How to become CRISC Certified – Certification Requirements [updated 2022]
The CRISC certification is awarded to candidates that are experienced in the management of Information Technology risk and the design, implementation, monitoring and maintenance of Information Security Controls.
Prerequisites for certification
For candidates to qualify for the CRISC certification, ISACA has stated that the following conditions must be met. Candidates must possess all of the following:
- Possess IT risk management and information systems control experience. Aspiring candidates must have three years of work experience managing Information Technology risk by designing and implementing Information Security Controls. Candidates must have working experience across at least two of the four CRISC domains. Of these two required domains, one must be in Domain 1 or 2, which is required for clarification. Candidates should also note that there areno substitutions or experience waivers.
- Successful completion of the CRISC examination. ISACA makes the examination open to every interested individual interested in business and technology risk management and the development and implementation of IS controls. Emphasis is placed on the importance of taking the examination. Once passed, information is made available to successful candidates on applying for certification. Deeper details concerning the examination can be foundhere. Candidates need to familiarize themselves with the terminology and concepts described in ISACA’s intellectual property and other credible sources.
- Adherence to the Code of Professional Ethics. All the holders of CRISC certification (and ISACA members) agree to a Code of Professional Ethics that can be found here, which aspiring candidates will need to adhere to at all times.
- Adherence to the Continuing Professional Education (CPE) Policy. Candidates will be required to agree and adhere to CPE policy. Their main objectives are:
- To maintain the CRISC holders’ competency by requiring the update of knowledge and skills in the areas of risk and Information Systems control
- To differentiate between qualified CRISC holders and those unable to meet the requirements for continuation of their certification
- To monitor risk and information systems control professionals’ maintenance of their competency, and
- To aid top management to provide criteria for personnel selection and development.
ISACA requires candidates to pay a maintenance fee and earn a minimum of 20 contact hours of CPE annually. Additionally, a minimum of 120 contact hours is required during a fixed three-year period.
It’s also worth noting that the CRISC examination will be offered in Simplified Chinese, English and Spanish, so a firm grasp of any of these languages will be important.
How to earn the CRISC
Obtaining the CRISC certification is an involved process that involves candidates following a series of outlined steps. What follows is a detailed description of each of the steps that will be faced in the quest to earn the CRISC certification.
Registering for the exam
Aspiring candidates will be able to register for the CRISC examination by:
- Select the CRISC certification from the ISACA website here.
- Creating an account and logging in if already a member.
- Accepting the ISACA terms and conditions.
These candidates are then contacted through email with instructions on how to schedule an exam and the required information. For example, the languages used and more information on the certification exam.
Preparing for the exam
Upon completing the registration and being eligible to proceed, the candidates will receive an email. The following are the steps that should be followed to register:
- Login to ISACA’s website
- Click on the myCertification page
- Click on the Schedule Exam URL, which is located in the Pre-Certification Summary section. This will lead to the scheduling page.
- Follow the instructions to schedule your testing appointment. Aspiring candidates may take a look at this Candidates Guide.
The Candidates Guide comes in handy as it provides information about exam registration, dates and deadlines for the exam administration, and the exam day rules.
Registered CRISC candidates who are eligible to schedule their testing appointments can obtain valuable information and instructions from the Scheduling Guide, which gives the instructions on scheduling appointments.
Aspiring candidates can also access the CRISC Exam Study Community that ISACA has provided to allow candidates to share experiences, ideas, questions and study materials.
Taking the exam
The CRISC examination contains 150 items taken over four hours. Candidate scores are reported as scaled scores. A scaled score is converting a candidate’s raw score on an exam to a common scale. ISACA uses and reports scores on a common scale of 200 and 800.
Candidates must receive a score of 450 or higher to pass the examination. A score of exactly 450 represents a minimum consistent standard of knowledge as established by ISACA’s CRISC Certification Committee.
Candidates who receive a passing score may then apply for the certification.
Applying for the certification
Aspiring candidates should know that applications for the CRISC certification need to be made within five years from the date of initially passing the examination. If this is not possible, then re-taking and passing the examination will be required. Also, all past working experience must be independently verified with employees. Said experience must have been gained within the 10 years preceding the application date for certification or within five years of passing the examination.
It is also important to note that decisions on applications are not final since there is an appeal process for certification denials.
More information regarding appeals can be found here.
Candidates need to meet the following requirements to maintain their certification. Over the three-year CRISC certification period, it is required that candidates collect Continuing Professional Education (CPE) hours, per the CPE policy.
- Candidates must collect a minimum of 20 annual CPE hours, and within the three years of CRISC certification, a minimum of 120 hours, respectively.
- Submission of annual CPE maintenance fees to ISACA international headquarters is also required.
- Candidates will be required to provide required documentation of CPE activities if audited.
- Finally, candidates will be required to adhere to the ISACA Code of Professional Ethics.
CRISC is the most current and rigorous evaluation applied to IT professionals and other employees within an enterprise or financial institute. Holders of the CRISC aid enterprises in understanding business risk and possess the technical knowledge to implement appropriate Information Security controls.
- Appeals Policy, ISACA
- Code of Professional Ethics, ISACA
- CRISC Job Practice Updates for 2021, ISACA
- ISACA Certifications, ISACA
- ISACA Engage Community, ISACA
- Maintain CRISC Certification, ISACA