In this guide
- What is a CRISC certification?
- More about ISACA
- Exam requirements
- Certification cost
- Exam overview
- Certification renewal
This guide will examine the purpose and value of the CRISC certification, and we will explore this professional designation’s requirements, costs, and benefits.
The information presented here can help you evaluate the value of obtaining a CRISC and decide whether it is the most beneficial certification for your career path.
Professional certifications add weight to your resume. Suppose a recruiter is considering two resumes. Both candidates have similar work experience and the same academic qualifications.
Still, only one of the candidates has a certification in an area relevant to the job the recruiter is trying to fill. All other things being equal, having a professional certification will tip the scales in favor of the certificate holder.
A Certified in Risk and Information Systems Control (CRISC) certification validates your experience building a risk-management program founded on best practices for identifying, analyzing, evaluating, assessing, prioritizing, and responding to risks.
What is a CRISC certification?
The Information Systems Audit and Control Association (ISACA), which now prefers to go only by its acronym to reflect the broad range of IT governance professionals it serves, offers the CRISC certification.
ISACA created the CRISC certification to help security professionals demonstrate their proficiency and understanding of the effect of IT risk and how it pertains to their company.
Understanding risk is essential for work in the closely related cybersecurity and risk management fields.
Organizations today face a flood of vulnerabilities, and remediation has to be prioritized by how the exploitation of a given weakness would affect the organization's risk profile, not simply by raw vulnerability counts.
ISACA positions the CRISC as the only professional credential focused specifically on enterprise IT risk management.
CRISC certification is ideal for mid-career individuals working in IT/IS audit, risk, and cybersecurity. ISACA estimates that over 30,000 CRISC-certified professionals are working in these fields today.
Holding a CRISC certification indicates that you have the essential skills for roles such as the following:
- Risk Manager
- IT Security Specialist
- Senior Risk Analyst
- Compliance Auditor
- Security Analyst
- Risk Analyst
- Security Engineer
- Data Protection Officer
It demonstrates your ability to apply governance best practices for continuous risk monitoring and reporting, which strengthens business resilience and increases your credibility with peers, stakeholders, and regulators.
Earning a CRISC establishes that you have experience in managing IT risk and the design, implementation, monitoring, and maintenance of security and risk management controls.
The ability to frame critical business decisions concerning risk to the organization is in high demand across all business sectors.
More about ISACA
ISACA offers multiple professional certifications, including the CISA, CRISC, CISM, CGEIT, CSX-P, and CDPSE. Each of these certifications validates practitioners in a different aspect of information systems audit, governance, security, risk, and privacy.
Incorporated in 1969 by a group of people who identified a need for a centralized source of information and guidance in the then-new field of electronic data processing audits, ISACA today serves 145,000 members in 188 countries and more than 220 chapters.
Beyond its membership, ISACA serves as a resource for, and connects, a wider community of 460,000 engaged information and cybersecurity professionals.
What are the CRISC exam requirements?
The examination is open to all individuals interested in risk and information systems control. To become certified, you must, however, apply for CRISC certification within five years of passing the exam.
The basic eligibility requirement for becoming a CRISC is three or more years of verifiable work experience performing the tasks of a CRISC professional in IT risk management and information systems control.
Unlike some other certifications, the CRISC offers no experience waivers or substitutions, such as credit for a graduate degree in a related field.
If you feel ready to pass the exam, you are encouraged to take it; you can then work to meet the experience requirement during the five years following your successful exam.
Exam registration and payment are required before you can schedule and sit the exam.
You will forfeit your fees if you do not schedule and take the exam during your 12-month eligibility period. No eligibility deferrals or extensions are allowed.
How much does obtaining a CRISC certification cost?
Exam registration fees are based on the candidate's ISACA membership status at the time of registration. The price is $575 for ISACA members and $760 for non-members.
Training and exam preparation courses are optional, but ISACA offers them for candidates who want structured preparation before they sit the exam.
ISACA offers a CRISC online review course to prepare candidates to pass the CRISC certification exam. The course covers all four CRISC domains, and each section corresponds directly to the CRISC job practice.
| Preparation resource | ISACA Member Price | Non-Member Price |
| --- | --- | --- |
| Online Review Course | $795 | $895 |
| Virtual Instructor-Led Training | $995 | $1,195 |
| CRISC Review Manual | $105 | $135 |
| Questions, Answers & Explanations Database (12-Month) | $399 | $499 |
Deep dive into the CRISC exam
The CRISC (Certified in Risk and Information Systems Control) exam evaluates professionals on current practices for identifying and managing IT and business risk. It consists of 150 multiple-choice questions to be completed within 4 hours.
