Everything to know about earning the CRISC certification

Certifications are a vital component of the Information Technology (IT) and Information Security (IS) fields. They substantiate a professional's experience and demonstrate certain skills to potential employers. Many IT/IS positions prefer or require applicants to have certain certifications so that they know that the person they hire has the skills to perform the job. Because of this, earning a certification is something that everyone in the cyber security field should strive for if they want to maximize their success.

In order to earn most IT/IS certifications, you have to fulfill certain experience requirements and pass an exam. The same is true for one popular certification for cyber security professionals that specialize in risk management: Certified in Risk and Information Systems Control (CRISC). According to ISACA, over 23,000 people have obtained the CRISC certification since its inception in 2010. In this guide, we've outlined who the CRISC certification is designed for, how to prepare for the exam, how to leverage this popular certification to your advantage and more.

What is CRISC?

The CRISC certification is one of many IT certifications offered by ISACA, formerly known as the Information Systems Audit and Control Association. ISACA is a membership organization dedicated to the advancement of IT/IS professionals and is recognized as a global leader in the IT/IS fields.

"The CRISC is designed for IT risk, control and compliance practitioners, business analysts, project managers and other IT and business professionals who have three years of risk management and information system control experience within the past ten years," wrote Lisa Cook, GRC Professional Practices Principal at ISACA. "CRISC prepares IT professionals to help the enterprise assess, govern and mitigate risk from internal and external threats and vulnerabilities. These are in-demand skills in organizations."

CRISC certification requirements

Most certifications in the IT/IS fields and beyond require candidates to fulfill certain eligibility requirements before they can be certified. The CRISC certification requires applicants to have three or more years of cumulative work experience in IT risk management and IS control.

However, one unique feature of ISACA's certifications is that you don't have to complete the experience requirement before taking the exam. While it probably makes the most sense to have the experience first so that you have the knowledge and skills necessary to pass the exam, you could finish up the experience requirement after the exam and apply for certification later if you want. ISACA simply requires that applicants apply for certification by satisfying the following:

  • Successfully pass the certification exam
  • Pay the application fee
  • Submit an application that demonstrates the experience requirement
  • Adhere to their code of professional ethics
  • Adhere to their continuing professional education (CPE) policy 

Candidates have five years after passing the exam to apply for certification.

CRISC certification salary & other benefits

As a cyber security professional, there are many advantages to earning the CRISC certification. Adding the CRISC certification to your resume could be an incredible boon to your career and earning potential in the cyber security field.

"CRISC is the certification associated with the highest salary in North America according to Skillsoft's 2022 IT Skills & Salary Report, increasing from the fourth position in 2021. The CRISC certification garners an average salary of $167,145," Cook said.

The benefits don't end there. Consider these other ways that a CRISC certification could upgrade your career:

  • It could increase your career advancement potential by making you qualified for a greater number of risk management positions
  • ISACA certifications are globally recognized, which means your certification could benefit you wherever your career takes you
  • Increased recognition and credibility in the industry may lead to more leadership positions and the possibility of a higher salary
  • By enhancing your knowledge and skills in IT risk management, you may be more prepared to excel in most risk management roles
  • Earning an ISACA certification opens up opportunities for networking within the ISACA community

"The certification allows IT risk practitioners to demonstrate to hiring managers they have the knowledge and skills to perform risk assessments and validate the requisite job experience. CRISC is also an accredited certification program under ISO/IEC 17024:2012, further validating that the job functions tested match the experience required. All of this helps lend credibility to any CRISC holder, which helps boost earning potential and career opportunity," Cook said.

CRISC exam details

The CRISC exam is a computer-based test administered at authorized testing centers or as a remotely proctored exam. You have four hours to answer the exam's 150 multiple-choice questions. These questions may be in the form of a question or an incomplete statement. You may also be presented with a scenario that requires you to answer two or more questions on the information provided.

ISACA exams are scored on a scale of 200 to 800. You need a score of 450 or higher to pass. After you finish the exam, you are immediately notified if you passed or not.

You can retake the test a maximum of three more times within a year of your first attempt if you don't pass. Keep in mind that you must pay the exam fee for each retake.

CRISC domains and knowledge areas

The CRISC certification exam tests candidates on four core domains. They are not weighted equally: the weights are 26%, 20%, 32% and 22% of the exam, respectively.

Governance: This domain evaluates your understanding of an organization's business and IT environments, such as its organizational strategy, structure, goals and objectives, and makes up 26% of the exam. It explores the potential or existing impacts of IT risk on the business objectives and operations of the organization.
IT risk assessment: The second domain validates your knowledge of the threats and vulnerabilities facing the organization and the probability and impact of future attacks. This domain constitutes 20% of the exam.
Risk response and reporting: The third domain is the largest at 32% of the exam. It covers selecting and implementing risk responses and the controls that support them, and then monitoring and reporting on risk, including the use of risk and control indicators.
Information technology and security: The fourth and final domain is 22% of the exam and explores the synthesis of business practices with risk management and IS frameworks and standards. It also looks at the development of a risk-aware organizational culture and the implementation of cyber security awareness training.

Preparing for the CRISC exam

ISACA has a wide variety of CRISC exam prep resources available, including online prep courses, study groups, study guides and a free practice quiz. Most of their resources must be purchased, but you can receive a discount if you are an ISACA member. Try to take advantage of as many resources as you can—by checking out exam resources, you can get a good idea of how prepared you already are for the test and what areas you might need to spend extra time studying for.

