# of CRISC holders
Avg. U.S. salary
CRISC exam domains
The CRISC exam covers four job practice areas, also known as knowledge areas or domains:
Is CRISC the right ISACA certification for me?
The CRISC is ideal for all types of risk management professionals, as it’s the most respected certification focused on governance, risk and compliance (GRC).
Whether it’s enterprise-level risk, third-party risk or some other IT risk focus, CRISC will help to validate your risk management skills, explains Chris DeMale, ISACA Director of Channel Business Development.
DeMale also says the CRISC has gained significant traction in the last two years — especially among third-party vendor risk management teams — indicating this credential will likely be in demand among employers going forward.
How do I get the CRISC?
CRISC is designed for mid-level professionals, which is why applicants must have at least three years of work experience in IT risk management and IS control to qualify for the exam.
This experience must also be relatively recent (acquired within the ten-year window before the exam application date). ISACA does not accept substitutions or experience waivers for CRISC at this time.
CRISC exam FAQs
ISACA updates the CRISC exam regularly to keep up with emerging trends and market dynamics. This exam tests your knowledge of developing and implementing information systems (IS) controls in relation to detecting and managing risks at the enterprise level. CRISC was most recently updated in August 2021. The most recent version of CRISC uses a revamped set of domains, including new content and updated domain ratios. Here’s what you should know about the current CRISC exam:
How many questions are on the CRISC exam? How long is the CRISC exam?
The CRISC exam comprises 150 questions completed in a four-hour time frame. The questions are graded on a scale from 200 to 800 points, with a score of 450 being the minimum threshold for passing. Questions are multiple choice; each has four answer options and only one correct answer. In terms of format, the exam is fully computer-based regardless of test-taking location (on-site or remote).
Read our CRISC exam details and process article for more information on scheduling and taking the CRISC exam.
How hard is the CRISC exam?
The CRISC exam is moderately difficult since it’s geared towards professionals with at least three years of related professional experience. Test takers must have a deep working knowledge of the four core domains: governance, IT risk assessment, risk response and reporting, and IT and security.
To pass the CRISC exam, you must earn a minimum of 450 points out of 800. Test takers who successfully pass the exam have typically undergone a significant period of preparation, including test prep classes, study guide review, practice exams and more.
How to pass the CRISC exam?
To pass the CRISC exam, you will need to earn at least 450 points out of a total of 800 points. You’ll have a total of four hours to take the computer-based, multiple-choice exam.
Pass rates vary depending on an individual’s experience, study habits and test-taking strategies. For example, Infosec partners with ISACA to offer a CRISC Boot Camp that comes with an Exam Pass Guarantee, which means if you don’t pass the exam on your first attempt, you’ll get a second attempt at no cost to you.
For advice on passing the exam, check out our 9 tips for CRISC exam success article.
How much does the CRISC exam cost?
The cost of the CRISC exam depends on the status of your ISACA membership. ISACA members can take the exam for $575, while non-members must pay $760.
Bear in mind that once you register for the exam, you must take it within 365 days — otherwise, you’ll have to pay again. Once you earn the CRISC certification, you’ll also have to pay an annual maintenance fee of $45 for members and $85 for non-members.
The most up-to-date pricing for ISACA exams can be found on the ISACA website. You can download ISACA’s Exam Candidate Information Guide (English) in multiple languages to get the most up-to-date information about costs and other exam details.
Where do I take the CRISC exam?
The CRISC exam is administered by PSI. You can take the exam online with remote proctoring or in-person at a PSI testing center. For more information, see the “Register for the Exam” section on the ISACA CRISC page.
- Watch this PSI Test Center Experience video to learn more about testing in person at a PSI test center.
- Watch this PSI Online Proctoring Experience video to learn more about remote testing.
How to prepare for CRISC exam?
You have a variety of learning resources at your disposal to prepare for the CRISC exam. We recommend starting out with the ISACA candidate guide (check out the ISACA CRISC webpage for the most up-to-date version or to download the guide in other languages). The guide covers topics related to exam registration, important deadlines, exam domains and more. The guide is a must-read for every CRISC test taker.
Many additional training resources are provided in the free and paid CRISC training resources sections below.
How long is my CRISC certification active? How do I earn CPEs?
Once you receive your CRISC, you must complete professional education activities to keep it active.
The CRISC has a three-year renewal cycle. During that three-year period, you will need to complete a total of 120 hours of continuing professional education (CPE) activities with a minimum of 20 hours each year. In other words, you’ll need to spread these activities out rather than frontloading them during the first year or saving them all for year three.
There are many educational activities you can choose from to earn your CPEs. These options include classes, conferences, lab activities, volunteering with ISACA and more. You can find a full list of options in ISACA’s CRISC CPE Policy.
These articles are filled with a wealth of helpful information:
How much does it cost to renew my CRISC?
In addition to completing CPEs, you’ll need to pay an annual maintenance fee. The fee costs $45 for ISACA members and $85 for non-members. If you hold more than two ISACA certifications, the cost to renew each additional certification (3rd, 4th, etc.) is $25 for ISACA members and $50 for non-members.
