CRISC roadmap: The highest-paying certification

Professionals with the Certified in Risk and Information Systems Control (CRISC) certification earn an average of $127,507 each year, making it the highest-paying IT certification available. Leighton Johnson, the CTO of Information Security Forensics Management Team and a CRISC-certified professional, discusses how earning your CRISC can open new career opportunities, as well as what the CRISC certification process is like. Kristin Zurovitch, director of marketing at Infosec Institute, helps guide the discussion and takes listener questions.


Chris Sienko: Hello and welcome to today's installment of the CyberSpeak with InfoSec Institute podcast. Each week, we aim to bring you new and informative information, security training, and security awareness topics in a variety of formats. Today's episode is from a webinar we recently hosted entitled "CRISC Roadmap: How to Earn the Highest-Paying IT Certification." As you probably know, the Certified in Risk & Information Systems Control or CRISC certification is rigorous, demanding, and pays off riches. CRISC-certified professionals command top-level salaries in the field of IT and enterprise risk management.

Our presenter is the chief technology officer of Information Security Forensics Management Team and CRISC-certified professional, Leighton Johnson. He'll be providing us with an overview of the CRISC certification exam and giving you a look at the career opportunities for CRISC-certified professionals, the benefits that come from CRISC certification (they're not all just financial), tips for CRISC exam certification success, and how to prep for the CRISC exam with a boot camp course. For the inside scoop, I turn you over to Leighton Johnson.

Leighton Johnson: This morning, we're going to be talking about CRISC. We're going to be talking about risk, risk management, risk assessments, and the ideas of what the CRISC is about and how it can further your activities in computer security, cybersecurity, and the activities around risk management for each of those types of areas.

Today, we're going to be talking about what are the career opportunities, some of the benefits of the certification, some of the tips around the CRISC examination, and then we'll be talking about InfoSec's boot camp overview. Then Jerry will complete the discussion as we talk about that at the end of the webinar.

In today's best areas we see around cybersecurity, we find that the overview of understanding risk is paramount to working with all the different parts of the cyber community, the computer security community, and all the other areas that fit into those processes.

CRISC stands for Certified in Risk & Information Systems Control. It is governed and delivered by ISACA, which is the international IT audit organization originally founded back in 1969. Now, it used to stand for something. Now, they just call it "ISACA." There have been 20,000-plus professionals certified in CRISC since it was introduced in 2010. More than 96% of those have maintained their certification as it rolls through its processes of keeping it up to date and what it's all about.

CRISC itself forms a foundation among the varying different activities within the organizations around what is risk, how is it done. IT professionals, risk professionals, security control professionals, business analysts, systems analysts, project managers, and compliance professionals in all of these arenas find use in understanding what is a basic foundational understanding of how to deal with risk, what is risk, first, and then how to deal with risk as we begin to walk our way through it and its understanding. It is one of the highest-ranked certifications as far as being paid. It is found to be of great value in a multitude of areas throughout both public and private organizations around the world.

One of the biggest things to understand is: What is a risk professional? A CRISC, by design, is around being a professional in the risk arena, focused primarily on IT security risk, but not exclusively. It deals with looking at identifying, assessing, and evaluating those 85% of the risks that organizations face that are IT-based for the activities and looking at them, identifying them, looking at what are the probabilities that they could happen. If we do have some high possibilities that some of these things happen, a website gets hacked or somebody goes to steal data from our particular organization, we help develop their mitigation plans around protecting those organizations from those both internal and external threats that would cause those risks to be realized.

In doing that, we assist the wide array of control proponents within each organization, the security professionals who are responsible for the varying different kinds of controls, the technology-based controls, things like firewalls and IDS components, the operational controls, dealing with people and their passwords, and then we monitor those things and we maintain those controls for each and every person as they begin to walk through and understand what are the things that go with this. Then we also report it on up the chain to the senior management so that they can make those risk-based decisions that are almost inevitably around what's the business doing and how much is it going to cost and those types of things that walk through the processes that we see today.

