Any good free resources for CRISC?

UnixGuyUnixGuy Mod Posts: 4,570 Mod
Preferably video material for CRISC. I'm doing the QA database from ISACA, but I'm wondering if there is something free I can watch for certain topics?
Certs: GSTRT, GPEN, GCFA, CISM, CRISC, RHCE

Learn GRC! GRC Mastery : https://grcmastery.com 


Comments

  • JDMurrayJDMurray Admin Posts: 13,090 Admin
    edited September 2020
    What are the major topics of the CRISC?

    O'Reilly Online only has the MGH CRISC All-In-One book from December 2015. Pluralsight has a learning path for CRISC which contains 7 hours of videos by Kevin Henry based on the 2015 CRISC Job Practice Areas. I assume these materials can be accessed in the free trial period for both sites.

    It looks like a lot of the commercial study materials are for the 2015 CRISC Job Practice Areas. Is there a more recent one?
  • UnixGuyUnixGuy Mod Posts: 4,570 Mod
    Four main areas:
    - IT Risk Identification
    - IT Risk Assessment
    - Risk Response and Mitigation
    - Risk and Control Monitoring and Reporting


    My score is averaging 65%-70%. I didn't do any studying, just relying on my experience with Risk assessment. Some questions (and answers) in the QAE are strange to say the least, making big claims that I can challenge ISACA to but I honestly can't be bothered.

    My lowest score seems to be in the IT Risk Identification area, so I thought perhaps I can watch some videos that are ISACA related. Cybrary seems to have videos but they're not free.

  • JDMurrayJDMurray Admin Posts: 13,090 Admin
    Most for-cost training sites have a "free trial period" that you can access using a burner email account and without a credit card. I'm thinking the only videos that will have the depth and detail you need are those created specifically for the CRISC. 

    Are there any other risk management certs? 
  • UnixGuyUnixGuy Mod Posts: 4,570 Mod
    JDMurray said:

    Are there any other risk management certs? 
    Not that I know of. I'm doing this one because it's a requirement for something obscure I need to do at work.

    The majority of Risk professionals (non IT) don't have any certs, just experience. Some come from law backgrounds, some come from accounting, and other random professions. A huge chunk of risk professionals have worked at (or closely with) consulting firms that specialise in this area. I did risk assessment and enterprise risk management and had to learn on the job. The work can be tedious but you get to interact with many interesting stakeholders at all levels and you get exposure to boards and risk committees.

    I'm not a fan of ISACA for a multitude of reasons, I have strong opinions that I'll keep for myself. I'll get this done.

    I'll see how I go with the Q&A database questions, if I need further help I'll check more resources if necessary. For now, I think I can manage.


  • JDMurrayJDMurray Admin Posts: 13,090 Admin
    To me, Risk Management = Insurance/Assurance

    What can happen, how likely is it to happen in a given time period, and what will it cost us to recover each time it happens.

    Fun stuff!  :expressionless:
  • UnixGuyUnixGuy Mod Posts: 4,570 Mod
    Pretty much!

    It's an important agenda item for boards and cyber security is now a popular risk that needs to be managed and steered by a risk steering committee. It created a lot of jobs and endless meetings/consulting work to talk about cyber risks, document risks, follow up on risks, report on risks, generate graphs, power points, spreadsheets, more reports... etc. etc. etc.

    This is where my career's at at the moment.

  • JDMurrayJDMurray Admin Posts: 13,090 Admin
    Well, you can always space-out during a long risk management meeting and dream of your next career pivot!
  • scascscasc Member Posts: 465 ■■■■■■■□□□
    Risk management is my livelihood - albeit in different walks of life. I wouldn’t change for the world lolzz. Sarcasm aside, in all honesty I only used the Q&A. Talking of risk, my own interests lie within risk quantification - using FAIR. Sounds pretty interesting.
    AWS, Azure, GCP, ISC2, GIAC, ISACA, TOGAF, SABSA, EC-Council, Comptia...
  • UnixGuyUnixGuy Mod Posts: 4,570 Mod
    @scasc: I'm a member of my local FAIR chapter! I argued to death with them about the validity of trying to quantify breaches :D

    Jokes aside, I think I'll just rely on Q&A. I'm getting 70%+ consistently. The Q&A recommends that I get 80%+ consistently, not sure how realistic this is. We'll see.

  • scascscasc Member Posts: 465 ■■■■■■■□□□
    @UnixGuy - the issue I have found is that when presenting or working with risk, management are so ingrained in viewing heat maps still. Culturally not ready to truly quantify the problem. Funny story, I once presented results in the typical heat map fashion to a techie as it was such a project and he demanded actual quantification saying this is all "fluff" lol. So I guess it depends. But what is your take on FAIR? I am interested in perhaps exploring this further to add quantification to my results?

    In respect to CRISC - I am sure that the Q&A will suffice for you to pass. Just go over a couple times, understand the concepts and the way ISACA answer the question. Even with 70% it still is a reasonable shot. But keep at it to see if this can be improved.
  • UnixGuyUnixGuy Mod Posts: 4,570 Mod
    I'm improving my score so will probably take the exam some time in the coming weeks.

    FAIR is fine, I'm just wary of putting dollar values on the cost of hypothetical breaches and different risks before they occur; there are just so many variables that no matter what benchmark is being used, the data will never be accurate (or even close to being accurate) so I'm wary of those 'quantitative' measures. Some breaches cost nothing and the company moves on, others can get the company out of business so I'm just not comfortable throwing a number around. Other than that, they seem to be doing good work and it's an ok network of risk professionals.

  • UnixGuyUnixGuy Mod Posts: 4,570 Mod
    Ok I finished all the 550 questions, with a score of exactly 80%. I'm going to book the exam soon and hope for the best....

  • scascscasc Member Posts: 465 ■■■■■■■□□□
    Best of luck, let us know how you get on. 
  • UnixGuyUnixGuy Mod Posts: 4,570 Mod
    Exam in 3 days... I'm going through the QA DB but I'm afraid I memorised the questions/answers somehow (I still understand the logic behind the answers) so it's pointless doing more now. I think I'm ready.

  • scascscasc Member Posts: 465 ■■■■■■■□□□
    Best of luck. I'm sure it will be fine. Keep us posted.
  • UnixGuyUnixGuy Mod Posts: 4,570 Mod
    I passed just now. They will email the score results within 10 business days. I'll share my experience in a new thread when I get the results.

  • scascscasc Member Posts: 465 ■■■■■■■□□□
    edited September 2020
    Well done, look forward to it.
  • UnixGuyUnixGuy Mod Posts: 4,570 Mod
    It's been a week, still haven't received any acknowledgment that I passed.....waiting for those 10 business days



  • scascscasc Member Posts: 465 ■■■■■■■□□□
    My results came exactly on 10th day, like all my ISACA results. Sit tight :)
  • UnixGuyUnixGuy Mod Posts: 4,570 Mod
    @scasc it's weird because ISACA send me DAILY emails about all the amazing services I should be paying for and all the events I should attend. They also send 'renewal' reminders 4 months before the expire date...

  • scascscasc Member Posts: 465 ■■■■■■■□□□
    UnixGuy said:
    @scasc it's weird because ISACA send me DAILY emails about all the amazing services I should be paying for and all the events I should attend. They also send 'renewal' reminders 4 months before the expire date...
    haha - Yep, pretty much a money making machine that wants to prioritize this. I guess they all are to some degree. Be patient my friend, all will come through.