According to ISACA, “This payment is due annually by 1 January and is required to renew through the upcoming calendar year. For example, to renew through the end of the current year, the current year’s maintenance fee must be paid by 1 January of the current year.”
For more information, read our article, Maintaining your CRISC certification: Renewal requirements.
Free and self-study CRISC materials
Budget-savvy test-takers will be pleased to learn that plenty of free CRISC training resources are available to help you prepare for the CRISCM. ISACA has official study materials on its website, including a study guide and a database of exam questions. Check your local library if you’re trying to train on a budget.
CRISC study guides and CRISC books
CRISC study guides are an excellent way to find clear, well-organized information about the exam. Study guides typically include information related to the format of the exam as well as insight into the specific content and concepts you’ll need to know.
Books offer a deep dive into each domain, technical breakdowns of the material, sample questions, and answer explanations. You can find CRISC study guides and books in the ISACA store, on Amazon and in your local library bookstore.
You can also download your free ISACA Career Kit for more information from ISACA on their certifications.
CRISC practice exams and simulations
Taking a CRISC practice exam is an excellent way to get a preview of the real deal. Not only can you get a feel for the format and pacing of the exam, but you’ll also gain valuable insight into which domains you should focus your studies on. Official and unofficial practice exam questions are available:
- CRISC Review Questions, Answers & Explanations (QAE) Manual, 6th edition (published by ISACA and also available as a 12-month subscription to the QAE Database)
- A number of services like Boson, Pocket Prep and CertLibray also provide paid CISM practice exams
Infosec partners with ISACA to provide live online CRISC boot camps that include unlimited practice exam attempts and a 12-month subscription to the ISACA QAE Database.
Other free CRISC training resources
There are a number of other free CRISC training materials being produced and shared by the community:
- Forums like TechExams and Reddit allow you to connect directly with others who are studying for or have already taken CRISC.
- Podcasts may not help you directly study for your CRISC exam, but those like the Cyber Work Podcast are a great way to learn about cybersecurity career options and your peers’ career journeys.
- Video platforms are another great place to connect with cybersecurity practitioners and learn about the CRISC exam. and many people have created free CRISC videos on YouTube, TikTok, Twitch and other platforms, including our webcast on ISACA career paths.
CRISC jobs, careers and salary
The CRISC opens new doorways for mid-career cybersecurity professionals looking to ascend into enterprise IT risk management roles. These jobs also tend to be some of the highest paying in the industry. If your current or future job involves IT/IS audits, then you’ll have much to gain from the CRISC in terms of skill development and validation. Other IT employees can also benefit from the CRISC, as this is the best credential for enterprise IT risk management (ITRM).
What are common CRISC jobs?
The best jobs for CRISC holders are at the mid-career level and fall within the arena of risk identification and management. Some common job titles and career paths for CRISC holders are:
- Risk manager
- Risk analyst
- Risk control specialist
- Risk and compliance investigator
- Enterprise risk manager
- Information security analyst
- IT/IS auditor
- Cyber risk specialist
Some CRISC holders also leverage their certification in jobs less directly linked to risk management. These positions include:
- Project managers
- CIOs and CISOs
- Compliance Officers
- Business Analysts
Want to learn more about your job options? Take a look at our Common CRISC job titles and CRISC overview and career path articles.
What does a CRISC certification holder do?
CRISC certification holders specialize in enterprise IT risk management. While specific job duties will vary from role to role, many CRISC holders are involved with IT risk assessment, governance and legal compliance, and information system control implementation. You can find the exact areas you’ll be assessed on in the official CRISC exam outline.
Is CRISC worth it?
The answer to this question depends on your personal career goals. If you’re interested in starting a career in IT risk management or advancing your current career, then earning CRISC will demonstrate to employers that you’re skilled, dedicated, and ready to hit the ground running.
CRISC is the only enterprise IT risk management (ITRM) certification, automatically making it the gold standard in this industry niche. CRISC can look forward to high-paying careers.
What is the CRISC average salary?
CRISC earners can look forward to a competitive salary. In fact, CRISC was ranked as the fourth top-paying certification globally by the 2020 IT Skills and Salary Report from Global Knowledge. ISACA reports a worldwide average salary of $151,000 USD. Here’s salary information for some of the most popular CRISC jobs taken from Payscale in June 2022:
- Security Analyst: $85,000
- Risk Analyst: $95,375
- Information Security Analyst: $96,097
- Information Systems Audit Manager: $109,945
- Senior Risk Manager: $140,216
- Director, Risk Management / Risk Control: $153,228
Keep in mind that this information reflects an average of national salary data. Your exact salary will reflect a unique combination of your personal experience, work history, geographic location, and more.
Read our Average CRISC salary article for more information.
How many people have CRISC?
There are currently more than 30,000 ISACA CRISC certification holders worldwide. Of those, 52% of holders report on-the-job improvement according to ISACA.
The CISM was created by ISACA in 2002, and there are more than 48,000 current certification holders as of 2022, according to ISACA.
