, including remote maintenance activities.
    • Manage technology to ensure the security and resilience of systems, consistent with organizational policies, procedures, and agreements.
  • Detect: Proactively detecting and deterring potential cybersecurity incidents is critical to a robust information security program. This function defines the appropriate activities to proactively identify the occurrence of a cybersecurity event and involve the relevant teams as soon as the threat vectors are identified. The activities in Detect can be seen in the following list:
    • Detect anomalies across all system events and act on them before they cause substantial harm to the assets
    • Implement tools for continuous monitoring and detection (also known as the Security Operations Centre) to monitor critical events, tune the systems to reduce false positives, and gauge the effectiveness of protective measures, including network and physical activities
  • Respond: Once an event has indeed materialized and caused the incident, the organization should be prepared to contain and respond using manual as well as automated processes. This function aims to develop such systems, train the staff on incident response, and ensure that incidents can be resolved within the agreed timeframe and with minimum disruption to the system. The activities in Respond include the following:
    • Manage communications with internal and external stakeholders during and after an event
    • Analyze the incident to ensure effective response and supporting recovery activities including forensic analysis and determining the impact of incidents
    • Ensure incident response planning processes are agreed upon with relevant staff, executed at the time of the incident, and lessons learned are improved to prevent the incident in the future
    • Perform mitigation activities to prevent the expansion of an event and to resolve the incident
    • Implement improvements by incorporating lessons learned from such responses and ensure the staff is trained on the new practices
  • Recover: This function identifies appropriate activities to renew and maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident. The activities in Recover can be seen here:
    • Ensure that the organization has a recovery plan process in place that is tested within an acceptable time frame and that procedures to restore systems and/or assets affected by cybersecurity incidents are in place
    • Implement the lessons learned while responding to incidents and review those with relevant stakeholders
    • Internal and external communications are coordinated during and following the recovery from a cybersecurity incident, and new areas of risk are continuously added and acted upon

The following figure summarizes the NIST CSF functions:

Figure 1.3 – Simplified NIST CSF functions

Figure 1.3 – Simplified NIST CSF functions

Each of these domains is further segregated into multiple subdomains that are outside the scope of this book. I highly encourage you to familiarize yourself with the NIST CSF subdomains and their relationship with COBIT.

Important note

COBIT has custom frameworks for several specific use cases, including a framework for implementing the NIST CSF. A set of such publications can be found on the ISACA website at https://www.isaca.org/resources/cobit.

Importance of IT risk management

Now that we’ve discussed a fair bit about GRC, the domains of cybersecurity, and the NIST CSF, it is important to understand the implications of IT risk management for an organization.

In an enterprise risk management function, there can be a myriad of risks such as strategic risk, environmental risk, market risk, credit risk, operational risk, compliance risk, reputational risk, and more.

All the preceding risks can be impacted by IT risks in three major ways:

  • IT value enablement risk: The delivered projects did not create the expected value, leading to a loss of shareholder value and opportunities that could have materialized
  • IT program and project delivery risk: Projects are not ready to be delivered as agreed with the internal and external stakeholders, leading to inconsistency with the overall strategy
  • IT operations and service delivery risk: Delivered services are not in compliance with the SLAs agreed upon at the inception of the project

All the preceding impacts have cascading effects on other areas of the organization. An overarching governance framework implementation can prevent these risks from materializing.

Summary

At the beginning of this chapter, we learned that governance is the guidance from stakeholders (board of directors or senior leadership) to put the processes and practices in place to optimize (not eliminate) the risk and comply with external and internal compliance obligations. Then, we looked at the key ingredients of a successful GRC program, including sponsorship, stewardship, monitoring, and reporting. We concluded this chapter by understanding the ISACA COBIT framework for a GRC program implementation and its relationship with ITIL and providing a primer on cybersecurity domains and the NIST CSF. Now, you should be well equipped to start conversations regarding a GRC program implementation and speak about its value with the senior leaders in your organization.

In the next chapter, we will switch gears and learn about the CRISC practice areas and the ISACA mindset to answer the CRISC exam questions.

