Discover how the CRISC certification can help enhance your IT risk management skills.
In 2024, cyber incidents posed the greatest risk to US businesses, according to a Statista survey of risk management experts [1]. Business interruptions, including supply chain disruptions, were the second-biggest risk, noted by 33 percent of respondents [1].
If you hold a position overseeing risks within an organization, obtaining a Certified in Risk and Information Systems Control (CRISC) certification can help you develop optimal risk management strategies and improve business resilience.
Read on to learn more about the CRISC certification and how to become certified.
The Certified in Risk and Information Systems Control (CRISC) certification is a credential granted by ISACA (previously known as the Information Systems Audit and Control Association). Earning the CRISC certification shows that you are knowledgeable in risk management.
As of 2025, the CRISC exam is accessible in four languages: English, Chinese Simplified, Spanish, and Korean [2].
The CRISC certification is tailored for individuals managing IT risk and overseeing the design, implementation, monitoring, and maintenance of information system controls.
Upon registering, ISACA provides you with a 12-month eligibility window to complete your examination [3].
You are eligible for certification if you have three or more years of experience in IT risk management and information system control [2].
Even if you lack the prerequisite experience, you can still take the CRISC exam. However, meeting the requirements is necessary for certification.
The CRISC certification fee varies depending on whether you are an ISACA member or a nonmember [3]:
- Member: $575
- Nonmember: $760
The CRISC exam registration is always open, allowing you to sign up anytime. You can also schedule a test 48 hours after paying the registration fees [3].
The CRISC exam includes 150 questions to assess your knowledge and expertise in the following domains [4]:
- Governance (26 percent)
- IT risk assessment (20 percent)
- Risk response and reporting (32 percent)
- Information technology and security (22 percent)
You will have four hours (240 minutes) to complete your CRISC exam [2].
Registering for the exam is an online process that requires creating an ISACA account. After registering and paying for the exam, you can expect to receive a “Notification to Schedule” email, including details on how to schedule your exam appointment.
ISACA conducts CRISC certification exams via computer-based testing at authorized PSI testing centers worldwide or through remotely proctored exams.
Note: You have five years from your exam passing date to apply for your CRISC certification [5]. Processing the application incurs a $50 fee [5].
Besides skill development, the other perks of obtaining a CRISC certification include the following:
Organizations and governmental agencies worldwide acknowledge the CRISC certification.
Because ISACA certifications are accredited by the American National Standards Institute (ANSI), earning and maintaining one holds significant weight in the hiring process [3].
CRISC ranks as the fourth highest-paying certification globally, according to ISACA [3].
Both the CRISC and the Certified Information Systems Security Professional (CISSP) certifications pertain to information security. However, here is how they differ:
Certification | Provider | Audience | Number of exam modules | Amount of work experience required |
---|---|---|---|---|
CRISC | ISACA | Ideal for professionals managing risks associated with information technology. | 4 | 3 years |
CISSP | ISC2 | Fitting for security practitioners with expertise in an array of cybersecurity practices. | 8 | 5 years |
You may find CRISC easier than CISSP, as CISSP covers a wider range of security domains. While CRISC can help validate your ability to manage an organization’s IT risks, CISSP can highlight your ability to spearhead an organization’s information security program.
ISACA provides varied CRISC exam prep resources, such as group training, self-paced learning, and multilingual study materials.
For instance, the CRISC Online Review Course includes video content, interactive e-learning modules, downloadable job aids, case studies, and practice exams. You can advance through the course at your preferred pace.
Additionally, you may complement the course with the CRISC Questions, Answers & Explanations Database, accessible through ISACA PERFORM (a web-based learning platform). The database contains up to 600 practice question sets with comprehensive explanations for each answer choice.
Lastly, you can participate in ISACA’s online Engage community to connect with peers and seek guidance for your CRISC exam.
According to Payscale, CRISC-certified professionals earn an average annual base salary of $145,000 [6]. The certification is typically chosen by enterprise risk managers, information security auditors, information security analysts, compliance officers, chief information security officers (CISOs), and various other IT or cybersecurity professionals.
To maintain your CRISC certification, you need to acquire at least 20 Continuing Professional Education (CPE) credits annually and a total of 120 CPEs over a three-year period [7].
You can earn your CPE credits in numerous ways, including but not limited to:
- Attending ISACA conferences (32 CPEs)
- Completing ISACA’s Training Week courses (32 CPEs)
- Attending ISACA webinars and virtual instructor-led training (36 CPEs per year)
- Completing on-demand learning courses (28 CPEs per course)
- Volunteering with ISACA (20 CPEs per year)
In addition to adhering to ISACA’s Code of Professional Ethics, you may also need to comply with the organization’s Annual CPE Audit if selected. The selection of auditees occurs randomly, regardless of the reported number or category of CPE. The annual maintenance fee for CRISC is $45 for members and $85 for nonmembers [7].
Your certification will have an “Active” status as long as you fulfill the maintenance requirements. It is possible to obtain a CRISC certification with a “Non-Practicing” status if you:
- Are unemployed or disabled
- Are contemplating or planning a return to work
- Have explicit permission from ISACA’s Certification Working Group
You may receive “Retired” status for CRISC if you are over 55 and retired or unable to work due to permanent disability [7].
Strengthen your security governance skills with the University of California, Irvine’s Introduction to Cybersecurity & Risk Management Specialization on Coursera. Intended for beginners, the three courses in this Specialization cover security governance, risk management, and personnel and third-party security. No prior experience is necessary to enroll. Upon completing the program, you will receive a shareable Professional Certificate from the university to include in your resume, CV, or LinkedIn profile.
1. Statista. “Leading risks to businesses in the United States from 2018 to 2024,” https://www.statista.com/statistics/422203/leading-business-risks-usa/. Accessed April 25, 2025.
2. ISACA. “ISACA Certification Exam Candidate Guide,” https://www.isaca.org/-/media/files/isacadp/project/isaca/certification/exam-candidate-guides/2024/exam-candidate-guide-2024.pdf. Accessed April 25, 2025.
3. ISACA. “What is the CRISC difference?” https://www.isaca.org/credentialing/crisc#register. Accessed April 25, 2025.
4. ISACA. “What is covered on the CRISC exam?” https://www.isaca.org/credentialing/crisc/crisc-exam-content-outline. Accessed April 25, 2025.
5. ISACA. “What is the CRISC difference?” https://www.isaca.org/credentialing/crisc. Accessed April 25, 2025.
6. Payscale. “Salary for Certification: ISACA Certified in Risk and Information Systems Control (ISACA CRISC),” https://www.payscale.com/research/US/Certification=ISACA_Certified_in_Risk_and_Information_Systems_Control_(ISACA_CRISC)/Salary. Accessed April 25, 2025.
7. ISACA. “How do I maintain my CRISC?” https://www.isaca.org/credentialing/crisc/maintain-crisc-certification. Accessed April 25, 2025.
Editorial Team