Certified in Risk and Information Systems Control (CRISC)

The Certified in Risk and Information Systems Control® (CRISC®) certification, issued by ISACA, validates expertise in enterprise IT risk management. Taking a proactive, Agile-based approach, the course covers how to strengthen your organization's business resilience, deliver value to stakeholders, and optimize risk management across the enterprise.

  • Validate your ability to handle the challenges and responsibilities of a modern IT risk management practitioner. The CRISC exam covers four domains:
    • Governance
    • IT Risk Assessment
    • Risk Response and Reporting
    • Information Technology and Security

Certification requirement:

  • At least 3 years of relevant professional work experience in IT risk and information systems control

Who should attend:

  • Professionals preparing to become CRISC certified
  • Risk practitioners
  • Students or recent graduates

Course outline:

  • Domain 1: Governance
    • Organizational Governance
      • Organizational Strategy, Goals, and Objectives
      • Organizational Structure, Roles, and Responsibilities
      • Organizational Culture
      • Policies and Standards
      • Business Processes
      • Organizational Assets
    • Risk Governance
      • Enterprise Risk Management and Risk Management Framework
      • Three Lines of Defence
      • Risk Profile
      • Risk Appetite and Risk Tolerance
      • Legal, Regulatory, and Contractual Requirements
      • Professional Ethics of Risk Management
  • Domain 2: IT Risk Assessment
    • IT Risk Identification
      • Risk Events
      • Threat Modelling and Threat Landscape
      • Vulnerability and Control Deficiency Analysis
      • Risk Scenario Development
    • IT Risk Analysis and Evaluation
      • Risk Assessment Concepts, Standards, and Frameworks
      • Risk Register
      • Risk Analysis Methodologies
      • Business Impact Analysis
      • Inherent and Residual Risk
  • Domain 3: Risk Response and Reporting
    • Control Design and Implementation
      • Control Types, Standards, and Frameworks
      • Control Design, Selection, and Analysis
      • Control Implementation
      • Control Testing and Effectiveness Evaluation
    • Risk Monitoring and Reporting
      • Risk Treatment Plans
      • Data Collection, Aggregation, Analysis, and Validation
      • Risk and Control Monitoring Techniques
      • Risk and Control Reporting Techniques
      • Key Performance Indicators (KPIs)
      • Key Risk Indicators (KRIs)
      • Key Control Indicators (KCIs)
  • Domain 4: Information Technology and Security
    • Information Technology Principles
      • System Development Life Cycle (SDLC)
      • Emerging Technologies
      • Enterprise Architecture
      • IT Operations Management
      • Project Management
      • Disaster Recovery Management (DRM)
    • Information Security Principles
      • Data Privacy and Data Protection Principles
      • Information Security Concepts, Frameworks, and Standards
      • Information Security Awareness Training
      • Business Continuity Management

Exam details:

  • Length of exam: 4 hours
  • Number of questions: 150
  • Question format: multiple choice
  • Passing grade: 450 out of 800 points (scaled score)
  • Exam languages: English, Chinese Simplified, Spanish
  • Testing center: PSI Testing Center

CPE Information:

  • To maintain the CRISC, you must earn and report a minimum of 120 CPE hours over each 3-year reporting cycle.
  • Earn and report a minimum of 20 CPE hours each year. These hours must contribute to the currency or advancement of the CRISC holder's knowledge or ability to perform CRISC-related tasks.
  • Comply with the annual CPE audit if selected.
  • Comply with ISACA's Code of Professional Ethics.