This guide will examine the purpose and value of the CRISC certification, and we will explore this professional designation’s requirements, costs, and benefits. The information presented in this guide can help evaluate the value of obtaining a CRISC and determine if it is the most beneficial certification for a candidate’s career path.
Professional certifications add weight to your resume. Suppose a recruiter is considering two resumes. Both candidates have similar work experience and the same academic qualifications. Still, only one of the candidates has a certification in an area relevant to the job the recruiter is trying to fill. All other things being equal, having a professional certification will tip the scales in favor of the certificate holder.
A Certified in Risk and Information Systems Control (CRISC) certification validates your experience building a risk-management program founded on best practices for identifying, analyzing, evaluating, assessing, prioritizing, and responding to risks.
In this guide
- What is a CRISC certification?
- More about ISACA
- Exam requirements
- Certification cost
- Exam overview
- Salary outlook
What is a CRISC certification?
The Information Systems Audit and Control Association (ISACA), which now prefers to go only by its acronym to reflect the broad range of IT governance professionals they serve, offers the CRISC certification. ISACA created the CRISC certification to help security professionals demonstrate their proficiency and understanding of the effect of IT risk and how it pertains to their company.
Understanding risk is essential for work in the closely related cybersecurity and risk management fields. Organizations today face a tsunami of cyber vulnerabilities, and effective remediation processes must be based on how an exploit will affect the organization’s risk profile. The CRISC is unique because it is the only professional credential focused on enterprise IT risk management.
CRISC certification is ideal for mid-career individuals working in IT/IS audit, risk, and cybersecurity. ISACA estimates that over 30,000 CRISC-certified professionals are working in these fields today.
Holding a CRISC certification indicates that you have acquired the essential skills required for the following roles, among others:
- Risk Manager
- IT Security Specialist
- Senior Risk Analyst
- Compliance Auditor
- Security Analyst
- Risk Analyst
- Security Engineer
- Data Protection Officer
It demonstrates your skill and knowledge in applying governance best practices for continuous risk monitoring and reporting, which enhances business resilience and earns you increased credibility with peers, stakeholders, and regulators.
Earning a CRISC establishes that you have experience in managing IT risk and the design, implementation, monitoring, and maintenance of security and risk management controls. The ability to frame critical business decisions with respect to risk to the organization is in high demand across all business sectors.
More about ISACA
ISACA offers multiple professional certifications, including the CISA, CRISC, CISM, CGEIT, CSX-P, and CDPSE. Each of these certifications lends credibility to practitioners of various aspects of information systems.
Incorporated in 1969 by a group of people who identified a need for a centralized source of information and guidance in the then-new field of electronic data processing audits, ISACA today serves 145,000 members in 188 countries through more than 220 chapters. It is a resource for, and connects, 460,000 engaged information and cybersecurity professionals.
What are the CRISC exam requirements?
The examination is open to all individuals interested in risk and information systems control. To become certified, you must, however, apply for CRISC certification within five years of passing the exam.
The basic eligibility requirement for becoming a CRISC is three or more verifiable years of experience in IT risk management and information security control. Unlike some other certifications, CRISC offers no experience waivers or substitutions, such as a graduate degree in a related field.
If you feel ready to pass the exam, you are encouraged to take it and can work to meet the CRISC eligibility requirements during the five years following your successful exam.
Exam registration and payment are required before you can schedule and take an exam. You will forfeit your fees if you do not schedule and take the exam during your 12-month eligibility period. No eligibility deferrals or extensions are allowed.
How much does obtaining a CRISC certification cost?
Exam registration fees are based on the candidate’s ISACA membership status at registration. The price for ISACA members is $575.00 and $760.00 for non-members.
Additional training and exam preparation courses are optional, but classes are available for candidates who want additional training before they take the exam. However, compared to other professional security certifications, the additional costs for CRISC certification are modest.
ISACA offers a CRISC online review course to prepare candidates to pass the CRISC certification exam. The course covers all four CRISC domains, and each section corresponds directly to the CRISC job practice. The cost for this review course is $795 for ISACA members and $895 for non-members.
Periodically, ISACA offers virtual instructor-led CRISC exam prep training courses. The standard cost is $995 for members and $1195 for non-members. The early bird cost is $945 for members and $1145 for non-members.
