CRISC — Certified in Risk and Information Systems Control

The CRISC exam comprises 150 questions completed in a four-hour time frame. The questions are graded on a scale from 200 to 800 points, with a score of 450 being the minimum threshold for passing. Questions are multiple choice; each has four answer options and only one correct answer. In terms of format, the exam is fully computer-based regardless of test-taking location (on-site or remote).

Read our CRISC exam details and process article for more information on scheduling and taking the CRISC exam.

The CRISC exam is moderately difficult since it’s geared towards professionals with at least three years of related professional experience. Test takers must have a deep working knowledge of the four core domains: governance, IT risk assessment, risk response and reporting, and IT and security.

To pass the CRISC exam, you must earn a minimum of 450 points out of 800. Test takers who successfully pass the exam have typically undergone a significant period of preparation, including test prep classes, study guide review, practice exams and more.

To pass the CRISC exam, you will need to earn at least 450 points out of a total of 800 points. You’ll have a total of four hours to take the computer-based, multiple-choice exam.

Pass rates vary depending on an individual’s experience, study habits and test-taking strategies. For example, Infosec partners with ISACA to offer a CRISC Boot Camp that comes with an Exam Pass Guarantee, which means if you don’t pass the exam on your first attempt, you’ll get a second attempt at no cost to you.

For advice on passing the exam, check out our 9 tips for CRISC exam success article.

The cost of the CRISC exam depends on the status of your ISACA membership. ISACA members can take the exam for $575, while non-members must pay $760.

Bear in mind that once you register for the exam, you must take it within 365 days — otherwise, you’ll have to pay again. Once you earn the CRISC certification, you’ll also have to pay an annual maintenance fee of $45 for members and $85 for non-members.

The most up-to-date pricing for ISACA exams can be found on the ISACA website. You can download ISACA’s Exam Candidate Information Guide (English) in multiple languages to get the most up-to-date information about costs and other exam details.

The CRISC exam is administered by PSI. You can take the exam online with remote proctoring or in-person at a PSI testing center. For more information, see the “Register for the Exam” section on the ISACA CRISC page.

• Watch this PSI Test Center Experience video to learn more about testing in person at a PSI test center.
• Watch this PSI Online Proctoring Experience video to learn more about remote testing.

You have a variety of learning resources at your disposal to prepare for the CRISC exam. We recommend starting out with the ISACA candidate guide (check out the ISACA CRISC webpage for the most up-to-date version or to download the guide in other languages). The guide covers topics related to exam registration, important deadlines, exam domains and more. The guide is a must-read for every CRISC test taker.

Many additional training resources are provided in the free and paid CRISC training resources sections below.

Once you receive your CRISC, you must complete professional education activities to keep it active.

The CRISC has a three-year renewal cycle. During that three-year period, you will need to complete a total of 120 hours of continuing professional education (CPE) activities with a minimum of 20 hours each year. In other words, you’ll need to spread these activities out rather than frontloading them during the first year or saving them all for year three.

There are many educational activities you can choose from to earn your CPEs. These options include classes, conferences, lab activities, volunteering with ISACA and more. You can find a full list of options in ISACA’s CRISC CPE Policy.

These articles are filled with a wealth of helpful information:

• How to earn CRISC CPE credits
• How to become CRISC certified: Certification requirements

In addition to completing CPEs, you’ll need to pay an annual maintenance fee. The fee costs $45 for ISACA members and $85 for non-members. If you hold more than two ISACA certifications, the cost to renew each additional certification (3rd, 4th, etc.) is $25 for ISACA members and $50 for non-members.

According to ISACA, “This payment is due annually by 1 January and is required to renew through the upcoming calendar year. For example, to renew through the end of the current year, the current year’s maintenance fee must be paid by 1 January of the current year.”

For more information, read our article, Maintaining your CRISC certification: Renewal requirements.

