CRISC Certification Requirements Overview
The CRISC (Certified in Risk and Information Systems Control) certification is administered by ISACA and validates expertise in enterprise IT risk management. Unlike some certifications with rigid prerequisites, CRISC offers flexibility in how you meet its requirements.
Here's what you need to earn and maintain the CRISC credential:
| Requirement | Details | Flexibility |
|---|---|---|
| Work Experience | 3 years in IT risk management across 2+ domains | Can complete after passing exam |
| Exam | Pass the CRISC exam (scaled score of 450 or higher out of 800) | Can take before meeting experience |
| Application | Submit application + $50 fee | Must be submitted within 5 years of passing the exam |
| Ethics | Agree to ISACA Code of Professional Ethics | Required for all ISACA certifications |
| CPE Maintenance | 120 hours per 3-year cycle | Minimum 20 hours per year |
💡 Key Flexibility: Exam Before Experience
You can take the CRISC exam before meeting the experience requirement. If you pass, you have 5 years to fulfill the experience and apply for certification. This is ideal for professionals building toward eligibility.
Experience Requirements Explained
The experience requirement is the most critical, and often most confusing, part of CRISC certification. In summary, ISACA requires:
✅ CRISC Experience Requirements Checklist
- 3 years of cumulative work experience performing the tasks of a CRISC professional
- Experience in at least 2 of the 4 CRISC domains, one of which must be Domain 1 or Domain 2
- Experience gained within the 10 years preceding your application date
- Experience verified by a supervisor, manager, or another person who directly observed your work
⚠️ Important: Experience Must Be Verifiable
Your experience must be verified by a supervisor, manager, or another person who directly observed your work (for example a senior colleague or, for consultants, a client). The verifier cannot be a family member or a Human Resources department employee. ISACA may audit applications, so ensure your experience is accurately documented.
The Four CRISC Domains
CRISC covers four domains. You need experience in at least two, with one being Domain 1 or Domain 2. Here's what each domain covers, with example qualifying tasks:
Domain 1: Governance
- Establishing IT risk governance frameworks
- Defining risk appetite and tolerance
- Aligning IT risk with business objectives
- Communicating risk to stakeholders
- Developing risk management policies
Domain 2: IT Risk Assessment
- Identifying IT risk scenarios
- Analyzing threats and vulnerabilities
- Assessing likelihood and impact
- Conducting quantitative/qualitative analysis
- Evaluating risk to business objectives
Domain 3: Risk Response and Reporting
- Developing risk response strategies
- Designing and implementing controls
- Managing residual risk
- Defining Key Risk Indicators (KRIs)
- Reporting risk to management/board
Domain 4: Information Technology and Security
- Implementing control frameworks
- Monitoring control effectiveness
- Managing compliance programs
- Business continuity planning
- Evaluating emerging technology risks
📌 Domain Coverage Tips
You don't need experience in every task listed for a domain. If you've performed several tasks within a domain consistently over your career, that counts. Most IT risk professionals naturally cover multiple domains in their day-to-day work.
Qualifying Job Roles
Wondering if your job title qualifies? CRISC experience typically comes from roles involving IT risk identification, assessment, response, and monitoring.
Title isn't everything. What matters is the actual work you perform. A "Systems Administrator" who regularly conducts risk assessments and implements controls may qualify, while someone with "Risk Analyst" in their title who only does data entry may not.
Exam Requirements
The CRISC exam is a critical requirement, but the good news is you can take it at any time—even before meeting the experience requirements.
| Exam Attribute | Details |
|---|---|
| Questions | 150 multiple-choice |
| Duration | 4 hours (240 minutes) |
| Passing Score | 450 out of 800 (scaled) |
| Format | Computer-based (testing center or remote) |
| Languages | English, Chinese (Simplified), Spanish, Korean |
| Exam Fee | $575 (ISACA members) / $760 (non-members) |
| Availability | Year-round, continuous registration |
| Eligibility Window | 12 months from registration to take exam |
💡 No Prerequisites to Take the Exam
The CRISC exam is open to anyone interested in IT risk management. You don't need to prove experience before registering. This makes it possible to "test first, qualify later" if you're building toward the experience requirement.
Application Process
Once you've passed the exam and met the experience requirements, you can apply for certification. Here's the step-by-step process:
📝 CRISC Application Steps
Pass the CRISC Exam
Score a scaled 450 out of 800 or higher. You have 5 years from passing to complete the application process.
Pay the Application Fee
Log into your ISACA account and pay the one-time $50 application processing fee.
Complete the Application Form
Download and complete the CRISC Application for Certification. List all relevant work experience with dates, employers, and job descriptions.
Get Experience Verified
Have your supervisor or manager complete the Experience Verification Form (pages V-1 and V-2) attesting to your work in CRISC domains.
Submit Application
Submit your completed application with verification forms. ISACA will review and process within a few weeks.
Receive Certification
Once approved, you'll receive your CRISC certification and can use the CRISC designation after your name.
Work Experience Verification
Your experience must be independently verified by someone who can attest to your work. Here's what you need to know:
Who Can Verify?
- Current or former supervisor/manager
- Senior colleague who witnessed your work
- Client (for consultants)
Who Cannot Verify?
