The Certified in Risk and Information Systems Control (CRISC) certification guide (2023)
What is the CRISC certification?
The Certified in Risk and Information Systems Control, or CRISC certification, authenticates your mastery of risk management and ability to optimize security using an agile-based approach.
- Show your ability to identify risks in various information systems and report how those risks affect an organization’s bottom line
- Prove you know how to manage and reduce IT risks once identified
- Demonstrate your skill in governance, risk monitoring and reporting to ensure an organization’s assets are protected against future threats
Key facts
- CRISC holders: 30,000+
- Average U.S. salary for CRISC certification holders: $150,462
- Recommended experience: 3+ years
Start your journey to becoming a certified CRISC professional with Infosec.
CRISC exam overview
The ISACA CRISC certification is one of the most respected risk management credentials and confirms professional knowledge of corporate IT governance and security, IT risk assessment and risk response and reporting — skills highly valued in modern business. That’s why many people with CRISC certification go on to jobs such as chief information security officer, information security analyst, senior IT auditor and director of risk management.
The latest version of the CRISC exam covers four knowledge areas, or domains.
Domain 1: Governance (26%)
- Organizational strategy, goals and objectives
- Organizational structure, roles and responsibilities
- Organizational culture
- Policies and standards
- Business processes
- Organizational assets
- Enterprise risk management and risk management framework
- Three lines of defense
- Risk profile
- Risk appetite and tolerance
- Legal, regulatory and contractual requirements
- Professional ethics of risk management
Domain 2: IT risk assessment (20%)
- Risk events
- Threat modeling and landscape
- Vulnerability and control deficiency analysis
- Risk scenario development
- Risk assessment concepts, standards and frameworks
- Risk register
- Risk analysis methodologies
- Business impact analysis
- Inherent and residual risk
Domain 3: Risk response and reporting (32%)
- Risk treatment and response options
- Risk and control ownership
- Third-party risk management
- Issue, finding and exception management
- Management of emerging risk
- Control types, standards and frameworks
- Control design, selection, analysis and implementation
- Control testing and effectiveness evaluation
- Risk treatment plans
- Data collection, aggregation, analysis and validation
- Risk and control monitoring techniques
- Risk and control reporting techniques
- Key performance indicators
- Key risk indicators
- Key control indicators
Domain 4: Information technology and security (22%)
- Enterprise architecture
- IT operations management
- Project management
- Disaster recovery management
- Data lifecycle management
- System development lifecycle
- Emerging technologies
- Information security concepts, frameworks and standards
- Information security awareness training
- Business continuity management
- Data privacy and protection principles
Learn more about the CRISC domains.
CRISC exam details
CRISC covers everything security professionals should know about risk management — from the impact risk can have on organizations to optimizing networks and technology for risk mitigation. Discover more CRISC exam details.
| Launch date: | 2010 | Last update: | June 2019 |
| Number of questions: | 150 | Type of questions: | Multiple-choice |
| Length of test: | 4 hours | Passing score: | 450 (out of scaled score of 200-800) |
| Recommended experience: | 3+ years of IT risk management and IS control | Languages: |
English, Chinese simplified, Korean, Spanish |
| Validity duration: | Three years | CPEs needed for renewal: | 120 (at least 20 annually) |
| Exam cost: | $575 for members, $760 for non-members |
Free and self-study CRISC materials
Budget-savvy test-takers will be pleased to learn that plenty of free CRISC training resources are available to help you prepare for the CRISCM. ISACA has official study materials on its website, including a study guide and a database of exam questions. Check your local library if you're trying to train on a budget.
CRISC study guides and books
ISACA and other training providers offer numerous resources available on Amazon and elsewhere. These include:
- CRISC Official Review Manual, 7th Edition (ISACA)
- CRISC Certified in Risk and Information Systems Control All-in-One Exam Guide, 2nd Edition by Peter Gregory, Dawn Dunkerley and Bobby Rogers
- CRISC Exam Study Guide by Hemang Doshi
- 9 tips for CRISC exam success
You can also download a free ISACA Career Kit for more information from ISACA on their certifications.
