CRISC Exam Glossary - 35 Terms

Search the terminology pack for Certified in Risk and Information Systems Control. Use these definitions with the study guide and practice questions.

Download App Study Guide Free Practice Exam

A

Authentication factor: A category of identity evidence, such as something a user knows, has, or is.

B

Board risk oversight: The board’s responsibility to supervise how risk is identified, managed, and governed across the organization.
Business unit risk appetite: A business-unit-specific interpretation of enterprise risk appetite that defines local limits and priorities.

C

Cloud infrastructure: The underlying cloud services, platforms, hardware, and facilities managed to support cloud operations.
Control exception tracking: The process of documenting, monitoring, and reviewing approved deviations from established control requirements.

D

Discrete logarithm: A mathematical problem used in some cryptographic systems that may become solvable efficiently by quantum computing.
Dynamic risk assessment: Continuous evaluation of hazards and risks in real time as conditions or circumstances change.

E

Enterprise Risk Management (ERM) framework: A structured organization-wide approach for identifying, assessing, responding to, and monitoring risk.

F

Failure mode: A specific way in which a process, system, or component could fail.
Failure Mode and Effects Analysis (FMEA): A structured technique for identifying potential failure points in a process and evaluating their effects.

I

Impact: The magnitude of consequences or effect if a risk event occurs.
Inherent risk: The level of risk that exists before any controls or mitigation measures are applied.

L

Least privilege: An access control principle that gives users only the minimum permissions needed to perform their job functions.
Likelihood: The probability that a risk event will occur.

M

Material risk disclosure: The requirement to report significant risks that a reasonable investor would consider important in decision-making.
Multi-factor authentication (MFA): An authentication method requiring two or more different verification factors to confirm identity.

N

Network Access Control (NAC): A security technology that checks and enforces policy compliance for devices before allowing network access.

Q

Quantum computing threat: The risk that quantum computers could break current cryptographic methods much faster than classical computers.

R

Risk appetite statement: A formal expression of the amount and type of risk an organization or business unit is willing to accept.
Risk escalation: The process of raising a risk to a higher authority level when it exceeds defined tolerance or decision rights.
Risk governance: The system of direction and oversight used to manage risk consistently with organizational objectives and accountability.
Risk governance training: Education provided to leadership or board members to strengthen their understanding of risk oversight responsibilities.
Risk heat map: A visual tool that plots risks based on likelihood and impact to show their relative severity and priority.
Risk response performance metrics: Measures used to determine whether risk treatment actions are effective and achieving intended outcomes.
Risk standards: Detailed mandatory requirements that specify how risk management activities must be performed within an organization.
Risk tolerance: The acceptable level of variation or exposure related to a specific risk or objective.
Risk treatment: An action taken to modify risk, such as mitigating, transferring, accepting, or avoiding it.
Risk-adjusted return: A performance measure that evaluates returns in relation to the amount of risk taken to achieve them.

S

Secondary risk: A new risk that arises as a direct result of implementing a risk response or control action.
Security policy enforcement: The application of technical or administrative controls to ensure compliance with defined security requirements.
Separation of duties: A control principle that divides critical tasks among multiple individuals so no single person has end-to-end control.
Shared responsibility model: A cloud computing model in which security responsibilities are divided between the cloud provider and the customer.
Shor’s algorithm: A quantum algorithm capable of efficiently factoring large numbers and solving discrete logarithms, threatening common public-key cryptography.

T

Technology resilience: The ability of technology systems to withstand disruptions and recover operations after adverse events.

V

Vulnerability assessment: A structured process for identifying and evaluating security weaknesses in systems, applications, or networks.

About These Definitions

These definitions are loaded from the shared release pack. Use them with the study guide and practice questions to connect vocabulary to exam scenarios.

Download App Read the full study guide Take the free practice exam