
Certification Prep Guide Series:

How to Become
Certified in Risk and Information
Systems Control

1-800-COURSES www.globalknowledge.com
How to Become Certified in Risk and Information Systems Control

This Certification Prep Guide provides an overview of ISACA’s Certified in Risk and
Information Systems Control (CRISC) certification and offers helpful tips that you can
use when preparing for your CRISC certification exam.

Table of Contents
• Why get certified in risk and information systems control?
• What is the CRISC certification?
• Who should take the CRISC exam?
• How will becoming certified in risk and information systems control impact
your job and career?
• CRISC exam guide
• How to prepare for the CRISC certification
• CRISC exam: Tips & tricks
• How to maintain your CRISC certification
• Next steps after you obtain your CRISC certification

Why get certified in risk and information systems control?


Digital transformation has bred equal parts innovation and risk. And it’s not just the IT
department that’s been disrupted—technology is now the most critical risk factor for
the entire organization. It has never been more vital to have an expert on staff who
can identify and evaluate aspects of IT that are a threat to business objectives.

The enterprise’s risk exposure can take many forms:

• Poor technology decisions, disruption in IT systems, or a security breach can have a significant impact on business operations and likewise on productivity and performance.[1]
• Heightened regulatory requirements have placed significant pressure on organizations to keep up with changing policies and legal mandates to avoid fraud, misconduct, and sanctions.[1]
• Expanded partner ecosystems now mean a broader risk landscape to which all organizations are exposed—dramatically increasing third-party (or even fourth-party) and supply chain risk.[1]

Understanding and applying the risk matrix, proper formulas, and liability spectrum
are essential to mitigating and recovering from disruptions, as well as determining
appropriate and responsible financial measures.

Organizations cannot afford to take risk lightly—there is far too much at stake.
ISACA’s Certified in Risk and Information Systems Control (CRISC) certification
validates the skills to identify, evaluate and manage information systems and
technology risk, and help enterprises achieve their business objectives.

[1] IDC MaturityScape: Enterprise Risk Management 1.0

Copyright ©2020 Global Knowledge Training LLC. All rights reserved.

CRISC-certified professionals possess a unique cybersecurity skill set that is in high
demand and short supply. According to the Global Knowledge IT Skills and Salary
Report, 38% of worldwide IT decision-makers have struggled to find qualified
cybersecurity professionals. This is the fourth straight year cybersecurity has been the
most challenging hiring area.

This global shortage of cybersecurity professionals has created an in-demand market
for individuals who are willing to rise to the challenge and build their information
security skill set.

Governance, Risk, and Compliance (GRC) positions within cybersecurity organizations
are key components of a company’s cybersecurity posture, as well as of the legal,
financial, and technology elements required to build, maintain, and recover vital
business practices.

What is the CRISC certification?


According to ISACA, more than 24,000 professionals have earned their CRISC
certification since it launched in 2010. CRISC demonstrates the ability to identify and
evaluate IT risk, and provide insight on that risk from an overall organizational
perspective.

Standard IT professionals often lack the skills to conduct a valid risk analysis. Having a
CRISC-certified individual on staff is vital to ensure risk is properly scrutinized and
business objectives are met.

To achieve this certification, an individual must take and pass the CRISC certification
exam, consisting of 150 questions and four job practice domains:

1. IT Risk Identification
2. IT Risk Assessment
3. Risk Response and Mitigation
4. Risk Control, Monitoring and Reporting

The exam assesses knowledge, as well as abilities that a risk and information systems
control specialist would be expected to demonstrate on the job.

CRISC is one of the most popular cybersecurity certifications—it’s fifth among the
most held and sixth among the most pursued according to 2019 data.

Who should take the CRISC exam?


CRISC is an essential certification for IT risk management professionals, control and
compliance professionals, and business analysts who are responsible for identifying
and managing risks through the development, implementation and maintenance of
information systems (IS) controls.

CRISC-holders can be relied on to make effective risk-based decisions and prioritize
areas that are most at risk.

