Any good free resources for CRISC?

UnixGuy (Are we having fun yet?) Mod Posts: 4,203
Preferably video material for CRISC. I'm doing the QA database from ISACA, but I'm wondering if there is something free I can watch for certain topics?

Comments

  • JDMurray (MSIT InfoSec, CISSP, SSCP, GSEC, EnCE, C|EH, CySA+, PenTest+, CASP+, Security+) Surf City, USA, Admin Posts: 11,844
    edited September 1
    What are the major topics of the CRISC?

    O'Reilly Online only has the MGH CRISC All-In-One book from December 2015. Pluralsight has a learning path for CRISC which contains 7 hours of videos by Kevin Henry based on the 2015 CRISC Job Practice Areas. I assume these materials can be accessed in the free trial period for both sites.

    It looks like a lot of the commercial study materials are for the 2015 CRISC Job Practice Areas. Is there a more recent one?
  • UnixGuy (Are we having fun yet?) Mod Posts: 4,203
    Four main areas:
    - IT Risk Identification
    - IT Risk Assessment
    - Risk Response and Mitigation
    - Risk and Control Monitoring and Reporting

    My score is averaging 65%-70%. I didn't do any studying, just relying on my experience with risk assessment. Some questions (and answers) in the QAE are strange to say the least, making big claims that I could challenge ISACA on, but I honestly can't be bothered.

    My lowest score seems to be in the IT Risk Identification area, so I thought perhaps I can watch some videos that are ISACA related. Cybrary seems to have videos but they're not free.
  • JDMurray (MSIT InfoSec, CISSP, SSCP, GSEC, EnCE, C|EH, CySA+, PenTest+, CASP+, Security+) Surf City, USA, Admin Posts: 11,844
    Most for-cost training sites have a "free trial period" that you can access using a burner email account and without a credit card. I'm thinking the only videos that will have the depth and detail you need are those created specifically for the CRISC. 

    Are there any other risk management certs? 
  • UnixGuy (Are we having fun yet?) Mod Posts: 4,203
    JDMurray said:

    Are there any other risk management certs? 
    Not that I know of. I'm doing this one because it's a requirement for something obscure I need to do at work.

    The majority of risk professionals (non IT) don't have any certs, just experience. Some come from law backgrounds, some come from accounting, and other random professions. A huge chunk of risk professionals have worked at (or closely with) consulting firms that specialise in this area. I did risk assessment and enterprise risk management and had to learn on the job. The work can be tedious but you get to interact with many interesting stakeholders at all levels and you get exposure to boards and risk committees.

    I'm not a fan of ISACA for a multitude of reasons, I have strong opinions that I'll keep for myself. I'll get this done.

    I'll see how I go with the Q&A database questions; if I need further help I'll check more resources if necessary. For now, I think I can manage.

  • JDMurray (MSIT InfoSec, CISSP, SSCP, GSEC, EnCE, C|EH, CySA+, PenTest+, CASP+, Security+) Surf City, USA, Admin Posts: 11,844
    To me, Risk Management = Insurance/Assurance

    What can happen, how likely is it to happen in a given time period, and what will it cost us to recover each time it happens.

    Fun stuff!  :expressionless:
  • UnixGuy (Are we having fun yet?) Mod Posts: 4,203
    Pretty much!

    It's an important agenda item for boards, and cyber security is now a popular risk that needs to be managed and steered by a risk steering committee. It created a lot of jobs and endless meetings/consulting work to talk about cyber risks, document risks, follow up on risks, report on risks, generate graphs, PowerPoints, spreadsheets, more reports... etc., etc., etc.