CRISC practice questions and exams
Practice exams for CRISC certification are a great way to understand the questions you’ll be asked and gauge how ready you are for the big test. While you won’t find the exact questions from the exam, practice questions reflect the exam domains. A few of the most popular CRISC practice question options are listed below:
- ISACA’s free CRISC practice quiz
- CRISC Review Questions, Answers & Explanations Manual, 6th Edition (ISACA)
Most paid CRISC training courses also offer practice exams. For example, Infosec's CRISC Boot Camp includes access to the ISACA Official Question, Answer & Explanation (QAE) database.
Other free CRISC training resources
There are a number of other free CRISC training materials being produced and shared by the community:
- Forums like TechExams and Reddit allow you to connect directly with others who are studying for or have already taken CRISC exam.
- YouTube is another great place to connect with cybersecurity practitioners and learn about the CRISC certification exam. Although most CRISC courses cost money, there are numerous free CRISC videos.
- Podcasts like the Cyber Work Podcast qre an accessible way to hear about the career and training journeys of fellow IT and cybersecurity professionals.
CRISC jobs and careers
CRISC certification is one of the most highly regarded risk management credentials and among the top-paying cybersecurity certifications.
Common CRISC job titles
- IT audit manager
- Security director
- Chief compliance officer
- Privacy manager
- Risk officer
- IT auditor
- Chief information officer
Learn more about common job titles for CRISC holders.
CRISC live boot camps and self-paced training
The CRISC certification exam covers a lot of knowledge, and professional training courses for the CRISC can help all that hard work pay off. Paid training is also a great option to get certified quickly or if you want extra assistance mastering the concepts covered on the exam.
Live CRISC Boot Camp
Live online or in-person boot camps can provide a premium CRISC training experience. For example, Infosec partners with ISACA to provide live online CRISC Boot Camps, including unlimited practice exam attempts and a 12-month subscription to the ISACA QAE Database.
Advantages of enrolling in a boot camp include:
- Live instruction: Interact with instructors and peers who have useful industry or exam experience to share.
- Complete certification package: Infosec boot camps include training materials, exam vouchers and other resources with no additional costs.
- High pass rates: Boot camps prepare you to pass the exam on your first attempt, and Infosec's CRISC Boot Camp includes an Exam Pass Guarantee.
Learn more about live CRISC Boot Camps.
Self-paced CRISC training
Some people absorb new knowledge better when they study at their own pace. Others’ lifestyles don’t fit traditional schedules. Infosec offers self-paced CRISC courses so you can complete training on your schedule.
The benefits of sefl-paced CRISC training include:
- Flexible scheduling: Train when it’s convenient for you — whether that’s 30 minutes over lunch or a few hours on evenings and weekends.
- Convenient test times: With a self-study approach, you can take the exam when you feel ready or when the material is freshest in your mind.
- Self-paced prep: With on-demand training, you can take your time preparing for your CRISC exam.
Learn more about our self-paced CRISC courses.
CRISC comparisons and alternatives
CRISC certification can help you open more job opportunities, but it is not the only useful option. Here is how CRISC certification stacks up to other related credentials.
CRISC vs. CGRG
The CRISC and (ISC)² CGRC cybersecurity certifications both cover risk management and governance techniques. However, the Certified in Governance, Risk and Compliance (CGRC) credential takes a business-wide view of risk management and compliance, while CRISC focuses more on risk management from IT and IS perspectives. If you work in an industry with many regulatory compliance requirements or risk management outside of IT and IS, CGRC may be a better certification for you. In addtion, the required experience for CGRC is two years instead of three.
CRISC vs. CISM
While both certifications are geared towards management positions, the ISACA Certified Information Security Manager (CISM) certification is a higher-level credential that focuses on managing an organization’s entire security efforts. CRISC is a better option for professionals who focus mainly on managing an organization’s system risk. The experience requirement for CISM candidates is also two years longer than CRISC’s (five years vs three), and the exam contains knowledge you may have learned while earning your CRISC certification. However, when it comes to the exam format, duration, registration and cost, both of these ISACA credentials are identical.
CRISC vs. CISA
While both certifications require knowledge of control methods, auditing and monitoring, the ISACA Certified Information Systems Auditor certification focuses more on auditing, while CRISC deals with risk management. CISA candidates must have five years’ work experience instead of the CRISC’s three years’ experience, but average salaries for both certifications are about the same.
Explore Infosec certifications to find the best fit for your career goals.
