Governance, Risk, and Compliance
Dear reader, I have been in your place, thinking about which certification I should go for first. Should I begin with CISM? It seems to be the most widely recognized. Alternatively, should I consider CISA? However, I am not an auditor, so is it really necessary for me? What about CISSP? It seems rather challenging for someone trying to get certified for the first time. Finally, what about CRISC? It doesn’t appear to be the most relevant for the job responsibilities in the expanding realm of IT risk management.
Congratulations! Now that you have decided on the CRISC, you have taken the most important step of deciding on your certification and are embarking on the first stage of the journey of your career growth. However, what about the study material? Should I buy the official review manual? It appears to be very dull. Should I explore technical forums or communities for more advice and hacks? Alternatively, should I conduct a search using the hashtag CRISC (#CRISC) to see if there's a one-stop blog with all the resources needed to pass the exam in one convenient location?
As I look back on all this certification preparation and reference material, I realize that the majority of them missed a key point – what is the practical application of the knowledge I will acquire as I read this book and attain the certification? If I zoom out a little, why is governance, risk, and compliance (GRC) required in an organization when the sole aim of cybersecurity is to prevent companies from attackers? Also, what is GRC in the first place?
This chapter aims to answer all these questions so that when you pass your CRISC with flying colors and boast about your certification, you don’t have to worry about recalling the basic concepts of GRC and have a solid foundation of IT risk management.
In this chapter, we will cover the following topics:
- Governance, risk, and compliance
- GRC for cybersecurity professionals
- Importance of GRC for cybersecurity professionals
- A primer on cybersecurity domains and the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF).
- Importance of IT risk management
Important note
The content of this chapter is not directly related to the exam syllabus, but it is important to understand the concepts of GRC before learning about IT risk management and its implementation for the CRISC exam.
The hope is that this chapter will provide you with enough understanding that you can differentiate between all domains of cybersecurity and can continue your journey well beyond the CRISC certification.
