CRISC certification: Your ticket to the C-suite?

Is CRISC worth it? Learn about the exam, prerequisites, study guides, and potential salary.

What is CRISC?

Certified in Risk and Information Systems Control (CRISC) is a certification that focuses on enterprise IT risk management. It's offered by ISACA, a nonprofit professional association focused on IT governance with a number of certifications in its stable, including CISM.

Enterprise risk management (ERM) is the process of assessing risks to identify both threats to a company's financial well-being and opportunities in the market. A risk management program aims to weigh the likelihood of a risk materializing against the damage that would ensue if it does. Overall, the goal is to understand an organization's tolerance for risk, then categorize and quantify the risks it faces. (For more background, read CSO's explainer on ERM or our article on risk management mistakes CISOs still make.)

This is, obviously, a high-level set of skills, and it's increasingly one that CISOs and IT security managers are expected to have in their toolkit. CRISC can be a good way to demonstrate your competence in this field, and it can be a lucrative boost to your career. Like many certifications, though, it's not necessarily cheap or easy to get. We'll look at the details of how you can get CRISC certified in a moment, but first, let's see how CRISC stacks up against some of the other certs on the market.

CRISC vs. CISM, CISSP, and CISA

Where does CRISC stand in the world of upper-level IT security certifications? The most important thing that distinguishes it from other certs is that it's specialized and focused specifically on the area of enterprise IT risk management. So, while ISACA's CISM might, like CRISC, be a credential that a CISO or someone aiming to become a CISO might pursue, CISM covers a much wider range of material, generally encompassing the development and management of an infosec program at the enterprise level. (ISC)2's CISSP is another high-level but general-purpose cert, combining in-depth technical knowledge of a broad range of security domains with an understanding of managerial responsibilities.

Finally, there's CISA, which is yet another ISACA cert. CISA is like CRISC in that it's focused, but its area of focus is different: CISA stands for Certified Information Systems Auditor, and is primarily pursued by those in the specialized realm of auditing. Unlike the other three certs, it's less likely that someone would pursue a CISA certification as part of a career aimed at the C-suite. The Netwrix blog has a great chart comparing all four of these certifications if you want to get a sense of the differences and similarities at a glance.

CRISC domains

Now let's take a closer look at the content you'll be expected to master in order to become CRISC certified. ISACA breaks this material down into what it calls domains; in earlier versions of the cert, these were sometimes referred to as job practice areas. The domains are refreshed regularly, and a major overhaul took place in August 2021, so much of the following material is relatively new as of this writing.

There are four top-level domains—governance, IT risk assessment, risk response and reporting, and IT and security—each with a number of subdomains:

Governance

  • Organizational governance
    • Organizational strategy, goals, and objectives
    • Organizational structure, roles, and responsibilities
    • Organizational culture
    • Policies and standards
    • Business processes
    • Organizational assets
  • Risk governance
    • Enterprise risk management and risk management framework
    • Three lines of defense
    • Risk profile
    • Risk appetite and risk tolerance
    • Legal, regulatory, and contractual requirements
    • Professional ethics of risk management

IT risk assessment

  • IT risk identification
    • Risk events (e.g., contributing conditions, loss result)
    • Threat modeling and threat landscape
    • Vulnerability and control deficiency analysis (e.g., root cause analysis)
    • Risk scenario development
  • IT risk analysis and evaluation
    • Risk assessment concepts, standards, and frameworks
    • Risk register
    • Risk analysis methodologies
    • Business impact analysis
    • Inherent and residual risk

Risk response and reporting

  • Risk response
    • Risk treatment/risk response options
    • Risk and control ownership
    • Third-party risk management
    • Issue, finding, and exception management
    • Management of emerging risk
  • Control design and implementation
    • Control types, standards, and frameworks
    • Control design, selection, and analysis
    • Control implementation
    • Control testing and effectiveness evaluation
  • Risk monitoring and reporting
    • Risk treatment plans
    • Data collection, aggregation, analysis, and validation
    • Risk and control monitoring techniques
    • Risk and control reporting techniques (heatmap, scorecards, dashboards)
    • Key performance indicators
    • Key risk indicators (KRIs)
    • Key control indicators (KCIs)

IT and security

  • Information technology principles
    • Enterprise architecture
    • IT operations management (e.g., change management, IT assets, problems, incidents)
    • Project management
    • Disaster recovery management (DRM)
    • Data lifecycle management
    • System development life cycle (SDLC)
    • Emerging technologies
  • Information security principles
    • Information security concepts, frameworks, and standards
    • Information security awareness training
    • Business continuity management
    • Data privacy and data protection principles

These domains don't just define the structure of the test; they're also important when it comes to the cert's experience requirements, as we'll see in the next section.

