From the course: ISACA Certified in Risk and Information Systems Control (CRISC) Cert Prep
Welcome to the CRISC course and instructor introduction
- [Michelle] Hello everyone. Welcome to our CRISC exam prep class. We're going to be going through a lot of modules, lessons, examples, and other things to answer all the questions that you have on taking the CRISC exam. We're going to start with an overview of myself and of the course before diving into key topics and other central definitions before we kick off on the specific modules within the CRISC exam. First, an introduction to me. My name is Michelle Croak and I'm currently a GRC and cybersecurity or information security freelancer. I've spent about 10 years in the broader governance, risk and compliance or GRC industry and spent about the last five to six diving into the world of technology and security risk management. I have two business degrees, a bachelor's and a master's, and also have an alphabet soup full of certifications from ISACA. I got my CRISC certification in about 2020, and since then have also gotten the CGEIT and the CIS, all sponsored by ISACA. You'll see my LinkedIn link as well as my email address on the screen. Feel free to reach out on either platform if you have any questions about any of the topics that we walk through, about the general industry itself, or anything else that may come up for you as you study for this exam. As we talk about why to take CRISC, I think oftentimes similar talking points come up for all types of certifications within the industry. Things like it's great for your resume or it'll show how knowledgeable you are, it'll keep you up to date on changing guidance, things like that. I didn't want to focus on that for CRISC because I think that is true for a lot of the certifications, and I really want to dive into why CRISC might be different and even better for you to get within the part of the industry that you're in. These are all from ISACA's website, so feel free to take a look at anything that they've published themselves on the actual website as well.
You'll see that it's currently the number four top paying certification worldwide, and 52% of people who have the CRISC have experienced improvement within their industry, within their organization, or within their professional trajectory. They say the average salary for people with a CRISC is about 151,000, and there's over 30,000 professionals with the CRISC. Considering how many people are within the industry or do tasks similar to those in information security, cybersecurity, general IT, I think that this is a pretty small percentage of those, and one way to really, really differentiate yourself. Personally, I've seen a lot of job postings that ask for people to have the CRISC certification or are looking for people who have taken the exam and passed it and have something on their resume related to CRISC. It's very well known, so both my peers kind of more on the GRC or governance side know what CRISC is, as well as more technical folks who are more in the actual hands-on cyber and IT space are familiar with it as well. As I mentioned, we have five modules in this class. We're currently in the middle of module one, introducing myself, introducing the course and going over some key topics. And then you'll see that we have one module for every domain in the CRISC exam. So we'll start with governance, going into more risk assessment, risk response, and reporting topics, and then we'll dive into module five, which is the fourth domain in the CRISC exam that ISACA has added to really baseline general security and technology terminology, controls, and mechanisms that are deployed. If you find yourself more on the technical side, so maybe you've been a practitioner for many years, you're more in a hands-on information security, cybersecurity or IT role, this is going to be very basic for you. Really revisiting those core fundamental concepts before taking the exam.
If you're like me and you come from more of a governance, risk assessment, enterprise risk management background, this is going to be a really great baseline for you to figure out some of those key security and technology terms so you can stay up to date and discuss very intelligently with your peers. Let's dive a little bit more into the CRISC exam. So let's start with ISACA. I know I've thrown their name around a little bit here. They're an organization that is worldwide, as you can see, they have over 185,000 members in 188 countries with 225 local chapters worldwide. These chapters allow for local professionals, maybe in the audit space, maybe in the risk management space, maybe more of a practitioner who's implementing and monitoring controls to be able to connect locally as well as internationally and keep up with the trends and what's going on within the broader world of technology and information security, compliance, audit and governance. They do have multiple certifications and certificates related to a general field of digital trust. I mentioned a few that I have. You may have a couple or are generally familiar with some of their more foundational or certificate items, which is going to be different than the certifications that we've talked about. They have a lot of publications as well. They have frameworks, they have tools, they have policies that they've put out as well as education, some things like the certificates or the certifications, but they also have general education to make sure that people who understand IT audit are getting the most up to date and current feedback to be able to integrate within the roles themselves. Assuming since you're here, you're thinking about getting the CRISC, maybe you've already signed up for the exam, maybe you're trying to figure out if CRISC is the right thing for you. So the certification itself as published by ISACA is really looking for those IT risk management professionals. 
