You've probably heard that you need a 450 out of 800 to pass the CRISC exam. Simple math suggests that's 56.25%, but that's not how ISACA's scoring actually works. The reality is more nuanced, and understanding the scoring system can significantly impact your study strategy and exam-day confidence.
The CRISC (Certified in Risk and Information Systems Control) exam uses a sophisticated scaled scoring methodology that adjusts for question difficulty across different exam versions. This means two candidates who answer the same percentage of questions correctly might receive different scaled scores, and that's by design.
This comprehensive guide breaks down everything you need to know about the CRISC passing score: how scaled scoring works, what percentage you realistically need, whether you must pass each domain, and strategies to comfortably exceed the 450 threshold. Let's cut through the confusion.
The Quick Answer: 450 to Pass
Let's start with the fundamentals before diving deeper:
| Exam Detail | Specification |
|---|---|
| Total Questions | 150 multiple-choice questions |
| Scored Questions | ~135 questions (15 are unscored pretest items) |
| Time Limit | 4 hours (240 minutes) |
| Passing Score | 450 on a 200-800 scale |
| Score Type | Scaled (not raw percentage) |
| Approximate % Needed | ~70-75% correct answers |
| Results Timing | Preliminary on-screen; official within 10 business days |
A score of 450 represents the minimum consistent standard of knowledge ISACA requires for certification; it's not simply 56% of questions correct. The scaled scoring system ensures fairness across all exam versions, regardless of difficulty variations.
How ISACA's 200-800 Scaled Scoring Works
ISACA doesn't use simple percentage-based scoring. Instead, they convert your number of correct answers into a scaled score between 200 and 800. Here's why this matters:
The Purpose of Scaled Scoring
Different exam versions contain different questions with varying difficulty levels. Scaled scoring ensures that a passing score represents the same level of competency, regardless of which specific questions you receive.
Think of it this way: if you happen to get a particularly challenging set of questions, the scaling algorithm adjusts in your favor. Conversely, an easier exam version requires more correct answers to reach the 450 threshold. The goal is consistent measurement of competency, not just counting correct answers.
What the Scale Means
- 200: Minimum possible score (essentially zero correct)
- 450: Passing threshold (demonstrates required competency)
- 800: Maximum possible score (perfect exam)
The conversion from raw score (correct answers) to scaled score is not linear. You can't simply calculate your percentage and multiply by 800. ISACA uses psychometric analysis to determine the conversion, which is why they explicitly state that domain percentages "are NOT used to calculate exam scores."
How Pretest Items Factor In
Of the 150 questions you'll answer, approximately 15 are pretest items, questions being evaluated for use in future exams. These questions:
- Don't count toward your score
- Are randomly distributed throughout the exam
- Are indistinguishable from scored questions
- Should be answered as if they count (because you can't tell which are which)
This means only about 135 questions determine your actual score, but you must treat all 150 with equal importance.
What Percentage Do You Actually Need?
This is the question everyone wants answered, and while ISACA doesn't publish an official figure, we can derive reasonable estimates from candidate experiences and exam prep community data.
ISACA does not disclose the exact conversion between raw scores and scaled scores. The percentages below are estimates based on candidate reports and exam preparation provider data, not official figures.
Estimated Percentage Requirements
| Scaled Score | Estimated % Correct | Result |
|---|---|---|
| Below 400 | <60% | Significantly below passing |
| 400-449 | 60-69% | Close but not passing |
| 450-500 | 70-75% | Passing |
| 500-600 | 75-85% | Comfortable pass |
| 600-700 | 85-92% | Strong performance |
| 700+ | 92%+ | Exceptional (top performers) |
Based on candidate reports, aiming for approximately 70-75% accuracy should yield a passing score. However, due to scaling variations, the safer target is 80% or higher on practice exams before scheduling your test.
Why 56% Isn't Enough
Simple math suggests 450/800 = 56.25%. This calculation is misleading because:
- The scale doesn't start at zero: The minimum score is 200, not 0
- Scaling isn't linear: The relationship between correct answers and scaled score varies
- Question difficulty varies: Harder questions may contribute more to your scaled score
If you walk into the exam thinking you only need to get 56% correct, you will likely fail. Plan for 70-75% as your minimum target.
The Four CRISC Domains & Their 2026 Weights
The CRISC exam covers four domains, with domain weightings updated as of November 2025 to reflect evolving IT risk landscapes including AI governance and emerging technology risks.
Organizational governance, risk management framework, risk culture, legal and regulatory requirements
Risk identification, threat and vulnerability assessment, risk analysis, risk scenario development
Risk response options, control design and implementation, risk monitoring, reporting and communication
IT principles and architecture, information security, emerging technologies including AI risk
Domain 3 (Risk Response & Reporting) carries the heaviest weight at 32%. This domain covers the practical aspects of responding to identified risks: developing response strategies, designing controls, monitoring effectiveness, and communicating with stakeholders. Allocate your study time accordingly.