Students can also purchase a CRISC Questions, Answers, and Explanations manual for $72, a review manual for $105, and a 12-month online subscription to a database of review questions for $399.
Independent third-party training centers also offer courses designed to prepare students for taking the CRISC exam. These have varying costs.
Deep dive into the CRISC exam
The CRISC exam is based on the latest work practices and knowledge needed for tackling real-world threats in today’s business landscape. The exam consists of 150 multiple-choice questions, and you will have up to 4 hours to complete the test.
The test covers four knowledge domains:
Domain 1 — Governance (26 percent)
Domain 2 — IT Risk Assessment (20 percent)
Domain 3 — Risk Response and Reporting (32 percent)
Domain 4 — Information Technology and Security (22 percent)
The exam is available in Chinese, English, and Spanish.
All ISACA certification exams are computer-based and administered at authorized testing centers. You can register at any time and have one year to complete the exams after registering.
At the testing center, you will be able to view your preliminary passing status on-screen immediately following the completion of your exam. Your official score will be available online and emailed within ten business days. When you are successful, you will receive details on how to apply for certification.
Exam scores are scaled. A scaled score is a conversion of a candidate’s raw score on an exam to a common scale. The purpose of a scaled score is to guarantee that a standard way of reporting outcomes is used across the various exam versions so that different versions are comparable and fair. ISACA uses and reports scores on a scale from 200 to 800.
You must receive a score of 450 or higher to pass the exam, which represents the minimum standard of knowledge.
You will have four attempts to pass the exam within a rolling twelve-month period. If you do not pass on your first attempt, you are allowed to retake the exam three more times within twelve months from the date of your first attempt. Please note that you must pay the registration fee for each exam attempt.
Passing the exam is your first step toward certification. To become certified, you must pay a $50 application fee and submit your application within five years of your exam date. ISACA will verify your work experience at that time.
The specific work experience requirements are a minimum of three years of cumulative work experience performing the tasks of a CRISC professional across at least two of the four CRISC domains. Of these two required domains, one must be in either Domain 1 or 2. You must earn the work experience within the ten years preceding the application date for certification.
You must adhere to the Code of Professional Ethics and the Continuing Professional Education (CPE) Program.
The CRISC CPE policy requires that you attain and report a minimum of one hundred and twenty CPE hours for a three-year reporting period and attain and report an annual minimum of twenty CPE hours. These hours must be appropriate to advancing your knowledge or ability to perform CRISC-related tasks. The use of these hours towards meeting the CPE requirements for multiple ISACA certifications is permissible when the professional activity applies to satisfying the job-related knowledge of each certification.
CRISC salary information
The average salary for CRISC holders will vary because the certification applies to many security roles across numerous organizational types. Obtaining this certification will qualify a candidate for advancement to higher-paying positions or entitle them to additional pay in their current role.
ISACA states that the average CRISC certification holder earns over $151,000 per year.
As a security professional’s career develops, they should consider additional professional certifications. With the high demand for experienced cybersecurity professionals in the market today, obtaining a CRISC will open doors to mid-level positions.
According to the job site Indeed, the average salary for cybersecurity professionals in roles that often require or compensate for CRISC certification is as follows:
- Risk Manager – $88,770
- Security Engineer – $109,118
- Senior Risk Analyst – $93,595
- Security Analyst – $85,269
- Risk Analyst – $81,902
The Bureau of Labor Statistics indicates that the median pay for Information Security Analysts (a job that commonly prefers a CRISC) is $102,600. The BLS expects the outlook to grow 33 percent from 2020 to 2030. This anticipated increase is much faster than the average rate of job growth.
ISACA certifications are accepted and recognized worldwide. They combine the achievement of passing an exam with credit for your work and educational experience. The CRISC will give you the credibility you need to move ahead in your career, either with your current employer or in a new job.
The CRISC proves to employers that you have what it takes to add value to their enterprise by creating a risk-management program founded on best practices for identifying, analyzing, evaluating, assessing, prioritizing, and responding to risks. The demand for professionals with the skills and abilities signified by attaining a CRISC is rapidly growing, and certified risk professionals are highly sought after globally.