How to Earn CRISC Certification


As one of the fastest growing professions globally, Information & Cyber Security related certifications are in high demand. The volume of information sharing and distribution continues to increase exponentially every year. Along with that trend, the number of high profile and multi-million dollar security breaches has grown just as rapidly. This means there is a great need for businesses to hire technical resources that specialize in protecting systems and data from all types of threats.

Regardless of the industry and size, nearly all companies are searching for information security professionals at all experience levels for this support. They often lean towards hiring individuals that have deep experience, but are just as focused on the credentials that validate the potential hire’s level of competence.

In short, there has been an explosion of risk and security-related job postings in recent years and this is a trend that is not slowing down.

Whether you’ve been in information security for decades or are just starting your career, becoming Certified in Risk and Information Systems Controls (CRISC) through ISACA is one of the best qualifications to have. With CRISC, you’ll learn how to identify and assess risks to an enterprise so that effective mitigation plans can be designed and deployed. This certification builds the mindset and the set of competencies needed to better manage information security systems and processes.

CRISC Certification (Source: ISACA)

Below you will find our complete guide of the important details to help you become Certified in Risk and Information Systems Controls (CRISC).

Who should get CRISC certified and what positions will it benefit?

  • IT Risk Management Professionals
  • Cyber and Information Security Management Professionals
  • IT Security Consultants and Architects
  • Chief Information Security Officers
  • Executive and Senior IT Leadership

What does a CRISC professional do?

Certified CRISC employees help companies to:

  • Assess and understand degrees of IT and enterprise risk and the impact they may have on the company.
  • Prepare mitigation strategies and tactical plans to effectively manage and respond to risk.
  • Evaluate various risk scenarios and make mitigation decisions.
  • Define and establish appropriate guidelines and procedures for risk management within the company.

What is on the CRISC certification exam?

ISACA offers the exam during Testing Windows each year. There will be a total of 150 multiple choice questions on the exam covering the four (4) domains below.

CRISC Domains & Percent of Exam

  • Domain 1—IT Risk Identification (27%)
  • Domain 2—IT Risk Assessment (28%)
  • Domain 3—Risk Response and Mitigation (23%)
  • Domain 4—Risk and Control Monitoring and Reporting (22%)

After you pass the exam and have met all prerequisites, you may apply for certification. Your CRISC certification will be valid for three years.

Where can I find CRISC exam training or practice tests?

For those on a tighter budget or without company reimbursement, there are outstanding online courses to get you up to speed. The flexibility of a web-based exam prep course also allows you to learn at your own pace and on your own time. You will feel confident sitting for the exam since the training options we recommend are all designed based on the exam content and questions.

Best online CRISC certification training:

  1. 2018 CRISC Certification Exam Training by Certified InfoSec: This is one of the best-valued courses out there that was developed based on the four (4) CRISC domains. The material has been tailored to cover the questions and concepts on the exam. You’ll be well prepared for anything with this CRISC exam prep course. You only have 180 days of access to the course content, but this should be ample time to build your knowledge and successfully pass the exam.
  2. Certified in Risk and Information Systems Control (CRISC) Certification Training by Simplilearn: This course offers 20 hours of self-paced training videos, two (2) practice exams, and knowledge check questions to get you ready. The content covered in this course is comprehensive and builds your competency in the CRISC domains with a good amount of depth. You’ll be in a great position to complete the exam after successfully completing the course.
  3. CRISC Online Review Course by ISACA: This is the only training course published by the ISACA organization. The course reviews all of the core subjects you need to know in order to pass the exam. The cost for a year of access to the course is high, but it’s hard to beat training from the organization that also manages the exam. (ISACA Members: $795 / Non-members: $895)

Best instructor-led CRISC training boot camp:

If you are looking for instructor-led training, our top recommended vendor for CRISC prep training is InfoSec Institute. They are well known as a high-quality provider for ISACA training and exam preparation. This is also a resource recommended by several certified risk and information security professionals in my network.

InfoSec’s training is great for organizations looking to certify multiple employees at a time, but you can’t beat it even if you’re pursuing it for personal development. They have an exam pass guarantee where they will cover a second sitting if you do not pass on your first attempt.

The best course for exam readiness is InfoSec’s three (3) day CRISC Bootcamp. In this focused course, you will learn the concepts of the four (4) domains in great detail. It would be incredibly difficult not to pass the 150 question exam by the time the course is over.

You also get access to the course material for future reference and an exam voucher is included as a way to encourage you to take the final step to get certified.

What are the CRISC certification requirements?

First, you must have a minimum of three (3) years of work experience demonstrating and performing the responsibilities that define a CRISC professional across at least two (2) of the four (4) CRISC domains.

Of the two (2) required domains, one (1) must be in either Domain 1—IT Risk Identification or Domain 2—IT Risk Assessment. The reason for this is that these domains are key to demonstrating your ability to identify and assess possible points of risk. This is important to support the definition of a strategy to effectively respond to risks and mitigate them.

Once you’ve met the work experience requirements, the next step will be to register and sit for the CRISC exam at an ISACA testing site administered by PSI.

Before doing so, it is highly recommended to take a CRISC exam prep course, online training, and practice exams no matter your experience level. These resources will help you learn the terminology and content from each domain that will be on the exam.

How much does CRISC certification cost?

The CRISC certification cost will depend on whether you are an ISACA member or not. For ISACA members, the CRISC exam cost is $575. Non-members will pay $760 to sit for the exam.

ISACA membership requires you to pay their $10 New Member Fee (online only), $135 International Dues, and Local Chapter Dues (see Chapter Dues Table). Most chapter dues range between $20-100 depending on location and whether you are a student or recent graduate.

After you pass the exam, you’ll need to apply for certification by sending in your verified evidence of work experience. There is a $50 processing fee that helps cover ISACA’s efficient and quality certification administration.

What is the average CRISC salary?

Based on a sample of data from PayScale, the average salary for CRISC certification holders in 2019 is $118,000. The top cities that pay well above average for this certification include New York, Washington D.C., and Philadelphia. These cities are also home to many financial and insurance companies, which consistently have high demand for CRISC professionals.

What are related information and cyber security certifications?

You may also be interested in the following related certifications which will further build your expertise in risk and information security management:

We hope you have found this collection of resources useful to get you on the right track to becoming Certified in Risk and Information Systems Control (CRISC). Please share your thoughts in the comments and contact us with any questions.