At least three years of relevant work experience in two of the four CRISC domains is
also required for certification, though the work experience can be completed after
taking the exam.

How will becoming certified in risk and information systems control impact your job and career?

Aside from establishing themselves as risk and information systems control experts,
CRISC-certified professionals are paid extraordinarily well. CRISC is associated with
the eighth highest IT salary in North America, with an annual average of $128,556. It’s
the second highest-paying cybersecurity certification in the 2019 IT Skills and Salary
Report and one of the top cybersecurity credentials to enhance your career.

In general, certified personnel are more productive and close skills gaps better than
non-certified peers. This is vitally important for cybersecurity, as skill shortages
continue to grow. According to ISACA’s State of Cybersecurity: 2019 report, 69% of
cyber professionals say their teams are understaffed and only 34% have a high degree
of confidence in their team’s ability to detect and respond to cyber threats.

Earning a cybersecurity certification signals to team members and prospective
employers that you have the knowledge, skills and ability to oversee an organization’s
information. These experts are in high demand and thus are likely to be compensated
well.

CRISC exam guide


To achieve this certification, you must pass the CRISC exam. Register for the exam at
ISACA’s Exam Registration page. From the registration date, you have 12 months to
take the exam. Registration is continuous so candidates may schedule a testing
appointment as early as 48 hours after payment of the exam fee.

Test duration: Up to four hours
Number of questions: 150
Cost: $575 for ISACA members, $760 for non-members

The questions on the CRISC exam cover the following job practice domains:

• Domain 1 – IT Risk Identification (27%)
• Domain 2 – IT Risk Assessment (28%)
• Domain 3 – Risk Response and Mitigation (23%)
• Domain 4 – Risk and Control Monitoring and Reporting (22%)

All exam questions have four answer choices, and test-takers must select the correct,
or best, answer for each question. There are also scenario-based questions where two
or more questions must be answered based on a provided scenario.

ISACA certification exams are computer-based and administered at authorized PSI
testing centers. Find your nearest PSI testing location.

On the day of the exam, mobile phones, smart watches, computers, reference
materials and bags are prohibited in the testing center. Plan to store personal items in
a locker or designated area.

If you miss your test appointment, you may reschedule without forfeiting your
registration fee. Make sure you contact PSI no later than 72 hours following the test
time and provide documentation to confirm your reason for absence.

View the ISACA Certification Exam Candidate Guide for more information about
registration, scheduling and exam-day rules.

How to prepare for the CRISC certification


A mixture of formal and informal learning provides the most value in preparation for a
certification exam.

Instructor-led training
Live, classroom training is the most immersive learning environment and the best way
to prepare for the CRISC certification exam. In a Global Knowledge training course,
students interact directly with a subject matter expert and collaborate with peers who
may share similar work challenges.

Recommended courses:
• CRISC Prep Course
o This instructor-led course provides an in-depth examination of all four
domains of the CRISC certification exam. There’s also a module
specifically for exam review that examines key risk indicators and covers
test preparation.
• The following course is recommended prior to enrolling in the CRISC prep
course:
o Cybersecurity Specialization: Governance, Risk, and Compliance
▪ Gain the skills to design a system of governance to enforce
compliance with laws, regulations, and company policies.

Study guides
ISACA offers a number of study guides to prepare for the CRISC exam.
• CRISC Review Manual, 6th Edition eBook. This comprehensive manual is a
terrific prep resource and can be useful as a reference manual for risk
management professionals throughout their career.
• CRISC Review Questions, Answers & Explanations Manual, 5th Edition. This
study guide includes 550 practice questions for the CRISC exam.
• Exam prep community. ISACA hosts forums for all of its certification exams
where participants can share questions and tips, as well as get advice from
past exam takers.

Practice exam
ISACA offers a free CRISC practice quiz to test risk and information systems control
knowledge. This quiz is a reliable evaluator of CRISC skills as the questions are the
same level of difficulty as can be expected on the certification exam.