Left arrow icon Right arrow icon

Key benefits

  • Gain end-to-end coverage of all the topics assessed in the ISACA CRISC exam
  • Apply and embed your learning with the help of practice quizzes and self-assessment questions
  • Have an in-depth guide handy as you progress in your enterprise IT risk management career
  • Purchase of the print or Kindle book includes a free PDF eBook

Description

For beginners and experienced IT risk professionals alike, acing the ISACA CRISC exam is no mean feat, and the application of this advanced skillset in your daily work poses a challenge. The ISACA Certified in Risk and Information Systems Control (CRISC®) Certification Guide is a comprehensive guide to CRISC certification and beyond that’ll help you to approach these daunting challenges with its step-by-step coverage of all aspects of the exam content and develop a highly sought-after skillset in the process. This book is divided into six sections, with each section equipped with everything you need to get to grips with the domains covered in the exam. There’ll be no surprises on exam day – from GRC to ethical risk management, third-party security concerns to the ins and outs of control design, and IDS/IPS to the SDLC, no stone is left unturned in this book’s systematic design covering all the topics so that you can sit for the exam with confidence. What’s more, there are chapter-end self-assessment questions for you to test all that you’ve learned, as well as two book-end practice quizzes to really give you a leg up. By the end of this CRISC exam study guide, you’ll not just have what it takes to breeze through the certification process, but will also be equipped with an invaluable resource to accompany you on your career path.

Who is this book for?

If you are a GRC or a risk management professional with experience in the management of IT audits or in the design, implementation, monitoring, and maintenance of IS controls, or are gearing up to take the CRISC exam, then this CRISC book is for you. Security analysts, penetration testers, SOC analysts, PMs, and other security or management professionals and executives will also benefit from this book. The book assumes prior experience of security concepts.

What you will learn

  • Adopt the ISACA mindset and learn to apply it when attempting the CRISC exam
  • Grasp the three lines of defense model and understand risk capacity
  • Explore the threat landscape and figure out vulnerability management
  • Familiarize yourself with the concepts of BIA, RPO, RTO, and more
  • Get to grips with the four stages of risk response
  • Manage third-party security risks and secure your systems with ease
  • Use a full arsenal of InfoSec tools to protect your organization
  • Test your knowledge with self-assessment questions and practice quizzes

Product Details

Country selected
Publication date, Length, Edition, Language, ISBN-13
Publication date : Sep 08, 2023
Length: 316 pages
Edition : 1st
Language : English
ISBN-13 : 9781803236902
Category :
Concepts :

What do you get with a Packt Subscription?

Free for first 7 days. $19.99 p/m after that. Cancel any time!
Product feature icon Unlimited ad-free access to the largest independent learning library in tech. Access this title and thousands more!
Product feature icon 50+ new titles added per month, including many first-to-market concepts and exclusive early access to books as they are being written.
Product feature icon Innovative learning tools, including AI book assistants, code context explainers, and text-to-speech.
Product feature icon Thousands of reference materials covering every tech concept you need to stay up to date.
Subscribe now
View plans & pricing

Product Details

Publication date : Sep 08, 2023
Length: 316 pages
Edition : 1st
Language : English
ISBN-13 : 9781803236902
Category :
Concepts :

Packt Subscriptions

See our plans and pricing
Modal Close icon
€18.99 billed monthly
Feature tick icon Unlimited access to Packt's library of 7,000+ practical books and videos
Feature tick icon Constantly refreshed with 50+ new titles a month
Feature tick icon Exclusive Early access to books as they're written
Feature tick icon Solve problems while you work with advanced search and reference features
Feature tick icon Offline reading on the mobile app
Feature tick icon Simple pricing, no contract
€189.99 billed annually
Feature tick icon Unlimited access to Packt's library of 7,000+ practical books and videos
Feature tick icon Constantly refreshed with 50+ new titles a month
Feature tick icon Exclusive Early access to books as they're written
Feature tick icon Solve problems while you work with advanced search and reference features
Feature tick icon Offline reading on the mobile app
Feature tick icon Choose a DRM-free eBook or Video every month to keep
Feature tick icon PLUS own as many other DRM-free eBooks or Videos as you like for just €5 each
Feature tick icon Exclusive print discounts
€264.99 billed in 18 months
Feature tick icon Unlimited access to Packt's library of 7,000+ practical books and videos
Feature tick icon Constantly refreshed with 50+ new titles a month
Feature tick icon Exclusive Early access to books as they're written
Feature tick icon Solve problems while you work with advanced search and reference features
Feature tick icon Offline reading on the mobile app
Feature tick icon Choose a DRM-free eBook or Video every month to keep
Feature tick icon PLUS own as many other DRM-free eBooks or Videos as you like for just €5 each
Feature tick icon Exclusive print discounts

Frequently bought together


Stars icon
Total 134.97
ISACA Certified in Risk and Information Systems Control (CRISC®) Exam Guide
€41.99
Certified Information Security Manager Exam Prep Guide
€47.99
CISA – Certified Information Systems Auditor Study Guide
€44.99
Total 134.97 Stars icon

