Control Frameworks · KRIs/KCIs/KPIs · Heatmaps · Dashboards · Emerging Risk
This sub-domain covers both the engineering side (designing and testing controls) and the governance side (measuring, monitoring, and communicating risk and control effectiveness to decision-makers). Together, Domains 3B and 3C represent approximately 19% of the CRISC exam and are heavily tested.
By function: Preventive (stop the threat), Detective (identify it), Corrective (fix it), Deterrent (discourage), Compensating (alternative). By nature: Administrative (policies), Technical (IT systems), Physical (locks/cameras). CRISC tests both dimensions — know the matrix.
Key Risk Indicator: early warning of increasing risk (leading indicator). Key Control Indicator: measures control effectiveness (is the control working?). Key Performance Indicator: measures business process performance. Each serves a distinct monitoring purpose and requires defined thresholds.
Verifying that controls operate as designed: vulnerability assessments, penetration testing, control self-assessments (CSA), internal audit testing. Testing confirms residual risk assumptions. Critical distinction: test of design vs. test of operating effectiveness.
Risk heatmaps (likelihood × impact visualization), scorecards (metric-based, periodic), dashboards (real-time, operational), risk registers (source data). Each serves a different audience and decision purpose — match the tool to the stakeholder.
Every risk mitigation decision from Domain 3A (Risk Response) requires a control to be designed and implemented. Domain 3B tests whether you can select the right control type, apply design principles like least privilege and defense in depth, and verify effectiveness through testing.
Risk management is not a one-time activity. Domain 3C tests whether you understand how KRIs, KCIs, and KPIs feed into continuous monitoring — and how to report risk status appropriately to different audiences from board level to operational teams.
ISACA emphasizes that risk practitioners must look beyond current risks. Domain 3C includes horizon scanning and emerging risk integration — a differentiator for candidates who understand that the risk register must evolve with the threat landscape.
Controls are safeguards or countermeasures to avoid, counteract, or minimize security risks. CRISC tests two classification dimensions simultaneously.
| Control Function | What It Does | Administrative Examples | Technical Examples | Physical Examples |
|---|---|---|---|---|
| Preventive | Stops the risk event before it occurs | Access policies, background checks, training | Firewall, MFA, encryption, IAM, DLP | Badge readers, biometrics, locked server rooms |
| Detective | Identifies when a risk event has occurred | Audit reviews, reconciliation procedures | IDS/IPS, SIEM, log monitoring | CCTV cameras, motion sensors |
| Corrective | Restores normal operations after an event | Incident response plan, disciplinary procedures | Backup restoration, patch deployment | Fire suppression, physical repair |
| Deterrent | Discourages threat actors from attempting | Legal notices, acceptable use policy | Warning banners, honeypots | Visible cameras, security guards, signage |
| Compensating | Alternative when primary control unavailable | Manual approval process during system downtime | Temporary VPN during firewall maintenance | Temporary security guard during access system repair |
| Directive | Guides behavior toward compliance | Policies, procedures, standards | Configuration baselines, system prompts | Posted instructions, safety signage |
Key exam tip: Detective controls identify events — they do NOT prevent them. Corrective controls respond after events — they are NOT detective. Do not confuse these on the exam.
NIST Cybersecurity Framework (CSF): Identify → Protect → Detect → Respond → Recover. Five functions covering the full risk lifecycle. Widely used across sectors; referenced in CRISC for control alignment.
NIST SP 800-53: Comprehensive security and privacy control catalog for federal systems. Control families (e.g., AC — Access Control, AU — Audit). Used for federal and high-assurance environments.
ISO/IEC 27001 (Annex A): 93 controls in 4 categories: organizational, people, physical, and technological. Forms the control set for an ISMS. CRISC often references ISO 27001 for control selection rationale.
COBIT: Governance and management practices mapped to controls. Aligns IT controls with business objectives. Core ISACA framework — expect CRISC to test COBIT concepts directly.
CIS Controls: 18 control groups prioritized by implementation group (IG1/IG2/IG3). IG1 = essential hygiene for all organizations. Practical, prescriptive, and free to access.
PCI DSS: 12 requirements for payment card data security. Relevant for financial and retail sectors. Demonstrates how industry-specific compliance standards map to control frameworks.
Least privilege: Users receive only the minimum access needed for their specific role. Reduces insider threat and the attack surface for lateral movement.
Segregation of duties: No single individual can complete an entire sensitive transaction alone. Reduces fraud and errors. Example: the person who requests a payment cannot also approve it.
Defense in depth: Multiple overlapping control layers — no single control failure causes total compromise. Network → host → application → data layers each have their own controls.
Fail-secure (fail-closed): When a control fails, it defaults to the more secure state. Example: an electronic door lock defaults to the locked position on power failure. Contrast with fail-open (less secure).
| Method | Description | Independence | Invasiveness |
|---|---|---|---|
| Vulnerability Assessment | Automated scanning to identify technical weaknesses | Can be internal or external | Low — scan only, no exploitation |
| Penetration Testing | Simulated attacks to validate exploitability of vulnerabilities | Usually external/independent | High — active exploitation |
| Control Self-Assessment (CSA) | Business units assess their own controls via survey or workshop | Low — self-reported | None — no system access |
| Internal Audit Testing | Independent assessment of control design and operating effectiveness | High — independent function | Low to moderate |
| Walkthrough | Interview and observe process to confirm control exists and is understood | Can be internal | None |
| Sampling | Test a subset of evidence; attribute sampling (compliance) vs. variable sampling (accuracy) | Auditor-driven | Low |
A risk action plan documents the specific steps to implement a selected risk treatment. Components include: action items, responsible parties, timeline, expected outcome (target residual risk level), and current status. CRISC Task: "Validate that risk responses have been executed according to risk action plans." Overdue action plans represent unmitigated risk and must be escalated to risk owners and senior management.
Aggregation combines data from multiple sources into a unified risk profile. Validation ensures data is accurate, complete, and timely before use in reporting. Data quality issues include: data silos, inconsistent rating scales, stale data, and missing control evidence.
Bad risk data leads to bad risk decisions. If KRI data is delayed or incomplete, the organization may not escalate in time. Risk registers with stale data create a false sense of control over risks that have already evolved.
Key Risk Indicator — signals increasing risk before a risk event occurs. Must be linked to specific risk scenarios and appetite thresholds.
Key Control Indicator — measures how well a specific control is operating. Tells you whether the control is working as designed.
Key Performance Indicator — measures overall business process performance. Risk-relevant when performance degradation increases risk exposure.
| Dimension | KRI — Key Risk Indicator | KCI — Key Control Indicator | KPI — Key Performance Indicator |
|---|---|---|---|
| Definition | Metric that signals risk is increasing before an event | Metric measuring control operating effectiveness | Metric measuring business process performance |
| Purpose | Early warning — act before risk materializes | Confirm controls are working as designed | Measure operational performance |
| Type | Leading indicator | Lagging/current indicator | Can be leading or lagging |
| Example | % critical systems unpatched >30 days | % access reviews completed on time | System availability %, MTTP |
| Threshold breach → action | Escalate to risk owner; review risk treatment plan | Escalate to control owner; initiate corrective action | Notify process owner; assess risk impact of degradation |
Continuous monitoring: Automated, real-time collection and alerting. Tools: SIEM, vulnerability scanners, IDS/IPS. Provides near-instant notification of threshold breaches.
Periodic monitoring: Scheduled reviews on a defined cycle: monthly control testing, quarterly risk register review, annual risk assessment. Lower overhead but less timely.
Ad hoc (event-driven) monitoring: Reviews activated by specific triggers: post-incident review, major system change, new regulation, key personnel departure, or acquisition.
Control maturity assessment: Evaluating controls against a maturity model (e.g., CMMI levels 1–5). Level 1 = ad hoc; Level 5 = continuously optimizing. Identifies where controls need investment.
KRI trend analysis: Tracking KRIs over time to detect a deteriorating risk posture. A single KRI reading is less informative than a trend — a rising trajectory demands action even before a threshold breach.
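The KRI/KCI/KPI table and the trend-analysis point above can be made concrete. The following Python is an added illustration, not part of the original study page: it computes the table's sample KRI ("% critical systems unpatched >30 days") from a constructed asset inventory, evaluates each indicator against its threshold with the escalation route from the table, and flags an adverse trend before the threshold is reached. Hostnames, dates, thresholds and readings are all constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date
from enum import Enum


class IndicatorType(Enum):
    KRI = "Key Risk Indicator"
    KCI = "Key Control Indicator"
    KPI = "Key Performance Indicator"


# Escalation routing mirrors the "threshold breach -> action" row of the KRI/KCI/KPI table.
ESCALATION = {
    IndicatorType.KRI: "risk owner (review risk treatment plan)",
    IndicatorType.KCI: "control owner (initiate corrective action)",
    IndicatorType.KPI: "process owner (assess risk impact of degradation)",
}


@dataclass
class Indicator:
    name: str
    kind: IndicatorType
    threshold: float
    higher_is_worse: bool   # True: breach when value > threshold; False: breach when value < threshold
    readings: list = field(default_factory=list)   # ordered oldest -> newest

    def breached(self) -> bool:
        latest = self.readings[-1]
        return latest > self.threshold if self.higher_is_worse else latest < self.threshold

    def trending_worse(self, window: int = 3) -> bool:
        """True when the last `window` readings move strictly in the bad direction."""
        tail = self.readings[-window:]
        if len(tail) < window:
            return False
        pairs = list(zip(tail, tail[1:]))
        if self.higher_is_worse:
            return all(b > a for a, b in pairs)
        return all(b < a for a, b in pairs)

    def status(self) -> str:
        if self.breached():
            return f"BREACH: escalate to {ESCALATION[self.kind]}"
        if self.trending_worse():
            return "WARNING: adverse trend, act before the threshold is breached"
        return "OK"


@dataclass
class Asset:
    hostname: str
    critical: bool
    last_patched: date


def pct_critical_unpatched(assets, as_of: date, max_age_days: int = 30) -> float:
    """KRI from the table: percentage of critical systems not patched within max_age_days."""
    critical = [a for a in assets if a.critical]
    stale = [a for a in critical if (as_of - a.last_patched).days > max_age_days]
    return round(100.0 * len(stale) / len(critical), 1) if critical else 0.0


# Constructed sample inventory (hypothetical hostnames and dates).
AS_OF = date(2024, 6, 30)
SAMPLE_ASSETS = [
    Asset("web01", True, date(2024, 6, 20)),   # 10 days old: within tolerance
    Asset("db01", True, date(2024, 5, 10)),    # 51 days old: stale
    Asset("app01", True, date(2024, 4, 1)),    # 90 days old: stale
    Asset("hr01", True, date(2024, 6, 1)),     # 29 days old: within tolerance
    Asset("dev01", False, date(2024, 1, 1)),   # non-critical: excluded from this KRI
]


def evaluate_indicators() -> dict:
    """Build one KRI, one KCI and one KPI with constructed history; return name -> status."""
    kri = Indicator("% critical systems unpatched >30 days", IndicatorType.KRI,
                    threshold=20.0, higher_is_worse=True, readings=[8.0, 12.0, 18.0])
    kri.readings.append(pct_critical_unpatched(SAMPLE_ASSETS, AS_OF))  # latest computed reading
    kci = Indicator("% access reviews completed on time", IndicatorType.KCI,
                    threshold=95.0, higher_is_worse=False, readings=[99.0, 97.0, 96.0])
    kpi = Indicator("System availability %", IndicatorType.KPI,
                    threshold=99.5, higher_is_worse=False, readings=[99.9, 99.95, 99.9])
    return {ind.name: ind.status() for ind in (kri, kci, kpi)}


if __name__ == "__main__":
    for name, status in evaluate_indicators().items():
        print(f"{name}: {status}")
```

With the constructed data the KRI reaches 50% and breaches its 20% threshold, so it routes to the risk owner; the KCI is still above its 95% threshold but has fallen three periods in a row, which is exactly the "rising trajectory before breach" case that trend analysis is meant to catch; the KPI is stable and reports OK.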
Risk heatmap: Visual 5×5 grid plotting likelihood vs. impact for all risks. Executive-friendly — shows risk distribution at a glance. Best for board/executive reporting.
Dashboard: Real-time or near-real-time view of KRIs, KCIs, and control status. Operational focus — for risk managers and control owners watching thresholds daily.
Scorecard: Periodic, structured report of risk ratings against predefined criteria and targets. Structured for committee review — balances metrics with narrative context.
Trend report: Shows risk posture change over time. Critical for demonstrating program effectiveness and justifying risk investments to senior leadership.
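As an added example (not from the original page), the following Python places the entries of a constructed risk register onto the 5×5 likelihood × impact grid described above and renders it as a text heatmap. The risk IDs and titles are constructed, and the rating bands (Low/Medium/High/Critical by likelihood × impact score) are an assumption chosen for illustration; an organization's own risk appetite statement defines the real bands.

```python
from collections import defaultdict

# Constructed sample risk register: (id, title, likelihood 1-5, impact 1-5).
RISKS = [
    ("R-01", "Unpatched internet-facing servers", 4, 5),
    ("R-02", "Third-party SaaS outage", 3, 4),
    ("R-03", "Insider data exfiltration", 2, 5),
    ("R-04", "Phishing-led credential theft", 5, 3),
    ("R-05", "Lost unencrypted laptop", 3, 2),
    ("R-06", "Printer firmware vulnerability", 2, 1),
]


def rating(likelihood: int, impact: int) -> str:
    """Assumed rating bands on the likelihood x impact score (1-25)."""
    score = likelihood * impact
    if score >= 15:
        return "Critical"
    if score >= 10:
        return "High"
    if score >= 5:
        return "Medium"
    return "Low"


def build_heatmap(risks) -> dict:
    """Map each (likelihood, impact) cell to the list of risk IDs that fall in it."""
    grid = defaultdict(list)
    for rid, _title, likelihood, impact in risks:
        if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
            raise ValueError(f"{rid}: likelihood and impact must be on the 1-5 scale")
        grid[(likelihood, impact)].append(rid)
    return dict(grid)


def render(grid: dict) -> str:
    """Text heatmap: likelihood runs down the rows (5 at top), impact across the columns."""
    lines = ["L\\I " + "".join(f"{impact:>6}" for impact in range(1, 6))]
    for likelihood in range(5, 0, -1):
        row = f"{likelihood:>3} "
        for impact in range(1, 6):
            count = len(grid.get((likelihood, impact), []))
            row += f"{count:>6}" if count else f"{'.':>6}"
        lines.append(row)
    return "\n".join(lines)


def summary(risks) -> dict:
    """Count of risks per rating band, the figure an executive slide usually shows."""
    counts = defaultdict(int)
    for _rid, _title, likelihood, impact in risks:
        counts[rating(likelihood, impact)] += 1
    return dict(counts)


if __name__ == "__main__":
    print(render(build_heatmap(RISKS)))
    print(summary(RISKS))
```

The grid rows and columns give the board the at-a-glance distribution; the per-band summary is the number most reporting packs lead with, and the `rating` function is the one place to change when the appetite bands are revised.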
An emerging risk is a new or evolving risk not yet fully understood or included in the current risk profile. Sources include threat intelligence, regulatory changes, technology adoption (AI, cloud, quantum), and geopolitical events. CRISC Task: "Evaluate emerging technologies and changes to the environment for threats, vulnerabilities, and opportunities."
Six mnemonic anchors to make CRISC control and monitoring concepts stick — designed for exam-day recall.
Targeted guidance for Domain 3B+3C preparation — exam strategy, resources, practice exercises, and pitfalls to avoid.
Domain 3B+3C is the largest sub-section of the biggest domain (Domain 3: 32%). Expect control type classification questions — know Preventive/Detective/Corrective by function AND Administrative/Technical/Physical by nature. KRI/KCI/KPI distinctions appear in nearly every CRISC exam. Practice distinguishing early-warning metrics (KRI) from effectiveness metrics (KCI).
Control design connects directly to Risk Response (Domain 3A) — mitigation responses require control selection. Monitoring connects to Domain 1 (Governance) — KRI thresholds must align with risk appetite. Technology controls connect to Domain 4 (Technology & Security) — SDLC, cloud, and DevOps controls are tested there.
Official and free resources to deepen your Domain 3B+3C knowledge. Always verify current exam fees and requirements directly with ISACA.
ISACA CRISC: Official certification page — exam handbook, eligibility requirements, application process, and exam registration. isaca.org/credentialing/crisc
NIST Cybersecurity Framework: Free CSF documentation — Identify, Protect, Detect, Respond, Recover functions with implementation guidance. Core framework for CRISC control alignment. nist.gov/cyberframework
NIST SP 800-53 Rev 5: Comprehensive security and privacy control catalog for federal systems. Useful for understanding control families and implementation. csrc.nist.gov
CIS Controls: 18 prioritized control groups with Implementation Groups (IG1/IG2/IG3). Downloadable for free — excellent for understanding control prioritization. cisecurity.org/controls
ISO/IEC 27001: 93 controls across 4 categories (organizational, people, physical, technological). Foundational for ISMS control selection. iso.org/standard/27001
COBIT: ISACA's governance and management framework. Management practices map directly to control design and monitoring activities tested in CRISC. isaca.org/resources/cobit
| Detail | Information |
|---|---|
| Questions | 150 multiple-choice questions |
| Domains | 4 domains; Domain 3 (Risk Response & Reporting) = 32% |
| This Sub-domain | 3B (Control Design & Implementation) + 3C (Risk Monitoring & Reporting) ≈ 19% |
| Experience Required | 3+ years of work experience in risk management and IS control |
| Exam Fee | $760 ISACA member / $960 non-member (verify at isaca.org before registering) |
| Credential Validity | 3-year renewal cycle with CPE requirements |