Module 40: Project Management

CRISC Domain 4 — Technology and Security | Section A | 10–12 min read
Projects create change.
Change introduces risk.

Project management ensures that:

  • Scope is controlled
  • Risks are identified early
  • Controls are embedded during design
  • Governance oversight exists
  • Stakeholders are aligned
  • Risk treatment is integrated into delivery

CRISC evaluates project governance — not scheduling techniques.


What the exam is really testing

When project management appears, CRISC is asking:

  • Was risk assessed before execution?
  • Are risks tracked throughout the project lifecycle?
  • Is scope creep controlled?
  • Are security and control requirements embedded early?
  • Is governance oversight maintained?
  • Are residual risks formally accepted?

Unmanaged projects raise exposure: every change they introduce adds inherent risk that nobody has assessed or treated.


Risk in project lifecycle

Projects introduce risk through:

  • New technology deployment
  • System integration
  • Vendor onboarding
  • Data migration
  • Organizational restructuring
  • Cloud migration
  • Regulatory change implementation

Each phase creates new exposure, so risk must be assessed and managed continuously, not once at initiation.


Risk identification in projects

Effective project governance includes:

  • Early risk assessment
  • Risk register integration
  • Control requirements definition
  • Security-by-design principles
  • Stakeholder engagement
  • Escalation thresholds

CRISC favors proactive risk inclusion — not post-launch correction.


Scope creep risk

Uncontrolled scope changes lead to:

  • Budget overruns
  • Timeline delays
  • Controls bypassed, or never designed for the added scope
  • Security weaknesses shipped with the new functionality
  • Compliance gaps

Scope creep without risk reassessment increases exposure.

CRISC frequently tests scope control discipline.


Example scenario

A project adds new functionality late in development without reassessing risk impact.

Primary governance weakness?

A. Strong mitigation
B. Failure to reassess risk due to scope change
C. Excessive appetite
D. Weak inherent risk

Correct answer:

B. Failure to reassess risk due to scope change

Scope changes require risk reassessment.


Risk ownership in projects

Who owns risk during a project?

Still the business.

Project managers coordinate.
Security advises.
Business accepts or rejects risk.

CRISC maintains ownership discipline even during transformation.


Security & control integration

Controls should be:

  • Designed into the system early
  • Aligned to architecture
  • Embedded in requirements
  • Tested before deployment
  • Integrated into change management

If security is added after deployment, cost and exposure increase.

CRISC favors “security by design.”


Vendor & third-party projects

Projects involving vendors require:

  • Due diligence
  • Contractual control requirements
  • SLA monitoring
  • Data protection provisions
  • Escalation clarity

Vendor-led projects do not eliminate accountability.


Project risk monitoring

Project governance should include:

  • Risk tracking logs
  • Escalation thresholds
  • Residual risk documentation
  • KPI/KRI integration
  • Milestone validation
  • Post-implementation review

A risk log that is maintained but never reviewed against escalation thresholds is documentation, not governance.


Example scenario

A project completes on time and within budget, but security requirements were deferred to a later phase.

Most significant concern?

A. Strong governance
B. Residual risk accepted without formal review
C. Excessive mitigation
D. Reduced inherent risk

Correct answer:

B. Residual risk accepted without formal review

Deferring security requirements is a risk-acceptance decision. If no one with the authority to accept that risk formally did so, the organization is carrying exposure it never consciously agreed to, regardless of schedule or budget performance.


Post-implementation review

After deployment:

  • Validate control effectiveness
  • Reassess residual risk
  • Update risk register
  • Document lessons learned
  • Adjust monitoring

Project completion ≠ risk elimination.


The most common exam mistakes

Candidates often:

  • Focus on timeline success.
  • Assume budget adherence equals low risk.
  • Forget to reassess risk after scope change.
  • Ignore business ownership.
  • Overlook integration of controls early.
  • Assume project closure ends risk.

CRISC evaluates risk discipline across project lifecycle.


Slightly uncomfortable scenario

A high-priority transformation project bypasses formal risk assessment due to executive urgency.

What governance principle is MOST compromised?

A. Strong innovation
B. Risk governance consistency
C. Control redundancy
D. KPI monitoring

Correct answer:

B. Risk governance consistency

Urgency does not eliminate governance discipline. It can justify expediting the assessment, never skipping it; a project exempted from risk assessment because of executive pressure sets a precedent that undermines governance for every project that follows.


Quick knowledge check

1) Risk in projects should be assessed:

A. After deployment
B. Only at initiation
C. Continuously throughout lifecycle
D. Only during testing

Answer & reasoning

Correct: C

Risk evolves during projects.


2) Scope changes require:

A. Immediate acceptance
B. No action
C. Risk reassessment and governance review
D. Avoidance

Answer & reasoning

Correct: C

Scope changes alter exposure.


3) Completing a project on time guarantees low risk.

A. True
B. False

Answer & reasoning

Correct: B

Schedule success does not equal risk reduction.


Final takeaway

Project Management in CRISC is about:

  • Embedding risk discipline early
  • Maintaining governance oversight
  • Reassessing risk with scope change
  • Integrating controls during design
  • Monitoring throughout lifecycle
  • Ensuring formal acceptance of residual risk

Projects introduce change.
Change increases inherent risk.
Governance must keep pace with transformation, not catch up after it.

CRISC rewards structured oversight — not speed of delivery.
