Certified in Risk and Information Systems Control (CRISC)

Why should you attend?

Become a CRISC and defend, protect and future-proof your enterprise.

CRISC is the only certification that prepares and enables IT professionals for the unique challenges of  IT and enterprise risk management, and positions them to become strategic partners to the enterprise.

CRISC is the most current and rigorous assessment available to evaluate the risk management proficiency of IT professionals and other employees within an enterprise or financial institute.

Those who earn CRISC help enterprises to understand business risk, and have the technical knowledge to implement appropriate IS controls.

Benefits of CRISC

  • Denotes a prestigious, lifelong symbol of knowledge and expertise as a risk professional
  • Increases your value to your organization as it seeks to manage IT risk
  • Gives you a competitive advantage over peers when seeking job growth
  • Gives you access to ISACA’s global community of knowledge and the most up-to-date thinking on IT risk management
  • Helps you achieve a high professional standard through ISACA’s requirements for continuing education and ethical conduct

CRISCs bring additional professionalism to any organization by demonstrating a quantifiable standard of knowledge, pursuing continuing education, and adhering to a standard of ethical conduct established by ISACA.

CRISC employees:

  • Build greater understanding about the impact of IT risk and how it relates to the overall organization
  • Assure development of more effective plans to mitigate risk
  • Establish a common perspective and language about IT risk that can set the standard for the enterprise


The job practice domains and task and knowledge statements are as follows:

Domain 1 – IT Risk Identification (27%)

Domain 2 – IT Risk Assessment (28%)

Domain 3 - Risk Response and Mitigation (23%)

Domain 4 - Risk and Control Monitoring and Reporting (22%)

Learning Objectives

Knowledge of:

  1. laws, regulations, standards and compliance requirements
  2. industry trends and emerging technologies
  3. enterprise systems architecture (e.g., platforms, networks, applications, databases and operating systems)
  4. business goals and objectives
  5. contractual requirements with customers and third-party service providers
  6. threats and vulnerabilities related to:
    1. 6.1. business processes and initiatives
    2. 6.2. third-party management
    3. 6.3. data management
    4. 6.4. hardware, software and appliances
    5. 6.5. the system development life cycle (SDLC)
    6. 6.6. project and program management
    7. 6.7. business continuity and disaster recovery management (DRM)
    8. 6.8. management of IT operations
    9. 6.9. emerging technologies
  7. methods to identify risk
  8. risk scenario development tools and techniques
  9. risk identification and classification standards, and frameworks
  10. risk events/incident concepts (e.g., contributing conditions, lessons learned, loss result)
  11. elements of a risk register
  12. risk appetite and tolerance
  13. risk analysis methodologies (quantitative and qualitative)
  14. organizational structures
  15. organizational culture, ethics and behavior
  16. organizational assets (e.g., people, technology, data, trademarks, intellectual property) and business processes, including enterprise risk management (ERM)
  17. organizational policies and standards
  18. business process review tools and techniques
  19. analysis techniques (e.g., root cause, gap, cost-benefit, return on investment [ROI])
  20. capability assessment models and improvement techniques and strategies
  21. data analysis, validation and aggregation techniques (e.g., trend analysis, modeling)
  22. data collection and extraction tools and techniques
  23. principles of risk and control ownership
  24. characteristics of inherent and residual risk
  25. exception management practices
  26. risk assessment standards, frameworks and techniques
  27. risk response options (i.e., accept, mitigate, avoid, transfer) and criteria for selection
  28. information security concepts and principles, including confidentiality, integrity and availability of information
  29. systems control design and implementation, including testing methodologies and practices
  30. the impact of emerging technologies on design and implementation of controls
  31. requirements, principles, and practices for educating and training on risk and control activities
  32. key risk indicators (KRIs)
  33. risk monitoring standards and frameworks
  34. risk monitoring tools and techniques
  35. risk reporting tools and techniques
  36. IT risk management best practices
  37. key performance indicator (KPIs)
  38. control types, standards, and frameworks
  39. control monitoring and reporting tools and techniques
  40. control assessment types (e.g., self-assessments, audits, vulnerability assessments, penetration tests, third-party assurance)
  41. control activities, objectives, practices and metrics related to:
    1. 41.1. business processes
    2. 41.2. information security, including technology certification and accreditation practices
    3. 41.3. third-party management, including service delivery
    4. 41.4. data management
    5. 41.5. the system development life cycle (SDLC)
    6. 41.6. project and program management
    7. 41.7. business continuity and disaster recovery management (DRM)
    8. 41.8. IT operations management
    9. 41.9. the information systems architecture (e.g., platforms, networks, applications, databases and operating systems)

General Information

A CRISC job practice analysis has been completed, resulting in a new CRISC job practice which reflects the vital and evolving responsibilities of IT risk and IS control practitioners. A job practice serves as the basis for the exam and the requirements to earn the certification. This new job practice consists of task and knowledge statements representing the work performed in IT risk identification, assessment, response, mitigation and monitoring. These statements and domains are the result of extensive research, feedback, and validation from IT risk and control subject matter experts and prominent industry leaders from around the globe.

The below job practice is organized by domains that will be tested for the first time on the June 2015 CRISC exam. The major change to the CRISC job practice is the combining of IT risk and control tasks within the domains which resulted in a decrease from five (5) to four (4) domains. Starting in June 2015, the CRISC exam will contain 150 questions testing the new job practice.

The requirements for CRISC Certification are:

Certification is granted initially to individuals who have successfully completed the CRISC exam and meet the following work experience requirements in the fields of risk management and IS control. A minimum of at least three (3) years of cumulative work experience performing the tasks of a CRISC professional across at least three (3) CRISC domains is required for certification. There are no substitutions or experience waivers. Once a CRISC candidate has passed the CRISC certification exam and has met the work experience requirements, the final step is to complete and submit the CRISC Application for Certification. Experience must have been gained within the 10-year period preceding the application date for certification or within five years from the date of initially passing the examination. Retaking and passing the examination will be required if the application for certification is not submitted within five years from the passing date of the examination. All experience must be verified independently with employers.

How do I get started with CRISC Training?

If you are willing to take the challenge and obtain a CRISC certification, our experts will ensure a valuable experience, whereby your needs will be met and you will become part of our global network.

Contact us to begin with the first step.

Signup to our Newsletter!

You will always be updated on news and courses of our company