- Immediate or extended family members
- Human Resources department staff
- Anyone who didn't directly observe your work
⚠️ Verification Form Details
The verifier must confirm specific tasks you performed within each domain, not just your job title. They'll check boxes on the verification form indicating which domain tasks they can attest to. You don't need every box checked—just enough to demonstrate substantial experience in that domain.
CPE Maintenance Requirements
After certification, you must maintain your CRISC through Continuing Professional Education (CPE). This ensures your knowledge stays current in the evolving risk management field.
Ways to Earn CPE Credits
| Activity | CPE Credits | Notes |
|---|---|---|
| ISACA conferences/events | Varies (up to 40+) | Great for networking too |
| Professional training courses | 1 CPE per hour | Must be risk/security related |
| Webinars and online learning | 1 CPE per hour | ISACA offers many free options |
| Publishing articles/books | Varies | On relevant IT risk topics |
| Teaching/lecturing | 1 CPE per hour | Preparation time may count |
| ISACA chapter activities | Varies | Local chapter meetings, volunteering |
| Self-study (reading) | Limited | Caps apply; document what you read |
💡 Multiple ISACA Certifications?
If you hold multiple ISACA certifications (CISA, CISM, CGEIT), the same CPE credits can count toward all of them as long as the content is relevant. You don't need to earn separate CPEs for each certification.
Code of Professional Ethics
All CRISC holders must agree to abide by ISACA's Code of Professional Ethics. The code includes commitments to:
- Support the implementation of appropriate policies and procedures for IT governance
- Perform duties with objectivity, due diligence, and professional care
- Maintain privacy and confidentiality of information obtained
- Maintain competency in your field and undertake only activities you're qualified to perform
- Disclose all material facts that could affect outcomes
- Support professional education of stakeholders
Violations can result in investigation and potential revocation of your certification.
Flexible Certification Timeline
One of CRISC's advantages is its flexible timeline. You don't have to follow a rigid path—you can adapt to your career situation:
📅 CRISC Timeline Flexibility
Take Exam Any Time
No prerequisites to register and take the exam. Ideal if you want to validate your knowledge while building experience.
12-Month Exam Eligibility
After registering, you have 12 months to schedule and take the exam. If you don't take it, you forfeit fees.
5 Years to Apply for Certification
After passing the exam, you have 5 years to meet the experience requirement and submit your application. This gives you time to build your career.
10-Year Experience Window
Your qualifying experience must be within 10 years of your application date. Older experience doesn't count.
3-Year CPE Cycles
Once certified, you maintain through 3-year CPE cycles with annual minimums. Easy to manage with normal professional development.
Frequently Asked Questions
Can I take the CRISC exam before I have the required experience?
Yes! The CRISC exam is open to anyone interested in IT risk management. You can take and pass the exam first, then have 5 years to fulfill the experience requirement and apply for certification. Not every certification program offers this flexibility.
Does ISACA offer any waivers for the experience requirement?
No. Unlike CISSP (which allows a one-year waiver for certain degrees), ISACA does not offer any waivers or substitutions for the CRISC experience requirement. You must have 3 years of actual work experience in IT risk management.
Do I need experience in all four domains?
No. You need experience in at least two of the four domains, with one of those being either Domain 1 (Governance) or Domain 2 (IT Risk Assessment). Most IT risk professionals naturally have experience across multiple domains.
What if my direct manager can't verify my experience?
If your direct manager is unavailable (left the company, etc.), you can use a former supervisor, a senior colleague who observed your work, or even a client (for consultants). The key is finding someone who can credibly attest to the specific tasks you performed.
Does ISACA audit applications?
ISACA does conduct random audits of applications. If selected, you may need to provide additional documentation. Most applications are approved without issue, but ensure your claimed experience is accurate and can be verified if questioned.
Can the same experience count toward multiple ISACA certifications?
Yes, overlapping experience can count toward multiple ISACA certifications if the work relates to both domains. For example, IT audit experience with risk assessment components could count toward both CISA and CRISC.
What happens if I don't meet the CPE requirements?
If you fail to meet the annual CPE minimum or the 3-year total, your certification can be suspended or revoked. ISACA offers a grace period and reinstatement options, but it's best to track your CPEs throughout the year to avoid issues.
How long does the application take to process?
Most applications are processed within 4-6 weeks after submission. Complex applications or those selected for audit may take longer. You can track your application status through your ISACA account.
Conclusion: Your Path to CRISC Certification
CRISC certification requires a combination of professional experience, exam success, and ongoing commitment to professional development. The good news is ISACA offers flexibility in how you meet these requirements.
Key takeaways:
- You need 3 years of IT risk management experience across 2+ domains (one must be D1 or D2)
- You can take the exam before meeting experience requirements
- You have 5 years after passing to complete your application
- Experience must be verified by a supervisor, manager, or another person who directly observed your work
- Ongoing maintenance requires 120 CPE hours per 3-year cycle
With over 30,000 CRISC-certified professionals worldwide, this credential is both achievable and highly valued. If you have relevant experience and are committed to advancing your IT risk management career, CRISC certification is within your reach.