CRISC: Overview of domains [updated 2021]

Daniel Brecht
November 15, 2021 by
Daniel Brecht

Being certified in Risk and Information Systems Control (CRISC) means filling IT-related risk management roles and effectively evaluating the organization's people, processes, and technology security threats and vulnerabilities. CRISC professionals' oversight augments the risks and cybersecurity preparedness of companies. Due to the rate at which cybercriminal activities are evolving, experts who possess the knowledge tested by the different domains in the CRISC exam can be invaluable for a business.

Through this certification, professionals can demonstrate competencies that focus on enterprise IT risk management and in high-demand areas like identifying and managing risks through developing, implementing and maintaining appropriate information systems (IS) controls.

The CRISC certification, provided by the Information Systems Audit and Control Association (ISACA), effectively caters to any risk analyst that may be asked to look at cybercriminal activity that could arise and impact a business's critical services and related assets they remain as safe as possible.

Earn your CRISC certification, guaranteed!

Earn your CRISC certification, guaranteed!

Enroll in a CRISC Boot Camp and earn one of the highest paying industry certifications — guaranteed.

The CRISC certification domains

On August 1, 2021, the CRISC exam content outline was updated to reflect changes in IT risk professionals' work practices and to account for new trends and market dynamics. The four work-related domains listed below are the results of extensive research, feedback and validation from IT risk and control subject matter experts and industry leaders based worldwide.

This refreshed exam has updated job practice areas developed by the CRISC Task Force that considers the evolving needs of practitioners in the workforce today. In particular, it features a heightened focus on business continuity, risk monitoring and reporting, resiliency and corporate governance, as well as data privacy and protection.

Here are the key domains, subtopics and associated tasks candidates will be tested on:

Domain 1: Governance (26%)


  • Organizational strategy, goals and objectives
  • Organizational structure, roles and responsibilities
  • Organizational culture
  • Policies and standards
  • Business processes
  • Organizational assets


  • Enterprise risk management and risk management framework
  • Three lines of defense
  • Risk profile
  • Risk appetite and risk tolerance
  • Legal, regulatory and contractual requirements
  • Professional ethics of risk management

Domain 2: IT Risk assessment (20%)


  • Risk events (e.g., contributing conditions, loss result)
  • Threat modeling and threat landscape
  • Vulnerability and control deficiency analysis (e.g., root cause analysis)
  • Risk scenario development


  • Risk assessment concepts, standards and frameworks
  • Risk register
  • Risk analysis methodologies
  • Business impact analysis
  • Inherent and residual risk

Domain 3: Risk response and reporting (32%)


  • Risk treatment/risk response options
  • Risk and control ownership
  • Third-party risk management
  • Issue, finding and exception management
  • Management of emerging risk


  • Control types, standards and frameworks
  • Control design, selection and analysis
  • Control implementation
  • Control testing and effectiveness evaluation


  • Risk treatment plans
  • Data collection, aggregation, analysis and validation
  • Risk and control monitoring techniques
  • Risk and control reporting techniques (heatmap, scorecards and dashboards)
  • Key performance indicators
  • Key risk indicators (KRIs)
  • Key control indicators (KCIs)

Domain 4: Information technology and security (22%)


  • Enterprise architecture
  • IT operations management (e.g., change management, IT assets, problems and incidents)
  • Project management
  • Disaster recovery management (DRM)
  • Data lifecycle management
  • System development life cycle (SDLC)
  • Emerging technologies


  • Information security concepts, frameworks and standards
  • Information security awareness training
  • Business continuity management
  • Data privacy and data protection principle

As shown, all facets of successful governance, IT risk assessment, risk response and reporting, along with information technology and security, are examined. According to ISACA, "the credential is ideal for mid-career IT, risk and security professionals and teams, validating practitioners' experience in building a well-defined, agile risk-management program, based on best practices to identify, analyze, evaluate, assess, prioritize and respond to risks."

Exam info

To test, candidates need three or more years of experience in IT risk management and IS control. No experience waivers or substitutions are allowed.

The test is available in English, Spanish and Chinese Simplified. It consists of 150 multiple choice questions to be answered in less than 240 minutes. ISACA "reports scores on a common scale from 200 to 800 […]. A score of 450 represents a minimum consistent standard of knowledge."

Test takers can register through PSI Test Centers for both in-person or for remote-proctoring testing.

The cost is $575 for ISACA members and $760 for all other candidates.

Preparing for the exam

Obtaining this certification is a significant investment in both time and cost. Professionals should look for official, certified study materials and training to ensure they have a thorough understanding of each topic covered in the exam and increase their chances of passing it on the first attempt.

Reviewing the outline of the domains and topics covered in the test is the first step to quickly identify strengths and weaknesses based on subject areas, thus helping candidates focus study efforts accordingly. In particular, reviewing the percentage of questions within each domain assessed by the certification exam can help concentrate efforts on the most needed areas. Check out the "9 Tips for CRISC Exam Success" for a few more practical ideas to help you secure your certification.

As mentioned, the best approach is using official material (e.g., books, guidelines and other official publications), like the CRISC Review Manual 7th Edition. This comprehensive reference guide can assist candidates in understanding essential concepts and studying the following job practice areas. The material in this eBook is sure to enhance a candidates' knowledge or understanding when preparing for the certification.

To have an idea of the type of questions you might find on the test, check out ISACA's provided 10-question challenge:

CRISC Practice Quiz - Test Your Knowledge of Risk ... - ISACA

An exam for IT/IS risk practitioners

As ISACA states, CRISC is the only certification that prepares and enables IT professionals for the unique challenges of IT risk management (ITRM).

The CRISC is particularly designed for IT professionals who have hands-on experience with organizational governance, continuous risk monitoring and reporting, information security and data privacy considerations for effective ITRM.

IT risk and control personnel will continue to be in demand over the coming years. Given these professionals' increasing role within companies, employers are sure to look for proof that they have the expertise and skills to effectively manage risks and assess the effectiveness of key controls.

Then, the certification offers subject matter experts in the field a very effective way to demonstrate they have the necessary competencies to stand out from other employees or job applicants and better compete for promotions and job opportunities.

According to ISACA, CRISC also affects earnings. It ranks fourth among the top 15 highest-paying certifications globally for 2020, per the 2020 IT Skills and Salary Report conducted by Global Knowledge. The survey shows an average salary of $146,480 in the United States and $114,000 worldwide. The 2019 report, instead, showed how CRISC ranked in the top five in the popularity of cyber certifications in all regions.

And the credential's popularity is still growing. The Certification Magazine shows how in a survey of IT professionals looking at which certification they were planning to acquire in the next 12 months, CRISC was 12th of 50 within the most cited answers.

Earn your CRISC certification, guaranteed!

Earn your CRISC certification, guaranteed!

Enroll in a CRISC Boot Camp and earn one of the highest paying industry certifications — guaranteed.

Learning all about CRISC

Suppose you are an IT professional in a role that includes managing security and overseeing compliance tasks, or you are asked to assess risks and respond to them to promptly restore business functionalities. In that case, a CRISC certification can fit your career needs. The four domains tested by ISACA give an understanding of all involved in IT-related business risk management roles and responsibilities to include assessing, identifying, responding and reporting risks for the best protection of business assets.



Daniel Brecht
Daniel Brecht

Daniel Brecht has been writing for the Web since 2007. His interests include computers, mobile devices and cyber security standards. He has enjoyed writing on a variety of topics ranging from cloud computing to application development, web development and e-commerce. Brecht has several years of experience as an Information Technician in the military and as an education counselor. He holds a graduate Certificate in Information Assurance and a Master of Science in Information Technology.