
CRISC Certification Guide — Certified in Risk and Information Systems Control

CRISC (Certified in Risk and Information Systems Control) is a professional certification offered by ISACA (Information Systems Audit and Control Association) that validates expertise in IT risk identification, assessment, response, and control. It is one of the most respected GRC certifications in the industry and is specifically designed for professionals who work at the intersection of business risk and information technology.

CRISC was launched in 2010 and has grown to over 40,000 certified professionals worldwide. It is consistently ranked among the highest-paying IT certifications globally. According to ISACA’s 2024 IT Skills and Salary Report, CRISC holders earn a median salary that places it among the top five certifications by compensation — alongside CISSP, CISM, and CISA.

Unlike entry-level certifications that test broad knowledge across many domains, CRISC is a specialist credential. It is for people who are specifically building careers in risk management, GRC, or enterprise risk governance — not for general security practitioners.

When I first looked at GRC certifications, CRISC seemed intimidating because it requires work experience and is priced for enterprise professionals. But the more I looked at what GRC roles actually do — identify risks, assess controls, communicate risk to business leaders, maintain risk registers — the more I realised that CRISC maps exactly to those responsibilities. It is less about hacking and more about the business of managing risk. That made it feel far more accessible given my background.

CRISC is not an entry-level certification. It requires real work experience and is designed for professionals who are already working in or transitioning specifically into risk management or GRC roles.

CRISC is a strong fit if you:

  • Work in GRC, IT audit, or risk management and want formal recognition of your expertise
  • Are transitioning from a risk, compliance, audit, or governance role in another industry (finance, healthcare, legal, operations) into cybersecurity GRC
  • Already hold CISA, CISSP, or Security+ and want to specialise in risk management
  • Are targeting roles with titles like IT Risk Manager, GRC Analyst, Risk and Compliance Manager, IT Risk Officer, or Enterprise Risk Manager
  • Work in a regulated industry (financial services, healthcare, government) where IT risk governance is a formal function

CRISC is probably not your first step if you:

  • Are brand new to cybersecurity with no security or compliance work experience
  • Are primarily interested in technical security (SOC, pen testing, engineering)
  • Cannot yet meet the 3-year experience requirement

For career changers who do not yet meet the experience requirement, CRISC is still worth keeping as a target: its domains tell you exactly which skills to develop and which experience to seek in your first GRC roles.

CRISC covers four domains. Unlike CISA’s five domains, CRISC’s four domains are tightly focused on the risk lifecycle from identification through to ongoing monitoring.

Domain (exam weight): what it covers
  • Domain 1, Governance (26%): Enterprise risk governance, risk appetite, risk tolerance, organisational structure for risk management, three lines of defence model
  • Domain 2, IT Risk Assessment (20%): Threat and vulnerability analysis, risk scenario development, risk assessment methodologies, inherent vs residual risk
  • Domain 3, Risk Response and Reporting (32%): Risk treatment options (mitigate, transfer, accept, avoid), risk ownership, risk register maintenance, risk reporting to stakeholders
  • Domain 4, Information Technology and Security (22%): IT concepts relevant to risk management, security architecture, change management, business continuity, IT service management

Domain 3 has the highest weight (32%) — risk response and reporting is where CRISC holders spend most of their professional time. This domain covers translating risk assessments into treatment plans, documenting risk decisions, and communicating risk status to business leaders and boards.

Domain 1 (Governance) is new in the current CRISC exam framework, reflecting ISACA’s recognition that risk governance — the structure of accountability, policy, and culture around risk — is as important as the technical risk assessment process itself.

CRISC Risk Management Lifecycle (diagram): four domains working together as an integrated risk management cycle

  • Governance (Domain 1, 26%): risk appetite and tolerance; risk governance structure; three lines of defence
  • IT Risk Assessment (Domain 2, 20%): threat identification; vulnerability analysis; risk scenario development
  • Risk Response and Reporting (Domain 3, 32%): treatment strategies; risk register; board reporting
  • IT and Security (Domain 4, 22%): security architecture; change management; business continuity

CRISC has firm experience requirements with no waiver path. To become CRISC certified, you must:

  1. Pass the CRISC exam — required first
  2. Have at least 3 years of cumulative work experience in IT risk management and IS control
  3. Experience must span at least two of the four CRISC domains
  4. Experience must be within the last 10 years at the time of certification application
  5. Agree to ISACA’s Code of Professional Ethics
  6. Apply for certification within 5 years of passing the exam

What counts as qualifying experience:

  • IT risk assessment, risk register management, or enterprise risk reporting
  • IT audit, assurance, or internal control review
  • Information security governance, policy, or compliance roles
  • Third-party risk management, vendor risk assessment
  • Business continuity or disaster recovery planning in an IT context
  • GRC tool administration (Archer, ServiceNow GRC, MetricStream)

What does not count:

  • General IT support, system administration, or developer roles (unless directly involving risk management responsibilities)
  • Academic study or self-directed learning (practical work experience only)

For career changers: If you are transitioning from finance, healthcare, legal, or operations with compliance or risk responsibilities, that experience may qualify — review ISACA’s official experience verification guidelines.

Exam details (CRISC, 2024 format):

  • Number of questions: 150
  • Question types: Multiple choice (4 options)
  • Time allowed: 4 hours
  • Passing score: 450 on a scale of 200-800
  • Cost: $575 USD (ISACA members) / $760 USD (non-members)
  • Testing provider: PSI (online or at test centres)
  • Languages: English, Chinese (simplified), Spanish, French, German, Japanese, Korean
  • Validity: 3 years (CPE credits required for renewal)
  • CPE requirement: 120 CPE credits over the 3-year renewal cycle (20 minimum per year)

ISACA membership is worth it. The $135 annual membership fee more than pays for itself in exam savings alone ($185 discount on the CRISC exam). Membership also includes access to ISACA’s study resources, journal, and professional network.

Exam details source: isaca.org/credentialing/crisc (verified March 2026). ISACA updates exam content periodically — always verify current details before scheduling.

Recommended timeline: 3-6 months of preparation at 8-12 hours per week.

Phase 1 — Framework (Weeks 1-4):

Read the ISACA CRISC Review Manual cover to cover. Do not try to memorise — understand the concepts and how the four domains relate to each other. Focus on the terminology: risk appetite, risk tolerance, inherent risk, residual risk, key risk indicators (KRIs), key control indicators (KCIs), and the three lines of defence model.

Phase 2 — Deep Study (Weeks 5-12):

Work through each domain systematically using the CRISC Review Manual and ISACA’s official practice questions. Domain 3 (Risk Response and Reporting) has the highest weight — give it proportionally more time. For Domain 4, focus on how IT concepts connect to risk scenarios rather than memorising technical specifications.

Phase 3 — Practice Exams (Weeks 13-20):

Use ISACA’s official question bank (included with membership or available for purchase). Aim for consistent scores above 70-75% on full practice exams before scheduling. Review every wrong answer to understand not just why your choice was wrong but why the correct answer is right.

Recommended study resources:

  • ISACA CRISC Review Manual — official study guide, essential
  • ISACA CRISC Review Questions, Answers & Explanations — official question bank, essential
  • CRISC QAE Online Database — searchable practice question database, highly rated
  • ISACA CRISC Study Hall — adaptive learning platform from ISACA (paid, but included with some exam bundles)
  • Destination Certification CRISC videos — free YouTube content covering all four domains

Study approach for career changers:

The most important thing to understand about CRISC is that it tests you on how to think about risk in a business context, not on technical security configurations. When you see a question about what to do with a newly identified risk, the correct answer is almost always about formal documentation, risk register update, stakeholder notification, and treatment planning — not about immediately running a scan or patching a system. CRISC rewards the discipline of process over the urgency of technical response.

CRISC vs CISA — Two GRC Career Paths

CRISC
  • Risk specialist: Focuses specifically on IT risk identification, assessment, response, and control — a deep specialist credential in risk management
  • 3 years experience required: Must have experience in IT risk management or IS control across at least 2 of the 4 domains — no waiver path
  • 4 domains: Governance, IT Risk Assessment, Risk Response and Reporting, Information Technology and Security
  • Higher average salary: CRISC holders tend to command slightly higher salaries than CISA holders in comparable markets, reflecting the risk specialist premium
  • Target roles: IT Risk Manager, GRC Analyst, Risk and Compliance Manager, Enterprise Risk Officer, Chief Risk Officer pathway

CISA
  • Audit generalist: Covers IT audit, assurance, control, and governance broadly — the most widely recognised IT audit credential globally
  • 5 years experience required: Must have experience in IS audit, control, assurance, or security — some waiver paths available for education
  • 5 domains: IS Auditing Process, Governance, Acquisition, Operations, and Protection of Information Assets
  • Wider job market: CISA is the most requested GRC certification globally — it appears in more job postings than CRISC
  • Target roles: IT Auditor, IS Audit Manager, Compliance Analyst, Internal Audit roles across all industries

Verdict: Get CRISC if you want to specialise in risk management and GRC analytics. Get CISA if you want the broadest career flexibility in audit and assurance. Many senior GRC professionals hold both.

Use case: Career changers often find CISA easier to qualify for (education waivers available) and more broadly applicable. CRISC is the right next step after 2-3 years of GRC experience.

CRISC salary benchmarks (2024):

  • GRC Analyst (with CRISC): $85,000 - $115,000 (entry-to-mid level with 3-5 years experience)
  • IT Risk Manager: $110,000 - $145,000 (mid-level with 5-8 years)
  • Senior Risk Manager: $130,000 - $175,000 (senior with 8-12 years)
  • Enterprise Risk Officer: $150,000 - $220,000 (director/VP level)

Salary ranges are approximate benchmarks sourced from ISACA IT Skills and Salary Report 2024 and industry survey data as of early 2026. Individual results vary significantly based on location, employer size, industry, and experience. These figures are US market estimates — Australian, UK, and other market salaries will differ.

Career roles that list CRISC:

CRISC appears most frequently in job postings for: IT Risk Manager, GRC Manager, Risk and Compliance Analyst, Senior Risk Analyst, Chief Risk Officer (CRO) pathway, and Enterprise Risk Manager. Financial services, healthcare, government, and large technology companies are the most common employers.

The value beyond salary: CRISC signals to employers that you think about risk in a structured, documented, business-aligned way. In organisations where risk management is taken seriously, CRISC holders are given more responsibility, more autonomy, and more visibility to leadership than uncertified colleagues doing equivalent work.

CRISC is all about risk — and that's exactly what this guide teaches. It covers the risk assessment fundamentals, frameworks, and templates you'll need to both pass CRISC and perform the role.

Risk Management Playbook

Practical risk assessment for non-technical professionals. 8 ready-to-use templates.

  • CRISC is the specialist risk management certification from ISACA — it validates expertise specifically in IT risk identification, assessment, response, and control.
  • It requires 3 years of qualifying experience across at least two of the four domains. There is no waiver path — the experience requirement is firm.
  • Domain 3 (Risk Response and Reporting) carries the most weight (32%) — risk treatment decisions, risk register maintenance, and stakeholder communication are the core of what CRISC validates.
  • The exam is 150 questions over 4 hours with a passing score of 450/800. Expect scenario-based questions that reward process thinking over technical specificity.
  • CRISC vs CISA: CRISC is the risk specialist; CISA is the audit generalist. CISA has more job postings and an education waiver path. Many senior GRC professionals hold both.
  • CRISC holders earn strong salaries — median compensation ranks among the top five IT certifications globally, particularly in financial services and large enterprises.
  • For career changers: Build toward CRISC as a 3-5 year goal. Start with Security+ and CGRC (entry-level GRC), gain qualifying experience, then pursue CRISC for the specialist credential.

Exam details, experience requirements, and certification policies verified in March 2026 against ISACA’s official CRISC page (isaca.org/credentialing/crisc). ISACA updates exam content periodically — always verify current details before scheduling.

Salary data is approximate and varies by location, employer, and experience. Individual results vary. This guide provides general guidance and does not guarantee employment outcomes.

Frequently Asked Questions

What does CRISC stand for?

CRISC stands for Certified in Risk and Information Systems Control. It is a professional certification from ISACA that validates expertise in identifying, assessing, responding to, and monitoring IT risk within organisations.

How long does it take to get CRISC certified?

From starting your studies, budget 3-6 months of exam preparation. However, the certification also requires 3 years of qualifying work experience — which means the total timeline depends on when in your career you pursue it. Many professionals sit the exam while accumulating experience and apply for full certification once the experience requirement is met.

Is CRISC harder than Security+?

Yes, significantly. CRISC is a professional-level credential requiring real work experience and testing deep domain knowledge in IT risk management. Security+ is entry-level and tests broad security concepts. CRISC questions are scenario-based and require you to reason about risk governance decisions in a business context, not just recall security facts.

Can I get CRISC without IT experience?

CRISC requires 3 years of qualifying work experience in IT risk management or IS control. However, experience does not have to come from traditional IT roles — professionals with backgrounds in financial risk, healthcare compliance, legal governance, operational risk management, or internal audit may have qualifying experience. Review ISACA's experience verification guidelines carefully.

How much does CRISC cost in total?

The exam costs $575 USD (ISACA member) or $760 (non-member). ISACA membership costs $135/year. The annual maintenance fee after certification is $45 (ISACA member). Add study materials — the official Review Manual and question bank cost approximately $200-400 depending on format. Total investment for a non-member is approximately $900-1,100 plus study time.

What is the three lines of defence model?

The three lines of defence is a risk governance model covered in CRISC Domain 1. The first line is operational management — the people who own and manage risks day-to-day. The second line is risk and compliance functions — who establish frameworks, monitor risk, and report. The third line is internal audit — who provide independent assurance that the first and second lines are working. CRISC tests your understanding of how each line functions and interacts.

What is a key risk indicator (KRI)?

A KRI is a measurable metric that provides early warning of increasing risk exposure. For example, a KRI for ransomware risk might be the percentage of systems with unpatched critical vulnerabilities. KRIs are monitored against thresholds — when a KRI breaches its threshold, it triggers escalation and risk treatment review. KRIs are a core CRISC Domain 3 concept.
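The KRI described above, evaluated in code as an added example (this is not from the original article or from ISACA material). It computes the share of in-scope systems carrying a critical finding past its remediation SLA, rates it against thresholds, and adds a trend check so that a rising amber value escalates before the red line is crossed, which is what "early warning" means in practice. The asset inventory, the 14-day SLA, the 5% / 10% thresholds and the previous reading are all constructed or assumed values for illustration.

```python
# Added example, not from the original article: a KRI "percentage of systems with
# unpatched critical vulnerabilities" evaluated against thresholds, with a trend
# check so that a rising value gives early warning before the red line is crossed.
# The asset inventory, the 14-day SLA and the 5% / 10% thresholds are all
# constructed/assumed values for illustration, not ISACA or CRISC figures.
from dataclasses import dataclass, field
from datetime import date


@dataclass
class Asset:
    name: str
    # Dates on which critical findings were opened against this asset (empty = none open)
    critical_open_since: list = field(default_factory=list)


CRITICAL_PATCH_SLA_DAYS = 14                       # assumed remediation SLA for critical findings
KRI_THRESHOLDS = {"amber": 0.05, "red": 0.10}      # assumed: fraction of in-scope systems


def kri_unpatched_critical(assets, as_of):
    """Fraction of in-scope assets with at least one critical finding older than the SLA."""
    if not assets:
        raise ValueError("KRI is undefined for an empty scope")
    overdue = sum(
        1 for a in assets
        if any((as_of - opened).days > CRITICAL_PATCH_SLA_DAYS for opened in a.critical_open_since)
    )
    return overdue / len(assets)


def rate_kri(value, thresholds=KRI_THRESHOLDS):
    """Map a KRI value onto a status: green below amber, red at or above the red line."""
    if value >= thresholds["red"]:
        return "red"
    if value >= thresholds["amber"]:
        return "amber"
    return "green"


def evaluate_kri(current, previous=None, thresholds=KRI_THRESHOLDS):
    """Combine level and trend into an escalation decision.

    Escalation is triggered when the indicator is red, or when it is amber and
    rising: a KRI exists to warn before tolerance is breached, not after.
    """
    status = rate_kri(current, thresholds)
    if previous is None:
        trend = "unknown"
    elif current > previous:
        trend = "rising"
    elif current < previous:
        trend = "falling"
    else:
        trend = "flat"
    escalate = status == "red" or (status == "amber" and trend == "rising")
    return {"value": round(current, 4), "status": status, "trend": trend, "escalate": escalate}


# Constructed sample inventory: 20 systems, 3 of them with open critical findings.
AS_OF = date(2026, 3, 1)
SAMPLE_ASSETS = [Asset(f"srv-{i:02d}") for i in range(1, 18)] + [
    Asset("web-01", [date(2026, 2, 1)]),                     # 28 days open: overdue
    Asset("db-02", [date(2026, 1, 20), date(2026, 2, 25)]),  # one finding 40 days open: overdue
    Asset("app-03", [date(2026, 2, 24)]),                    # 5 days open: within SLA
]
PREVIOUS_READING = 0.05   # assumed value from last month's risk report


if __name__ == "__main__":
    current = kri_unpatched_critical(SAMPLE_ASSETS, AS_OF)
    result = evaluate_kri(current, PREVIOUS_READING)
    print(result)   # 2 of 20 overdue -> value 0.1, status red, trend rising, escalate True
```

Two design points carry over to a real KRI programme: the indicator is defined in terms of the control (the patch SLA), so a breach points at a specific control owner rather than at "vulnerabilities" in general, and the thresholds are set relative to risk tolerance, which is a Domain 1 decision, while the monitoring and escalation sit in Domain 3.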

Should I get CRISC before or after CISA?

For most career changers, CISA comes first because it has an education waiver path (reducing the experience requirement) and is more broadly applicable. CRISC is better pursued after 2-3 years of GRC or audit experience when you are specifically specialising in risk management. Many senior GRC professionals hold both certifications.