The benefits that we have out there around CRISC certification and what can happen with it and do it, clearly, of course, one of the biggest ones is that you now set yourself up to be hired, to be in very great demand. You get extra skills that go along with that, which include identifying the varying different kinds of risks that are out there. There are as many ways in as there are possible ways to look at something and each one of those has some level of risk associated with it, ensuring that you stay current to what's happening in today's world and all the different activities.

Our threat environments are constantly changing every day. We hear new activities of concern. We've had a great deal of these changes just within the last 30 days or so. Now, we have hardware risks based upon computer chip architecture issues that have now been added to this whole pot of the ways that risks can come through. We help to stay relevant there. We look at the ideas around those. Of course, it gives you a good handle on.

One of the things that we will talk about throughout the course is looking at it as identifying those risks and then being able to evaluate them so that you can build a mitigation plan and then assisting in putting it in. It helps with personal growth and clearly, it helps you earn more. As I said, it's one of the highest-paying certifications in the IT industry today, better than $120,000 per year as a standard across the board from the organizations that do the evaluations that we've seen that have occurred and those activities.

Why would you want to be a CRISC person? Well, it helps you gain a deeper understanding of what the business risks are that are out there, understanding that they're always tied back to the business. What's going on? What does the organization do if it's a for-profit company? How does it make money? If it's a not-for-profit organization that you're working with, how do they provide their service? Those types of things give you, and show you as value to your employer, that you understand those risks and how they can be managed, how they can be worked with, how the IT security controls work, and then give you a competitive advantage over your competitors who don't have those types of things as part of those processes, and help you earn more.

As it says right now in our mechanisms, the Global Knowledge Report pay-scale mechanisms show that the average CRISC salary is in between the audit manager and the security manager levels, around $127,000 a year on average, working its way up. We can see that this is a high-value area, a highly important area. It works with each of these arenas around those activities.

CRISC itself. CRISC itself requires a couple of different things in order to be able to sit for the examination. Number one, it requires three years of minimum work experience in at least two of the four domains. Those four domains are IT risk identification, IT risk assessment, risk responses and controls, and then risk and control monitoring and reporting. Of those two required domains, at least one year of experience has to be in either identification or assessment of risk mechanisms. Looking at those, there's no extra mechanism in place to waive it or any of those things. The level is expecting you to be a risk professional with three years of experience in this understanding. That type of thing works with it.

Looking at risk identification. Now, of course, risk identification is very wide. It's varied in its coverage. It deals a great deal with things like documentation mechanisms: What are the threats? What are the vulnerabilities that are out there? What type of mechanisms are available to you? Understanding what's a risk scenario: What are the what-ifs that are out there? Then working with those actions and activities, building them into a tracking mechanism that the organization usually utilizes.

Now, depending on which industry you're in, they call it different things. That tracking mechanism in many commercial industries is called a "risk register." The same tracking mechanism when you work into the public side of the house is called a "POA&M register"; those are the same things. Then it goes on to understand, work with and identify what's the risk appetite of the organization, what are they willing to tolerate, those types of things. Those are the kinds of things that we look at as we begin to walk through the mechanisms around what's part of these activities.

Again, the four domains are IT risk identification, IT risk assessment, risk response and mitigations, and risk and control monitoring and reporting. Surprisingly enough, ISACA puts together the construct around how big and how often do you have to deal with these activities and understanding the mechanisms with percentages in each of these domains. In IT risk identification, that's 27% of the areas you need to focus on.

Risk assessment is considered to be the most important. It takes that information out of the identification arena and puts it into the assessment where we begin to walk through and identify and look at how likely could that happen, if it did happen, what could be an issue, those types of things in the risk-assessment area.

Then once we have that, then we develop what are the standardized risk-response mechanisms that are available to us, how are you going to treat it, how are you going to look at the risk, what's the risk transfer, how do you work through mitigation mechanisms, et cetera. That's 23%.

Then the final area is then you have to tell everybody. You monitor it and then you got to tell everybody. That's the control monitoring and reporting area and its understanding.

Now, the way ISACA presents this mechanism, they allow their testing activities for CRISC to occur in three timed windows per year as part of their processes. It's available online through a testing organization called "PSI." You sign up, or have InfoSec sign you up, through the ISACA activity. Then the test examination process windows for taking those tests will be timed, you'll get scheduled. The three test windows this year are February 1st through May 24th, June 1st through September 23rd, and then October 1st through January 24th next year.

