CRISC Frequently Asked Questions 


Get the answers you seek for the topics of Exam Registration & Administration and Certification Requirements.


Exam Registration & Administration

  1. How can I renew my certification for 2015?
  2. How can I report my CPE?
  3. When will I receive my admission ticket for the June 2015 exam?
  4. What is the exact location of the test site for my June 2015 exam?
  5. What time should I arrive at the exam site?
  6. Can I still defer my June 2015 exam?
  7. What should I bring to the exam?
  8. What is the next exam date?
  9. When will registration open for the 12 September and 12 December 2015 exams?
  10. How do I provide comments on testing conditions?
  11. What is the ISACA Exam Candidate Information Guide and where can I find this on the web?
  12. How is the exam scored?
  13. Why does it take 5 weeks to process CISA/CISM exam results and 8 weeks to process CGEIT/CRISC exam results?
  14. Why doesn’t ISACA currently offer computer-based testing (CBT)?

1. How can I renew my certification for 2015?

Certification renewals for 2015 are still currently open. ISACA CPE policies require that you earn a minimum of 120 CPE over your 3-year cycle AND 20 CPE in each cycle year. Renewing your certification for 2015 requires two steps: paying the annual maintenance fee and reporting your 2014 CPE hours.

To pay the annual certification maintenance fee, log in to www.isaca.org from the home page. A successful login will redirect you to the 'My ISACA' tab, where you click the “Renew Now” button displayed on the MyISACA page under Certification Status. If you have forgotten your password, click on the ‘Forgot Password?’ link. After remitting your payment by credit card, you will receive a purchase receipt online and via email in addition to a receipt by postal mail. If you are not paying by credit card and want to pay by check or bank transfer, click the ‘Pay by Check or Bank Transfer’ button when you reach the shopping cart.

To report CPE, visit www.isaca.org/reportCPE

2. How can I report my CPE?

Our CPE reporting system has recently been enhanced and certified individuals are now able to report CPE as they are earned. Take a quick tour at www.isaca.org/Certification/Additional-Resources/Pages/How-to-Earn-CPE.aspx.

To update or enter CPE hours, log in to www.isaca.org from the home page. A successful login will redirect you to the 'My ISACA' tab; from there, click on the 'myCERTIFICATIONS' tab and then click 'Report Now', which will take you to the screen where CPE hours can be reported.

You can report your CPE individually as you earn them or in a single total. To enter your CPE hours:

  1. Click on MyCertifications
  2. Click on the Report CPE or Manage My CPE button.
  3. Scroll down and select the Add CPE button.
  4. Enter your CPE activity details.
  5. Select the appropriate CPE qualifying activity. Click on ‘Help’ for a description of the qualifying activities. If you are entering a lump sum total that combines many CPE activities into one, under Qualifying activity select: “Summary CPE – Qualifying activity not specified.” Additional CPE reporting information can also be found in the certification CPE policy.
  6. You will need to enter the number of CPE earned in this activity for each ISACA certification to which it applies.
  7. Select Save to save your changes.

3. When will I receive my admission ticket for the June 2015 exam?

Admission tickets for the June 2015 exam will be released via email the first week of May 2015. Once released, candidates can use a printout of the email e-ticket for entry into the exam.

Candidates can also reprint the ticket online. To reprint, log in to www.isaca.org from the home page. A successful login will redirect you to the 'My ISACA' tab; then click on the myCERTIFICATIONS tab, where you will find a link to “Print Admission Ticket”.

4. What is the exact location of the test site for my June 2015 exam?

The exam details, including the exact exam location, will be listed on your exam admission ticket. To ensure that you arrive in plenty of time for the exam, we recommend that you become familiar with the exact location and the best travel route to your exam site prior to the date of the exam. Test center phone numbers and web site references will be provided (when available) to assist you in obtaining directions to the facility.

5. What time should I arrive at the exam site?

Your arrival time will be listed on your exam ticket. Please check your admission ticket for the exam time for your exam location as the time can vary by site.

NO CANDIDATE WILL BE ADMITTED TO THE TEST CENTER ONCE THE CHIEF EXAMINER BEGINS READING THE ORAL INSTRUCTIONS. Any candidate who does not attend the exam on exam day or arrives after the oral instructions have begun will not be allowed to sit for the exam and will forfeit their registration fee.

6. Can I still defer my June 2015 exam?

Candidates unable to take the June exam can request a deferral of their registration fees to the 12 September 2015 exam or the 12 December 2015 exam. The 12 September exam will only offer the CISA and CISM exams at select worldwide locations (www.isaca.org/examlocations); the 12 December 2015 exam will offer all ISACA exams at all locations.

