How to become CRISC Certified – Certification Requirements

February 1, 2018 by Lester Obbayi


The CRISC certification is awarded to candidates that are experienced in the management of Information Technology risk and the design, implementation, monitoring and maintenance of Information Security Controls. In this article, we will take a look at the requirements needed to be awarded the CRISC certification.

Prerequisites for Certification

For candidates to qualify for the CRISC certification, ISACA has stated that the following conditions must be met. Candidates must satisfy all of the following:

  1. Possess IT risk management and information systems control experience
    Aspiring candidates must have three (3) years of work experience managing Information Technology risk by designing and implementing Information Security Controls. Candidates must have working experience across at least two (2) of the four (4) CRISC domains. Of these two (2) required domains, one must be Domain 1 or Domain 2. Candidates should also note that there are no substitutions or experience waivers.
  2. Successful completion of the CRISC examination
    ISACA makes the examination open to every individual interested in business and technology risk management as well as the development and implementation of IS controls. Emphasis is placed on the importance of taking the examination. Once they have passed, successful candidates are given information on how they may apply for certification. Deeper details concerning the examination can be found here. Candidates need to familiarize themselves with the terminology and concepts described in ISACA’s intellectual property and other credible sources.
  3. Adherence to the Code of Professional Ethics
    All the holders of CRISC certification (and ISACA members as well) agree to a Code of Professional Ethics that can be found here, which aspiring candidates will need to adhere to at all times.
  4. Adherence to the Continuing Professional Education (CPE) Policy
    Candidates will be required to agree to and adhere to the CPE policy. Its main objectives are:
    – To maintain the CRISC holders’ competency by requiring the update of knowledge and skills in the areas of risk and Information Systems control
    – To differentiate between qualified CRISC holders and those unable to meet the requirements for continuation of their certification
    – To monitor risk and information systems control professionals’ maintenance of their competency, and
    – To aid top management in providing criteria for personnel selection and development.

ISACA requires candidates to pay a maintenance fee and earn a minimum of 20 contact hours of CPE annually. Additionally, a minimum of 120 contact hours is required during a fixed 3-year period.

It’s also worth noting that the CRISC examination will be offered in Chinese Simplified, English and Spanish, so a firm grasp of any of these languages will be important.

How to Earn the CRISC

Obtaining the CRISC certification is an involved process in which candidates follow a series of outlined steps. What follows is a detailed description of each of the steps that will be faced in the quest to earn the CRISC certification.

Registering for the Exam

Aspiring candidates will be able to register for the CRISC examination by:

  1. Selecting the CRISC certification from the ISACA website here.
  2. Creating an account and logging in if already a member.
  3. Accepting the ISACA terms and conditions.

These candidates are then contacted through email with the instructions on how to schedule an exam, as well as requirement information – for example, the languages used and more information on the certification exam.

Preparing for the Exam

Upon completing the registration and being found eligible to proceed, candidates will receive an email. The following are the steps that should be followed to schedule the exam:

  1. Log in to ISACA’s website.
  2. Click on the myCertification page.
  3. Click on the Schedule Exam URL, which is located in the Pre-Certification Summary section. This will lead to the scheduling page.
  4. Follow the instructions to schedule your testing appointment. Aspiring candidates may take a look at this Candidates Guide.

The Candidates Guide comes in handy as it provides information about exam registration, dates and deadlines for the exam administration as well as the exam day rules.

Registered CRISC candidates who are eligible to schedule their testing appointments can obtain valuable information and instructions from the Scheduling Guide which gives the instructions on scheduling appointments.

Aspiring candidates can also access the CRISC Exam Study Community, which has been provided by ISACA to allow candidates to share experiences, ideas, questions and study materials.

Taking the Exam

The CRISC examination contains two hundred (200) items taken over a four (4) hour period. Candidate scores are reported as scaled scores. A scaled score is a conversion of a candidate’s raw score on an exam to a common scale. ISACA uses and reports scores on a common scale of between 200 and 800.

Candidates must receive a score of 450 or higher to pass the examination. A score of exactly 450 represents a minimum consistent standard of knowledge as established by ISACA’s CRISC Certification Committee.

Candidates who receive a passing score may then apply for the certification.

Applying for the Certification

Aspiring candidates should know that applications for the CRISC certification need to be made within 5 years from the date of initially passing the examination. If this is not possible, then re-taking and passing the examination will be required. Also, all past working experience must be independently verified with employers. Said experience must have been gained within the 10-year period preceding the application date for certification or within five years of passing the examination.

It is also important to note that decisions on applications are not final since there is an appeal process for certification denials.

More information regarding appeals can be found here.

Maintaining Certification

Over the three-year CRISC certification period, candidates are required to collect Continuing Professional Education (CPE) hours, per the CPE policy. Candidates need to meet the following requirements in order to maintain their certification:

  1. Candidates are required to collect a minimum of 20 CPE hours annually and a minimum of 120 hours within the three years of CRISC certification.
  2. A submission of annual CPE maintenance fees to ISACA international headquarters is also required.
  3. Candidates will be required to provide required documentation of CPE activities if audited.
  4. Finally, candidates will be required to adhere to the ISACA code of Professional Ethics.

Aspiring candidates can check the Infosec Institute CRISC Boot Camp, a tailored preparation course designed to prepare CRISC candidates for the certification. Infosec Institute offers various security articles and has been one of the most awarded (42 industry awards) and trusted information security training vendors for 19 years.


CRISC is the most current and rigorous evaluation available for IT professionals and other employees within an enterprise or financial institution. Holders of the CRISC help enterprises understand business risk, and possess the technical knowledge to implement appropriate Information Security controls.


Lester Obbayi is a Cyber Security Consultant with one of the largest Cyber Security Companies in East and Central Africa. He has a deep interest in Cyber Security and spends most of his free time doing freelance Penetration Tests and Vulnerability Assessments for numerous organizations.