If you work in IT risk, governance or compliance, you have almost certainly seen CRISC turn up in job adverts and LinkedIn profiles, and wondered whether it is worth chasing. This guide answers that directly. We will walk through exactly what the ISACA CRISC certification covers in 2026, the four exam domains (which were refreshed in late 2025), the real cost, the experience rules, the salary data, and an honest verdict on whether CRISC is worth it for your career.
CRISC stands for Certified in Risk and Information Systems Control. It is ISACA's flagship credential for people who identify, assess and manage IT risk, and who design the controls that keep that risk in check. If your work sits at the meeting point of technology, risk and the business, CRISC is built for you.
What Is CRISC and Who Is It For?
CRISC validates that you can do one specific job well: manage enterprise IT risk end to end. That means spotting risk, assessing how serious it is, deciding how to respond, and putting information systems controls in place to reduce it to a level the business can accept.
It is aimed at mid-career professionals rather than beginners. Typical CRISC holders work as IT risk managers, risk analysts, governance, risk and compliance (GRC) analysts, control specialists, IT auditors moving into risk, and security consultants. It is also a common stepping stone towards senior roles such as IT Risk Manager, Risk and Compliance Director and, eventually, Chief Information Security Officer.
Exam Tip: CRISC is a risk management certification first and a technical certification second. If you are hoping for a hands-on hacking or configuration exam, CRISC is not it. Its value is in proving you can quantify risk and justify controls to the business.
Where ISACA's CISA proves you can audit controls and CISM proves you can lead a security programme, CRISC proves you can own the risk itself. That distinction matters, and we will come back to it later.
The Four CRISC Exam Domains (Updated for 2026)
ISACA refreshed the CRISC Exam Content Outline effective 3 November 2025, so any study material written before then may describe the old weightings. Here are the current four domains and how much of the exam each one represents.
| Domain | Focus | Exam weight |
|---|---|---|
| 1. Governance | Organisational and risk governance, business context, risk appetite and culture | 26% |
| 2. IT Risk Assessment | Identifying, analysing and evaluating IT risk scenarios | 20% |
| 3. Risk Response and Reporting | Selecting risk responses, control design, monitoring and reporting | 32% |
| 4. Information Technology and Security | The technical foundations: architecture, controls, security concepts | 22% |
Domain 1: Governance (26%)
This domain covers the organisational context that risk lives in: governance structures, the risk management framework, business processes, risk appetite and tolerance, and the risk culture of the organisation. You need to understand how IT risk connects to business objectives, not just the technology.
Domain 2: IT Risk Assessment (20%)
Here you demonstrate that you can identify risk, build realistic risk scenarios, and analyse and evaluate them. Expect questions on threat and vulnerability analysis, likelihood and impact, and how to prioritise risk once you have assessed it.
Domain 3: Risk Response and Reporting (32%)
This is the largest domain, and for good reason. It covers what you actually do once risk is identified: choosing a response (accept, mitigate, transfer or avoid), designing and implementing controls, and then monitoring and reporting risk to the people who need to act on it. If you are short on study time, this is the domain to master first.
Domain 4: Information Technology and Security (22%)
The final domain grounds everything in technical reality: enterprise architecture, IT operations, data management, and the security concepts and controls that underpin risk responses. You do not need to be an engineer, but you do need to speak the language.
CRISC Exam Format, Cost and Pass Mark
Here are the hard facts you need before booking. These are the current 2026 figures.
- Number of questions: 150 multiple-choice questions, of which 15 are unscored pretest items you will not be able to identify.
- Exam duration: 4 hours.
- Passing score: 450 on a scaled range of 200 to 800.
- Exam cost: US$575 for ISACA members and US$760 for non-members.
- Delivery: Computer-based testing at Pearson VUE centres, or online with remote proctoring.
- Languages: English, Chinese and Spanish.
Exam Tip: The 450 pass mark is a scaled score, not a raw percentage. ISACA converts your raw marks onto the 200 to 800 scale, so you cannot simply aim for "60% correct". Aim to be comfortably strong across all four domains rather than banking on one.
A quick note on the membership maths. ISACA membership costs money up front, but members pay US$575 for the exam versus US$760 for non-members, and members also pay lower annual maintenance fees. If you plan to sit the exam and keep the certification, membership usually pays for itself.
CRISC Experience and Certification Requirements
Passing the exam is only half the journey. To actually earn the CRISC designation, you must also meet an experience requirement.
You need at least three years of cumulative work experience in IT risk management and information systems control, and that experience must span at least two of the four CRISC domains. The experience must have been gained within the ten years before your application date, or within five years of passing the exam.
Two important points many candidates miss:
- There are no experience waivers or substitutions for CRISC. Unlike some certifications where a degree or another credential can shave off part of the requirement, CRISC expects the full three years of relevant, verified experience.