From 24 April to 22 May, a processing fee of US $100 will be charged. Deferral requests will not be accepted after 22 May 2015. To request a deferral, please go to www.isaca.org/examdefer to complete the process. The exam and deferral fees are nonrefundable. Please note: Deferral requests will not be processed until deferral fees have been paid in full. Payment is due in full by 13 June 2015. All deadlines are based upon Chicago, Illinois USA, 5PM CT (central time).

7. What should I bring to the exam?

In addition to your admission ticket, bring several sharpened No. 2 or HB pencils, an eraser, and an acceptable form of photo identification such as a driver’s license, passport or government ID. This ID must be a current and original government issued identification that contains both your name as it appears on the admission ticket and your photograph. Any candidate who does not provide an acceptable form of identification will not be allowed to sit for the exam and will forfeit their registration fee.

Candidates are not allowed to bring any type of communication, surveillance or recording device (including but not limited to tablets, smart glasses, smart watches, mobile devices, cell phone, PDA, Blackberry, etc.) into the test center. If a candidate is observed with any communication device during the exam administration, his/her exam will be voided and he/she will be asked to immediately leave the test site.

Please visit www.isaca.org/cisabelongings, www.isaca.org/cismbelongings, www.isaca.org/cgeitbelongings, and www.isaca.org/criscbelongings for a list of items which are permitted and are not permitted in the exam site. Note that items brought to the exam will need to be stored in the belongings area. Items stored in the belongings area will not be guarded and candidates are not allowed to access these items during the exam administration.

8. What is the next exam date?

The next opportunity to sit for the exam is 12 September for CISA and CISM only at select worldwide locations (www.isaca.org/examlocations) and 12 December 2015 for all ISACA exams at all locations.

9. When will registration open for the 12 September and 12 December 2015 exams?

Registration for the 12 September exam is now open. You can register for the September exam at www.isaca.org/examreg. Registration for the December exam will open mid-May.

10. How do I provide comments on testing conditions?

Candidates who wish to raise exam day issues, or additional comments or concerns about the examination administration, including comments on the exam site or the content of the examination, should contact ISACA international headquarters by e-mail (exam@isaca.org). These comments or concerns are to be received by ISACA within 2 weeks after the examination date. Only those comments received by ISACA during the first 2 weeks after the exam administration will be considered in the final scoring process of the examination.

11. What is the ISACA Exam Candidate Information Guide and where can I find this on the web?

The ISACA Exam Candidate Information Guide provides valuable information regarding exam day rules and information as well as exam dates and deadlines. You can find the 2015 copy at www.isaca.org/examguide. The guide is also translated, and translated copies are available at the above link. ISACA recommends that all candidates review the guide to familiarize themselves with the exam day rules and information.

12. How is the exam scored?

ISACA uses a 200-800 point scale with 450 as the passing mark for the exams. A scaled score is a conversion of the raw score on an exam to a common scale. It is important to note that the exam score is not based on an arithmetic or percent average. For example, the scaled score of 800 represents a perfect score with all 200 questions on CISA and CISM or all 150 questions on CGEIT or CRISC answered correctly; a scaled score of 200 is the lowest score possible and signifies that only a small number of questions were answered correctly.

A candidate must receive a scaled score of 450 or higher to pass the exam. A score of 450 represents a minimum consistent standard of knowledge as established for the exam by the respective ISACA Certification Committee. The passing score of 450 represents the minimum number of questions that must be answered correctly by the candidate in order to demonstrate practical application of the job task and knowledge statements. A candidate receiving a passing score may then apply for certification if all other requirements are met.

13. Why does it take 5 weeks to process CISA/CISM exam results and 8 weeks to process CGEIT/CRISC exam results?

ISACA takes the processing of exam results very seriously. Best practice dictates that item performance be carefully reviewed after each exam administration to ensure that items performed in a fair and consistent manner. Also, ISACA’s policy is to release the results of all of our exams together, rather than individually as they are processed. CISA and CISM exam results will be released within 5 weeks of the exam administration (in place of the 8 weeks that currently applies for CGEIT and CRISC). This change was viable due to the maturity of the respective exams and item pool.

ISACA works with its testing agency to administer our exams in over 240 locations worldwide. The first step in the grading process is the review of the preliminary statistical analysis, which begins when a majority of answer sheets are returned. This usually occurs a week or two after the exam administration date. This preliminary analysis is conducted on each exam item in every language that the exam item is offered. Currently, ISACA offers 4 different exams, in up to 11 languages. This step is essential because it identifies items that did not perform well based on statistics. Items with poor statistics are reviewed by the members of the respective certification committee. If an error or inconsistency is discovered within an item, the answer key is adjusted to ensure candidates are not penalized for the error.

