Maintaining Your CRISC Certification: Renewal Requirements [updated 2022]

Lester Obbayi
January 1, 2022 by
Lester Obbayi

To renew your CRISC certification, ISACA requires that over the three-year CRISC certification period, candidates collect Continuing Professional Education (CPE) hours as per the CPE policy. CRISC candidates also need to meet the following requirements to maintain their certification:

  1. Candidates must collect a minimum of 20 annual CPE hours, and within the three years of CRISC certification, a minimum of 120 hours cumulatively.
  2. Submission of annual CPE maintenance fees to ISACA international headquarters is also required.
  3. Candidates will be required to provide required documentation of CPE activities if audited.
  4. Candidates will be required to adhere to the ISACA code of Professional Ethics.

If candidates/certification holders cannot comply with these requirements, ISACA holds the right to revoke the individual's CRISC designation. This also requires that their certifications be destroyed immediately.

Earn your CRISC certification, guaranteed!

Earn your CRISC certification, guaranteed!

Enroll in a CRISC Boot Camp and earn one of the highest paying industry certifications — guaranteed.

What are the CRISC CPE maintenance requirements?

ISACA requires that candidates partake in qualifying CPE activities that the CRISC Certification Task Force has approved to obtain or maintain CPE. These activities must be directly applicable to risk identification, assessment, evaluation, response and monitoring of IS controls. It is worth noting that CPE hours are not accepted for on-the-job activities unless they fall into a specific qualifying professional education activity. These qualifying activities and limits that candidates may participate in include:

  1. ISACA professional education activities and meetings (no limit). These include ISACA conferences and meetings, and related activities. CRISCs earn CPEs according to the number of hours of active participation.
  2. Non-ISACA professional development activities and meetings (no limit). These include in-house corporate training, university courses, conferences, seminars, workshops and professional meetings not sponsored by ISACA.
  3. Self-study courses (no-limit). These include structured courses designed for self-study that offer CPE credits. It is important to note that these are only accepted if the course provider issues a certificate of completion and the certificate contains the number of CPE hours earned for the course.
  4. Vendor sales/marketing presentations (10-hour annual limitation): these include vendor product or system specific sales presentations related to risk identification, assessment, evaluation, response and monitoring.
  5. Teaching/lecturing/presenting (no limit): these include the development and delivery of professional presentations and self-study/distance learning courses related to risk identification, assessment, evaluation, response and monitoring and maintenance of IS controls.
  6. Publication of articles, monographs and books (no limit): these include the publication or review of material directly related to the risk identification, assessment, evaluation, response and monitoring and the design, implementation, monitoring and maintenance of IS controls. Submissions must appear in a formal publication or website, and a copy of the article of the website address must be available if requested.
  7. Exam question development and review (no limit): this includes developing a review of items for the CRISC exam (or review materials). Two CPE hours are earned for each question accepted by an ISACA CRISC item review committee.
  8. Passing related professional examinations (no limit): this involves the pursuit of other related professional examinations. Two CPE hours are earned for each examination hour when a passing score is achieved.
  9. Working on ISACA Boards/Committee (20-hour annual limitation per ISACA certification): this involves active participation on an ISACA board, committee, sub-committee, task force or active participation as an officer of an ISACA chapter. One CPE hour is earned for each hour of active participation.
  10. Mentoring (10-hour annual limitation): certifieds can receive up to 10 CPEs annually for mentoring. Activities include mentoring efforts directly related to coaching, reviewing or assisting with CRISC exam preparation or providing career guidance through the credentialing process at the organizational, chapter or individual level. One CPE hour is earned for each hour of assistance.

More information on the accepted activities and processes followed, for example, calculating CPE hours, can be found here.

Can I regain membership if my certification has been terminated?

The short answer is yes. Once certified individuals have been revoked of their certification, they are required to retake and re-pass the exam and then re-apply for certification with the appropriate experience. If these individuals apply for reinstatement after 60 days of revocation, they may incur an additional reinstatement fee of $50. It should be noted that this reinstatement fee is in addition to any back or current certification maintenance fee needed to bring the certified individual in compliance with the CPE policy. Revoked individuals can also make appeals to certificate revocation by writing notification of the appeal to The appeal must include a detailed explanation for the reinstatement request and the CPE documentation from the cycle period since revocation to the current year.

How long is the CRISC certification good for?

The CRISC certification is valid for a year, after which renewal is a requirement. Non-practicing CRISCs (those no longer working in risk identification, assessment, evaluation, response etc.) can apply for non-practicing CRISC status. ISACA requires that applications for non-practicing status be received no later than January 15 and accompanied by the annual renewal fees. Non-practicing CRISCs are not required to submit CPE hours but may not use "CRISC" or "CRISC non-practicing" on business cards. The forms for CRISC non-practicing, return to active, and retired can be obtained here.

Do I have to retake the exam?

Retaking the exam is NOT necessary when renewing the CRISC certification. ISACA only requires that the number of CPE hours be met, CPE maintenance fees be met in full, required documentation be submitted in cases where individuals are selected for an annual audit and candidates comply with the ISACA Code of Professional Ethics. Payment for the renewal of the certification can be done online at The invoice notification is sent through email and as a hard copy in the third quarter of each calendar year by ISACA to all CRISCs. Normally, the deadline for payment and reporting of CPE is on January 15.

However, according to the Certification Revocation, Reconsideration and Appeal section of the Appeals Policy, if the certification had initially been revoked, you must retake and pass the exam.

Earn your CRISC certification, guaranteed!

Earn your CRISC certification, guaranteed!

Enroll in a CRISC Boot Camp and earn one of the highest paying industry certifications — guaranteed.

Preparing for the CRISC certification

Having the right information during CRISC certification renewal can mean the difference between a successful and unsuccessful renewal. Candidates must familiarize themselves with the different rules that ISACA has in place to maintain their credentials.



Lester Obbayi
Lester Obbayi

Lester Obbayi is a Cyber Security Consultant with one of the largest Cyber Security Companies in East and Central Africa. He has a deep interest in Cyber Security and spends most of his free time doing freelance Penetration Tests and Vulnerability Assessments for numerous organizations.