Certified in Risk and Information Systems Control (CRISC)
About CRISC
The Certified in Risk and Information Systems Control (CRISC) certification is globally recognized for IT professionals, project managers, and others who identify and manage risks through the development, implementation, and maintenance of information systems controls.
The topics included in the CRISC Common Body of Knowledge (CBK) ensure its relevancy across all disciplines in the field of risk management. Successful candidates are competent in the following four domains:
Governance
IT Risk Assessment
Risk Response and Reporting
Information Technology and Security
Exam Requirements
Candidates must have a minimum of three years cumulative paid work experience in IT risk management and information systems control. Substitutions for experience may be available for certain educational and other professional certifications.
A candidate who does not have the required experience to become a CRISC may become an Associate of ISACA by successfully passing the CRISC examination. The Associate of ISACA will then have six years to earn the required experience. More information about CRISC experience requirements and how to account for part-time work and internships can be found at www.isaca.org/certifications/crisc.
Accreditation
The CRISC certification is accredited by the American National Standards Institute (ANSI).
Job Task Analysis (JTA)
ISACA has an obligation to its membership to maintain the relevancy of the CRISC certification. Conducted at regular intervals, the Job Task Analysis (JTA) is a methodical and critical process for determining the tasks performed by risk management professionals working in the profession defined by CRISC. The results of the JTA are used to update the examination. This process ensures that candidates are tested on the topic areas relevant to the roles and responsibilities of today's practicing risk management professionals.
Examination Information
Length of exam: 4 hours
Number of items: 150
Item format: Multiple choice
Passing grade: 450 out of 800 points
Exam language availability: English, Spanish, Chinese, and Japanese
Testing center: Pearson VUE Testing Center
Domains
Domain 1: Governance
A—Organizational Governance
Organizational Strategy, Goals, and Objectives
Organizational Structure, Roles and Responsibilities
Organizational Culture
Policies and Standards
Business Processes
Organizational Assets
B—Risk Governance
Enterprise Risk Management and Risk Management Framework
Three Lines of Defense
Risk Profile
Risk Appetite and Risk Tolerance
Legal, Regulatory and Contractual Requirements
Professional Ethics of Risk Management
Domain 2: IT Risk Assessment
A—IT Risk Identification
Risk Events (e.g., contributing conditions, loss result)
Threat Modelling and Threat Landscape
Vulnerability and Control Deficiency Analysis (e.g., root cause analysis)
Risk Scenario Development
B—IT Risk Analysis and Evaluation
Risk Assessment Concepts, Standards and Frameworks
Risk Register
Risk Analysis Methodologies
Business Impact Analysis
Inherent and Residual Risk
Domain 3: Risk Response and Reporting
A—Risk Response
Risk Treatment / Risk Response Options
Risk and Control Ownership
Third-Party Risk Management
Issue, Finding and Exception Management
Management of Emerging Risk
B—Control Design and Implementation
Control Types, Standards and Frameworks
Control Design, Selection and Analysis
Control Implementation
Control Testing and Effectiveness Evaluation
C—Risk Monitoring and Reporting
Risk Treatment Plans
Data Collection, Aggregation, Analysis and Validation
Risk and Control Monitoring Techniques
Risk and Control Reporting Techniques (heatmap, scorecards, dashboards)
Key Performance Indicators
Key Risk Indicators (KRIs)
Key Control Indicators (KCIs)
Domain 4: Information Technology and Security
A—Information Technology Principles
Enterprise Architecture
IT Operations Management (e.g., change management, IT assets, problems, incidents)
Project Management
Disaster Recovery Management (DRM)
Data Lifecycle Management
System Development Life Cycle (SDLC)
Emerging Technologies
B—Information Security Principles
Information Security Concepts, Frameworks and Standards
Information Security Awareness Training
Business Continuity Management
Data Privacy and Data Protection Principles
Exam Preparation
Preparation for the CRISC exam can be intensive. ISACA provides a variety of resources including review manuals, online training, and interactive exam preparation resources. Candidates are encouraged to join study groups and participate in training sessions to enhance their preparation. Engaging in practical exercises and scenario-based questions is crucial for success on the exam. Additionally, using the WannaPractice platform can enhance your preparation with interactive practice questions and scenarios that are specifically tailored to the CRISC domains.