    This is where my career's at at the moment.
  • JDMurray (MSIT InfoSec, CISSP, SSCP, GSEC, EnCE, C|EH, CySA+, PenTest+, CASP+, Security+) Surf City, USA, Admin Posts: 11,844
    Well, you can always space-out during a long risk management meeting and dream of your next career pivot!
  • scasc Member Posts: 297 ■■■■□□□□□□
    Risk management is my livelihood - albeit in different walks of life. I wouldn’t change for the world lolzz. Sarcasm aside, in all honesty I only used the Q&A. Talking of risk, my own interests lie within risk quantification - using FAIR. Sounds pretty interesting.
    MSc, BSc (Hons), AWS CSA, C-CISO, CISSP, CCSP, CCSK, CISM, CISA, CRISC, GSTRT, GSNA, GDSA, GCCC, CEH, ECSA, CHFI, TOGAF, CISMP
  • UnixGuy (Are we having fun yet?) Mod Posts: 4,203
    @scasc: I'm a member of my local FAIR chapter! I argued to death with them about the validity of trying to quantify breaches :D

    Jokes aside, I think I'll just rely on Q&A. I'm getting 70%+ consistently. The Q&A recommends that I get 80%+ consistently; not sure how realistic this is. We'll see.
  • scasc Member Posts: 297 ■■■■□□□□□□
    @UnixGuy - the issue I have found is that when presenting or working with risk, management are so ingrained in viewing heat maps still. Culturally not ready to truly quantify the problem. Funny story, I once presented results in the typical heat map fashion to a techie, as it was such a project, and he demanded actual quantification, saying this is all "fluff" lol. So I guess it depends. But what is your take on FAIR? I am interested in perhaps exploring this further to add quantification to my results.

    In respect to CRISC - I am sure that the Q&A will suffice for you to pass. Just go over it a couple of times, understand the concepts and the way ISACA answer the questions. Even with 70% it still is a reasonable shot. But keep at it to see if this can be improved.
    MSc, BSc (Hons), AWS CSA, C-CISO, CISSP, CCSP, CCSK, CISM, CISA, CRISC, GSTRT, GSNA, GDSA, GCCC, CEH, ECSA, CHFI, TOGAF, CISMP
  • UnixGuy (Are we having fun yet?) Mod Posts: 4,203
    I'm improving my score so will probably take the exam some time in the coming weeks.

    FAIR is fine, I'm just wary of putting dollar values on the cost of hypothetical breaches and different risks before they occur; there are just so many variables that no matter what benchmark is being used, the data will never be accurate (or even close to being accurate), so I'm wary of those 'quantitative' measures. Some breaches cost nothing and the company moves on, others can put the company out of business, so I'm just not comfortable throwing a number around. Other than that, they seem to be doing good work and it's an OK network of risk professionals.
  • UnixGuy (Are we having fun yet?) Mod Posts: 4,203
    Ok I finished all the 550 questions, with a score of exactly 80%. I'm going to book the exam soon and hope for the best....
  • scasc Member Posts: 297 ■■■■□□□□□□
    Best of luck, let us know how you get on. 
    MSc, BSc (Hons), AWS CSA, C-CISO, CISSP, CCSP, CCSK, CISM, CISA, CRISC, GSTRT, GSNA, GDSA, GCCC, CEH, ECSA, CHFI, TOGAF, CISMP
  • UnixGuy (Are we having fun yet?) Mod Posts: 4,203
    Exam in 3 days... I'm going through the QA DB but I'm afraid I memorised the questions/answers somehow (I still understand the logic behind the answers), so it's pointless doing more now. I think I'm ready.
  • scasc Member Posts: 297 ■■■■□□□□□□
    Best of luck. I'm sure it will be fine. Keep us posted.
    MSc, BSc (Hons), AWS CSA, C-CISO, CISSP, CCSP, CCSK, CISM, CISA, CRISC, GSTRT, GSNA, GDSA, GCCC, CEH, ECSA, CHFI, TOGAF, CISMP
  • UnixGuy (Are we having fun yet?) Mod Posts: 4,203
    I passed just now. They will email the score results within 10 business days. I'll share my experience in a new thread when I get the results.