ProfessionalVendor-neutralISO 17024ISACA· issued from US

CRISC

Certified in Risk and Information Systems Control

Enterprise risk identification, assessment, and response + IT controls.

Official page at ISACA ↔ Compare with another cert

Exam fee

$760

Ongoing

$45/yr AMF · 40 CPE/yr

Study time

100–200 hrs

Delivery

Test center

Validity

3 yrs (renewal cycle)

› Quality score

24.0 / 40

Four-axis SecProve rubric, each 0–10. SecProve editorial assessment — each axis carries a written justification so you can push back on any single call without dismissing the whole score.

Blueprint rigor

How well-defined and rigorous the exam blueprint is.

Four practice domains tightly aligned to FAIR / NIST RMF. ISACA's task-and-knowledge statements are explicit.

8.5/10

Practical evidence

Hands-on labs / written reports vs pure MCQ.

MCQ only. Risk-register scenarios are read, not built.

1.0/10

Currency & upkeep

How aggressively content is kept current with the field.

Refresh every ~3 years; current blueprint (2024) added third-party and AI risk topics.

7.5/10

Market recognition

How often this signal actually moves a hiring decision.

Strong inside ISACA-aligned organisations and risk-track roles; less universal than CISSP. [Holders: 30k, 2024-12]

7.0/10

› Market signals

public, citable inputs to the recognition score

Holders worldwide

30,000

as of 2024-12 · source

› Built for these roles

IT Risk ManagerRisk & Controls ConsultantCompliance ManagerEnterprise Risk Analyst

› Exam format

150 multiple-choice questions over 4 hours, English. Pearson VUE proctored. ISACA's risk-and-controls-focused exam — heavy on risk register, KRI, and treatment scenarios.

Passing score

450/800 (scaled)

Retake policy

Fee: $575 per attempt

Wait: 30d between attempts

Cap: 4 attempts/year

ISACA member $575 / non-member $760. Max 4 attempts per 12-month window.

› Recertification

120 CPEs over the three-year cycle (avg 40/yr) plus the $45/yr ISACA member fee ($85/yr non-members).

› 3-year cost of ownership

Exam (1×)

$760

AMF (3×)

$135@$45/yr

Total

$895

Excludes study materials, training, retake risk, and lost-wage opportunity. Use as a floor estimate.

› NICE Framework work roles

The NIST NICE work-role IDs this cert maps to. NICCS lookup.

OG-WRL-014OG-WRL-002OG-WRL-007

Recognition

GlobalUSEUUKDACH

Exam languages

enjaeszh

› Core domains covered

The 2 domains this cert is centrally about. Passing the exam demonstrates working knowledge of each.

A1Governance, Risk & Compliance

Risk frameworks (NIST RMF, ISO 31000, FAIR), policy development, audit, regulatory compliance, third-party risk.

A18Security Leadership

Cyber risk quantification, board communication, security program development, budget & ROI.

› Also touched

Present in the blueprint but not the primary focus — you’ll be introduced but shouldn’t expect depth.

A13Supply Chain Security

SBOM, vendor risk assessment, software supply chain attacks, dependency management.

C7AI Governance & Risk

EU AI Act compliance, NIST AI RMF, AI risk assessment, model cards, algorithmic auditing, AI incident response.

› Prerequisites

Experience

Three years of cumulative work experience in risk identification, assessment, response, and monitoring.

Knowledge assumed

Risk-management frameworks (FAIR, NIST RMF)
IT controls and audit fundamentals

› Progression

requiredrecommended

Where this cert fits in the typical learning path. Required edges are vendor-gated; recommended edges reflect de facto industry progression.

Required prereqs (0)

No vendor-gated prereqs.

Recommended priors (0)

No de facto priors typically expected.

CRISC

ISACA

Required by (0)

No certs require this one.

Recommended next (1)

CRAIISACA

› Study materials

Curated starting points. Not exhaustive — vet each against your learning style and the current exam version.

Official guides

CRISC Review Manual, 7th Ed. — ISACA
CRISC QAE Database — ISACA

Training providers

ISACA Official CRISC Online Course

Practice tests

ISACA QAE Database
Pocket Prep CRISC

Free / community

r/CRISC

› Version & lifecycle

Current version

2021 job-practice analysis

Released

2021-08

Four domains: IT risk identification, assessment, response, monitoring.

› Salary signal

IT risk analyst / IT risk manager, US, 5+ years.

$115K–$165K

median $135K

+9% reported cert premium

ISACA Salary Survey + Robert Half Salary Guide · 2024 · US base only · p25–p75 range

› How it compares

CISA

CISA emphasizes audit execution; CRISC emphasizes risk identification + response.

↔ Compare side-by-side

CISM

CISM is security-program management; CRISC is risk-program emphasis. Often paired.

↔ Compare side-by-side

› Careers that commonly pursue this cert

GRC / Compliance Analyst

Manage risk, ensure regulatory compliance, and build governance frameworks. Where security meets business strategy.

CISO / Security Leader

Lead security strategy, communicate risk to the board, and build security programs. Executive-level cybersecurity leadership.

See this cert’s domains highlighted on the interactive map, or compare it against the rest of the catalog.

Highlight on the domain map Browse all certifications