crisc-d4-it-security-project-management

IT Project Risk Management (CRISC Domain 4)

isaca-crisc · framework · Production-ready

Drawn fromCRISC Review Manual · ISACA peer-reviewed case sets·Reviewed May 5, 2026

How this was built ▾

Every cubelet runs through five agent passes before publishing. Each stage's output is recorded so we can trace how a claim got here.

01 · RESEARCHSource synthesisClaude Haiku
02 · WRITERSix-face draftingClaude Sonnet
03 · EDITORCoherence + clarity passClaude Sonnet
04 · QAQuality gate scoringClaude Opus
05 · PUBLISHERCatalog + graph commitClaude Haiku

This runcourse-factory-pipeline-v1

1

Face 1 of 6 · WHAT

What is IT Project Risk Management (CRISC Domain 4)

Within the ISACA CRISC framework, IT Project Risk Management is the discipline of identifying, assessing, and mitigating risks across every phase of the IT project lifecycle—initiation through closure—to protect organizational value, ensure control effectiveness, and align IT project portfolios with enterprise risk appetite. Unlike general project management (PMI, PRINCE2), which optimizes scope, schedule, and budget delivery, CRISC project risk management is risk-first: its primary lens is detecting and treating threats to information security, regulatory compliance, operational continuity, and strategic outcomes embedded within project portfolios.

Where it stops · what it isn't

—IS: Risk identification, assessment, and mitigation across IT project lifecycle phases (initiation, planning, execution, monitoring, closure)
—IS: Portfolio-level risk concentration management—evaluating interdependencies and cumulative risk across multiple simultaneous IT projects
—IS: Control design and implementation through governance gates, steering committees, and risk-based project selection criteria
—IS: Integration of cybersecurity, compliance, and third-party/vendor risk into project governance frameworks
—IS NOT: Project execution methodology (Waterfall, Agile, SAFe, PRINCE2)—covered by the SDLC competency
—IS NOT: Day-to-day project scheduling, resource leveling, or earned value management—operational PM functions outside CRISC scope
—IS NOT: Post-deployment operational risk management of project-initiated systems—covered by the IT Operations Management competency
—IS NOT: Disaster recovery or business continuity planning for project-related incidents—covered by BCM/DRM competencies

Connected concepts in the graph

Every cubelet sits in a knowledge graph. Here's what this one connects to.

PART OF

CRISC Domain 4: Information Technology and Security

RELATED TO

System Development Life Cycle (SDLC)IT Operations ManagementBusiness Continuity ManagementDisaster Recovery Management

REQUIRES

Risk Identification and Assessment (CRISC Domain 1)IT Governance Concepts and Roles

ENABLES

Enterprise Risk Management (ERM) IntegrationThird-Party and Vendor Risk Management

CONSTRAINS

IT Project Portfolio Selection and Prioritization

Practice this judgment ↗

Adaptive, ~8 min

Sit in the practitioner's chair ↗

Live simulator

06 · APPLYSign up to enter the judgment simulator →

Watch your judgment grow on this concept

Create a free account to unlock all 6 faces, the judgment simulator, and a mastery score that updates with every attempt.