Risk and Information Systems Control (CRISC) Certification

Certified in Risk and Information Systems Control (CRISC)

CRISC is an acronym for Certified in Risk and Information Systems Control. The ISACA website defines CRISC as “the most current and rigorous assessment available to evaluate the risk management proficiency of IT professionals and other employees within an enterprise or financial institute.’’

Prerequisite for the exam

• An applicant must, first of all, have a minimum of three years of work experience in IT risk and information systems (IS) control.

• He or she must have worked in two of the areas covered by the CRISC domains to include one between Risk Identification and Risk Assessment

Exam Structure

• Domain 1: IT Risk Identification (27%)

Candidates must identify how specific IT risk contributes to the execution of the IT risk management strategy, which is in support of business objectives and in alignment with what the enterprise risk management (ERM) strategy is.

• Domain 2: IT Risk Assessment (28%)

Candidates must analyze and evaluate IT risk to determine the likelihood and impact on business objectives to enable risk-based decision making.

• Domain 3: Risk Response and Mitigation (23%)

Determine risk response options and evaluate their efficiency and effectiveness to manage risk in a way that is in alignment with business objectives.

• Domain 4: Risk and Control Monitoring and Reporting (22%)

Continuously monitor and report on IT risk and controls to relevant stakeholders to ensure the continued efficiency and effectiveness of the IT risk management strategy and its alignment to business objectives.

Exam Format and Information

Exam Name Certified in Risk and Information Systems Control (CRISC)

Exam Code 0
Exam Duration 4 hours
Exam Format Multiple Choice
Exam type 0
Number of Questions 150 Questions
Eligibility/Prerequisite 0
Exam Fee 0
Exam Language English, Spanish, Chinese simplified
Pass Score 450