Maintaining Your CRISC Certification: Renewal Requirements

February 5, 2018 by Lester Obbayi


In this article, we will discuss some of the frequently asked questions concerning the certification renewal requirements that aspiring CRISC candidates might have. Even though there may be more questions regarding certification renewal, the most common are discussed here.

Candidates often look for answers to questions such as the following:

What are the CRISC renewal requirements?

In order to renew your CRISC certification, ISACA requires that over the three (3) year CRISC certification period, candidates must collect Continuing Professional Education (CPE) hours as per the CPE policy. CRISC candidates also need to meet the following requirements in order to maintain their certification:

  1. Candidates are required to collect a minimum of 20 annual CPE hours, and within the three years of CRISC certification, a minimum of 120 hours cumulatively.
  2. A submission of annual CPE maintenance fees to ISACA international headquarters is also required.
  3. Candidates will be required to provide required documentation of CPE activities if audited.
  4. Candidates will be required to adhere to the ISACA Code of Professional Ethics.

In the event that candidates/certification holders are unable to comply with these requirements, ISACA reserves the right to revoke the individual’s CRISC designation. This also requires that their certifications be destroyed immediately.

What are the CRISC CPE maintenance requirements?

ISACA requires that candidates partake in qualifying CPE activities that have been approved by the CRISC Certification Task Force, in order to obtain or maintain CPE. These activities must be directly applicable to risk identification, assessment, evaluation, response and monitoring of IS controls. It is worth noting that CPE hours are not accepted for on-the-job activities, unless they fall into a specific qualifying professional education activity. These qualifying activities and limits that candidates may participate in include:

  1. ISACA professional education activities and meetings (no limit). These include ISACA conferences and meetings and related activities. CRISCs earn CPEs according to the number of hours of active participation.
  2. Non-ISACA professional development activities and meetings (no limit). These include in-house corporate training, university courses, conferences, seminars, workshops and professional meetings not sponsored by ISACA.
  3. Self-study courses (no limit). These include structured courses designed for self-study that offer CPE credits. It is important to note that these are only accepted if the course provider issues a certificate of completion and the certificate contains the number of CPE hours earned for the course.
  4. Vendor sales/marketing presentations (10-hour annual limitation): These include vendor product- or system-specific sales presentations related to risk identification, assessment, evaluation, response and monitoring.
  5. Teaching/lecturing/presenting (no limit): These include the development and delivery of professional presentations and self-study/distance learning courses related to risk identification, assessment, evaluation, response and monitoring, and maintenance of IS controls.
  6. Publication of articles, monographs and books (no limit): These include the publication and/or review of material directly related to risk identification, assessment, evaluation, response and monitoring and the design, implementation, monitoring and maintenance of IS controls. Submissions must appear in a formal publication or website, and a copy of the article or the website address must be available if requested.
  7. Exam question development and review (no limit): This includes the development or review of items for the CRISC exam (or review materials). Two CPE hours are earned for each question accepted by an ISACA CRISC item review committee.
  8. Passing related professional examinations (no limit): This involves the pursuit of other related professional examinations. Two CPE hours are earned for each examination hour when a passing score is achieved.
  9. Working on ISACA Boards/Committees (20-hour annual limitation per ISACA certification): This involves active participation on an ISACA board, committee, sub-committee or task force, or active participation as an officer of an ISACA chapter. One CPE hour is earned for each hour of active participation.
  10. Mentoring (10-hour annual limitation): Certified individuals are able to receive up to 10 CPEs annually for mentoring. Activities include mentoring efforts directly related to coaching, reviewing or assisting with CRISC exam preparation, or providing career guidance through the credentialing process at the organizational, chapter or individual level. One CPE hour is earned for each hour of assistance.

More information on the accepted activities and the processes followed, for example the formula for calculating CPE hours, can be found here.

Can I regain membership if my certification has been terminated?

The short answer is yes. Individuals whose certification has been revoked are required to re-take and re-pass the exam and then re-apply for certification, with the appropriate experience. If these individuals apply for reinstatement after 60 days of revocation, they may incur an additional reinstatement fee of $50. It should be noted that this reinstatement fee is in addition to any back or current certification maintenance fee needed to bring the certified individual into compliance with the CPE policy. Revoked individuals can also appeal a certificate revocation by writing a notification of the appeal to The appeal must include a detailed explanation for the reinstatement request as well as the CPE documentation from the cycle period since revocation to the current year.

How long is the CRISC certification good for?

The CRISC certification is valid for a year, after which renewal is a requirement. Nonpracticing CRISCs (those no longer working in risk identification, assessment, evaluation, response etc.) are entitled to apply for nonpracticing CRISC status. ISACA requires that applications for nonpracticing status be received no later than 15 January and accompanied by the annual renewal fees. Nonpracticing CRISCs are not required to submit CPE hours, but may not use “CRISC” or “CRISC nonpracticing” on business cards. The forms for CRISC nonpracticing, return to active, and retired can be obtained here.

Registration for the latest CRISC exam testing window, 1 February-24 May 2018, is currently available. The remaining 2018 testing windows will be 1 June-23 September 2018 and 1 October 2018-24 January 2019. If interested in checking out the exam schedule, it can be found here.

Do I have to retake the exam?

Retaking the exam is NOT necessary when renewing the CRISC certification. ISACA only requires that the number of CPE hours be met, CPE maintenance fees be met in full, required documentation be submitted in cases where individuals are selected for an annual audit and that candidates comply with the ISACA Code of Professional Ethics. Payment for the renewal of the certification can be done online at The invoice notification is sent both through email and as a hard copy in the third quarter of each calendar year by ISACA to all CRISCs. Normally, the deadline for payment and reporting of CPE is on the 15th of January.

However, according to the Certification Revocation, Reconsideration and Appeal section of the Appeals Policy, if the certification had initially been revoked, then you do have to re-take and pass the exam.

Aspiring candidates can check the Infosec Institute CRISC Boot Camp, which is a neatly tailored preparation course designed to prepare CRISC candidates for the certification. Infosec Institute offers various security articles and has been one of the most awarded (42 industry awards) and trusted information security training vendors for 19 years.


Having the right information during CRISC certification renewal can mean the difference between a successful and unsuccessful renewal. It is important that candidates familiarize themselves with the different rules that ISACA has in place in order to maintain their credentials.




Lester Obbayi is a Cyber Security Consultant with one of the largest Cyber Security Companies in East and Central Africa. He has a deep interest in Cyber Security and spends most of his free time doing freelance Penetration Tests and Vulnerability Assessments for numerous organizations.