2025 Exam Content Updates
The November 2025 CRISC exam update introduced several new topics you should be aware of:
- AI and Large Language Model Risks: Governance considerations for AI implementation
- Quantum Computing Threats: Implications for cryptography and data protection
- Zero Trust Architecture: Risk considerations for modern security frameworks
- Third-Party AI Risk: Managing risks from vendor AI solutions
The 2025 update also shifted 2% from Domain 4 to Domain 2, reflecting increased emphasis on threat modeling and vulnerability assessment methodologies.
Do You Need to Pass Each Domain Separately?
This is one of the most common questions, and the source of significant anxiety. Here's the definitive answer:
No, you do NOT need to pass each domain separately. Your pass/fail determination is based solely on your overall scaled score. Domain scores are provided for informational purposes only and don't independently determine whether you pass.
ISACA's official guidance states: "Exam scores are based on the total number of exam items answered correctly, regardless of domain."
Real-World Examples from Score Reports
Candidate reports from the exam community confirm this. Consider these documented examples:
| Overall Score | Domain 1 | Domain 2 | Domain 3 | Domain 4 | Result |
|---|---|---|---|---|---|
| 480 | 510 | 375 | 495 | 520 | PASSED |
| 522 | 594 | 531 | 486 | 477 | PASSED |
| 431 | 444 | 428 | 373 | 549 | NOT PASSED |
Notice in the first example: the candidate scored 375 in Domain 2, well below the 450 passing threshold, but still passed overall with a 480. The total score is what counts.
Understanding Your Score Report
After completing the CRISC exam, you'll receive your results in two phases:
Preliminary Results (Immediate)
Immediately after submitting your exam, you'll see a preliminary pass/not pass status on the screen at the testing center. This preliminary result is highly accurate; candidate experiences consistently confirm that the preliminary result matches the final official result.
If the preliminary screen shows "Not Passed," forum discussions unanimously confirm that the official result will also be "Not Passed." ISACA's preliminary indication is accurate; the official review period doesn't change outcomes.
Official Score Report (Within 10 Business Days)
Your official score report arrives via email and becomes available in your MyISACA account within 10 business days. ISACA does not provide results by telephone under any circumstances.
The official report includes:
- Overall Scaled Score: Your total score on the 200-800 scale
- Pass/Not Pass Status: Based on whether you reached 450
- Domain-Level Scores: Individual scaled scores for each of the four domains
Interpreting Domain Scores
ISACA provides guidance on interpreting your domain performance:
| Domain Score | Interpretation | Recommended Action |
|---|---|---|
| Below 375 | Did not demonstrate understanding | Substantial review recommended |
| 375-450 | Demonstrated partial understanding | Additional review recommended |
| Above 450 | Demonstrated understanding | Limited review recommended |
Remember: these domain scores are for your information and professional development only. They don't affect your pass/fail status and aren't shown to employers or verifying parties.
What You Won't See
ISACA does not provide:
- Question-level results (which questions you got right or wrong)
- The number of questions answered correctly
- Identification of which questions were pretest items
- Detailed breakdowns beyond domain-level performance
CRISC Pass Rates: What to Expect
ISACA does not publish official pass rates for any of their certifications, including CRISC. However, estimates from training providers and exam prep communities provide useful guidance.
How CRISC Compares to Other ISACA Certifications
| Certification | Estimated Pass Rate | Relative Difficulty |
|---|---|---|
| CISA (IT Audit) | 50-60% | Challenging |
| CISM (Security Management) | 50-60% | Challenging |
| CRISC (IT Risk) | 60-70% | Moderate-Challenging |
| CGEIT (Governance) | 55-65% | Moderate-Challenging |
Intensive bootcamp programs report significantly higher pass rates (80-95%), but these reflect candidates who've invested in comprehensive preparation rather than general test-taker outcomes.
Retake Policy If You Don't Pass
If you don't achieve the 450 passing threshold, ISACA allows retakes with specific waiting periods:
Retake Waiting Periods
- Wait 30 days after your first attempt
- Wait 90 days after your second attempt
- Wait 90 days after your third attempt
- Maximum 4 attempts within any rolling 12-month period
Retake Costs
| Fee Type | ISACA Member | Non-Member |
|---|---|---|
| Initial Exam Registration | $575 | $760 |
| Retake Registration | $575 | $760 |
| Manual Rescore Request | $75 (within 30 days of results) | |
Note that there are no discounted retake fees; each attempt costs the full registration amount. ISACA membership ($135/year) saves $185 per exam attempt, making it worthwhile if you anticipate needing multiple attempts.
Requesting a Manual Rescore
If you believe there was a scoring error, you may request a manual rescore in writing within 30 days of receiving your results for a $75 fee. Requests submitted after 30 days will not be processed. However, community experience suggests manual rescores rarely change outcomes; ISACA's automated scoring is highly accurate.
Common Scoring Misconceptions
Let's address the myths that cause unnecessary anxiety and poor preparation strategies:
Many candidates calculate 450÷800 = 56.25% and assume that's all they need. This math ignores how scaled scoring works.
Some candidates believe they need to score at least 450 in every domain to pass overall.