It is a computer-based examination process. It'll be done on your laptop. The test itself is 150 multiple choice questions and you have a four-hour window in order to test those areas. You take 150, multiply it by 27%, and you know how many questions are going to be in the first domain. You take the 150 times 28% and you know how many questions there'll be in the second domain, that kind of stuff. Now, they are mixed to match. They're not standard as you go through it, so you do have to shift between domains as you go through the test.

Now, the test itself is scored on a common scale of 200 to 800. The maximum number if you got every question right would be 800, so obviously, the questions are weighted. Of course, ISACA's closely held secret is what each question's weighting is. That's how they maintain their management mechanism. In order to pass, you got to get a 450 or better on that 200-to-800 scale. It's understanding where it's at and what it's looking for and the processes that go along with it.

Now, as we begin to walk through this process, one of the things that you'll find out is there is a very strong area of understanding you need to have that's unique to understanding how risk works in the information systems arena, the IT arena, the security arena, the auditor arena, all of these areas, and looking at their mechanisms and seeing how the activity is required.

One of the best things I can recommend for you to do as you prepare for the CRISC exam itself, if you're going to take it in one of those three windows, which I hope you will, is to build yourself a study plan first. Look at the kinds of mechanisms that are available. Get copies of the official ISACA resources, either through InfoSec Institute if you plan on doing it through this or in general, just from the ISACA activities. Download that candidate information guide. That's the first thing you need to do. It will give you the basic structure of the kinds of areas you need to look at for each of those four domains that are covered in CRISC.

Then as you begin to look at those areas and begin to look at what parts you have a good understanding on, which parts you think you need to work with, get a copy of the review manual for the CRISC, which is a detailed discussion, a student study manual which walks through each of the particulars for each of the tasks involved and looking at what's required for CRISC and looking at those mechanisms and each area. As you begin to walk through it, that review manual will point out the different types of things that you need to know.

Then the third thing I would do is to work with the QA&E manual that ISACA has put out, which is review questions, answers, and the explanations for those answers that they have produced as part of this process for CRISC. We are on the sixth version of the CRISC review manual and this has now been out eight years, so as you can see, they try to keep it relatively current. They update it about once every 18 months or so and they keep that review manual and then the attending QA&E for questions, answers, and explanations that go along right with it.

There are a number of online communities available on Reddit and tech-exam areas and other places. YouTube has a lot of videos to help the people who have walked through CRISCs. These are all areas that I would recommend that you supplement your learning with that you can do as well. Of course, enroll in a CRISC prep course as part of this process. These are typically three days long where they talk about the four domains and they go through each of these areas of tasks that are necessary to understand each particular domain and its understanding as well.

As an example, the mechanisms around the first area, IT risk identification, include the universal risk: What does it do with risk management? How does that tie to an enterprise risk organizational activity? How do you look at, do identifications? What's a threat assessment? What's the vulnerability assessment? Building scenarios for risk, all sorts of different things that go along with that particular domain.

The second one they'll talk about when they're giving you this prep, they'll talk about what is a risk assessment, how do you build a risk assessment, how do you adjust it for what your organization has, what are the potential likelihoods and impacts of risks and those types of things, walking through the current states of your controls that you have out there, understanding appropriately the results of the outputs of the risk assessment.

The third domain being the risk response, looking at the four ways of working with risk and evaluating their efficiencies, their effectiveness in managing risks and showing that that's aligned with the business objectives as well.

Then there's the fourth domain, which is the risk and control monitoring where you're looking at the key risk indicators and understanding where they are and how they tie into the key performance indicators for the organization by looking at your overall risk profile.

Take some sample exams, practice exams. I know most boot camps, especially this CRISC prep course that InfoSec produces, have sample exam questions for each of the areas to give you an idea of the kinds of ways that the mechanisms are done and those processes.