Items with performance statistics on translated exams are also reviewed to determine if errors in translation occurred, impacting the candidate’s ability to answer an item correctly. This review is performed by multilingual ISACA members who hold the respective certifications.

Once the answer keys are finalized, a passing point is determined and approved by the Certification Committee for each certification. At this point, the testing agency processes each exam candidate’s final grade by converting it into a score between 200 and 800.

ISACA and our testing agency are dedicated to the efficient processing of exam results. We are also committed to performing the proper due diligence so that test results are reliable.

14. Why doesn’t ISACA currently offer computer-based testing (CBT)?

ISACA is often asked why our exams are not offered in an online environment. It’s a great question, especially given that ISACA members and certifieds are primarily IT professionals. It is also an issue that ISACA’s Credentialing Board and certification committees continue to evaluate each and every year. There are three primary objectives that ISACA considers when offering exams:

  • Can exams be offered more efficiently?
  • Can exams be offered more securely?
  • Can exams be offered more affordably?

In order to determine whether to move from paper-based testing to computer-based testing, ISACA has weighed various factors including, but not limited to, being assured that:

  • Exam candidates are offered a consistent and suitable exam experience regardless of where they sit for the exam
  • Exam items are properly safeguarded
  • Exams are offered at a reasonable and fair fee

It is clear that there are advantages and disadvantages to offering exams in both paper-based and computer-based formats. Research has indicated that suitable CBT sites are not available in many of the more than 240 locations where ISACA currently offers exams, and many other CBT sites are not viable and secure for high-stakes exams. In addition, we have seen others who have shifted from paper-based testing to CBT increase their exam fees significantly (often by 100%) given the higher administrative costs.

At this time, ISACA’s Credentialing Board has determined that the cost of transitioning to CBT would outweigh the benefits to test takers and to ISACA as a whole. ISACA is proud of the success and demand for our certifications that has been achieved, and is committed to continuing to look at additional options for offering ISACA exams.



CRISC Certification

  1. What does the CRISC continuing professional education program require?
  2. How do I renew my certification and/or report my CPE?
  3. Does ISACA provide a discount on certification maintenance (renewal) fees if I have multiple certifications?
  4. What type of work experience do I need for CRISC certification?
  5. Where can I view details on the job practice domains?
  6. Where can I learn more about the CRISC certification?
  7. How do I best prepare for the CRISC exam?

1. What does the CRISC continuing professional education program require?

In order to become and remain a CRISC, an individual must agree to comply with the CRISC continuing professional education program. This program requires an individual to earn a minimum of 20 CPE hours annually and 120 CPE hours over their 3-year cycle. In addition, an annual maintenance fee of US $45 for ISACA members and US $85 for non-members is required.

  Download CPE policy

2. How do I renew my certification and/or report my CPE?

Renewing the certification requires earning and reporting CPE hours annually and over a fixed 3-year cycle period, and paying an annual certification maintenance fee.

Our CPE reporting system has recently been enhanced and certified individuals are now able to report CPE as they are earned.

  • View the Video Quick Tour
  • Download the PDF Quick Tour
  • CPE Reporting FAQs

How to report your CPE:

To pay the annual maintenance fee:

If you have forgotten your password, click on the "Forgot Password?" link. After remitting your payment by credit card you will receive a purchase receipt online and via email, in addition to a receipt by postal mail. If you are not paying by credit card and want to pay by check or bank transfer, click the "Pay by Check or Bank Transfer" button when you reach the shopping cart.

3. Does ISACA provide a discount on certification maintenance (renewal) fees if I have multiple certifications?

Yes, for those individuals who renew 3 or more ISACA certifications, ISACA offers a discount on the 3rd and 4th renewal fees of $20 for members and $35 for nonmembers.

4. What type of work experience do I need for CRISC certification?

The Certified in Risk and Information Systems Control certification (CRISC, pronounced “see-risk”) is intended to recognize a wide range of professionals for their knowledge of enterprise risk and their ability to design, implement, monitor, and maintain IS controls to mitigate such risk. It is particularly designed for IT professionals who have hands-on experience with risk identification, assessment and evaluation; risk response; risk monitoring; IS control design and implementation; and IS control monitoring and maintenance. Please see the job tasks and knowledge statements that relate to this certification at Job Practice.

