Emerging Technologies, in the CRISC context, are information technologies in early-to-mid market adoption phases defined by four characteristics: (1) limited operational history—insufficient real-world data to apply traditional actuarial risk quantification; (2) evolving standards—industry frameworks, regulatory requirements, and security baselines are still forming; (3) uncertain business value—ROI projections rely on vendor claims and analyst forecasts rather than internal benchmarks; and (4) novel risk factors—threat vectors, failure modes, and control requirements differ materially from established IT. ISACA's CRISC framework spans five primary technology families: Generative AI and ML systems, cloud-native architectures (containers, Kubernetes, serverless, API-first), quantum computing and its cryptographic implications, edge computing and IoT, and distributed ledger/Web3 applications. The CRISC practitioner's role is not to evaluate technical feasibility but to assess, govern, and monitor the organizational risk introduced by adopting these technologies—enabling safe innovation rather than blocking it.
Where it stops · what it isn't
- IS: Technologies in early-to-mid adoption curves with limited internal operational history (typically fewer than 3 production deployment cycles within the organization) and still-maturing industry control standards.
- IS: Risk assessment methodology adaptations required when historical incident data is scarce and traditional actuarial models cannot be directly applied.
- IS NOT: General IT risk management for well-established technologies (ERP systems, relational databases, legacy networks)—those fall under foundational CRISC risk assessment principles.
- IS NOT: Technology evaluation or architecture design—CRISC practitioners assess the risk of adoption decisions; engineers and architects design implementations.
- IS NOT: Cloud security controls fundamentals—IAM, encryption at rest/transit, and network segmentation are covered in the Enterprise Architecture cubelet. This cubelet addresses risk governance gaps specific to cloud-native patterns: serverless ownership gaps, container escape risks, and multi-cloud sprawl.
- IS NOT: A static list of risky technologies. What qualifies as 'emerging' shifts over time; the assessment methodology is the durable competency, not a point-in-time technology inventory.
Connected concepts in the graph
Every cubelet sits in a knowledge graph. Here's what this one connects to.
- PART OF: CRISC Domain 4: IT and Security — Information Technology and Security
- REQUIRES: IT Risk Identification and Assessment (CRISC Domain 1); Information Security Concepts, Frameworks, and Standards
- RELATED TO: Enterprise Architecture Risk; System Development Life Cycle Risk; Data Privacy and Protection Principles
- ENABLES: Third-Party and Vendor Risk Management; IT Risk Monitoring and Reporting (CRISC Domain 3)
- CONSTRAINS: Technology Investment and Capital Allocation Decisions