You'll get those core concepts, as we were talking about, for risk identification, risk assessment, risk response and risk and control, how to design, how to implement, how to monitor those mechanisms in place, and then what are the regulatory environments that we are operating in these days that have a great deal of information around and guidance for dealing with risk, anything and everything, from a publicly-traded company having to report risk under their Sarbanes-Oxley-required reporting to financial reporting of risks through GLBA to governmental reporting under FISMA, et cetera, et cetera. With the new advent of all the data protection requirements coming out of Europe under GDPR that goes into effect in May, we see even more coming from that side as well as what we see.

Now, these boot camp mechanisms offer you classroom training. Now, InfoSec's mechanism is award-winning courseware as developed by the processors and the experts with instruction. You get the CRISC exam voucher itself as part of your enrollment. You will get a copy of the manual. You get a copy of the QA&E manual. You'll also get expert mentoring from myself or other CRISCs that have been teaching this for you and they will allow you to resit in either an in-person or live online activity of this mechanism either way for one year. If you manage not to pass the test the first time, you certainly have the ability to resit.

Kristin Zurovitch: Leighton, like I mentioned, we have some good questions that have been queued up. I'd like to start with one that came in from someone who says, "I have a good networking background, but I'm new to security. Do you think CRISC is the right certification to start with to enter the security world?" What are your thoughts on that?

Leighton: You have a networking background and you want to know if CRISC is a good place to start? Absolutely, because there's so many risks that are coming in from the network side of the house. That certainly gives you a leg up on doing the risk identification, so I would absolutely say that's a very good place to start from to understanding everything that goes along with CRISC.

Kristin: Very good. I have another question here from Kevin. He asks about the four different domains in the CRISC exam. He's wondering, "Where in your experience have you seen students having the most difficulty and do you have any recommendations on how someone might prepare for that?"

Leighton: Well, two. Typically, risk identification, which is the main one, is usually the one that causes most people to have the biggest areas of concern because they want to make sure they got everything covered. Since risk identification expands out and works in alignment with the enterprise risk strategy of the organization, it's virtually wide open as to what could cause a risk, so the risk identification mechanisms are often part of that. We work through understanding how do you build a risk scenario, the what-if scenarios that assist with that risk identification.

Leighton: The second one is the one that is the strongest and the one that's at 28%, which is risk assessment. Everybody has their own way of looking at assessments. We have qualitative methodologies, we have quantitative methodologies, we got hot charts, we've got all sorts of different ways depending upon which industry you're in on how you do a risk assessment. The idea behind that one, then, is you're given an idea of the process. That way, you begin to understand from a core foundation mechanism on how to do risk assessments under your own rotation, but that typically is the second area that people have the hardest time with.

Kristin: Okay. A question here from Chelsea. She's wondering that "With ISACA's shift now to computer-based testing for the CRISC exam, has anything actually changed with the exam?"

Leighton: No. Straight up, no. It hasn't.

Kristin: Very good. Two questions here from Eric. The first one is: "Can I take the exam twice within the same exam window?"

Leighton: No, you can only do one per exam window, but since the windows are so close, like one ends at May and the next one begins in June, you can do that, but no, each window only allows you to test once.

Kristin: Got it. Very good. His other question, then, as a follow-up was: "Can CPE credits from the same activity be applied to multiple ISACA certifications?"

Leighton: Absolutely. I do that all the time. I have all of the ISACA certifications, so yes. As an example, if I get CPEs because I'm talking at a convention or a conference, I do it across the board on all of them. They get rated differently, so you'll get different amounts for each, but you can take the same event that gives you CPEs and then apply it across the board.

Kristin: Leighton, thank you so much for your time today. Thanks for sharing your insights on the CRISC, on the exam, how to prepare. Appreciate that. Have a great day, everyone.

Chris: Thank you for joining us for this week's episode. Remember, you can subscribe to our weekly podcast, CyberSpeak with Infosec Institute, or by visiting our channel on YouTube. Just search for the InfoSec Institute YouTube channel to see all of our videos. If you like what you heard and you want to learn more about information security training and security awareness, please visit our website. We also have a blog which is updated every week with new articles, videos, and tutorials on topics ranging from project management to penetration testing, which can be found at Thanks again for listening and we'll see you back here next week.
