CRISC Certification Guide 2026: Exam, Cost and Salary

Standarity Editorial Team · CRISC-Certified IT Risk Practitioners · 6 min read

CRISC certification, short for Certified in Risk and Information Systems Control, is an ISACA credential that validates a professional's ability to identify, assess and respond to enterprise IT risk and to design and monitor the controls that treat it. It is widely held by IT risk managers, GRC analysts and information security leaders worldwide.

What is CRISC and who is it for

CRISC sits at the intersection of risk management and information systems. Where other credentials lean toward audit or security operations, CRISC focuses squarely on the discipline of IT risk: framing it for decision makers, quantifying it, treating it and reporting on it to the board. ISACA, the standards body behind COBIT, has positioned CRISC as its flagship risk credential since 2010.

In our experience the people who benefit most are those who already sit between technology and the business. That includes IT risk managers, GRC and compliance analysts, internal auditors moving into risk, security managers, and project leaders who must speak the language of risk to executives. If your day involves explaining why a control matters in business terms, CRISC will sharpen that skill.

The four CRISC domains

The exam content is organised into four job-practice domains, each weighted to reflect its share of the questions on the exam and, by ISACA's design, its share of the day-to-day work of a risk practitioner. Knowing the weighting tells you where to invest study time.

  • Governance (26 percent): risk strategy, frameworks, culture, and aligning IT risk with business objectives.
  • IT Risk Assessment (20 percent): identifying, analysing and evaluating risk scenarios and their impact.
  • Risk Response and Reporting (32 percent): selecting risk treatments, designing controls, and reporting on risk and key risk indicators. This is the largest domain.
  • Information Technology and Security (22 percent): the technical foundations, from architecture and data to security controls and emerging technology.

Notice that Risk Response and Reporting is the heaviest single domain. That reflects a clear message from ISACA: identifying risk is only half the job, and the value lies in treating it and communicating it credibly. Our guide to ISO 31000 risk management covers the same response-and-monitoring cycle in framework-neutral terms if you want a wider grounding.

Exam format and passing score

The CRISC exam is 150 multiple-choice questions to be completed in 240 minutes. Your raw score is converted to a scaled score on a range of 200 to 800, and you need a scaled score of 450 or higher to pass. Because of the scaling, the pass mark does not translate into a fixed percentage of correct answers, and ISACA does not publish a raw-score equivalent, so aim comfortably above the minimum in practice tests rather than targeting a particular percentage.

Salary and demand

CRISC-certified professionals in the United States earn a median near US$151,000, with figures ranging from roughly US$90,000 to US$192,000, and there are around 1,900 open US roles that specifically require the credential (Invensis Learning, 2026; ZipRecruiter, 2026).

Cost and the experience requirement

The 2026 exam registration fee is US$575 for ISACA members and US$760 for non-members. After you pass you submit a one-time certification application with a US$50 fee, and you then pay an annual maintenance fee of US$45 for members or US$85 for non-members to keep the credential active. Each exam attempt is a separate paid registration, so a focused first attempt saves real money.

CRISC also carries an experience requirement. You must demonstrate at least three years of cumulative work experience performing the tasks of the CRISC job practice across at least two of the four domains, with at least one of those years in Governance or IT Risk Assessment. You can sit the exam first and earn the experience afterward, but the certification is only granted once both the exam pass and the verified experience are in place, and the application must be submitted within five years of passing the exam.

How CRISC compares to CISM and CISA

All three are ISACA credentials, so the choice is about emphasis rather than prestige. CISA is the audit and assurance credential, ideal if your work is reviewing and testing controls. CISM is the management credential, built for those running an information security programme. CRISC is the risk credential, the right fit if your remit is identifying, quantifying and treating enterprise IT risk and reporting it upward.

If you genuinely sit across all three areas, pick the one that matches your next role rather than your current one. Many practitioners eventually hold two, and CRISC pairs naturally with either CISA or CISM because risk language underpins both audit and security management.

How to get CRISC certified: the steps

  • Confirm you can meet the three-year experience rule, even if you plan to earn it after the exam.
  • Create an ISACA account and weigh membership, since the member discount on the exam often offsets the membership fee.
  • Study against the current exam content outline, weighting your time toward the Risk Response and Reporting and Governance domains.
  • Register for and pass the exam with a scaled score of 450 or higher.
  • Submit the certification application with verified experience and the US$50 fee.
  • Maintain the credential through continuing professional education and the annual maintenance fee.

Is CRISC hard? It is a senior credential, and candidates consistently report that the questions test judgement rather than memorised facts. The scenarios ask what a risk professional should do first, or what is most important, and several answer options are usually defensible, so the exam rewards real experience over rote learning. Structured practice with scenario questions is, in our experience, the single highest-return preparation activity.

For most people in or near an IT risk role, CRISC is worth it. The salary data is strong, demand is global and growing on the back of AI governance and cyber resilience programmes, and the credential signals exactly the judgement that hiring managers struggle to assess in interviews.

Frequently Asked Questions

How much does the CRISC certification cost in 2026?

The exam registration fee is US$575 for ISACA members and US$760 for non-members. After passing you pay a one-time US$50 certification application fee, plus an annual maintenance fee of US$45 for members or US$85 for non-members.

How many questions are on the CRISC exam and what is the passing score?

The CRISC exam has 150 multiple-choice questions and a 240-minute time limit. Scores are scaled from 200 to 800, and you need 450 or higher to pass.

What are the four CRISC domains?

Governance (26 percent), IT Risk Assessment (20 percent), Risk Response and Reporting (32 percent), and Information Technology and Security (22 percent). Risk Response and Reporting is the most heavily weighted domain.

Do I need work experience to get CRISC certified?

Yes. You need at least three years of cumulative experience across at least two of the four domains, including at least one year in Governance or IT Risk Assessment. You may sit the exam first and complete the experience within five years.

Is CRISC harder than CISA or CISM?

They are different rather than strictly harder. CISA targets audit and assurance, CISM targets security management, and CRISC targets IT risk. All three test applied judgement, so the hardest one is the one furthest from your daily work.

Is the CRISC certification worth it?

For IT risk, GRC and security professionals, yes. CRISC holders in the US earn a median near US$151,000, demand is strong across major markets, and the credential signals the risk judgement that hiring managers value highly.
