CRISC certification: Overview & career path [updated 2021]

December 9, 2021, by Daniel Brecht

What is the CRISC certification?

ISACA's Certified in Risk and Information Systems Control (CRISC) certification is an enterprise risk management qualification that is a great option for professionals looking to build upon their existing knowledge and experience of IT risk management and identification and implementation of information system controls. The CRISC certification validates experience in identifying, evaluating and prioritizing risks in real-world situations applying best practices.

In August 2021, the CRISC exam content outline was revised to consider the evolving needs of practitioners in today's workforce. The new test features an increased focus on business continuity, resiliency and corporate governance, and data privacy and protection. The refreshed domains are the results of extensive research and feedback from IT risk and control subject matter experts and industry leaders from around the world.

The changes resulted in the creation of four new domains:

  • Domain 1: Governance (26%)
  • Domain 2: IT Risk Assessment (20%)
  • Domain 3: Risk Response and Reporting (32%)
  • Domain 4: Information Technology and Security (22%)

Earn your CRISC certification, guaranteed!

Enroll in a CRISC Boot Camp and earn one of the highest paying industry certifications — guaranteed.

Who is CRISC for?

The ideal target group for the CRISC certification is mid-career risk and security professionals tasked with IT/IS audits. In particular, IT practitioners in the following roles are often the main candidates for this credential:

  • Risk manager
  • Risk analyst
  • Risk control specialist
  • Risk and compliance investigator

Of course, other employees who work in IT organizations can also benefit from this certification. As the only credential focused on enterprise IT risk management (ITRM), ISACA's certification suits professionals who understand ITRM and how to act on it. It is a good option for those who want to progress in their career within their current organization and professionals looking for new opportunities in a hot field.

What are the possible career paths?

Many job roles can greatly benefit from the possession of a CRISC certification:

  • Enterprise risk manager — responsible for implementing controls that enable risk to be assessed and managed
  • Information security analyst — responsible for maintaining the security and integrity of data. They perform in-depth data analysis and evaluate risk variable factors to strengthen the control environment
  • IT/IS Auditor — responsible for carrying out audits where they'll assess system operating processes, test security posture effectiveness and recommend controls that mitigate risk
  • Cyber Risk Specialist — responsible for managing business risk with a cyber perspective

The CRISC certification, however, can also help in less linked positions:

  • Project managers — risk management is, in fact, an important part of project management.
  • CIOs and CISOs — with its focus on IT risk management, the CRISC showcases the professional's ability to assess the organization's risk tolerance and to strike the right balance between security controls and the organization's ability to perform all needed functions easily within an established budget. These are all valuable capabilities for CIOs and CISOs.
  • Compliance Officers — with its focus on governance and legal compliance, the certification is a great addition to these professionals' backgrounds.
  • Business Analysts — CRISC can validate these professionals' skills in balancing the need to protect the organization from risk through strict controls against the need to keep operations running smoothly and budgets under control.

These are some of the many opportunities that exist today and empower CRISC holders to build prosperous careers. CRISC-certified professionals can also use ISACA's Career Home webpage (a resources center) to connect with employers looking for qualified job candidates worldwide.

What are the career benefits of obtaining a CRISC certification?

Acquiring the CRISC credential can show expertise in specific technical areas when the professional is asked to identify, analyze, evaluate, assess, prioritize and respond to information systems and technology risks.

Key benefits of the CRISC certification are the following:

  • Shows your commitment to professional development
  • Provides you with third-party validation of skills and knowledge in your field
  • Gives you an advantage for promotions, lateral transfers or career progression within your company
  • Makes you stand out in today's competitive market over non-certified professionals with similar backgrounds
  • Leads to higher earning potential. This is among the IT industry's top-paying certifications in the United States ($151,995), as shown by the data elicited from more than 3,700 U.S. respondents who participated in the Global Knowledge 2020 IT Skills and Salary Survey

What are the benefits of CRISC Certification to employers?

In an ever-evolving threat landscape, having CRISC-certified professionals on staff is a valuable asset.

CRISC-certified employees bring forth the following benefits to employers:

  • Knowledge of IT security models, controls, and processes.
  • Experience in designing risk-based controls for information systems.
  • Competence in complying with an organization's risk management and control plans.
  • Skills in devising strategies to mitigate risks in an enterprise environment.
  • Ability to mediate between risk controls and business needs.
  • Understanding of governance as well as legal and compliance requirements in addition to technical skills.

How can I obtain the CRISC Certification?

Several requirements need to be met to become CRISC-certified.

First of all, to meet the eligibility requirements, a candidate needs to have a minimum of three years of work experience in IT risk management and IS control. No experience waivers or substitutions are allowed. The work experience must be gained within five years of the certification application date and no more than 10 years prior to the application date. All experience must be verified by the relevant employers. Candidates who pass the exam but ultimately do not meet these requirements will have to retake it.

Exam registration and payment are required before scheduling and taking the test. Applicants need to complete the CRISC Application for Certification and pay the US$50 processing fee. The exam cost is $575 for ISACA members and $760 for all other candidates. Test takers can then register through PSI Test Centers for either in-person or remotely proctored testing. Exams are now administered all year round in what is known as Continuous Testing, so candidates can register whenever they are ready to sit for the examination within their 365-day window.

The test is available in English, Spanish and Chinese Simplified.

Applicants will be presented with a computer-based exam consisting of 150 questions that must be completed in four hours. ISACA "reports scores on a common scale from 200 to 800 […]. A score of 450 represents a minimum consistent standard of knowledge." Once the exam has been taken and passed, candidates can apply for certification if all other requirements have been met.

Note: CRISC holders must adhere to ISACA's Code of Professional Ethics and comply with the continuing professional education (CPE) program: certified professionals need to complete a minimum of 20 CPE hours annually and 120 CPE hours over three years. The CRISC annual maintenance fee is $45 for members, $85 for non-members.

What is the best way to train for the CRISC exam?

When preparing for the exam, even experienced professionals need to familiarize themselves with the topics covered by the four domains of the test to discover any possible gaps and concentrate on weaker areas. ISACA's official bookstore provides plenty of resources to include in preparation, such as printed and e-version books, study guides and questions-and-answers manuals. Multiple training options are also available from reputable online educational providers to match any learning style and needs.

Is the CRISC certification worth the effort? A look at salary

According to PayScale, the average salary of a CRISC-certified professional in the United States is $125,000, with peaks of $177,000 and $167,000 for certified CISO and director of computing/networking/information technology (IT) security, respectively.

ISACA itself reports an average salary of over $114,000 worldwide, mentioning that the credential was reported as the fourth top-paying certification worldwide by the 2020 IT Skills and Salary Report from Global Knowledge.


The job and salary benefits of a CRISC certification

Obtaining the CRISC certification can give professionals a way to demonstrate their familiarity with organizational governance, continuous risk monitoring and reporting, information security and data privacy considerations for effective ITRM.

The CRISC credential is a globally recognized enterprise risk and controls accreditation, providing significant value to its holders and employers or clients. As the demand continues to grow and certified professionals are in relatively short supply (although more than 30,000 professionals have earned the CRISC designation since its inception in 2017), a CRISC certification can give a competitive advantage over peers to ultimately secure more prominent positions and higher salaries.

Daniel Brecht

Daniel Brecht has been writing for the Web since 2007. His interests include computers, mobile devices and cyber security standards. He has enjoyed writing on a variety of topics ranging from cloud computing to application development, web development and e-commerce. Brecht has several years of experience as an Information Technician in the military and as an education counselor. He holds a graduate Certificate in Information Assurance and a Master of Science in Information Technology.