Table of Contents

27 Chapters
Part 1: Governance, Risk, and Compliance and CRISC Chevron down icon Chevron up icon
Chapter 1: Governance, Risk, and Compliance Chevron down icon Chevron up icon
Chapter 2: CRISC Practice Areas and the ISACA Mindset Chevron down icon Chevron up icon
Part 2: Organizational Governance, Three Lines of Defense, and Ethical Risk Management Chevron down icon Chevron up icon
Chapter 3: Organizational Governance, Policies, and Risk Management Chevron down icon Chevron up icon
Chapter 4: The Three Lines of Defense and Cybersecurity Chevron down icon Chevron up icon
Chapter 5: Legal Requirements and the Ethics of Risk Management Chevron down icon Chevron up icon
Part 3: IT Risk Assessment, Threat Management, and Risk Analysis Chevron down icon Chevron up icon
Chapter 6: Risk Management Life Cycle Chevron down icon Chevron up icon
Chapter 7: Threat, Vulnerability, and Risk Chevron down icon Chevron up icon
Chapter 8: Risk Assessment Concepts, Standards, and Frameworks Chevron down icon Chevron up icon
Chapter 9: Business Impact Analysis, and Inherent and Residual Risk Chevron down icon Chevron up icon
Part 4: Risk Response, Reporting, Monitoring, and Ownership Chevron down icon Chevron up icon
Chapter 10: Risk Response and Control Ownership Chevron down icon Chevron up icon
Chapter 11: Third-Party Risk Management Chevron down icon Chevron up icon
Chapter 12: Control Design and Implementation Chevron down icon Chevron up icon
Chapter 13: Log Aggregation, Risk and Control Monitoring, and Reporting Chevron down icon Chevron up icon
Part 5: Information Technology, Security, and Privacy Chevron down icon Chevron up icon
Chapter 14: Enterprise Architecture and Information Technology Chevron down icon Chevron up icon
Chapter 15: Enterprise Resiliency and Data Life Cycle Management Chevron down icon Chevron up icon
Chapter 16: The System Development Life Cycle and Emerging Technologies Chevron down icon Chevron up icon
Chapter 17: Information Security and Privacy Principles Chevron down icon Chevron up icon
Part 6: Practice Quizzes Chevron down icon Chevron up icon
Chapter 18: Practice Quiz – Part 1 Chevron down icon Chevron up icon
Chapter 19: Practice Quiz – Part 2 Chevron down icon Chevron up icon
Index Chevron down icon Chevron up icon
Other Books You May Enjoy Chevron down icon Chevron up icon

Customer reviews

Top Reviews
Rating distribution
Full star icon Full star icon Full star icon Full star icon Half star icon 4.8
(23 Ratings)
5 star 91.3%
4 star 4.3%
3 star 0%
2 star 4.3%
1 star 0%
Filter icon Filter
Top Reviews

Filter reviews by




John Breeden Apr 05, 2024
Full star icon Full star icon Full star icon Full star icon Full star icon 5
Feefo Verified review Feefo
Brandon Lachterman Sep 18, 2023
Full star icon Full star icon Full star icon Full star icon Full star icon 5
This is necessary for anyone looking to get certified, or want to fill in some gaps in their knowledge. It was comprehensive and well written.
Amazon Verified review Amazon
Moses sule Mar 19, 2024
Full star icon Full star icon Full star icon Full star icon Full star icon 5
This book is written in a simple and clear language. The definition of terms is easy to understand.
Amazon Verified review Amazon
Terence Hamilton Sep 25, 2023
Full star icon Full star icon Full star icon Full star icon Full star icon 5
I noticed a common theme among many authors in the preface of this book. I appreciate how the author shares the level of support he received from family, friends and stakeholders when writing the book.As far as the content, I liked how the author comprehensively explained what Governance, Risk and Compliance (GRC) entails and how it flows from upper management to the employees of an organization through its standards and policies.For example, I learned that Governance is guidance from the stakeholders. This could be a board of directors or senior leadership in the form of policies and standards which translate to processes and practices for employees to follow. This strategy optimizes risk and establishes compliance with internal and external compliance obligations.Knowing how to implement this strategy successfully and many other strategies covered in the CRISC certification is what this book is all about! Get your copy now!
Amazon Verified review Amazon
Dwayne Natwick Sep 16, 2023
Full star icon Full star icon Full star icon Full star icon Full star icon 5
I recently received a copy of Packt Publishing's ISACA Certified in Risk and Information Systems Control book by Shobhit M. If you are preparing for this exam from ISACA or are in a role that relates to understanding risk analysis and IT governance. Shobhit does an excellent job of explaining risk handling and the various frameworks for handling governance and compliance. I have been considering the ISACA CRISC certification and this book will assist in my preparation.
Amazon Verified review Amazon
Get free access to Packt library with over 7500+ books and video courses for 7 days!
Start Free Trial

