CRISC: Exam details & process [updated 2021]
IT risk and control subject matter experts who are exploring role-based certifications can look at the ISACA’s Certified in Risk and Information Systems Control (CRISC) certification to validate their skills and know-how. Acquiring this credential can show expertise in specific technical areas for professionals asked to identify, analyze, evaluate, assess, prioritize and respond to information systems and technology risks.
Opting to pursue the CRISC designation can be an excellent career move for IT practitioners involved in IT risk management (ITRM). It helps you develop, implement and maintain appropriate information systems (IS) controls and mitigate risks and threats using governance best practices and continuous risk monitoring and reporting.
CRISC exam particulars
To become Certified in Risk and Information Systems Control (CRISC), an applicant must, first of all, have a minimum of three years of cumulative work experience performing the tasks of a professional across at least two of four domains. Of these two required domains, one must be either Domain 1 or 2.
The exam was recently revised (August 2021). “This update to the CRISC exam content outline is based on changes in the work practices of IT risk professionals as well as market dynamics and trends.”
The new domains covered in the CRISC exam are as follows:
- Domain 1: Governance (26%)
- Domain 2: IT Risk Assessment (20%)
- Domain 3: Risk Response and Reporting (32%)
- Domain 4: Information Technology and Security (22%)
Candidates will be challenged with a computer-based exam that consists of 150 questions to be completed in less than four hours. ISACA “reports scores on a common scale from 200 to 800 […]. A score of 450 represents a minimum consistent standard of knowledge.” The exam is available in three languages: English, Spanish and Chinese simplified.
The CRISC exam is administered and proctored by PSI’s testing centers located in all 50 states and found in 120 countries worldwide. Exam takers have the option to participate in a test session in a computer-lab setting while being monitored by an onsite proctor. Otherwise, remote testing with online proctors is currently allowed from home or other locations at no additional cost with complete flexibility in terms of day and time.
If the onsite option is preferred, candidates can look for the closest PSI test center and select a date for the exam by going through ISACA; here, the testers can verify a testing site where and when they need it to register for their exam.
Also, they’ll be able to pay and schedule their examination. Exam Registration Fee is now $575 for members and $760 for non-members; the Application Processing Fee is $50 for members and non-members. Note: “You will forfeit your fees if you do not schedule and take the exam during your 12-month eligibility period. No eligibility deferrals or extensions are allowed,” says ISACA.
CRISC registration, scheduling, testing and examination
Registration to the CRISC exam can only be accomplished through an online procedure. Candidates will need to register and pay a non-refundable and non-transferable fee before becoming eligible to schedule their test.
ISACA exams are now administered all year round in what is known as Continuous Testing; this means candidates may register for the CRISC test whenever they are ready to sit for the examination within their 365-day window. There are no deadlines for when an individual needs to register; registrants get their own 365-day exam eligibility period.
There are four steps to registering to take an ISACA exam:
To register for the CRISC exam, candidates must create an ISACA profile at www.isaca.org/myISACA and click on the “Certifications and CPE Management” tab; then, they can click on the “Schedule your exam” option to access the PSI scheduling platform. At the end of the process, the candidates will receive an email that will confirm that ISACA has received the registration. They’ll be given details on submitting documentation for any special testing accommodations requested in a separate email.
To reschedule or cancel a previously booked test, applicants can use the “Reschedule or Cancel Exam” option. All rescheduling and cancellation of appointments must be made a minimum of 48 hours before the originally scheduled appointment to prevent forfeiture of registration fees.
It is advisable to consult the ISACA Exam Candidate Information Guide for the latest exam registration, dates and deadlines.
The CRISC exam: Testing information
Whether taking the test at a PSI test center or elsewhere, candidates will not use any reference material, study aid or even dictionaries. Although the test is four hours long, candidates need to manage their time wisely.
Questions revolve around the standards and general concepts related to the subject matter and practical knowledge. The CRISC exam is multiple choice with four options and only one possible best answer. Scenario-type questions are also possible, so take a moment to think about your response before you answer. Candidates should ensure to answer all questions as there are no penalties for incorrect answers. After the exam, testers will immediately receive a preliminary score report; however, official results are released within 10 working days.
How to apply for CRISC certification
Taking and passing the certification exam is just the first step in becoming CRISC certified.
Exam takers can get certified if they’ve met all requirements, including applying, as passing the examination does not automatically grant the designation. A completed CRISC application for certification must be submitted within five years from the date of initially passing the test, and the required work experience must be gained within the 10 years preceding the application date for certification. There are no substitutions or experience waivers. Retaking and passing the examination will be required if the completed application for certification is not submitted within five years from the passing date of the examination.
To complete the CRISC Application for Certification, pay the $50 processing fee. If the test has been successfully passed, and the candidates meet the other requirements relative to work experience, then certification is granted. For the application to be processed, verification of work experience must be submitted using the Experience Verification Form on pages V-1 and V-2 of the application. Candidates will need to ask their employers to verify all their experience.
After obtaining the certification, all CRISCs are asked to maintain an adequate level of current knowledge and proficiency by attaining CPE hours; one must earn a minimum of 20 CPE hours annually and 120 CPE hours over three years.
What’s more, they’ll need to pay the annual maintenance fee ($45 for members, $85 for non-members) to maintain CRISC Certification.
Again, continuing professional education (CPE) is crucial to maintaining your certification status. Many opportunities to earn CPEs include participating in professional development sessions like the Insider Risk Summit — September’s virtual free event.
How to report your CPE:
- Log-in at www.isaca.org/myisaca
- Click on Certifications and CPE Management
- Click on the button to Report and Manage CPE for any certification that you hold
- Click on the button to Add New CPE Record
- Fill out the details of the CPE activity. Please include a title or description of the event, the sponsoring organization, a start and end date from when it was earned, and the appropriate qualifying activity.
- Enter the number of CPE earned for each ISACA certification that you hold
- Click Save and Close or Save and Add More if you have additional CPE to report
Failure to report CPEs will result in the revocation of the CRISC designation and membership; to restore them, candidates will need to retake and pass the CRISC exam and resubmit a completed application. Note that renewal fees and maintenance fees also apply for recertification in addition to documentation of CPE hours.
The path to CRISC certification
A CRISC certification can give professionals a way to demonstrate their skills in risk analysis and assessment. This credential, however, is not based on simply passing a test. Still, it requires a mixture of previous, specific work experiences and a life-long commitment to continuous education. That education consists of maintaining CPE hours to update existing knowledge and skills in the areas of risk and information systems control; each ISACA member must maintain an adequate level of current competence and proficiency in their field.