- You can pass the exam first and earn the experience later, as long as you complete the application within five years of passing. So a slightly less experienced candidate can still sit the exam now and certify once they hit the three-year mark.
What Does CRISC Cost to Maintain?
The exam fee is a one-off, but CRISC is an ongoing commitment. To keep the certification active you must:
- Earn a minimum of 20 CPE (Continuing Professional Education) hours every year, and a total of 120 CPE hours across each rolling three-year cycle.
- Pay an annual maintenance fee, due by 1 January each year. In 2026 that is US$45 for members and US$85 for non-members.
- Comply with ISACA's Code of Professional Ethics.
If you already hold more than two ISACA certifications, the maintenance fee for your third and any further certifications drops to US$25 for members and US$50 for non-members, which softens the blow of collecting several ISACA credentials.
CRISC Salary and Career Value in 2026
This is the question most people really came for: does CRISC pay off? The salary data is genuinely strong.
CRISC-certified professionals report an average annual salary of around US$151,000, with a typical national range of roughly US$143,000 to US$165,000. High-cost metros push higher still, with San Francisco reported at around US$204,000. There are more than 30,000 CRISC holders worldwide, so it is established and recognised without being so common that it has lost its edge.
The demand behind those numbers is easy to explain. AI governance, tighter regulation, cloud migration and a relentless threat landscape have all made enterprise risk management a board-level concern. Organisations across banking, healthcare, government, telecoms and manufacturing want people who can put a credible number on risk and justify what to do about it. CRISC is one of the clearest signals that you can.
Exam Tip: CRISC's ROI is strongest for people already working in or moving towards a GRC or risk role. If you are still in a purely hands-on technical seat with no risk responsibilities, you may get more immediate value from a foundational cert first, then add CRISC as you move up.
CRISC vs CISM vs CISA: Which ISACA Cert Should You Take?
ISACA's three heavyweight certifications overlap enough to confuse people, so here is the clean distinction.
| Certification | Core focus | Best for |
|---|---|---|
| CRISC | Identifying and managing enterprise IT risk and controls | Risk analysts, GRC specialists, IT risk managers |
| CISM | Leading and governing an information security programme | Security managers and aspiring CISOs |
| CISA | Auditing and assuring information systems and controls | IT auditors and assurance professionals |
The simplest way to remember it: CISA audits the controls, CRISC manages the risk, and CISM leads the security programme. They complement each other, which is why plenty of senior GRC professionals eventually hold two or all three.
If your day job is risk assessment, control design and reporting risk to the business, CRISC is the natural fit. If you want to compare the other two head to head, see our guides on CISA vs CISM and whether CISM is worth it in 2026.
So, Is CRISC Worth It in 2026?
For the right person, yes, clearly. Here is the honest breakdown.
CRISC is worth it if:
- You already work in, or are moving into, IT risk, governance or compliance.
- You want a recognised credential that maps directly to GRC and risk manager roles.
- You can meet (or will soon meet) the three-year experience requirement.
- You want a strong salary signal in a field where risk is increasingly a board-level priority.
CRISC is probably not the right first move if:
- You are brand new to IT with no risk exposure yet. Start with a foundational cert and build towards CRISC.
- You want a hands-on technical exam. CRISC is conceptual and management-focused.
- You have no path to the three years of qualifying experience within the required window.
The combination of a roughly US$151,000 average salary, growing demand for risk professionals, and a manageable (if not trivial) exam makes CRISC one of the higher-ROI certifications available to mid-career IT and risk professionals in 2026. The refreshed 2025 exam outline also means the content is current and closely aligned with how enterprises actually manage risk today.
How to Prepare for CRISC
CRISC rewards understanding over memorisation. The exam is full of scenario questions that ask for the best response, so you need to think like a risk manager, not just recall definitions. A sensible study plan looks like this:
- Learn the four domains in order of weight. Start with Risk Response and Reporting (32%) and Governance (26%), then Information Technology and Security (22%) and IT Risk Assessment (20%).
- Practise scenario questions relentlessly. The gap between passing and failing CRISC is usually the ability to pick the "best" answer among several plausible ones. Only high-quality practice questions train that instinct.
- Ground everything in your own work. Map each domain to real situations you have handled. That context makes the scenarios far easier on exam day.
- Review your weak domain before the exam, not your strongest one. A balanced score across all four domains is what gets you over the 450 line.
If you like ISACA's exam style, you may also want to look at newer options such as the ISACA CCOA as your risk and cybersecurity career develops.
Ready to Start Practising?
CRISC is won on scenario questions, and the only way to get comfortable with them is to practise under realistic conditions until picking the best answer becomes second nature. CertCrush gives you domain-aligned practice questions and full mock exams built around the current CRISC outline, so you know exactly where you stand before you book.
Browse the full range of ISACA and risk certification prep on our courses page, then create your free account to start practising CRISC questions today. Put the study hours in the right places, and that US$151,000-average credential is well within reach.