ISACA, or the Information Systems Audit and Control Association, was established in the late 1960s, making it an elder statesman in the family of information technology (IT) associations. It offers four IT certifications, one of which is designates individuals as Certified in Risk and Information Systems Control (CRISC). Read on to take a closer look at the ISACA certification and what it takes to earn it.
Overview of CRISC Certification
The CRISC (pronounced SEE-risk) certification is for IT pros responsible for monitoring, identifying and managing risks through every phase of an information system's creation and lifespan. ISACA has structured this certification around five specific knowledge domains:
- Risk identification, assessment and evaluation
- Risk monitoring
- Risk response
- Information system control design and implementation
- Information system control monitoring and maintenance
These are the four criteria that candidates must meet in order to earn the CRISC certification:
- Provide evidence showing they have three years of work experience in the discipline of risk management, specifically identifying experience with tasks related to the five CRISC knowledge domains. Candidates have up to five years to collect the required experience once they have passed the CRISC exam. However, the certification is not granted until the work experience requirement is met.
- Pass the CRISC certification exam.
- Agree to comply with the ISACA Code of Professional Ethics.
- Follow the CRISC Continuing Education Policy.
CRISC Certification Exam Details
The CRISC certification exam is currently offered twice each calendar year, once in June and once in December. The registration deadline is generally two months prior to each exam date. Exam registration and admission details are managed by the ISACA Certification Department.
The exam consists of 200 multiple-choice questions, and candidates have four hours in which to complete the exam. The full exam objectives and information are available in a downloadable PDF document on the CRISC Exam Preparation webpage.
Exam material is based on the five CRISC knowledge domains, and is distributed according to these approximate percentages:
- Risk identification, assessment and evaluation (31%)
- Risk monitoring (17%)
- Risk response (17%)
- Information system control design and implementation (17%)
- Information system control monitoring and maintenance (18%)
More detailed explanations of the exam knowledge domains are available from the CRISC Job Practice Areas webpage.
The CRISC certification exam is scored on a sliding scale between 200 (worst) to 800 (best). Candidates must achieve a score of 450 to pass the exam. Exam results take approximately eight weeks to be sent to candidates.
Renewing the CRISC Certification
The CRISC certification is valid for a three-year period after it has been achieved. The first three-year certification period for new CRISC earners begins on January 1 of the year following the certified date. During the three-year certification period, CRISC holders must fulfill the following requirements:
- Earn (and submit proof of) at least 120 Continuing Professional Education (CPE) hours, including no less than 20 CPE hours for any given year. A "CPE hour" consists of fifty minutes of participation in a qualifying ISACA (and some non-ISACA) professional education meetings and events.
- Pay the annual CPE maintenance fees.
- Continue to comply with the ISACA Code of Professional Ethics.
IT professionals who earn and maintain a CRISC certification can help to ensure that they're on top of the latest developments in designing, managing, and assessing risk for a company's information systems -- skills and knowledge highly valued by employers.
"Code of Professional Ethics," ISACA.org, http://www.isaca.org/Certification/Code-of-Professional-Ethics/Pages/default.aspx
"Maintain Your CRISC," ISACA.org, http://www.isaca.org/Certification/CRISC-Certified-in-Risk-and-Information-Systems-Control/Pages/Maintain-Your-CRISC.aspx
"Prepare for the CRISC Exam," ISACA.org, http://www.isaca.org/Certification/CRISC-Certified-in-Risk-and-information-systems-control/prepare-for-the-exam/Pages/Prepare-for-the-Exam.aspx
"Job Practice Areas," ISACA.org, http://www.isaca.org/Certification/CRISC-Certified-in-Risk-and-Information-Systems-Control/Pages/Job-Practice-Areas.aspx