The Certified in Risk and Information Systems Control (CRISC) certification guide (2023)

What is the CRISC certification?

The Certified in Risk and Information Systems Control, or CRISC certification, authenticates your mastery of risk management and ability to optimize security using an agile-based approach.

  • Show your ability to identify risks in various information systems and report how those risks affect an organization’s bottom line
  • Prove you know how to manage and reduce IT risks once identified
  • Demonstrate your skill in governance, risk monitoring and reporting to ensure an organization’s assets are protected against future threats

Key facts

Start your journey to becoming a certified CRISC professional with Infosec.

CRISC exam overview

The ISACA CRISC certification is one of the most respected risk management credentials and confirms professional knowledge of corporate IT governance and security, IT risk assessment and risk response and reporting — skills highly valued in modern business. That’s why many people with CRISC certification go on to jobs such as chief information security officer, information security analyst, senior IT auditor and director of risk management.

The latest version of the CRISC exam covers four knowledge areas, or domains.

Domain 1: Governance (26%)
  • Organizational strategy, goals and objectives
  • Organizational structure, roles and responsibilities
  • Organizational culture
  • Policies and standards
  • Business processes
  • Organizational assets
  • Enterprise risk management and risk management framework
  • Three lines of defense
  • Risk profile
  • Risk appetite and tolerance
  • Legal, regulatory and contractual requirements
  • Professional ethics of risk management

Domain 2: IT risk assessment (20%)
  • Risk events
  • Threat modeling and landscape
  • Vulnerability and control deficiency analysis
  • Risk scenario development
  • Risk assessment concepts, standards and frameworks
  • Risk register
  • Risk analysis methodologies
  • Business impact analysis
  • Inherent and residual risk

Domain 3: Risk response and reporting (32%)
  • Risk treatment and response options
  • Risk and control ownership
  • Third-party risk management
  • Issue, finding and exception management
  • Management of emerging risk
  • Control types, standards and frameworks
  • Control design, selection, analysis and implementation
  • Control testing and effectiveness evaluation
  • Risk treatment plans
  • Data collection, aggregation, analysis and validation
  • Risk and control monitoring techniques
  • Risk and control reporting techniques
  • Key performance indicators
  • Key risk indicators
  • Key control indicators

Domain 4: Information technology and security (22%)
  • Enterprise architecture
  • IT operations management
  • Project management
  • Disaster recovery management
  • Data lifecycle management
  • System development lifecycle
  • Emerging technologies
  • Information security concepts, frameworks and standards
  • Information security awareness training
  • Business continuity management
  • Data privacy and protection principles

Learn more about the CRISC domains.

CRISC exam details

CRISC covers everything security professionals should know about risk management — from the impact risk can have on organizations to optimizing networks and technology for risk mitigation. Discover more CRISC exam details.

  • Launch date: 2010
  • Last update: June 2019
  • Number of questions: 150
  • Type of questions: Multiple-choice
  • Length of test: 4 hours
  • Passing score: 450 (out of scaled score of 200-800)
  • Recommended experience: 3+ years of IT risk management and IS control
  • Languages: English, Chinese simplified, Korean, Spanish
  • Validity duration: Three years
  • CPEs needed for renewal: 120 (at least 20 annually)
  • Exam cost: $575 for members, $760 for non-members

Free and self-study CRISC materials

Budget-savvy test-takers will be pleased to learn that plenty of free CRISC training resources are available to help you prepare for the CRISC. ISACA has official study materials on its website, including a study guide and a database of exam questions. Check your local library if you're trying to train on a budget.

CRISC study guides and books

ISACA and other training providers offer numerous resources available on Amazon and elsewhere. These include:

  • CRISC Official Review Manual, 7th Edition (ISACA)
  • CRISC Certified in Risk and Information Systems Control All-in-One Exam Guide, 2nd Edition by Peter Gregory, Dawn Dunkerley and Bobby Rogers
  • CRISC Exam Study Guide by Hemang Doshi
  • 9 tips for CRISC exam success

You can also download a free ISACA Career Kit for more information from ISACA on their certifications.

CRISC practice questions and exams

Practice exams for CRISC certification are a great way to understand the questions you’ll be asked and gauge how ready you are for the big test. While you won’t find the exact questions from the exam, practice questions reflect the exam domains. A few of the most popular CRISC practice question options are listed below:

Most paid CRISC training courses also offer practice exams. For example, Infosec's CRISC Boot Camp includes access to the ISACA Official Question, Answer & Explanation (QAE) database.


Other free CRISC training resources

There are a number of other free CRISC training materials being produced and shared by the community:

  • Forums like TechExams and Reddit allow you to connect directly with others who are studying for or have already taken the CRISC exam.
  • YouTube is another great place to connect with cybersecurity practitioners and learn about the CRISC certification exam. Although most CRISC courses cost money, there are numerous free CRISC videos.
  • Podcasts like the Cyber Work Podcast are an accessible way to hear about the career and training journeys of fellow IT and cybersecurity professionals.

CRISC jobs and careers

CRISC certification is one of the most highly regarded risk management credentials and among the top-paying cybersecurity certifications. 


Common CRISC job titles

Learn more about common job titles for CRISC holders.

CRISC live boot camps and self-paced training

The CRISC certification exam covers a lot of knowledge, and professional training courses for the CRISC can help all that hard work pay off. Paid training is also a great option to get certified quickly or if you want extra assistance mastering the concepts covered on the exam.

CRISC comparisons and alternatives

CRISC certification can help you open more job opportunities, but it is not the only useful option. Here is how CRISC certification stacks up to other related credentials.


The CRISC and (ISC)² CGRC cybersecurity certifications both cover risk management and governance techniques. However, the Certified in Governance, Risk and Compliance (CGRC) credential takes a business-wide view of risk management and compliance, while CRISC focuses more on risk management from IT and IS perspectives. If you work in an industry with many regulatory compliance requirements or risk management outside of IT and IS, CGRC may be a better certification for you. In addition, the required experience for CGRC is two years instead of three.


While both certifications are geared towards management positions, the ISACA Certified Information Security Manager (CISM) certification is a higher-level credential that focuses on managing an organization’s entire security efforts. CRISC is a better option for professionals who focus mainly on managing an organization’s system risk. The experience requirement for CISM candidates is also two years longer than CRISC’s (five years vs three), and the exam contains knowledge you may have learned while earning your CRISC certification. However, when it comes to the exam format, duration, registration and cost, both of these ISACA credentials are identical.


While both certifications require knowledge of control methods, auditing and monitoring, the ISACA Certified Information Systems Auditor certification focuses more on auditing, while CRISC deals with risk management. CISA candidates must have five years’ work experience instead of the CRISC’s three years’ experience, but average salaries for both certifications are about the same.

Explore Infosec certifications to find the best fit for your career goals.