Additionally, there are published practice exams available via commercial
outlets (such as Amazon.com) with a multitude of helpful practice questions and
tests. For a properly qualified candidate, there is no substitute for the time and energy
spent going through practice exams and gauging your progress before sitting the
official exam.

CRISC exam: Tips & tricks


The CRISC exam is designed to test the comprehensive knowledge needed by risk
managers and control professionals to lead complex organizations in risk evaluation
and mitigation. In doing so, the certification exam uses questions that not only seek
the right answer, but also the best answer, based on many factors. Some of the
questions are scenario-based, and most reflect a need to be prepared to understand
the complex requirements for successful risk management.

Properly preparing for the exam includes detailed note-taking and attention to
nuance in the anecdotes and guidance offered by the classroom instructor, as well as
vigilance to the keywords and meanings offered up in each domain of preparation.

Continuous practice questions can help prepare your mind for the question format
and expectations. Learning how business units and security teams interoperate, and
the correct practice between them, is key to having the overall comprehension
needed for many of the questions.

When taking the exam, make sure you answer all of the questions. You will not be
penalized for an incorrect answer so it’s not in your best interest to leave any
questions unanswered. Also, you have four hours to complete the exam, so make sure
to pace yourself and don’t rush through the questions. Read each question carefully
and make sure you select the most correct answer.

How do you know if you pass?


Exam results will appear immediately on screen following the completion of your
exam. Your score will also be emailed to you and available online within 10 working
days. If you pass, you will receive details on how to apply for certification.

ISACA scores are based on a scale of 200 to 800, with 800 representing a perfect
score. Candidates must record a score of 450 or higher to pass.

What happens if you don’t pass the exam?


Candidates who fail to pass the CRISC exam on their first try may retake the exam up
to three times within 12 months of their first attempt. The first retake cannot occur
until 30 days have passed from the first attempt, while the second and third retakes
cannot occur until 90 days have passed after previous attempts.

How to maintain your CRISC certification


ISACA’s Continuing Professional Education (CPE) policy requires CRISC-certified
individuals to “maintain an adequate level of current knowledge and proficiency in the
field of information systems security management.”

CRISC-certified professionals must attain and report a minimum of 20 CPE hours a
year and 120 CPE hours over a three-year period. These hours must be dedicated to
CRISC-related tasks or demonstrate CRISC-related abilities.

To renew the CRISC certification, an annual maintenance fee must be paid ($45 for
ISACA members, $85 for non-members) and reporting of CPE hours must be
submitted.

Next steps after you obtain your CRISC certification


Freshly certified CRISCs will find many options in their career path. CRISCs are
generally highly sought, as digital transformation has heightened the need for proper
risk management. The need for IT professionals who can evaluate business risk and
implement IS controls continues to grow.

Professionals who have their CRISC certification may generally pursue cybersecurity
specialties like ISACA’s Certified Information Security Manager (CISM) certification, as
well as the Certified Information Systems Security Professional (CISSP) certification
from (ISC)². Each credential supports a new level of confidence in the industry
regarding your proven skill and competence level as a cybersecurity professional.

Once you pass the certification, to get maximum exposure, you’ll want to immediately
load your certificate into your LinkedIn Profile (don’t forget to include your actual
certificate number—LinkedIn refers to this as a “License Number”).

About the Authors

Brad Puckett
Brad Puckett, ITIL® and PMC II, is the Global Product Director for Cybersecurity and
Emerging Technologies at Global Knowledge, the worldwide leader in IT and
professional training. Brad has over 20 years of experience in information technology
and cybersecurity in applied practice, education, thought leadership, evangelism, and
business direction. He lives near Raleigh, N.C.

Ryan Day
Ryan Day is a Content Marketing Manager for Global Knowledge and has over 15
years of experience in the communications field. He is an award-winning journalist and
editor, having worked for a daily newspaper in upstate New York. He also served as
an editorial manager for PR Newswire in Washington, D.C. He currently lives with his
wife and daughter in Durham, N.C.