The test covers four knowledge domains:
- Domain 1 — Governance (26 percent)
- Domain 2 — IT Risk Assessment (20 percent)
- Domain 3 — Risk Response and Reporting (32 percent)
- Domain 4 — Information Technology and Security (22 percent)
The exam is available in Chinese, English, and Spanish.
All ISACA exams are computer-based and can be taken at authorized testing centers. A preliminary result is shown immediately after completion, with the official score released within 10 business days. Scaled scores range from 200 to 800, and a 450 is required to pass.
Candidates may attempt the exam up to four times in a 12-month period. After passing, applicants must submit a certification application, with a $50 application fee, within five years, including proof of three years of relevant work experience across at least two of the four domains, one of which must be Domain 1 or Domain 2.
To maintain certification, holders must follow ISACA’s Code of Professional Ethics and earn 120 Continuing Professional Education (CPE) hours every three years (minimum of 20 per year) to ensure ongoing professional growth.
Certification Maintenance / Renewal
Holding the CRISC credential is not "one and done"; there is an ongoing maintenance requirement:
- Continuing Professional Education (CPE)
  - You must earn and report at least 20 CPE hours per year.
  - Over each 3-year cycle, you must accumulate at least 120 CPE hours.
  - Activities must be relevant to the CRISC domains (risk, controls, governance, and so on) and comply with ISACA's CPE policy.
  - On-the-job hours are generally not accepted unless they clearly fall under an approved professional education activity.
- Annual maintenance fee
  - US $45 for ISACA members, US $85 for non-members.
  - Once you hold more than two ISACA certifications, the renewal fee for the third (and any subsequent) certification is reduced to $25 for members and $50 for non-members.
  - The fee is due annually by January 1 to renew the credential for that calendar year.
- CPE audit
  - ISACA audits a sample of reported CPE hours each year, so keep supporting documentation (certificates, attendance records) for every activity you report.
- Ethics and compliance
  - You must adhere to ISACA's Code of Professional Ethics.
  - If your certification is revoked for non-compliance, you may appeal. If the appeal is approved, you must pay any outstanding fees plus a US $50 reinstatement fee per certification.
  - If the appeal fails, you may need to retake the exam to requalify.
If you do not meet these maintenance requirements, your CRISC designation can be revoked.
CRISC salary information
The average salary for CRISC holders varies widely because the certification applies to many security roles across numerous types of organizations.
Obtaining this certification can qualify a candidate for advancement to higher-paying positions or justify additional pay in their current role.
ISACA states that the average CRISC certification holder earns over $151,000 per year.
As a security professional’s career develops, they should consider additional professional certifications.
With the high demand for experienced cybersecurity professionals in today's market, obtaining a CRISC can open doors to mid-level and senior risk positions.
According to the job site Indeed, the average salary for cybersecurity professionals in roles that often require or compensate for CRISC certification is as follows:
The Bureau of Labor Statistics reports that the median pay for Information Security Analysts (a role that often lists a CRISC among its preferred certifications) is $124,910 per year.
The BLS expects the outlook to grow 29 percent from 2024 to 2034. This anticipated increase is much faster than the average rate of job growth.
Conclusion
Earning the CRISC certification requires more than technical knowledge; it demands a solid understanding of governance frameworks, risk management principles, and how to align risk decisions with business objectives.
Since ISACA regularly updates the exam domains, staying current with the latest materials is essential. Candidates should dedicate at least 3–6 months of preparation and use diverse study resources, such as official review manuals, practice tests, and group discussions.
After certification, maintaining accurate CPE records and planning renewal timelines are crucial to remain in good standing. Lastly, ISACA membership can be a worthwhile investment, offering reduced fees and access to valuable learning resources for ongoing professional growth.
Sources
- Information Security Analysts, Occupational Outlook Handbook | Bureau of Labor Statistics, accessed Oct 2025
- CRISC certification and ISACA certifications overview | ISACA, accessed Oct 2025
- Salary information | Indeed, accessed Oct 2025