CRISC: Exam details & process

January 31, 2018 by Daniel Brecht

In a fast-changing cyberspace landscape, CRISC-recognized professionals are essential for any company thanks to their knowledge in the fields of IT risk management and IS control. As ISACA states: “CRISC is the only certification that prepares and enables IT professionals for the unique challenges of IT and enterprise risk management, and positions them to become strategic partners to the enterprise.” For that reason, becoming CRISC-certified demonstrates that a person has the expertise and skills to effectively manage risks and assess the effectiveness of key controls.

CRISC exam particulars

To become Certified in Risk and Information Systems Control (CRISC), an applicant must first have a minimum of three years of work experience in IT risk and information systems (IS) control. In addition, he or she must have worked in two of the areas covered by the CRISC domains, one of which must be either Risk Identification or Risk Assessment. Candidates must then obtain a passing score on the computer-based CRISC exam, a 150-question test that must be completed in 4 hours. ISACA “reports scores on a common scale from 200 to 800 […]. A score of 450 represents a minimum consistent standard of knowledge.” The exam is available in 3 languages: English, Spanish and Simplified Chinese.

A passing score on the CRISC exam without the required work experience is valid for only five years. If the applicant does not apply for or meet the CRISC certification requirements within the five-year period, the passing score will be voided. If all requirements are met, professionals can apply for certification.

The CRISC exam is administered and proctored at PSI’s testing centers, located in all 50 states and found in 120 countries around the world. Exam takers have the option to participate in a test session in a computer-lab setting while being monitored by an onsite proctor. As an alternative, the PSI kiosk experience allows for testing at a small individual workstation in a managed yet self-service way, with examinees being monitored over video by a remote proctor.

Candidates can find the closest PSI test center and select an exam date through ISACA, where they can check that a testing site is available where and when they need it, register for the exam, pay and schedule their examination.

CRISC registration, scheduling, testing and examination

Registration for the CRISC exam can only be completed through an online procedure. Candidates must register and pay a non-refundable and non-transferable fee before becoming eligible to schedule their test.

There are 4 Steps to Registering to Take an ISACA Exam: 

For registration deadlines and opening information, visit

To register for the CRISC exam, candidates must create an ISACA profile. After logging in, candidates can complete the purchase of the test. Candidates can make any profile changes, including the preference for testing in their requested language, directly online. Within one business day, they will receive a ‘Notification to Schedule’ email with all the information necessary to reserve an actual exam appointment.

At that point, the professional can log in to their ISACA profile and click on the “myCertifications” tab; then, they can click on the “Schedule” option. In the same way, candidates can schedule according to a timetable. They can also reschedule or cancel a previously booked test through the “Re-Schedule or Cancel Exam” option, and can reschedule within the same testing window without forfeiting their exam registration fees if they need to. Once these steps are completed, the candidate will get an email confirming that ISACA has received their registration. In a separate email they’ll be given details on submitting documentation for any special testing accommodations requested.

It is advisable to consult the ISACA Exam Candidate Information Guide for the latest information about exam registration, dates and deadlines.

CRISC registration/scheduling dates

  • Registration opens 1 December 2017 (Exam Window 1)
    Testing window: 1 February–24 May 2018
    Registration deadline: 18 May 2018

  • Registration opens 1 March 2018 (Exam Window 2)
    Testing window: 1 June–23 September 2018
    Registration deadline: 18 September 2018

  • Registration opens 1 July 2018 (Exam Window 3)
    Testing window: 1 October 2018–24 January 2019
    Registration deadline: 18 January 2019

2018 Exam Registration Fees:

  • $525 Member/$710 Non-Member [by February 16, 2018]
  • $575 Member/$760 Non-Member [after February 16, 2018]

The CRISC exam: Testing information

Whether taking the test at a PSI test center or at a testing kiosk, candidates will not be able to bring any reference material, study aids or even dictionaries. Personal belongings, including handbags, recording devices and cell phones, will be stored in lockers. Procedures are in place for restroom breaks during the test, but no other pauses will be allowed except for confirmed emergencies.

Although the test is four hours long, it is important for candidates to manage their time wisely. Questions revolve around the standards and general concepts related to the subject matter and around practical knowledge. The CRISC exam is multiple choice, with 4 options and only one possible best answer. Scenario-type questions are also possible, so take a moment to think about your response before you answer. Candidates should be sure to answer all questions, as there are no penalties for incorrect answers. After the exam, testers will immediately receive a preliminary score report; however, official results are released within 10 working days.

How to apply for CRISC certification

CRISC exam takers can apply for certification if they’ve met all requirements, including submitting an application, as passing the examination does not automatically grant the designation. A completed CRISC application for certification must be submitted within 5 years from the date of initially passing the test. Retaking and passing the examination will be required if the completed application for certification is not submitted within five years from the passing date of the examination.

To complete the CRISC Application for Certification, visit and pay the USD$50 processing fee. If the test has been successfully passed and the candidates meet the other requirements relative to work experience, then certification is granted. In order for the application to be processed, a verification of work experience must be submitted with the application via mail, fax or e-mail to:

CRISC Certification, ISACA, 3701 Algonquin Road, Suite 1010, Rolling Meadows, IL 60008, USA; Fax: +1.847.253.1755; Email:

Once submitted, the application progress can be followed online on the MyISACA > MyCertifications page.

After obtaining the certification, all CRISCs are asked to maintain an adequate level of current knowledge and proficiency by attaining CPE hours; one must earn a minimum of 20 CPE hours annually, and 120 CPE hours over a period of three years.

How to report your CPE:

  • Log in at
  • Click on MY ISACA
  • Click on Manage My CPE
  • Scroll down, then click on Add CPE button
  • Enter CPE activity information and click Save.

Failure to report CPEs will result in the revocation of the CRISC designation and membership; to restore them, candidates will need to re-take and pass the CRISC exam and re-submit a completed application. Note that, in addition to documentation of CPE hours, renewal fees and maintenance fees apply for re-certification.


A CRISC certification can give professionals a way to demonstrate their skills in risk analysis and assessment. This certification, however, is not based on simply passing a test: it requires a mixture of previous, specific work experience and a life-long commitment to continuous education. That commitment consists of maintaining CPE hours and thereby updating existing knowledge and skills in the areas of risk and information systems control, as each ISACA member must maintain an adequate level of current competence and proficiency in their field or profession to support any professional qualifications/certifications.



Daniel Brecht has been writing for the Web since 2007. His interests include computers, mobile devices and cyber security standards. He has enjoyed writing on a variety of topics ranging from cloud computing to application development, web development and e-commerce. Brecht has several years of experience as an Information Technician in the military and as an education counselor. He holds a graduate Certificate in Information Assurance and a Master of Science in Information Technology.