5. Where can I view details on the job practice domains?

Please visit Job Practice to view the CRISC task and knowledge statements.

6. Where can I learn more about the CRISC certification?

Please visit the CRISC page.

7. How do I best prepare for the CRISC exam?

Exam candidates should have a solid understanding of CRISC terminology and concepts. The CRISC exam will primarily align with the terminology and concepts described in The Risk IT Framework, The Risk IT Practitioner Guide, and COBIT 4.1. This will include applications in the evaluation and monitoring of Information Systems (IS)-based risk, as well as the design and implementation of IS controls. It is also critical that the CRISC candidate is familiar with the CRISC Job Practice, and is able to apply the concepts associated with each of the 5 domains.

It is important for a CRISC candidate to be able to distinguish functional terms and apply concepts associated with “risk,” “threats,” and “vulnerabilities.”  These terms should not be used interchangeably.

  • “Risk” refers to the likelihood (or frequency) and magnitude of loss that exists from a combination of asset(s), threat(s), and control conditions.  As a derived value, it cannot take a plural form (i.e., “risks”).  Consequently, when referring to conditions that represent some amount of risk, terms such as “risk factors,” “risk scenarios” or “risk concerns” will be used.
  • “Threat” refers to anything (e.g., object, substance, human) that is capable of acting against an asset in a manner that can result in loss or harm.
  • “Vulnerability” refers to control conditions that are deemed to be deficient relative to requirements or the threat levels being faced.  It is a weakness in design, implementation, operation, or internal controls.

As much of the test focuses on practical application of terminology and concepts, simply reading The Risk IT Framework, The Risk IT Practitioner Guide, and COBIT 4.1 will not lend enough knowledge to pass the CRISC exam. Exam candidates will need to draw from their experience implementing the concepts illustrated.



Certification Requirements

  1. What do I need to do if I have received a revocation notice?
  2. Where can I find the CRISC Application for certification?
  3. Is there a fee to apply for certification?
  4. What are the qualifications to earn the CRISC credential?
  5. What does the CRISC continuing professional education policy require?
  6. Do I need to submit documentation for my CPE hours?
  7. Does ISACA provide a discount on certification maintenance (renewal) fees if I have multiple certifications?

1. What do I need to do if I have received a revocation notice?

If you have received a revocation notice, please contact certification@isaca.org.

2. Where can I find the CRISC Application for Certification?

The CRISC application is available at www.isaca.org/criscapp.

3. Is there a fee to apply for certification?

For certification applications received on 1 June 2012 and forward, an application processing fee of US $50 will be required to apply for certification. The application processing fee will support our dedication to efficient and proper processing of certification applications according to industry standards. The fee will also help support the integrity of the application process, which in turn reinforces the strength and reputation of the overall certification programs.

Payment for the CRISC application processing fee can be made online at www.isaca.org/criscpay.

4. What are the qualifications to earn the CRISC credential?

Becoming CRISC certified requires passing the CRISC exam and meeting the requirement of 3 years of work experience in the fields of risk management and IS control. A minimum of three (3) years of cumulative work experience performing the tasks of a CRISC professional across at least three (3) CRISC domains is required for certification. There are no substitutions or experience waivers. Individuals must apply for certification by completing and submitting a CRISC Application for Certification.

5. What does the CRISC continuing professional education policy require?

In order to become and remain a CRISC, an individual must agree to comply with the CRISC continuing professional education program. This program requires an individual to earn a minimum of 20 CPE hours annually and 120 CPE hours over the 3-year cycle. In addition, an annual maintenance fee of US $45 for ISACA members and US $85 for non-members is required. To view the CRISC CPE policy, visit www.isaca.org/crisccpepolicy.

6. Do I need to submit documentation for my CPE hours?

Documentation of CPE hours does not need to be provided to ISACA unless you are selected for an audit of your CPE hours. If you are selected for an audit of your CPE hours, you will be notified by email and by hard copy via postal mail.

7. Does ISACA provide a discount on certification maintenance (renewal) fees if I have multiple certifications?

Yes, for those individuals who renew 3 or more ISACA certifications, ISACA offers a discount on the 3rd and 4th renewal fees of $20 for members and $35 for nonmembers.



Exam Content

  1. How long is the exam?
  2. What does the CRISC exam cover?

1. How long is the exam?

A candidate is given 4 hours to complete a 200-question multiple-choice exam.

2. What does the CRISC exam cover?

The CRISC exam covers 5 risk and control job practice areas, each of which is further defined and detailed through task and knowledge statements. For more complete details, please go to CRISC Job Practice areas.
