Certified in Risk and Information Systems Control (CRISC) Fact Sheet 

CRISC Logo 

The CRISC was designed for IT and business professionals who identify and manage risks through the development, implementation and maintenance of appropriate IS controls.

Introduced in 2010, the CRISC designation is designed for IT and business professionals who identify and manage risks through the development, implementation and maintenance of appropriate information systems (IS) controls. More than 16,800 professionals have earned the CRISC designation since inception.

  View the number of ISACA certifications by region

The CRISC designation is designed for:

  • IT professionals
  • Risk professionals
  • Business analysts
  • Project managers
  • Compliance professionals
  • Business professionals

CRISC Focus Areas

The CRISC designation focuses on:

  • Risk identification, assessment and evaluation
  • Risk response
  • Risk monitoring
  • IS control design and implementation
  • IS control monitoring and maintenance

Certification Requirements

Candidates are required to do the following to earn the credential:

  • Prove at least three years of cumulative work experience performing the tasks of a CRISC professional across at least three CRISC domains (there are no substitutions or experience waivers)
  • Pass the CRISC (offered worldwide every June and December)
  • Adhere to the ISACA Code of Professional Ethics
  • Agree to comply with the CRISC Continuing Education Policy

The first CRISC exam was administered in 2011. CRISC retention is more than 95 percent.

Additional information is available at www.isaca.org/crisc.

Relationship With Other ISACA Certifications

CRISC complements ISACA’s CGEIT, CISA and CISM certifications.

  • CRISC is for IT and business professionals who are engaged at an operational level to mitigate risk, while CGEIT is for IT and business professionals who have a significant management, advisory or assurance role relating to the governance of IT, including risk management;
  • CRISC is for IT and business professionals who design, implement and maintain IS controls, while CISA is designed for IT professionals who perform independent reviews of control design and operational effectiveness;
  • CRISC is for IT professionals whose roles encompass security, operational and compliance considerations, while CISM is for individuals who manage, design, oversee and/or assess an enterprise’s information security, including the identification and management of information security risks.

CRISC in the Workplace

  • Nearly 4,100 serve as audit directors, managers or consultants and related staff.
  • More than 3,500 are employed as security directors, managers or consultants and related staff.
  • More than 3,100 are employed in managerial, consulting or related positions in IT operations or compliance.
  • Nearly 2,200 are IT directors, managers, consultants and related staff.
  • More than 1,300 are CIOs, CISOs, or chief compliance, risk or privacy officers.
  • More than 600 CRISCs are CEOs, CFOs or equivalent executives.
  • More than 400 serve as chief audit executives, audit partners or audit heads.

Recognitions

  • SC Magazine selected CRISC as the 2013 “Best Professional Certification Program” in the Professional Awards category.
  • CRISC was listed as the second-highest-paying certification in the 2012 IT Skills and Salary Survey by Global Knowledge and TechRepublic.
  • CRISC earned a place on the list of highest-paying IT security certifications in the 2012 IT Skills and Certifications Pay Index (ITSCPI) from independent research firm Foote Partners.
  • SC Magazine selected CRISC as a finalist of the 2012 “Best Professional Certification Program” in the Professional Awards category.
  • The State of West Virginia Office of Information Security and Controls is using the five CRISC domains and task statements to develop a checklist for use in risk assessments for HIPAA compliance. The task statements will be mapped to NIST standards. This checklist will be used by the West Virginia state government and its business associates who are handling West Virginia collected Protected Health Information (PHI).
  • CRISC is listed among certifications that "improve technology careers" ~ Internet@Suite101 October 2011<

In the News

  • CIO Magazine ~ In “23 IT Certifications That Mean Higher Pay,” ISACA’s CRISC and CISM certifications are listed, based on data from Foote Partners LLC’s latest IT Skills and Certifications Pay Index.
  • Computer World “Career Watch: A Certification for Risk Professionals” is a discussion on how the CRISC credential is helpful to those who are experienced in both risk and control.
  • Workspan ~ The CRISC credential has been named one of the highest-paying IT certifications in the latest Foote Partners’ IT Skills and Certifications Pay IndexTM (ITSCPI)—http://bit.ly/Oj7tF5.
  • CRISC is listed among certifications that “improve technology careers” Source: Internet@Suite101 October 2011
  • In a SearchSecurity.com article, (David) Foote (co-founder, CEO and chief research officer of Foote Partners) recommends the new CRISC certification. “Given where we see the market going [integrating more with business], that one probably will be very influential. We don't know of any other certification on the market quite like it.”

Contact:

Kristen Kessinger, +1.847.660.5512
Joanne Duffer, +1.847.660.5564
news@isaca.org