Average CRISC Salary [2023 update]

September 15, 2023 by Greg Belding

ISACA’s Certified in Risk and Information Systems Control (CRISC) certification helps to verify that the holder has in-demand Security Risk Management skills, and it has ranked as one of the top-paying IT certifications since its release in 2017. This raises the question in 2023: how much will I make on average if I earn the CRISC certification?

Earn your CRISC certification, guaranteed!

Enroll in a CRISC Boot Camp and earn one of the highest paying industry certifications — guaranteed.

Average CRISC salary

To not “hide the ball” or otherwise make you wade through paragraphs of information that you are not necessarily looking for, let’s jump right into it. According to the salary reporting websites, below is the average CRISC salary in 2023:

  • Payscale - $143,000

  • Coursera - $151,995

  • Certification Magazine - $156,390

We can calculate an average CRISC salary of $150,462 based on these three different average salaries. This figure is far above the national average wage in the United States, even for all IT certifications. If you work in Security Risk Management and want to boost your salary, you may want to consider earning this certification.

CRISC salaries by city

The good thing about an average is that it does not necessarily mean your salary will be at that level, as there could be a laundry list of cities where you would get paid more than the average. Below is a list of cities where you would make considerably more than the national average salary for CRISC.

  • San Diego, CA $128,992

  • Boston, MA $130,000

  • Orlando, FL $140,418

  • Princeton, NJ $151,500

  • St. Louis, MO $140,000

  • Mountain View, CA $145,000

  • Reston, VA $157,460

  • San Francisco, CA $204,930

  • Alpharetta, GA $144,416

  • Phoenix, AZ $149,733

As you can see, the national average salary for CRISC is as much as 25% below what you could get in the highest-paid city on the list. At times like this, the adage “location, location, location” finds new life.

Average salary for CRISC by job title

Where you work is not always the determining factor in the average salary of a CRISC cert holder. The job title you hold as a CRISC holder can also affect your average salary. Below is a list of job titles seeking CRISC certification holders and their average salaries.

Job title and average salary:

  • Chief Information Security Officer $191,038
  • Director, Computing/Networking/Information Technology (IT) Security $176,082
  • Director, Risk Management/Risk Control $165,000
  • Information Security Manager $132,452
  • Information Security Officer $122,456
  • Information Security Analyst $97,666
  • Senior Information Technology (IT) Auditor $91,759

More on the CRISC certification

According to the hosting organization ISACA, CRISC is the only IT Risk certification focusing on Enterprise Risk Management. While it should be noted that there are other Security Risk Management certifications on the market, CRISC has cornered the market on the Enterprise Risk Management end of things. The latest version of the certification exam has expanded to focus on governance, risk response and reporting. 

What are the CRISC prerequisites?

The only prerequisite you must satisfy to become fully CRISC certified is an experience requirement. The experience requirement for CRISC is three or more years of experience in IT Risk Management and IS control. It should be noted that ISACA does not allow for any experience waivers or substitutions, so this prerequisite should be considered a hard requirement you will have to live with.

The CRISC certification exam

After obtaining the necessary work experience, you will still have to pass the CRISC certification exam to earn the cert. This exam is in the multiple-choice format, and certification candidates will have four hours (240 minutes) to answer 150 questions.

The cost of registering for the CRISC exam depends on whether you are an ISACA member. For ISACA members, registering for the exam is $575. Non-members will be required to pay $760. 

What information is covered on the CRISC certification exam?

The CRISC certification exam covers four Domains of Knowledge. Below is a list of each Domain with the percentage weight of exam content they represent:

  • Domain 1 - Governance (26%)

  • Domain 2 - IT Risk Assessment (20%)

  • Domain 3 - Risk Response and Reporting (32%)

  • Domain 4 - Information Technology and Security (22%)

CRISC job outlook

Security breaches are simply a part of today’s world that organizations need to accept and prepare for.  The best way to prepare for breaches is to have a top-flight information security auditor on staff, and one of the top certifications for security auditors is CRISC.  As such, CRISC certification holders are very much in demand.  Data breaches are likely going nowhere in the near to distant future, so you can expect the career outlook for CRISC holders to be quite bright. 

CRISC helps information security auditors stay relevant and competitive in the information security auditing sector, which is getting hotter yearly. You will also be ahead of the curve in terms of competition when searching for new information security auditor roles. In other words, it will help you land your dream auditor role more easily in the face of growing competition.

Pursuing the CRISC certification 

CRISC can give many a significant salary boost, which should be considered along with other factors in deciding whether to earn this certification. To learn more about CRISC jobs, study resources and more, visit our CRISC hub.


  1. CRISC Salary, Payscale

  2. Salary Survey Extra: Deep Focus on ISACA CRISC, Certification Magazine

  3. IT Salary Overview: How Much Can You Make?, Coursera

Greg Belding

Greg is a Veteran IT Professional working in the Healthcare field. He enjoys Information Security, creating Information Defensive Strategy, and writing – both as a Cybersecurity Blogger as well as for fun.