Average CRISC Salary in 2022

January 5, 2022 by Greg Belding

ISACA’s Certified in Risk and Information Systems Control (CRISC) certification verifies that the holder has in-demand Security Risk Management skills, and it has ranked as one of the top-paying IT certifications since its release in 2017. This naturally raises the question: how much will I make on average if I earn the CRISC certification?

Average CRISC salary

Rather than “hide the ball” or make you wade through paragraphs of information you are not necessarily looking for, let’s jump right into it. The average pay for a CRISC holder in 2021 is $132,266. This figure is far above the national average salary in the United States and above the average across all IT certifications. If you work in Security Risk Management and want to give your salary a healthy boost, you may want to consider earning this certification.

CRISC salaries by city

An average does not mean your salary will land at exactly that level; there is a long list of cities where you would be paid more than the national average. Below is a list of cities where a CRISC holder makes considerably more than the national average salary.

City Average
San Mateo, CA $166,997
Berkeley, CA $161,617
Daly City, CA $161,167
Richmond, CA $156,361
Stamford, CT $152,256
Bellevue, WA $151,869
Brooklyn, NY $149,767
San Francisco, CA $148,959
New Haven, CT $148,440
Lakes, AK $147,972

As you can see, the national average salary for CRISC holders is as much as 25% below what you could be paid in the highest-paying city on the list. At times like this, the old adage of “location, location, location” finds new life.

Average Salary for CRISC by job title

Where you work is not the only factor that determines the average salary of a CRISC certification holder. The job title you hold as a CRISC holder also affects your average salary. Below is a list of job titles that seek CRISC certification holders, with their average salaries.

Job title Average
Chief Information Security Officer $180,853
Director, Computing/Networking/Information Technology (IT) Security $173,976
Director, Risk Management/Risk Control $140,000
Information Security Manager $125,282
Information Security Officer $122,539
Information Security Analyst $92,455
Senior Information Technology (IT) Auditor $90,702

The CRISC certification

CRISC is a Security Risk Management certification intended for IT and Information Security professionals. It verifies that the holder has the knowledge and skills to mitigate risk and to implement and maintain Information System Controls. According to the hosting organization, ISACA, CRISC is the only IT Risk certification focused on Enterprise Risk Management. While other Security Risk Management certifications exist on the market, CRISC has cornered the Enterprise Risk Management segment. The latest version of the certification exam has expanded its focus on governance, risk response and reporting.

What are the CRISC prerequisites?

The only prerequisite you will have to satisfy to become fully CRISC certified is an experience requirement: three or more years of experience in IT Risk Management and IS control. Note that ISACA does not allow any experience waivers or substitutions, so this prerequisite should be considered a hard requirement that you will have to live with.

The CRISC certification exam

After obtaining the necessary work experience, you will still have to pass the CRISC certification exam to earn the cert. The exam is in multiple-choice format, and candidates have four hours (240 minutes) to answer 150 questions.

The cost of registering for the CRISC exam depends on whether or not you are an ISACA member. For ISACA members, exam registration is $575; non-members pay $760.

What information is covered on the CRISC certification exam?

The CRISC certification exam covers four Domains of Knowledge. Below is a list of each Domain with the percentage of exam content it represents:

  • Domain 1 – Governance (26%)
  • Domain 2 – IT Risk Assessment (20%)
  • Domain 3 – Risk Response and Reporting (32%)
  • Domain 4 – Information Technology and Security (22%)

Pursuing the CRISC certification

CRISC would give many professionals a significant salary boost, and this should be weighed along with other factors when deciding whether to earn this certification.


Greg is a Veteran IT Professional working in the Healthcare field. He enjoys Information Security, creating Information Defensive Strategy, and writing – both as a Cybersecurity Blogger as well as for fun.