About a third of the current ISACA members hold a CISM certification, ISACA’s Chris DeMale explained in a 2021 Infosec Edge Webcast. It’s the fastest-growing ISACA certification due to the increasing demand for cybersecurity professionals.
Where can I find CRISC jobs?
The CRISC is the best credential for enterprise IT risk management (ITRM). It’s listed in cybersecurity management job openings as a way to validate your knowledge and skills. To find CRISC job openings on general job boards like Indeed, Monster, Glassdoor, LinkedIn and CareerBuilder, search for the keywords “CRISC,” “ISACA” or “Risk manager.”
Security-focused job boards such as ClearedJobs and infosec-jobs.com are also good sources of roles for CRISC holders. Other good sources of security job postings are cybersecurity groups like ISACA and others (ISSA, BSides, OWASP, Women in Cybersecurity ) and cybersecurity websites.
Before your interview, check out our free ebook of cybersecurity interview tips, “How to stand out, get hired and advance your career.”
Paid CRISC training and exam prep
When it comes to preparing for the CRISC exam, you can choose to train yourself with books and free resources, or you can find a paid course. Most CRISC courses fall into two categories: live online CRISC camps or on-demand CRISC courses where you go at your own pace.
Live CRISC boot camps
Live CRISC boot camps provide direct instruction where you can interact with your instructor and classmates. Live boot camps can be at a location or online. For example, Infosec partners with ISACA to provide a five-day CRISC boot camp that you can take live online or in person.
The benefits of a live CRISC Boot Camp include:
- Live training and Q&A: CRISC is an advanced certification, and interacting with a group of seasoned professionals in a live setting often provides a great learning experience.
- Complete training package: Most CRISC boot camps come with everything you need: instruction, exam vouchers, books, the ISACA QAE database and labs. Training with a live instructor is more expensive, so when shopping around, be sure you know what’s included in your purchase — and what you may have to pay extra for.
- Improved pass rates: Boot camp providers like Infosec stand by their training with an Exam Pass Guarantee. That means if you fail your CRISC exam on your first attempt, you’ll get a second attempt to pass — for free.
Self-paced CRISC training
If you’re not in a hurry to earn your CRISC, the go-at-your-own-pace model can be a great (and more affordable) option. These types of courses usually consist of a number of pre-recorded videos, along with practice exams and labs or exercises you can do on your own to reinforce the material.
The benefits of on-demand CRISC training include:
- Train when you want: You’re in charge of your training schedule, whether that’s daily on your lunch break or cramming all weekend long. For further motivation, you can join a study group or connect with others who are preparing for the exam.
- Build an individual training plan: Don’t waste time learning what you already know. Since you’re not tied to a group, you can focus more on the areas you need to learn most.
- Accredited training partner: ISACA accredited partners regularly work with ISACA to ensure their training content is up to date and meets ISACA’s quality standards.
CRISC comparisons and alternatives
It’s common for cybersecurity professionals to hold a multitude of certifications, but which ones are right for you? Here is how CRISC compares to some of the other popular certifications in the risk management space.
CRISC vs. CISM
Like CRISC, the CISM (Certified Information Security Manager) is also an upper-level information certification offered by ISACA. But they differ in one very important way: CRISC is focused exclusively on the area of IT risk management. That makes CISM much broader in terms of its content and breadth.
For more information, read our articles:
CRISC vs. CGEIT
The CRISC and CGEIT (Certified in the Governance of Enterprise IT) are both offered by ISACA, but each targets a very different audience regarding skills and career paths.
Whereas CRISC is a broad risk management certification, CGEIT has a strong governance focus and challenges exam takers to differentiate between management and governance functions. As a result, the CGEIT may be a better fit for aspiring leaders with their eyes on a role like CTO or CIO. The CGEIT also has a higher average starting salary of $141,000.
CRISC vs. CISA
CISA (Certified Information Systems Auditor) is another certification offered by ISACA. The CISA provides a deep dive into auditing, control, or security. The CISA is also very hands-on and has a strong practitioner focus, so it’s not the most popular choice for professionals looking to prime their resumes for a C-suite transition.
For more information, read our article, 7 top security certifications you should have in 2022.
CRISC vs. Security+
The CompTIA Security+ certification is an entry-level credential and often the first one earned by new cybersecurity professionals. For this reason, it’s not really comparable to the CRISC, which is an advanced-level credential designed for managers and directors. However, if you’re at the start of your career and want to eventually earn the CRISC, the Security+ is an excellent stepping stone.
For more information, read our article, 7 top security certifications you should have.
CRISC vs. CISSP
The CRISC and CISSP (Certified Information Systems Security Professional) from (ISC)² overlap to a degree in terms of content, but the CISSP is considered to be more comprehensive while CRISC focuses more heavily on IT risk management. The cost of earning the CISSP is relatively similar to the CRISC at $699 USD for the exam and $125 USD for the annual maintenance fee.
For more information, read our article, 7 top security certifications you should have in 2022.