This does not mean that your job title has to be risk manager, but rather that you're participating in one of the parts of the IT risk management lifecycle, whether that's risk analysis, whether that's risk identification, control implementation, control monitoring, reporting. There's a whole lot of people who are involved in that. But you might also be new to the field. You might say, hey, I've been in more of a technical role and I want to get more into risk management. You might say, I've been more in risk management in other spaces or in other verticals, and I really want to jump into more cybersecurity, information security and technology. I've put an arrow here saying that it really depends on your circumstance for those who are new to the field. We'll talk a little bit about some experience requirements that ISACA has put for this certification, but beyond that, I think one of the really important things that'll be very evident to you as we go through this class, but really is key I think to just general risk management jobs, is that a lot of it has to do with your personal experience. It's very easy for me to sit here and talk about risk management from a textbook point of view. This is how it should go, this is what we should do, and just like anything else relating to risk that you may be experiencing in your personal or professional life, it very rarely goes according to those things. So if you're new to the field, I think this is a great way to really baseline your knowledge, learn those textbook facts, but I also want to promote having that work experience, getting your hands dirty, working directly in the field to figure out if this is something that's right for you. As I mentioned, ISACA posts the requirements on their website as well, so feel free to take a look there.
First and foremost, you have to pass the exam, and then there is a requirement to have three plus years of experience, and CRISC is one of the ISACA certifications that does have specific domain requirements, so those are certain job areas and job practices where you have to have some years of experience in. Again, the website will give you everything that you need there, but something to keep in mind when you look at your own experience in relation to what's needed to get CRISC. The exam itself is four hours long with 150 multiple choice questions, and it is a computer based exam. Kind of post 2020, moving to more of a digital world, you are able to take the exam proctored online through your own computer, or if you'd prefer, you can also go to a testing facility nearby. Again, all the details on that and what will work for you can be found on the ISACA website. I've put the percentages of the exam domains and the amount of questions that they have per domain. Now, this is just an estimate, so it's not saying that every time, if someone takes the test, that exactly 20% of the questions will be related to technology and security, for example, but that's just a rough estimate. So you can see that the majority will come from the risk response and reporting, and the minority will come from technology and security with something in the middle for the other two domains. Again, something to just keep in mind as you're studying, as we're going through the modules, as you figure out what topics you want to dive into a little bit deeper, maybe because they interest you, maybe because you're struggling with them and you want to get some more information, or in this case because you know that it's going to be a pretty big question and a pretty big section on the exam itself. I've added some tips here. Again, I have taken and passed three ISACA exams, including the CRISC, so these are really from my own personal experience. Number one is going to be to read carefully. 
They are trying to trick you. They're trying to make sure that you know what you're talking about. They're trying to make sure that you are able to actually put the risk management knowledge that we're going to talk about here in this class, and that you're going to learn as you prepare for the CRISC, into practice. That means it's not going to be something where every question is going to be just a true definitional question: what is this? Who is this, how does this work? But rather applying the knowledge in a way where it shows that you can demonstrate that you know what you're talking about when it comes to these terms and when it comes to these topics. You also want to make sure that you're picking the best answer. This is absolutely something where there's going to be a word in the question that says, which is the best choice, which seems like it may be the most optimal choice. Those types of words, where again, as I talked about, it's not just as simple as Johnny does A, and therefore the answer should be B. There's going to be a lot of analysis and a lot of thinking that you're going to have to do on these questions. My third, and I think really the number one thing that I suggest to people as they take these exams, is to practice. Again, our discussion here and our learning here is really only one of the tools that you're going to use to make sure that you master that CRISC exam. You're going to look for other sources of information. Maybe you're going to do some practice questions. There's a lot of different entities that offer those so that you can take those practice questions. Maybe you're going to talk with someone who's taken the CRISC exam and kind of get their perspective on it. There's a lot of different ways that you're going to practice, but just reading the book or just consuming this class is not going to get you where you need to be for that CRISC exam.
So I highly suggest it; if I could, I would list practice about 500 times on this slide. I've stuck with three, but just something to keep in mind as you plan out kind of your timeline for going through and taking that CRISC exam.