The best jobs for CRISC holders are at the mid-career level and fall within the arena of risk identification and management. Some common job titles and career paths for CRISC holders are:

• Risk manager
• Risk analyst
• Risk control specialist
• Risk and compliance investigator
• Enterprise risk manager
• Information security analyst
• IT/IS auditor
• Cyber risk specialist

Some CRISC holders also leverage their certification in jobs less directly linked to risk management. These positions include:

• Project managers
• CIOs and CISOs
• Compliance Officers
• Business Analysts

Want to learn more about your job options? Take a look at our  Common CRISC job titles and CRISC overview and career path articles.

CRISC certification holders specialize in enterprise IT risk management. While specific job duties will vary from role to role, many CRISC holders are involved with IT risk assessment, governance and legal compliance, and information system control implementation. You can find the exact areas you’ll be assessed on in the official CRISC exam outline.

The answer to this question depends on your personal career goals. If you’re interested in starting a career in IT risk management or advancing your current career, then earning CRISC will demonstrate to employers that you’re skilled, dedicated, and ready to hit the ground running.

CRISC is the only enterprise IT risk management (ITRM) certification, automatically making it the gold standard in this industry niche. CRISC can look forward to high-paying careers.

CRISC earners can look forward to a competitive salary. In fact, CRISC was ranked as the fourth top-paying certification globally by the 2020 IT Skills and Salary Report from Global Knowledge. ISACA reports a worldwide average salary of $151,000 USD. Here’s salary information for some of the most popular CRISC jobs taken from Payscale in June 2022:

• Security Analyst: $85,000
• Risk Analyst: $95,375
• Information Security Analyst: $96,097
• Information Systems Audit Manager: $109,945
• Senior Risk Manager: $140,216
• Director, Risk Management / Risk Control: $153,228

Keep in mind that this information reflects an average of national salary data. Your exact salary will reflect a unique combination of your personal experience, work history, geographic location, and more.

Read our Average CRISC salary article for more information.

There are currently more than 30,000 ISACA CRISC certification holders worldwide. Of those, 52% of holders report on-the-job improvement according to ISACA.

The CISM was created by ISACA in 2002, and there are more than 48,000 current certification holders as of 2022, according to ISACA.

About a third of the current ISACA members hold a CISM certification, ISACA’s Chris DeMale explained in a 2021 Infosec Edge Webcast. It’s the fastest-growing ISACA certification due to the increasing demand for cybersecurity professionals.

Like CRISC, the CISM (Certified Information Security Manager) is also an upper-level information certification offered by ISACA. But they differ in one very important way: CRISC is focused exclusively on the area of IT risk management. That makes CISM much broader in terms of its content and breadth.

For more information, read our articles:

• Top 5 highest-paying infosec certifications
• Which cybersecurity certifications are best for your career?
• Most valuable cybersecurity skills to learn in 2022

The CRISC and CGEIT (Certified in the Governance of Enterprise IT) are both offered by ISACA, but each targets a very different audience regarding skills and career paths.

Whereas CRISC is a broad risk management certification, CGEIT has a strong governance focus and challenges exam takers to differentiate between management and governance functions. As a result, the CGEIT may be a better fit for aspiring leaders with their eyes on a role like CTO or CIO. The CGEIT also has a higher average starting salary of $141,000.

CISA (Certified Information Systems Auditor) is another certification offered by ISACA. The CISA provides a deep dive into auditing, control, or security. The CISA is also very hands-on and has a strong practitioner focus, so it’s not the most popular choice for professionals looking to prime their resumes for a C-suite transition.

For more information, read our article, 7 top security certifications you should have in 2022.

The CompTIA Security+ certification is an entry-level credential and often the first one earned by new cybersecurity professionals. For this reason, it’s not really comparable to the CRISC, which is an advanced-level credential designed for managers and directors. However, if you’re at the start of your career and want to eventually earn the CRISC, the Security+ is an excellent stepping stone.

For more information, read our article, 7 top security certifications you should have.

The CRISC and CISSP (Certified Information Systems Security Professional) from (ISC)² overlap to a degree in terms of content, but the CISSP is considered to be more comprehensive while CRISC focuses more heavily on IT risk management. The cost of earning the CISSP is relatively similar to the CRISC at $699 USD for the exam and $125 USD for the annual maintenance fee.

For more information, read our article, 7 top security certifications you should have in 2022.