CRISC certification can help you advance to infosec management.

Enterprise risk management (ERM) is the “process of planning, organizing, leading and controlling the activities of an organization in order to minimize the effects of risk on the organization’s capital and earnings.”

ERM is a major issue for many multinational corporations doing business with thousands, if not millions, of customers around the world on a daily basis, with electronic transactions occurring hundreds of millions of times a day, often across unsecured networks.

The rapid spread of the Internet of Things (IoT) makes the risk of loss to cybercriminals more acute than ever. According to a recent survey by PwC and InfoSecurity Europe, fewer than 40 percent of large organizations ensure that their data held by external providers is encrypted. To make matters worse, 88 percent of global executives report that employees regularly use their personal computing technologies for business purposes.

With such exposure, the cost of a data breach can destroy a business. Add to that the damage done to a corporate reputation, and we can see why one of the hottest credentials on the market is ISACA’s CRISC (Certified in Risk and Information Systems Control).

CRISC validates that IT professionals have the skills to address the increasingly unique challenges facing enterprise risk management. It is a globally recognized industry standard of excellence, with hundreds of CRISC earners successfully filling CEO and CFO positions, while hundreds more serve as chief audit executives, audit partners or audit heads.

Enterprises like having CRISC-certified individuals on staff because of the added level of professionalism they bring. They possess a quantifiable standard of knowledge, a commitment to regular and in-depth development via continuing education, and adherence to a standard of ethical conduct established by ISACA.

It should be noted that the CRISC is not really a “techie” type certification. It’s more of a managerial certification — although a strong degree of technical knowledge is required to pass the exam. Earning CRISC requires clearing an intensive exam designed to verify your knowledge of IT and business risk and controls. You will also need verifiable work experience in risk identification and in the implementation of proven information system (IS) controls.

A successful CRISC candidate will also have knowledge of laws, regulations, standards and compliance requirements for their industry, as well as of trends and emerging technologies.

Possessing a CRISC also offers a number of tangible and intangible benefits:

  • It shows that you are a security risk professional, making you marketable to many large accounting and IT firms that offer audit and compliance-based services.
  • It makes you a very valuable employee in the corporation you work for.
  • It gives you a very strong competitive advantage when it comes time for a job review and promotion.
  • You have full access to ISACA’s global community and collaboration with other CRISC professionals.
  • The financial rewards are great; you can earn as much as $125,000 U.S. per year.


CRISC candidates must have a minimum of three (3) years of cumulative work experience performing the tasks of a CRISC professional across at least two (2) of the four (4) CRISC domains covered on the exam.

Domain 1 — IT Risk Identification

Domain 2 — IT Risk Assessment

Domain 3 — Risk Response and Mitigation

Domain 4 — Risk and Control Monitoring and Reporting

Of these two (2) required domains, one (1) must be either Domain 1 or Domain 2. There are no substitutions or experience waivers.

Work experience must also be verified independently with employers. Candidates have to complete and submit a CRISC Application for Certification. Note that your work experience must have been gained within the 10-year period preceding the application date for certification, or within five years from the date of initially passing the examination. If the application for certification is not submitted within five years from the passing date of the examination, you will need to retake and clear the examination again.


The exam consists of 150 multiple-choice questions to be completed in a four (4) hour session. The exam itself can be quite expensive, with costs ranging anywhere from $440 U.S. to $675 U.S., depending of course on when you register (the earlier the better) and on whether you are a member of ISACA or not — members receive a certain percentage off the exam price as a discount.

ISACA currently offers the exam in 240 locations around the world. Unfortunately, the exam is only given in a paper-based format. ISACA feels that this makes it easier to maintain the integrity of the exam and the examination centers, and to keep costs reasonable.

The CRISC exam is scheduled several times a year, with the next one set for 10 December. The last day to register for the December exam is 21 October.

As mentioned above, the CRISC exam covers four domains.

Domain 1 — Risk Identification: Knowledge of potential IT threats and vulnerabilities; developing specific IT risk scenarios; identifying the stakeholders to be held accountable; and developing risk assessment and educational awareness programs.

Domain 2 — Risk Assessment: Analyzing risk scenarios; examining the state of existing IT controls and evaluating their effectiveness; reviewing the results of the risk assessments; and effectively communicating those results to upper management to enable sound decision making.

Domain 3 — Risk Response and Mitigation: Ability to align risk responses with business objectives; meeting with key stakeholders in order to ensure that any risk mitigation plans include key security elements; and working with IT and risk management owners to develop effective documentation that will enable efficient and effective control execution.

Domain 4 — Risk and Control Monitoring and Reporting: Defining and establishing Key Risk Indicators (KRIs) to enable the efficient monitoring of risk mitigation controls; monitoring and gauging these KRIs to identify any changes to the corporation’s IT risk profile; setting thresholds to determine the actual effectiveness of the KRIs; and reporting on the results of the KRIs to the key stakeholders in order to enable efficient decision making.

The exam uses scaled scoring — conversion of a raw score to a common scale. ISACA uses and reports scores on a common scale from 200 to 800, where 800 represents a perfect score. Candidates must earn a score of 450 or higher to clear the exam. The clearing score of 450 represents a “minimum consistent standard of knowledge as established by the respective ISACA Certification Committee.”

If you fail to clear the exam, you can retake it by registering and paying the appropriate fee for a future exam. To help with re-studying efforts, ISACA sends a results letter to each candidate showing a score analysis by content area. There is no limit to the number of times candidates can retake the exam.

Remember that clearing the exam doesn’t grant the CRISC designation. You also have to earn the required job experience and submit a CRISC application. Once your application is received and approved, you will be CRISC certified.

Exam Preparation

Review courses are offered in various countries through established ISACA chapters. To be honest, clearing the exam is not going to be easy. You will need an organized plan of attack. Fortunately, ISACA gives strong support in helping candidates master the exam. They recommend two publications:

ISACA also offers a 12-month subscription to the CRISC Practice Question Database, a comprehensive pool of 500 questions. Access is available via the web, and the database is compatible with Windows and Mac. Subscribers can take practice exams with randomly generated questions and see results for each domain.

One very useful feature is that questions generated during study sessions are sorted based on previous scoring history. This enables candidates to identify their strengths and weaknesses and focus their study efforts accordingly. Other features include the ability to select sample exams for specific job practice domains, and view questions previously answered incorrectly.

ISACA also sponsors a CRISC study community. This is a resource to help candidates prepare by interacting with ISACA chapter coordinators, community leaders and other exam candidates. While specific discussions about exam questions and concepts aren’t allowed, and will be deleted, you can discuss question types, study methods and materials, and what to expect on exam day.

Maintaining CRISC

The next step is maintaining your CRISC as a way to show that you retain adequate knowledge and proficiency. An annual maintenance fee of $45 U.S. per year is required for ISACA members. The fee for non-members is $85.

You also have to earn and report a minimum of 120 Continuing Professional Education (CPE) hours over a three-year time span, and report at least 20 CPEs on an annual basis. It is the responsibility of each CRISC to earn and report their CPEs in a timely manner. CRISCs who do so will receive confirmation from ISACA of the number of CPE hours accepted and the number remaining to be earned.

Unfortunately, ISACA does not allow use of the CRISC logo on your business cards, web sites or promotional materials.


Possessing some knowledge of risk management, and a few years of experience in the field, will make you a hot commodity in the Indian IT job market for sure. But to truly show that you have a mastery of risk management, consider investing your time and money into earning the CRISC. You won’t be disappointed.