ISACA Certification

CRISC

Certified in Risk and Information Systems Control

ISACA | 4 domains · 61 modules | Ready

This track is built to help you understand how ISACA frames risk — so you can think through scenarios the way the exam expects, not just recall definitions.

Exam Details

Detail CRISC
Format 150 multiple-choice questions
Time 4 hours
Cost $575 USD (ISACA member) / $760 USD (non-member)
Passing Score 450 out of 800
Experience 3 years in IT risk management and IS control, with at least 1 year in Domain 1 or 2
Renewal 20 CPE hours/year, annual fee $45 (member) / $85 (non-member)

What You'll Learn

  • Understand how ISACA frames risk across governance, assessment, response, and monitoring
  • Build decision frameworks for approaching IT risk scenarios under uncertainty
  • Practice scenario-based questions that mirror ISACA's exam style
  • Develop structured readiness self-assessments to know when you're exam-ready
Let's Get Started →
Domain 1 — Governance

Organizational business and IT environments, strategy, goals and objectives, and the potential or realized impacts of IT risk to business objectives and operations.

Module A — Organizational Governance

  1. 1 Organizational Strategy, Goals, and Objectives
  2. 2 Organizational Structure, Roles and Responsibilities
  3. 3 Organizational Culture
  4. 4 Policies and Standards
  5. 5 Business Processes
  6. 6 Organizational Assets
  7. Section A Review: Organizational Governance

Module B — Risk Governance

  1. 7 Enterprise Risk Management and Risk Management Framework
  2. 8 Three Lines of Defense
  3. 9 Risk Profile
  4. 10 Risk Appetite and Risk Tolerance
  5. 11 Legal, Regulatory and Contractual Requirements
  6. 12 Professional Ethics of Risk Management
  7. Section B Review: Risk Governance

Domain 1 Review

  1. Capstone Review: GOVERNANCE
Domain 2 — Risk Assessment

Threats and vulnerabilities to the organization's people, processes and technology, as well as the likelihood and impact of threats, vulnerabilities and risk scenarios.

Module A — IT Risk Identification

  1. 13 Risk Events
  2. 14 Threat Modelling and Threat Landscape
  3. 15 Vulnerability and Control Deficiency Analysis
  4. 16 Risk Scenario Development
  5. Section A Review: IT Risk Identification

Module B — IT Risk Analysis and Evaluation

  1. 17 Risk Assessment Concepts, Standards and Frameworks
  2. 18 Risk Register
  3. 19 Risk Analysis Methodologies
  4. 20 Business Impact Analysis
  5. 21 Inherent and Residual Risk
  6. Section B Review: IT Risk Analysis & Evaluation

Domain 2 Review

  1. Capstone Review: RISK ASSESSMENT
Domain 3 — Risk Response and Reporting

Development and management of risk treatment plans, evaluation of existing controls for IT risk mitigation, and assessment of relevant risk and control information to applicable stakeholders.

Module A — Risk Response

  1. 22 Risk Treatment / Risk Response Options
  2. 23 Risk and Control Ownership
  3. 24 Third-Party Risk Management
  4. 25 Issue, Finding and Exception Management
  5. 26 Management of Emerging Risk
  6. Section A Review: Risk Response

Module B — Control Design and Implementation

  1. 27 Control Types, Standards and Frameworks
  2. 28 Control Design, Selection and Analysis
  3. 29 Control Implementation
  4. 30 Control Testing and Effectiveness Evaluation
  5. Section B Review: Control Design & Implementation

Module C — Risk Monitoring and Reporting

  1. 31 Risk Treatment Plans
  2. 32 Data Collection, Aggregation, Analysis and Validation
  3. 33 Risk and Control Monitoring Techniques
  4. 34 Risk and Control Reporting Techniques
  5. 35 Key Performance Indicators
  6. 36 Key Risk Indicators (KRIs)
  7. 37 Key Control Indicators (KCIs)
  8. Section C Review: Risk Monitoring & Reporting

Domain 3 Review

  1. Capstone Review: RISK RESPONSE AND REPORTING
Domain 4 — Technology and Security

Alignment of business practices with risk management and information security frameworks and standards, risk-aware culture, and security awareness training.

Module A — Information Technology Principles

  1. 38 Enterprise Architecture
  2. 39 IT Operations Management
  3. 40 Project Management
  4. 41 Disaster Recovery Management (DRM)
  5. 42 Data Lifecycle Management
  6. 43 System Development Life Cycle (SDLC)
  7. 44 Emerging Technologies
  8. Section A Review: Information Technology Principles

Module B — Information Security Principles

  1. 45 Information Security Concepts, Frameworks and Standards
  2. 46 Information Security Awareness Training
  3. 47 Business Continuity Management
  4. 48 Data Privacy and Data Protection Principles
  5. Section B Review: Information Security Principles

Domain 4 Review

  1. Capstone Review: TECHNOLOGY AND SECURITY

Career Benefits

  • Average salary: $107,000–$151,000 (varies by region and experience)
  • Recognized as the premier IT risk management certification worldwide
  • DoD 8570.01-M / 8140 compliance for IAM Level II/III
  • Required or preferred for IT Risk Manager, Risk Analyst, GRC Analyst roles

How It Compares

CRISC focuses specifically on IT risk management and control, while CISM covers broader security management including governance, programs, and incident response. If you work in risk management or GRC, CRISC is likely your best fit. If your role is more security program leadership, consider CISM. See the full comparison →

Head-to-head comparisons: CRISC vs CISM · CRISC vs CISSP · Security+ vs CRISC