"ISACA offers an online review course, review manuals (available in English and other languages) and a powerful review questions, answers and explanations database to help practitioners prepare to earn the CRISC certification. There is also the option to participate in the ISACA Engage Community, with access to forums and advice on how to prepare for the exam and seek real-world insight into the day-to-day challenges of a risk professional," Cook said. "ISACA also offers an IT Risk Fundamentals certificate for those interested in gaining knowledge in the field, but who lack the experience to pursue the CRISC. It is a great stepping stone to becoming knowledgeable in IT risk."

In addition, check out some of these test-taking tips that can help ensure you do your best on the exam:

  1. Study frequently leading up to the exam instead of cramming.
  2. If you are taking an in-person exam, arrive at the testing center early to make sure you can find where you need to be, stow your personal belongings, use the restroom, or anything else you need to do before the exam.
  3. Read each answer carefully, answer what you know, and skip questions that are stumping you and come back to them later.
  4. Answer every single question. You aren't penalized for wrong answers—your grade is based on the number of correct answers only. If there are questions left that you either didn't know or didn't have time to answer, just make a guess.
  5. Try to budget your time as best you can. With 240 minutes to answer 150 questions, you have about 96 seconds (a little over a minute and a half) per question, so don't let a single scenario question consume several minutes.

After passing the CRISC exam

Unlike many other professional certifications out there, you are not automatically CRISC-certified once you pass the exam. Instead, you must apply for certification once you meet the rest of the requirements (including the experience requirement), and you have five years from the exam date to do so.

In order to maintain your CRISC certification, you must complete the Continuing Professional Education (CPE) requirements. This means you must complete 20 CPE units annually and 120 CPE units over a three-year period. ISACA offers many ways to earn CPE units including attending conferences, completing training courses and skills-based labs, watching webinars and so much more.

Real-world applications of CRISC

Risk management within the IT/IS fields is arguably more important now than ever before. Integrating new technologies like machine learning into business models requires that businesses understand how to use them safely.

"The breakneck speed of technology innovation and advancement (e.g., AI-enabled systems and other emerging technology) require enterprises to align technology to business needs and design and implement systems in a way that enhances the effectiveness and efficiency of the business processes and services they deliver," Cook said. "It's important for enterprises to first understand the risk associated with emerging tech and then put mechanisms in place to mitigate it. Those mechanisms will require a multi-disciplinary team which will include IT risk and associated practitioners with deep knowledge of IT risk management, governance, data compliance and assurance."

Testimonials from professionals certified in risk and information systems control (CRISC)

Reza Khalesi: "To achieve expertise in risk management, acquiring the CRISC certification is essential. CRISC provides you with specialized knowledge in risk and information security control, enabling you to develop advanced strategies for risk mitigation within enterprise settings. Moreover, it equips you with the expertise to effectively bridge the gap between risk controls and the requirements of the business, ensuring seamless alignment with an organization's risk management framework. Additionally, CRISC imparts an in-depth understanding of control plans, as well as comprehensive knowledge of IT security models, controls, and processes." 

Luigi Sbriz: "All business control frameworks are now risk-based. Even the vital decisions for the organizations are risk-based. In this scenario, a holistic and open approach to risk management, such as the CRISC certification of ISACA, is a higher value than vertical methodologies that are too specialized. With the knowledge acquired in this certification path, I have the flexibility to address the processes of assessing the risk of businesses very different from each other."  

Comparing CRISC with other risk management certifications

The CRISC certification is not the only risk management certification out there. Depending on who you work for, what you do and your individual career goals, there may be other certifications that are a better fit for you or that you could pursue in addition to a CRISC certification.

Here are a few examples of other certifications that may be useful for risk management professionals:

  • Certified Risk Management Professional (CRMP) from the Risk Management Society (RIMS)
  • Risk Management Professional (PMI-RMP) from the Project Management Institute (PMI)
  • Certification in Risk Management Assurance (CRMA) from The Institute of Internal Auditors (IIA)

Each of these certifications has its own qualifications and competency areas that make them distinct.

"Other risk certifications focus on general overall enterprise risk from an assurance perspective (such as CRMA) or are focused on project-based risk (such as the offerings from PMI)," Cook said. "CRISC focuses on establishing the connection between IT risk and overall enterprise risks. It is unique in focusing on the impact of IT risk management in the context of overall risk to an organization."

"CRISC can stand alone, but ISACA's other certifications can complement and enhance opportunities for those who want to pursue or demonstrate experience in multiple domains," Cook said. "For example, CISA holders can pursue a CRISC to help balance their audit knowledge with appropriate risk identification and assessment expertise. CRISC holders interested in navigating their career path into security management or IT governance can pursue the CISM or CGEIT certification, respectively. Practitioners seeking to specialize in privacy and associated risk can pursue CDPSE certification."

Note: Certificate vs Certification

  • Certificate: A certificate is awarded by an educational institution, and signifies that a student has satisfactorily completed a given curriculum. Certificate programs can help students prepare for certification exams.
  • Certification: A certification is generally awarded by a trade group after an individual has met certain professional requirements (e.g. earned a specific cyber degree, worked professionally in a given field for a set amount of time, etc.) and passed a certification exam.

In short, a certificate is evidence that someone has completed an educational program, while a certification denotes that someone has met a certain set of professional criteria and/or passed an exam.

Wrapping it up

If you want to elevate your IT/IS career and validate your risk management skills, the CRISC certification from ISACA could be a fantastic credential to add to your resume. This credential for IS risk management professionals is offered by one of the most recognized organizational leaders in the IT/IS industry. Getting this certification could be that extra boost needed to open up new career possibilities and potentially a higher salary.

To learn more about the CRISC certification and what it could do for your career, check out ISACA's website for more information.

Published: October 16, 2023

Written and reported by: Kendall Upton, Staff Writer

With professional insights from: Lisa Cook, GRC Professional Practices Principal, ISACA