Notice: A new CRISC job practice is effective with the June 2015 CRISC exam administration. Requirements to become CRISC-certified will also change for those who pass the exam from June 2015 onward. Candidates who pass the CRISC exam will need to submit evidence of three (3) years of cumulative work experience performing the tasks of a CRISC professional across at least two (2) of the four (4) new domains. Of these two required domains, one must be either Domain 1 or Domain 2.
Exam candidates (2009-2014) who have met and continue to meet the following requirements will be awarded the CRISC designation:
- Successful completion of the CRISC examination
- Risk management and information systems control experience
- Adherence to the Code of Professional Ethics
- Adherence to the Continuing Professional Education (CPE) Policy
1. Successful completion of the CRISC examination
The examination is open to all individuals who have an interest in business and technology risk management as well as the development and implementation of IS controls. All are encouraged to work toward and take the examination. Successful examination candidates will be sent all information required to apply for certification with their notification of a passing score. For a more detailed description of the exam see the CRISC certification job practice. CRISC exam candidates should be familiar with the terminology and concepts described in ISACA’s intellectual property and other credible sources. For how best to prepare for the exam, see the CRISC Frequently Asked Questions.
2. Risk management and information systems control experience
Certification is granted initially to individuals who have successfully completed the CRISC exam and meet the following work experience requirements in the fields of risk management and IS control. A minimum of three (3) years of cumulative work experience performing the tasks of a CRISC professional across at least three (3) CRISC domains is required for certification. There are no substitutions or experience waivers.
Once a CRISC candidate has passed the CRISC certification exam and has met the work experience requirements, the final step is to complete and submit the CRISC Application for Certification. Experience must have been gained within the 10-year period preceding the application date for certification or within five years from the date of initially passing the examination. Retaking and passing the examination will be required if the application for certification is not submitted within five years from the passing date of the examination. All experience must be verified independently with employers.
3. Adherence to the Code of Professional Ethics
Members of ISACA and/or holders of the CRISC designation agree to a Code of Professional Ethics to guide professional and personal conduct.
4. Adherence to the Continuing Professional Education (CPE) Policy
The objectives of the continuing education program are to:
- Maintain an individual's competency by requiring the update of existing knowledge and skills in the areas of risk and information systems control
- Provide a means to differentiate between qualified CRISCs and those who have not met the requirements for continuation of their certification
- Provide a mechanism for monitoring risk and information systems control professionals' maintenance of their competency
- Aid top management in developing sound risk and information systems control functions by providing criteria for personnel selection and development
Maintenance fees and a minimum of 20 contact hours of CPE are required annually. In addition, a minimum of 120 contact hours is required during a fixed 3-year period.