How to Become CRISC Certified


The CRISC is awarded to those experienced in the management of IT risk and the design, implementation, monitoring and maintenance of IS controls.


Requirements for CRISC Certification – 2015 exams and later

1. Successful completion of the CRISC examination

The examination is open to all individuals who have an interest in business and technology risk management as well as the development and implementation of IS controls. All are encouraged to work toward and take the examination. Successful examination candidates will be sent all information required to apply for certification with their notification of a passing score. For a more detailed description of the exam, see the CRISC certification job practice. CRISC exam candidates should be familiar with the terminology and concepts described in ISACA’s intellectual property and other credible sources. For how best to prepare for the exam, see the CRISC Frequently Asked Questions.

2. IT risk management and information systems control experience

Certification is granted initially to individuals who have successfully completed the CRISC exam and meet the following work experience requirements in the fields of IT risk management and IS control. A minimum of three (3) years of cumulative work experience performing the tasks of a CRISC professional across at least two (2) of the four (4) CRISC domains is required for certification. Of these two (2) required domains, one (1) must be either Domain 1 or Domain 2. There are no substitutions or experience waivers.

Once a CRISC candidate has passed the CRISC certification exam and has met the work experience requirements, the final step is to complete and submit the CRISC Application for Certification. Experience must have been gained within the 10-year period preceding the application date for certification or within five years from the date of initially passing the examination. Retaking and passing the examination will be required if the application for certification is not submitted within five years from the passing date of the examination. All experience must be verified independently with employers.

3. Adherence to the Code of Professional Ethics

Members of ISACA and/or holders of the CRISC designation agree to a Code of Professional Ethics to guide professional and personal conduct.

4. Adherence to the Continuing Professional Education (CPE) Policy

The objectives of the continuing education program are to:

  • Maintain an individual's competency by requiring the update of existing knowledge and skills in the areas of risk and information systems control.
  • Provide a means to differentiate between qualified CRISCs and those who have not met the requirements for continuation of their certification.
  • Provide a mechanism for monitoring risk and information systems control professionals' maintenance of their competency.
  • Aid top management in developing sound risk and information systems control functions by providing criteria for personnel selection and development.

Maintenance fees and a minimum of 20 contact hours of CPE are required annually. In addition, a minimum of 120 contact hours is required during a fixed 3-year period.

View the complete CRISC Continuing Education Policy.