How to become Certified in Risk and Information Systems Control

The Certified in Risk and Information Systems Control (CRISC) certification is one of the newer qualifications offered by ISACA. Launched in 2010, it is aimed at IT and business professionals who identify and manage risk as part of their roles.

Pronounced “see risk”, the certification’s content was developed with input from global subject matter experts and covers modules on risk identification, assessment and evaluation, risk response, monitoring and maintenance, and IS control design and implementation.

Once you are certified, CRISC should give you a better understanding of corporate risks and the knowledge to apply information systems controls.


As a first step to certification, a candidate must register for and pass the CRISC exam.

The content is grouped into five domains that cover:

  • Risk Identification, Assessment and Evaluation (31%) – Identify, assess and evaluate risk to enable the execution of the enterprise risk management strategy.
  • Risk Response (17%) – Develop and implement risk responses to ensure that risk factors and events are addressed in a cost-effective manner and in line with business objectives.
  • Risk Monitoring (17%) – Monitor risk and communicate information to the relevant stakeholders to ensure the continued effectiveness of the enterprise’s risk management strategy.
  • Information Systems Control, Design and Implementation (17%) – Design and implement information systems controls in alignment with the organisation’s risk appetite and tolerance levels to support business objectives.
  • IS Control, Monitoring and Maintenance (18%) – Monitor and maintain information systems controls to ensure that they function effectively and efficiently.

The exam consists of 200 multiple-choice questions based on the percentage split as outlined above.

Candidates are also required to confirm that they adhere to the Code of Professional Ethics and comply with the Continuing Education Policy in order to apply for the certification.

Work Experience

Once you have passed the exam, it is important to show that you have the necessary experience to put your new knowledge into practice.

As a general guide, at least three years of cumulative work experience is required which covers at least three of the domains featured in the CRISC exam. Unlike other ISACA qualifications there are no substitutions or waivers for this experience.

Additionally, as a requirement for retaining your certification, ISACA has laid down the number of continuing professional education (CPE) hours that must be undertaken to demonstrate that you have maintained your knowledge within the subject area.

You will need to report a minimum of 20 CPE hours each year and accumulate at least 120 hours over the first three years following certification.


The value of the CRISC certification is that it requires candidates to have relevant work experience and to maintain their knowledge after the exam. It is also fairly inexpensive when compared to other courses, especially if it’s paid for by your current employer!


About the Author


Ben has over six years’ experience working for a Big 4 consultancy within IT Advisory and over ten years’ experience within the IT industry as a whole, having previously worked as a Business Analyst and Project Manager.
