Certified in Risk & Information Systems Control (CRISC) Exam Overview [updated 2022]
In today's fast-paced business world and rapidly evolving technology, many companies pay more attention to risk management. They rely on professionals who can implement effective measures and control frameworks aligned with business objectives. As the State of Enterprise Risk Management 2020 report shows, the current landscape is quite complex, with the increasing use of cloud, IoT and AI technologies driving a substantial increase in risk. The professionals surveyed in State of ERM 2020 identified information and cybersecurity as the most critical risk category for their company, with a much higher significance than reputational and even financial risk.
Employing the right professionals to identify and mitigate this risk is a must. Fortunately, the Information Systems Audit and Control Association (ISACA) has met the demand of enterprises by producing the CRISC certification program to validate the knowledge and skills of subject matter experts. ISACA's credential certifies professionals who are asked to identify, analyze, evaluate, assess, prioritize and respond to information systems and technology risks.
What is the goal of the CRISC exam?
The CRISC designation is a great option for practitioners involved in IT risk management (ITRM) who develop, implement and maintain appropriate information systems (IS) controls and mitigate threats using governance best practices and continuous risk monitoring and reporting. Most candidates are mid-career security professionals tasked with IT/IS audits who want to build upon their existing knowledge and experience in identifying, evaluating and prioritizing risks in real-world situations.
CRISC-certified professionals can prove their skills and know-how. They can ensure the enterprise's up-to-date knowledge of the current risk landscape and mitigation tools and techniques. They can proactively offer solutions to help implement appropriate controls before issues occur.
CRISC domains
The CRISC certification has four domains:
- Governance (26%)
- IT Risk Assessment (20%)
- Risk Response and Reporting (32%)
- Information Technology and Security (22%)
The exam was refreshed on August 1, 2021, and now focuses more on business continuity, resiliency, corporate governance and data privacy and protection.
Eligibility requirements
CRISC certification requires candidates to have a minimum of three years of work experience in IT risk management and IS control. There are no experience waivers or substitutions.
Exam questions, time and language
The CRISC exam includes 150 multiple-choice questions and must be completed in four hours. It is offered in three languages: Chinese Simplified, English and Spanish.
Applicants are challenged with a computer-based exam and need to achieve a score of 450 on a common scale of 200-800. For ISACA, that score represents the minimum consistent standard of knowledge.
The CRISC exam is administered and proctored by PSI's testing centers, located in all 50 states and in 120 countries worldwide. Exam takers have the option to sit the test in a computer-lab setting while being monitored by an onsite proctor; otherwise, a remote testing option is now available, with examinees monitored by a proctor via video.
Fees and additional costs
The fee structure is different for ISACA's members and non-members:
- ISACA Member: $575
- ISACA Nonmember: $760
Exam registration fees are non-refundable and non-transferrable.
When they are ready to apply for certification after passing the test, candidates will also need to pay an application processing fee of $50 for members and non-members.
Exam registration
Registration to the CRISC exam can only be accomplished through an online procedure. Candidates will need to register and pay a non-refundable and non-transferable fee before becoming eligible to apply for their exam.
ISACA exams are now administered all year round in what is known as Continuous Testing; this means candidates may register for the CRISC test whenever they are ready to sit for the examination within their 365-day window.
Here's how to register for the CRISC exam:
- First, log in to your profile or create a new profile at www.isaca.org/login.
- Once logged in, select the CRISC certification.
- Scroll down to the "Register for the Exam" section, click the "Register Now" button and complete the registration form.
- Once completed, go ahead and add to cart and checkout to complete your registration.
- You will have the option to select "Pay Later" and enter the email address to which you wish the invoice sent. After you have completed the payment for the exam, allow 24 hours before scheduling your exam.
Scheduling an exam date
After candidates register for the exam, they'll receive an email that allows them to schedule it when they prefer, before the end of their 365-day eligibility period. They can look for the closest PSI test center or choose a remote proctoring option. The scheduling platform for PSI (ISACA's exam administrator) allows them to schedule as far as 90 days out from the current date.