FAQs

What is included in a Packt subscription? Chevron down icon Chevron up icon

A subscription provides you with full access to view all Packt and licnesed content online, this includes exclusive access to Early Access titles. Depending on the tier chosen you can also earn credits and discounts to use for owning content

How can I cancel my subscription? Chevron down icon Chevron up icon

To cancel your subscription with us simply go to the account page - found in the top right of the page or at https://subscription.packtpub.com/my-account/subscription - From here you will see the ‘cancel subscription’ button in the grey box with your subscription information in.

What are credits? Chevron down icon Chevron up icon

Credits can be earned from reading 40 section of any title within the payment cycle - a month starting from the day of subscription payment. You also earn a Credit every month if you subscribe to our annual or 18 month plans. Credits can be used to buy books DRM free, the same way that you would pay for a book. Your credits can be found in the subscription homepage - subscription.packtpub.com - clicking on ‘the my’ library dropdown and selecting ‘credits’.

What happens if an Early Access Course is cancelled? Chevron down icon Chevron up icon

Projects are rarely cancelled, but sometimes it's unavoidable. If an Early Access course is cancelled or excessively delayed, you can exchange your purchase for another course. For further details, please contact us here.

Where can I send feedback about an Early Access title? Chevron down icon Chevron up icon

If you have any feedback about the product you're reading, or Early Access in general, then please fill out a contact form here and we'll make sure the feedback gets to the right team. 

Can I download the code files for Early Access titles? Chevron down icon Chevron up icon

We try to ensure that all books in Early Access have code available to use, download, and fork on GitHub. This helps us be more agile in the development of the book, and helps keep the often changing code base of new versions and new technologies as up to date as possible. Unfortunately, however, there will be rare cases when it is not possible for us to have downloadable code samples available until publication.

When we publish the book, the code files will also be available to download from the Packt website.

How accurate is the publication date? Chevron down icon Chevron up icon

The publication date is as accurate as we can be at any point in the project. Unfortunately, delays can happen. Often those delays are out of our control, such as changes to the technology code base or delays in the tech release. We do our best to give you an accurate estimate of the publication date at any given time, and as more chapters are delivered, the more accurate the delivery date will become.

How will I know when new chapters are ready? Chevron down icon Chevron up icon

We'll let you know every time there has been an update to a course that you've bought in Early Access. You'll get an email to let you know there has been a new chapter, or a change to a previous chapter. The new chapters are automatically added to your account, so you can also check back there any time you're ready and download or read them online.

I am a Packt subscriber, do I get Early Access? Chevron down icon Chevron up icon

Yes, all Early Access content is fully available through your subscription. You will need to have a paid for or active trial subscription in order to access all titles.

How is Early Access delivered? Chevron down icon Chevron up icon

Early Access is currently only available as a PDF or through our online reader. As we make changes or add new chapters, the files in your Packt account will be updated so you can download them again or view them online immediately.

How do I buy Early Access content? Chevron down icon Chevron up icon

Early Access is a way of us getting our content to you quicker, but the method of buying the Early Access course is still the same. Just find the course you want to buy, go through the check-out steps, and you’ll get a confirmation email from us with information and a link to the relevant Early Access courses.

What is Early Access? Chevron down icon Chevron up icon

Keeping up to date with the latest technology is difficult; new versions, new frameworks, new techniques. This feature gives you a head-start to our content, as it's being created. With Early Access you'll receive each chapter as it's written, and get regular updates throughout the product's development, as well as the final course as soon as it's ready.We created Early Access as a means of giving you the information you need, as soon as it's available. As we go through the process of developing a course, 99% of it can be ready but we can't publish until that last 1% falls in to place. Early Access helps to unlock the potential of our content early, to help you start your learning when you need it most. You not only get access to every chapter as it's delivered, edited, and updated, but you'll also get the finalized, DRM-free product to download in any format you want when it's published. As a member of Packt, you'll also be eligible for our exclusive offers, including a free course every day, and discounts on new and popular titles.