CRISC certification requirements and fees

There are three steps you need to take in order to attain CRISC certification:

  • Pass the CRISC exam
  • Meet the work experience requirement
  • Apply for the credential (and then maintain it through continuing education, as described below)

We'll dive into the exam in more detail in the next section, but let's pause here for a moment to discuss the work requirement. As noted, CRISC is intended as a relatively high-level cert, and so its holders have to show that they have real-world experience, not just book smarts. To that end, in order to be certified, you need to have:

  • At least three years of work experience performing the tasks covered by at least two of the four domains discussed in the previous section; and
  • At least one of those two domains must be one of the first two listed (governance or IT risk assessment).

To ensure that you're reasonably current on industry trends, this experience must have been accrued within the 10 years before you apply for the credential. But if you don't have the experience yet and are itching to take the exam, that's OK too: you can apply up to five years after you pass the test. (In fact, you can't formally apply for the credential until you pass the exam.)

Once your CRISC application has been accepted, you need to adhere to ISACA's Continuing Professional Education (CPE) program to maintain it. That means taking at least 120 hours of CPE training over each three-year reporting period after you've attained the credential. For more information on how you can meet this requirement, download the CRISC CPE Policy from ISACA.

CRISC exam

As is true for most certifications, the exam is the heart of the CRISC certification experience. The exam lasts four hours and consists of 150 multiple-choice questions. It is available in English, Spanish, and Simplified Chinese, and you can take it either at a PSI exam site or as an online proctored exam from your home; in the latter scenario, a proctor will be watching you through your webcam, so be warned if you find that a little off-putting.

For more details, check out ISACA's exam candidate guide and scheduling guide, as well as information on special accommodations.

CRISC exam fee and application fee

ISACA has a pretty thorough breakdown of the costs associated with getting CRISC certified, but the basics are as follows:

  • First up is the exam fee, which is $575 for ISACA members and $760 for non-members. (ISACA membership dues are $135, so if you're planning on taking one of the certification exams this year, you will come out ahead from the get-go.) You have a year to take the exam after registering to do so, but you will not be refunded if you don't take it in time.
  • Once you've passed the exam, you must formally apply to be CRISC certified, and the fee for this application is $50.
  • Subsequently, you must pay an annual maintenance fee to remain in good standing. This fee is $45 for members and $85 for non-members.

CRISC training

ISACA offers an online CRISC review course that costs $795 for members and $895 for non-members.

There are also, as is the case with almost all certs, numerous third-party training courses out there to help you on your journey. Digital Defynd has a good and recently updated roundup, and prices range from Udemy's $19.99 online course to the Infosec Institute's $4,000 boot camp.

But as we noted, keep in mind that the test was recently and extensively revamped. While you can assume ISACA's in-house training material is adapted to the latest version of the test, you will want to double-check that the same is true of any third-party material you use.

CRISC study materials and exam questions

That same caveat also applies to third-party study materials. The 7th Edition of ISACA's CRISC Review Manual, which costs $105 for ISACA members and $135 for non-members, is up to date. Other books that we might normally recommend for studying for a cert exam, like the All-In-One Guide, are as of this writing behind the times. You'll want to check the publish date of anything you're considering to make sure it's after the August 2021 revamp.

Most of the training courses you can take include sample questions that will prepare you for the exam. If you just want to take a quick look to get a sense of what to expect, you can check out ISACA's practice quiz. If you're willing to spend some money, you can pay $299 (as an ISACA member) or $399 (as a non-member) for access to ISACA's CRISC Review Questions, Answers, and Explanations Database.

CRISC jobs and salary

Most people pursue credentials because they believe that it will help them either gain or demonstrate skills that burnish their resume and advance their career. And because this process isn't cheap, the obvious question that arises is whether the benefits are worth the cost.

For CRISC, the answer certainly seems to be yes at first glance. The Netwrix blog lists a very high-powered list of potential jobs associated with the credential:

  • CIO
  • CISO
  • Security Director
  • Security Manager
  • System Engineer
  • Security Analyst
  • Security Auditor
  • Network Architect
  • Enterprise Leadership
  • Control Professional
  • Risk Professional
  • Business Analyst
  • Compliance Pro
  • Control and Assurance Pro

The Global Knowledge database of top-paying IT certifications for 2021 tells a similar story. According to their figures, the average salary of a CRISC holder is $151,995, 57% of those holders are in management, and their most common job titles are CISO, CSO, and ISO.

But anyone telling you that a particular certification guarantees a certain salary is trying to sell you something (probably a certification). Global Knowledge also notes that the average CRISC holder is 48 years old and holds four other certifications; in other words, they're well advanced in their careers, as you would expect from a certification with an experience requirement like the one CRISC has. There is definitely a question of causation vs. correlation here: is CRISC your ticket to a high-paying job, or is CRISC a credential pursued by people who already have the skills and experience that lead to a lucrative career?

The answer is probably somewhere in between. CRISC won't magically boost your paycheck, but it is definitely a feather in your cap that can make your manager, or hiring managers at other companies, take notice.

Copyright © 2021 IDG Communications, Inc.