To what extent is ISACA’s Certified in Risk and Information Systems Control a gateway to high-level IT security leadership roles? Check out our CRISC certification guide to find out.
What is CRISC certification?
Certified in Risk and Information Systems Control (CRISC) is an upper-level IT professional certification focused on enterprise IT risk management. CRISC is offered by ISACA, a nonprofit professional association devoted to IT governance that offers a number of certifications popular among IT professions, including CISM.
Enterprise risk management (ERM) is the process of assessing risks to identify both threats to a company’s financial well-being and opportunities in the market. A risk management program aims to balance the likelihood of a risk happening against the potential damage that would ensue if it does. Overall, the goal is to help understand an organization’s tolerance for risk, categorize it, and quantify it.
This high-level set of skills is increasingly vital for CISOs and IT security managers, and CRISC certification can be a good way to not only display your competence in this field but also boost your career.
CRISC vs. CISM, CISSP, and CISA
What distinguishes CRISC from other upper-level IT security certifications is its focus on enterprise IT risk management. Whereas ISACA’s CISM might, like CRISC, be a credential that a CISO or someone aiming to become a CISO might pursue, CISM covers a much wider range of material, generally encompassing the development and management of an infosec program at the enterprise level. ISC2’s CISSP is another high-level but general-purpose cert, combining in-depth technical knowledge of a broad range of security domains with an understanding of managerial responsibilities.
ISACA’s CISA is a domain-specific cert, like CRISC, but its area of focus differs from CRISC’s. CISA, which stands for Certified Information Systems Auditor, is primarily pursued by those in the specialized realm of auditing — and is less likely to have been achieved as part of a career aiming for the C-suite. The Netwrix blog has a great chart comparing all four of these certifications if you want get a sense of the differences and similarities at a glance.
CRISC requirements
There are three steps you need to take to attain CRISC certification:
- Pass the CRISC exam
- Adhere to the CRISC Code of Professional Ethics
- Demonstrate the required minimum work experience
As noted, CRISC is intended as a relatively high-level cert; as such its holders must demonstrate real-world experience. To be certified, you must have at least three years of work experience performing tasks involved in two of the four domains covered by the exam, with one of those domains being either governance or IT risk assessment.
To ensure you’re relatively current on industry trends, you must have accrued this experience within the past 10 years prior to applying for the credential. But if you don’t have this experience and are itching to take the exam, that’s OK: You have up to five years after you pass the test to complete the required work experience.
Once your CRISC application has been accepted, you need to adhere to ISACA’s Continuing Professional Education (CPE) program to maintain it. That means taking at least 120 hours of CPE training over each three-year reporting period after you’ve attained the credential. For more information on how you can meet this requirement, download the CRISC CPE Policy from ISACA.
CRISC exam and certification fees
ISACA has a pretty thorough breakdown of the costs associated with getting CRISC certified, but the basics are as follows:
- Exam fee: $575 for ISACA members; $760 for non-members. (ISACA membership dues are $135.) You have a year to take the exam after registering to do so, but you will not be refunded if you don’t take it in time.
- Application fee: $50. Once you’ve passed the exam, you must formally apply to be CRISC certified and pay the application fee.
- Annual maintenance fee: $45 for members; $85 for nonmembers.
CRISC exam
The CRISC certification exam lasts four hours and consists of 150 multiple-choice questions. It is available in English, Spanish, Korean, and Simplified Chinese, and you can take it either at a PSI Exam Site or as an online proctored exam from your home; in the latter scenario, a proctor will be watching you through your webcam, so be warned if you find that a little off-putting.
For more details, check out ISACA’s exam candidate guide and scheduling guide, as well as information on special accommodations.
As for the exam itself, it is broken down into four top-level domains, weighted as follows:
- Governance (26%): This domain comprises organizational governance and risk governance, including strategy, goals, structure, roles, responsibilities, culture, policies, standards, risk management frameworks, risk appetite and tolerance, regulatory requirements, and ethics of risk management.
- IT risk assessment (20%): This domaininvolves risk identification, risk analysis, and risk evaluation, including threat modelling, risk scenario development, vulnerability and control deficiency analysis, risk analysis methodologies, and business impact analysis.
- Risk response and reporting (32%): This domain includes such facets as risk treatment, control ownership, third-party risk management, exception management, control design and implementation, risk treatment plans, risk monitoring, KPIs, key risk indicators (KRIs), key control indicators (KCIs).
- IT and security (22%): This domain covers the principles of IT and information security, including enterprise architecture, IT operations management, disaster recovery, data lifecycle management, information security awareness training, business continuity management, and data privacy and protection.
As previously mentioned, these domains don’t just define the structure of the test; they’re also important when it comes to the cert’s experience requirements.
CRISC training
ISACA offers an online CRISC review course that costs $795 for members and $895 for non-members.
There are also, as is the case with almost all certs, numerous third-party training course out there to help you on your journey, including Udemy, Cybary on YouTube, and PluralSight’s range of offerings around CRISC, as well as Infosec’s CRISC bootcamp.
CRISC study materials and exam questions
The 7th Edition of ISACA’s CRISC Review Manual, which costs $109 for ISACA members and $139 for non-members, is worth considering as you study up for the exam. Other books that we might normally recommend for studying for a cert exam, like the All-In-One Guide, are as of this writing behind the times. You’ll want to check the publish date of anything you’re considering to make sure it’s after the August 2021 revamp.
Most of the training courses you can take include sample questions that will prepare you for the exam. If you just want to take a quick look to get a sense of what to expect, you can check out ISACA’s practice quiz. If you’re willing to spend some money, you can pay $299 (as an ISACA member) or $399 (as a non-member) for access to ISACA’s CRISC Review Questions, Answers, and Explanations Database.
CRISC jobs and salary
Most people pursue credentials because they believe that it will help them either gain or demonstrate skills that burnish their resume and advance their career. And because this process isn’t cheap, the obvious question that arises is whether the benefits are worth the cost.
For CRISC, the answer certainly seems to be yes at first glance. The Netwrix blog lists a very high-powered list of potential jobs associated with the credential:
- CIO
- CISO
- Security Director
- Security Manager
- System Engineer
- Security Analyst
- Security Manager
- Security Auditor
- Network Architect
- Enterprise Leadership
- Control Professional
- Risk Professional
- Business Analyst
- Compliance Pro
- Control and Assurance Pro
Skillsoft’s database of top-paying IT certifications tells a similar story. According to its figures, the average salary of a CRISC holder is $133,616, with the majority of those holders in management, with job titles such as CISO, CSO, and ISO.
But anyone telling you that a particular certification guarantees a certain salary is trying to sell you something (probably a certification). CRISC certification holders tend to be well advanced in their career — and hold several certifications. There is definitely a question of causation vs. correlation here: is CRISC your ticket to a high-paying job, or is CRISC a credential pursued by people who already have the skills and experience to provide a lucrative career?
The answer is probably somewhere in between. CRISC won’t magically boost your paycheck, but it is definitely a feather in your cap that can make your manager — or hiring managers at other companies — take notice.