Follow these steps to schedule an exam date:
- First, log in to your ISACA profile at www.isaca.org/MyISACA and click on the "Certifications & CPE Management" tab. Scroll down until you find the exam that you registered for.
- Select "Schedule Exam."
- Select your delivery mode: in-person test center or online remote proctored. Click continue.
- Select the correct exam language from the drop-down menu.
- Enter your preferred country, city, or postal code and month. Click "Search Exam Center."
- Click your preferred exam location from the search results to view the available dates and times.
- Select the date and time of your choice.
- Scroll down and click continue.
- Review your schedule details. If everything is correct, click continue. You will then see a pop-up box stating your exam was successfully booked.
Rescheduling and deferrals
Extensions and deferrals are no longer available, given the extended 365-day testing window. However, if you have a scheduled exam time that you cannot attend, you may reschedule for no fee at least 48 hours before the new scheduled exam date and time. A scheduled exam cannot be rescheduled or canceled within 48 hours from the scheduled time. Registration charges will be forfeited if you do not reschedule your exam before this deadline.
Note: if you cannot take an exam during the 365-day eligibility period, you will forfeit your exam fees.
Exam scores and retakes
Preliminary results (pass or not pass) are shown on the candidate's screen immediately following the completion of the exam. The official score is available within 10 business days from the exam date.
Exam results are provided in two ways:
- Email notification (encrypted): sent to the email address listed on your profile
- Online results: available on your ISACA profile
  - Log in to your account at www.isaca.org/myisaca
  - Select the Certifications and CPE Management tab
  - Scroll down to the Exam Summary section
  - Click Print Results Letter to view a printable version of your exam results
If you score less than 450 on your exam and fail, you can retake the exam. This requires registration, payment and scheduling of another exam appointment. Individuals can take an exam four times in a rolling year. After taking and not passing the exam (attempt 1):
- Retake 1 (attempt 2): Customers must wait 30 days from the date of the first attempt
- Retake 2 (attempt 3): Customers must wait 90 days after the date of the second attempt
- Retake 3 (attempt 4): Customers must wait 90 days after the date of the third attempt
How applicants become fully certified
Successful candidates who pass the exam can apply for certification. The application for certification must be submitted within five years from the date the test was passed. If you fail to do so, you must retake and pass it.
Studying for the certification
Candidates have the option to obtain ISACA's material, which covers all topics featured in the exam content outline containing the four work-related domains. In addition, accredited training partners and several reputable online training institutions provide updated materials that can fit any professional's learning needs.
The CRISC Review Manual 7th Edition, a reference guide focused on the four domains covered by the exam, and the ISACA Engage online community (CRISC Exam Prep), created for registrants, serve as additional resources to help candidates prepare for the examination.
Maintaining your certification
The CRISC Continuing Professional Education (CPE) policy requires certified holders to collect CPE hours over an annual and three-year period to maintain their certification. Requirements include:
- Completing at least 20 CPE hours annually and 120 CPE hours in three years; this requirement is to ensure all CRISCs maintain an adequate level of current knowledge and proficiency in the field
- Submitting the annual CPE maintenance fees to ISACA international headquarters
- Providing the required documentation of CPE activities if audited
- Adhering to ISACA's Code of Professional Ethics
- Paying the annual maintenance fee ($45 for members, $85 for non-members) to retain active status
Sources:
- CRISC, ISACA
- CRISC FAQ, ISACA
- State of ERM 2020, ISACA
- Get CRISC Certified, ISACA
- Engage Online Community, ISACA
- Store – Exam Prep: CRISC, ISACA
- Tips to Prepare for ISACA's CRISC Exam, ISACA
- ISACA Exam Candidate Information Guide, ISACA
- ISACA's CRISC Exam Updated to Reflect Latest Work Practices and Knowledge Used by Risk Practitioners, ISACA