CRISC Frequently Asked Questions (FAQ)

February 2, 2018 by Graeme Messina

Taking the CRISC exam is an important step toward achieving your Information Assurance certification. Here are some commonly asked questions that you may wish to have answered if you are considering this certification.

When does registration begin for the 2018 exams?

If you are ready to register for the 2018 CISM exam, then we have some good news for you. The next exam registration dates are from February 1st until May 24th of this year. You will need to create a login for an ISACA account and set up your membership and profile if you haven’t already done so.

How much does it cost to take the CRISC exam?

Registration costs $415 for members and $545 for non-members; final registration is $465 for members and $595 for non-members. Registering early therefore saves you $50, so it is advisable to register as soon as possible.

Where can I find the locations for the 2018 exams?

Exams are administered at PSI testing locations around the world. You are encouraged to visit for a listing of the current exam sites that are available. These sites could change without notice, so make sure that you check regularly to see if any sites have changed or moved.

How is the exam scored?

ISACA uses a 200-800 point scale with 450 as the passing mark for its exams. This is a conversion of the raw score on an exam to a common scale. The exam score is not based on an arithmetic or percent average; it is more of a sliding scale. For example, a scaled score of 800 represents a perfect score with all 150 questions answered correctly. Conversely, a scaled score of 200 is the lowest score possible and signifies that only a small number of questions were answered correctly.

A candidate must therefore receive a scaled score of 450 or higher to pass the exam. A score of 450 represents the minimum level of understanding for a candidate, as established for the exam by the ISACA Certification Committee. A candidate who receives a passing score may only then apply for certification, and only if all of the other requirements have been met.

When will I receive my exam results?

Those who complete the exam will receive a pass/fail result on their screen at the end of the exam. Candidates do not get a physical printout of these results on site; the official results are emailed to candidates, usually within 10 working days of the candidate writing the exam. Scores will not be released via any other method, as confidentiality must be maintained.

How do I provide comments on testing conditions?

Anybody who wishes to raise concerns about the examination administration, or to pass on comments, including on site conditions or the actual content of the exam, is free to contact ISACA international headquarters at within 48 hours of the conclusion of the test.

Can I take the CISA, CISM, CGEIT, and CRISC exams in the same exam window?

You can take more than one of these four exams within the same time frame if you are prepared. You will not be allowed to retake the same exam more than once within that same time period, however. For example, the CISM test can only be taken once during each administration window, so preparation is essential.

Why should I take the CRISC certification?

CRISCs bring additional skills and legitimacy to whichever company they decide to join by displaying a real-world body of knowledge, all while continuing their training and upskilling and adhering to the best-practice policies established by ISACA.

CRISC employees are able to:

  • Act as resources to teach users and management about the overall impact and potential dangers that IT risks present to the modern enterprise
  • Ensure that effective plans are developed to mitigate risk to IT infrastructure and systems, and
  • Entrench a common understanding of IT risk that will inform the policies and procedures of the organization.

What is covered under each of the four domains on the CRISC exam?

The CRISC exam covers four different domains. These are:

Domain 1: IT risk identification (27%)

Candidates must identify how specific IT risk contributes to the execution of the IT risk management strategy, which supports business objectives and aligns with the enterprise risk management (ERM) strategy. Candidates will learn how to collect and review information and document the organization's environment, and also understand how potential risks can impact business objectives and operations. This domain also teaches candidates how to identify and assess all potential threats to the organization by performing IT risk analysis and threat assessments.

Other items that will be learned include stakeholder identification, user accountability within the organization, IT risk register creation and maintenance, risk appetite and tolerance identification, and alignment of business objectives with IT risk. Here candidates will also learn how to create collaborative awareness and training programs.

Domain 2: IT risk assessment (28%)

Candidates must analyze and evaluate IT risk to determine the likelihood and impact on business objectives to enable risk-based decision making. Analyzing risk scenarios according to organizational criteria is also a key feature of this domain, as it helps to determine the probability and damage that a specific risk would entail. This domain also relies on a candidate’s ability to identify the current state of existing controls and assess how effective they are for mitigating IT risk.

Candidates must also be able to review the results of risk and control analysis while assessing any shortfalls of the current environment, and ensure that risk ownership is assigned at the right level so that accountability is in place. All of these results must be communicated to senior management and stakeholders, and the risk register must be updated regularly.

Domain 3: Risk response and mitigation (23%)

Determine risk response options and evaluate their efficiency and effectiveness to manage risk in a way that aligns with business objectives. Candidates must consult the risk owners to align the recommended responses with business objectives, which will enable informed decisions with regard to risk. They must also consult with risk owners to develop risk action plans and ensure that those plans include all key elements. Control design and implementation are also covered in this domain, so adjusting mitigating controls can also be performed.

Accountability is also important, so clear lines of communication must be established between all parties involved in risk ownership within the enterprise. Candidates must also assist with effective and efficient control execution while recording any changes in the risk response in the risk register. Risk action plan validation is also covered here.

Domain 4: Risk and control monitoring and reporting (22%)

Continuously monitor and report on IT risk and controls to relevant stakeholders to ensure the continued efficiency and effectiveness of the IT risk management strategy and its alignment with business objectives. Candidates must define and establish key risk indicators so that they can monitor changes in risk. These changes are important, as they will alter the organization's IT risk profile. It is therefore important that the changes are reported so that management is made aware of any information that may impact its decision making.

KPIs also need to be measured as a way to control performance. Candidates must also facilitate the identification of the metrics that will support management's decision-making structures.

A full breakdown of the domains can also be found here.

What does the CRISC continuing professional education program require?

In order for a candidate to become and remain a CRISC, they must first agree to comply with the CRISC continuing professional education (CPE) program. This program requires that an individual earns a minimum of 20 CPE hours annually and 120 CPE hours over a 3-year cycle. In addition, an annual maintenance fee of US $45 for ISACA members (US $85 for non-members) is required. The CPE form can be downloaded here.

Find Out More

Below are useful links that will help you to get more information about the CRISC exam, helping you to prepare and pass.


Graeme is an IT professional with a special interest in computer forensics and computer security. When not building networks and researching the latest developments in network security, he can be found writing technical articles and blog posts at InfoSec Resources and elsewhere.
