A Step-by-Step Guide on How to Get Certified in Risk and Information Systems Control


Certified in Risk and Information Systems Control (CRISC) is offered by ISACA. It is the only certification that prepares individuals to tackle the unique challenges of Information Technology and Enterprise Risk Management. This certification positions professionals to become strategic partners in the organization.

CRISC is also the only certification to be accredited by ANSI under ISO/IEC 170242:2012, General Requirements for Bodies Operating Certification Systems of Persons. This is a prestigious accreditation, and ISACA is a proud member of an exclusive club. In accordance with the standard, ISACA commits to conducting its certification activities impartially and to ensuring their objectivity.

CRISC certification indicates that a professional is an expert in identifying and managing IT risk across the enterprise. It also indicates professional skill in implementing and maintaining the requirements for information systems controls. Given its elevated status, obtaining this certification is a great boost for a career.

Is This Certification Right for You?

This certification has some prerequisites. It is for professionals who have experience in managing enterprise risk solutions and implementing information risk system controls. This certification is suitable for:

  • IT professionals
  • Risk professionals
  • Control professionals
  • Business analysts
  • Project managers
  • Compliance professionals

What are the Eligibility Criteria for CRISC Certification?

There are no academic components in the CRISC certification requirements. However, an individual aspiring to complete this course needs to have at least 3 years of work experience in a related field. ISACA defines four CRISC domains on which the examination content is based. They are:

  • Domain One – IT Risk Identification (27%)
  • Domain Two – IT Risk Assessment (28%)
  • Domain Three – Risk Response and Mitigation (23%)
  • Domain Four – Risk and Control Monitoring and Reporting (22%)

To be eligible for the exam, you need to have work experience in at least two of the four domains on which the exam is conducted. Of those two, at least one must be Domain One or Domain Two.

What is the Certification Process for CRISC?

The certification process for the Certified in Risk and Information Systems Control course is fairly simple. The exam itself consists of about 200 questions. The time period given for the exam is 4 hours. That means a candidate must answer 200 questions within the stipulated time period of 4 hours. The questions follow a multiple-choice and multiple-answer pattern.

ISACA uses a system called scaled scores. This means that the raw score a candidate obtains is converted to a common scale. This scale varies between 200 and 800. The minimum passing scaled score is 450. A score of 800 would mean that a candidate has a perfect grasp of the subject matter covered by this exam.

The results are mailed to the candidates within 8 working days of the exam. Apart from the exam itself, candidates must prove their work experience. There are two ways to do this: before attempting the exam and after writing the exam. If a candidate wants to show work experience before attempting the exam, then that experience must have been obtained within the 10 years prior to the date of the exam. Each such experience must be validated with the employer.

ISACA also encourages candidates to obtain relevant work experience after writing the exam. In that case, candidates have 5 years to apply for certification. If, for any reason, the candidate is unable to get the relevant experience within that time, then they have to write the exam again from the start.

What is the Cost of the Certification?

The cost of obtaining this certification depends on whether or not you are a member of ISACA. Registering early will save you about $50 in exam fees: early registration costs $415 for members and $545 for non-members. The final registration fee is $465 for members and $595 for non-members. If you fail the exam, you need to reapply and pay the fee again. Individuals can take the exam up to 4 times in a rolling year. A rolling year is a period of 365 days from the date of initial application. That means an individual can take 3 more attempts after the first one. Each of those attempts is chargeable.

How Long Does a Certification Last?

There is no set time period for which the certification is valid. However, you need to keep renewing it every 3 years, and this renewal is not just a matter of paying a fee. It is based on the Continuing Professional Education (CPE) program. The goal of this program is to ensure that all qualified professionals stay abreast of current changes and maintain their knowledge and proficiency in the fields of information security, audit, and control.

Under this program, a professional must complete 20 credit hours of CPE in the year they were certified. After that, they must show 120 contact hours of CPE at the end of the 3-year period. Once they meet the criteria, they are eligible for renewal of their certification after paying a fee.

Salary and Job Opportunities

The annual average CRISC salary in the United States is $107,399, according to ZipRecruiter(1). You can find CRISC job opportunities in roles such as security risk strategist, IT security analyst(2), information security analyst, IT audit risk supervisor, and technology risk analyst.

Online Resources for the Certification

There are several platforms that offer preparation courses for this certification. ISACA itself has several practice guides, study materials, question sets, and modules available for students preparing for the exam. Apart from that, websites like Udemy offer courses tailored to preparing for this certification.