Many experienced IT risk professionals assume their years of hands-on work will carry them through the exam.
When the screen shows "Not Passed - Results will be reviewed," candidates hope the official result might differ.
Candidates sometimes think domain weights directly translate to scoring algorithms.
Strategies to Exceed 450
Based on successful candidate experiences and exam prep best practices, here's how to position yourself well above the passing threshold:
Target 80%+ on Practice Exams
Given the uncertainty of scaled scoring and the variation between practice materials and the actual exam, aim for consistent scores of 80% or higher on practice exams before scheduling your test. This provides a comfortable margin for exam-day variables.
One candidate who achieved 706 (among the highest globally reported scores) was consistently scoring 95% on practice tests. While you don't need to aim that high, it illustrates the correlation between practice performance and actual results.
Master "The ISACA Way"
The most consistent advice from successful candidates: think like an ISACA risk advisor, not like your organization's specific practices. Questions are written from the perspective of how organizational leadership should respond, emphasizing:
- Governance first: Consider board and executive perspectives
- Risk-based decision making: Balance risk against business objectives
- Framework alignment: Reference ISACA standards and best practices
- Communication focus: Emphasize stakeholder reporting and transparency
Know the Key Terminology
Master these ISACA-specific terms and acronyms that appear frequently:
- RTO (Recovery Time Objective) and RPO (Recovery Point Objective)
- ALE (Annual Loss Expectancy), ARO (Annual Rate of Occurrence), SLE (Single Loss Expectancy)
- Inherent risk vs Residual risk
- Risk appetite vs Risk tolerance
- BCP (Business Continuity Planning) and DRP (Disaster Recovery Planning)
- BIA (Business Impact Analysis)
- Delphi technique for expert consensus
- Risk register and Risk profile
Watch for Question Keywords
CRISC questions often use specific keywords that signal what the question is really asking:
- "MOST important": Multiple answers may be valid, but one is definitively superior
- "BEST": Several options might work, but identify the optimal choice
- "FIRST": Sequence matters; what's the priority action?
- "PRIMARY": What's the main reason or objective?
- "LEAST": Identify the weakest or least appropriate option
Allocate Time Strategically
With 150 questions in 240 minutes, you have an average of 1.6 minutes per question. However, scenario-based questions may require more time. Candidates report that CRISC questions require careful reading; rushing leads to misinterpretation of what's being asked.
Recommended approach:
- First pass: Answer questions you're confident about, flag uncertain ones
- Second pass: Return to flagged questions with fresh perspective
- Never leave questions blank; there's no penalty for guessing
- Reserve 15-20 minutes at the end for review
Prioritize Domain 3
At 32% of the exam, Domain 3 (Risk Response and Reporting) is the heaviest weighted area. Ensure you're strong in:
- Risk response options: accept, mitigate, transfer, avoid
- Control design, implementation, and assessment
- Risk monitoring and key risk indicators (KRIs)
- Reporting methodologies and stakeholder communication
Frequently Asked Questions
The CRISC passing score is 450 on a 200-800 scaled score. This represents ISACA's benchmark for demonstrating adequate IT risk management competency. Due to scaled scoring, this translates to approximately 70-75% of questions answered correctly, not 56% as simple math might suggest.
ISACA uses a scaled scoring methodology that converts your raw number of correct answers into a score between 200 and 800. The conversion accounts for question difficulty and ensures consistent measurement across different exam versions. Approximately 135 of the 150 questions are scored; the remaining 15 are pretest items being evaluated for future exams.
No. Your pass/fail determination is based solely on your overall scaled score. ISACA provides domain-level scores for informational purposes only. Candidates regularly pass with individual domain scores below 450 when their total score exceeds the threshold.
While ISACA doesn't publish official figures, community estimates suggest approximately 70-75% correct answers yield a passing scaled score. To account for exam-day variables, aim for 80%+ on practice tests before scheduling your actual exam.
ISACA does not publish official pass rates. Estimates from training providers suggest a 60-70% first-attempt pass rate for general candidates. Intensive bootcamp participants report higher rates (80-95%), reflecting comprehensive preparation rather than general outcomes.
You'll see a preliminary pass/not pass result on screen immediately after completing the exam. Official results with your scaled score and domain breakdown arrive via email within 10 business days and become available in your MyISACA account. ISACA does not provide results by telephone.
You must wait 30 days after your first attempt to retake. After the second attempt, the waiting period extends to 90 days for subsequent attempts. A maximum of 4 attempts is allowed within any rolling 12-month period. Each retake requires paying the full registration fee.
No. Community experience unanimously confirms that preliminary results shown at the testing center match final official results. While ISACA notes results may be reviewed, this is procedural; the outcome doesn't change. If you see "Not Passed," begin preparing for your retake.
Pass = 450/800 scaled score (~70-75% correct). You don't need to pass each domain separately; only your total score matters. Aim for 80%+ on practice exams before scheduling. Master "the ISACA way" of thinking rather than relying on your organization's specific practices. Domain 3 carries the heaviest weight at 32%, so prioritize it in your studies.