Certified in Risk and Information Systems Control (CRISC)

The Certified in Risk and Information Systems Control (CRISC) course prepares IT professionals for ISACA's CRISC certification. It teaches them to identify, evaluate, and manage enterprise IT risk, and to design and maintain effective information system controls.


CRISC Exam Domains

Domain 1: Governance (26%)
This domain covers organizational strategy, risk appetite and tolerance, and the "Lines of Defense" model for assigning risk ownership. It now includes expanded content on business process resilience and the ethics of emerging technologies.

Domain 2: IT Risk Assessment (22%)
This domain covers the identification and analysis of risks. It involves threat modeling, vulnerability assessments, and evaluating the potential impact of IT-related events on the business.

Domain 3: Risk Response and Reporting (32%)
As the largest portion of the exam, this domain deals with risk treatment options (avoid, mitigate, share, or accept) and the controls that implement them. It also covers third-party risk management and the definition, monitoring, and reporting of Key Risk Indicators (KRIs).

Domain 4: Information Technology and Security (20%)
This section focuses on the technical implementation of controls. For the 2026 version, it has been updated to include Zero Trust Architecture, data privacy, and the risks associated with Artificial Intelligence (AI).
