Certified in Risk and Information Systems Control (CRISC) Fact Sheet

The CRISC was designed for IT and business professionals who identify and manage risks through the development, implementation and maintenance of appropriate IS controls.

Introduced in 2010, the CRISC certification is for IT and business professionals—including risk and compliance professionals, business analysts and project managers—who identify and manage risks through the development, implementation and maintenance of appropriate information systems (IS) controls. More than 17,000 professionals have earned the CRISC designation since inception. CRISC retention is more than 93 percent.


CRISC Focus Areas

The CRISC designation focuses on:

  • Risk identification, assessment and evaluation
  • Risk response
  • Risk monitoring
  • IS control design and implementation
  • IS control monitoring and maintenance

CRISC Certification Requirements

To earn the CRISC certification, candidates are required to:

  • Prove at least three years of cumulative work experience performing the tasks of a CRISC professional across at least three CRISC domains
  • Pass the CRISC exam (offered worldwide every June and December)
  • Adhere to the ISACA Code of Professional Ethics
  • Agree to comply with the CRISC Continuing Education Policy


CRISC Relationship With Other ISACA Certifications

CRISC complements ISACA’s CISA, CISM and CGEIT certifications:

  • CRISC is for IT and business professionals who design, implement and maintain IS controls, while CISA is designed for IT professionals who perform independent reviews of control design and operational effectiveness.
  • CRISC is for IT professionals whose roles encompass security, operational and compliance considerations, while CISM is for individuals who manage, design, oversee and/or assess an enterprise’s information security, including the identification and management of information security risk.
  • CRISC is for IT and business professionals who are engaged at an operational level to mitigate risk, while CGEIT is for IT and business professionals who have a significant management, advisory or assurance role relating to the governance of IT, including risk management.

CRISC in the Workplace

  • More than 3,900 serve as audit directors, managers or consultants.
  • Nearly 3,500 are employed as security directors, managers or consultants.
  • More than 3,200 are employed in managerial, consulting or related positions in IT operations or compliance.
  • Nearly 2,100 are IT directors, managers or consultants.
  • More than 1,300 are CIOs, CISOs, or chief compliance, risk or privacy officers.
  • More than 600 CRISCs are CEOs, CFOs or equivalent executives.
  • More than 400 serve as chief audit executives, audit partners or audit heads.


CRISC Recognitions

  • The Australian Signals Directorate listed CRISC as a prerequisite for its Information Security Registered Assessor Program.
  • CRISC is listed among the highest-paying certifications in the Foote Partners IT Skills and Certifications Pay Index™ (ITSCPI) for 1 July 2013 – 1 October 2013. CRISC was also noted for earning above-average pay premiums that have been growing at an above-average rate for the last six months.
  • SC Magazine selected CRISC as the 2013 “Best Professional Certification Program” in the Professional Awards category. CRISC was a finalist in 2012.
  • CRISC was listed as the second-highest-paying certification in the 2012 IT Skills and Salary Survey by Global Knowledge and TechRepublic.
  • The State of West Virginia Office of Information Security and Controls used the five CRISC domains and task statements to develop a checklist for use in risk assessments for HIPAA compliance.


Contact

Kristen Kessinger, +1.847.660.5512
Joanne Duffer, +1.847.660.5564
Rachel Acevedo, +1.847.660.5617
news@isaca.org