Why CRISC is one of the five most valuable IT certifications in 2026
When ISACA created CRISC in 2010, the problem it was solving was straightforward: enterprises had no standardised way to validate that an IT professional could identify, assess, and manage IT risk at the enterprise level. Security certifications like CISSP tested the breadth of security knowledge. Audit certifications like CISA tested the ability to evaluate controls. But neither credential specifically targeted the practitioner who sits between the business and IT — the person who translates business risk appetite into IT risk frameworks, designs controls to bring risk within tolerance, and reports risk status to boards and regulators in language they can act on. CRISC filled that gap.
By 2026, the gap CRISC fills has become considerably wider. Enterprises face a convergence of risk pressures that did not exist when the certification launched: the EU AI Act imposes mandatory risk assessments for high-risk AI systems; supply chain attacks on software dependencies and cloud infrastructure have elevated third-party risk to board-level concern; ransomware groups have industrialised their operations to the point where every organisation above a certain size is a target; and the NIST Cybersecurity Framework 2.0 now explicitly includes a Govern function that mirrors the enterprise risk management vocabulary CRISC has always tested. Every one of these pressures requires exactly the skills CRISC certifies.
The salary data reflects this demand. Robert Half’s 2025 Technology Salary Guide listed CRISC as the fourth highest-paying IT certification after CCIE, CISM, and CISSP. Burning Glass Technologies and Indeed job posting data for 2026 shows CRISC listed as a requirement or strong preference in 68% of IT Risk Manager job descriptions, 52% of GRC Manager postings, and 41% of CISO and Deputy CISO postings. Among ISACA certifications, CRISC holders consistently out-earn CISA and CGEIT holders by $15k–$25k annually, reflecting the scarcity of practitioners who can both assess risk quantitatively and communicate risk posture to executive stakeholders.
Exam format and logistics
CRISC is delivered through PSI (formerly Prometrics) at authorised test centres worldwide and as an online-proctored exam. The exam consists of 150 multiple-choice questions administered over four hours. ISACA uses a scaled scoring system from 200 to 800; the passing score is 450, which corresponds to approximately 60% of questions answered correctly. ISACA does not publish the exact raw score equivalent, as the scaled score accounts for variation in question difficulty across different exam forms. Questions are scenario-based: a business or technical situation is described and candidates must select the most appropriate risk management response, control recommendation, or reporting approach.
Credential: CRISC — Certified in Risk and Information Systems Control
- Issuer: ISACA
- Questions: 150 MCQ
- Duration: 4 hours
- Passing score: 450/800
- Cost: $575 USD (member) / $760 USD (non-member)
- Prerequisites: 3 years work experience (1+ year in Domain 1 or 2)
- Renewal: 3-year cycle, 120 CPE credits
- Delivery: PSI test centres or online proctored
Eligibility requires three years of cumulative work experience in IT risk management and information systems control, with at least one year in either Domain 1 (IT Risk Governance) or Domain 2 (IT Risk Assessment). Experience must be gained within the ten years prior to taking the exam or within five years of passing it. ISACA verifies experience claims during the application process; providing false experience information results in revocation of the credential. Unlike CISM and CISSP, which accept a wider variety of adjacent experience, CRISC is strict about requiring direct IT risk and control experience — not general IT management or general security operations.
Maintaining CRISC requires earning 120 continuing professional education (CPE) credits over the three-year renewal period and paying an annual maintenance fee ($45 USD for ISACA members, $85 USD for non-members). Candidates who also hold CISM, CISA, or CGEIT can share CPE credits across multiple ISACA credentials. ISACA conducts CPE audits and revokes credentials for non-compliance with maintenance requirements.
The four CRISC domains
Domain 1 — IT Risk Governance (26%)
The governance domain establishes the organisational context within which risk management operates. CRISC is explicitly not just a technical certification — it tests whether the practitioner understands how IT risk management connects to enterprise governance structures, regulatory requirements, and strategic objectives. The domain covers:
- Organisational risk governance: How enterprises structure their risk management functions, including the three lines of defence model (business operations, risk and compliance functions, internal audit), the role of the board and executive leadership in setting risk appetite, and how IT risk management integrates with enterprise risk management (ERM) frameworks. CRISC candidates must understand the difference between risk governance (setting the framework, appetite, and accountability) and risk management (the operational practice of identifying and treating risk).
- Risk appetite and risk tolerance: Risk appetite is the amount and type of risk an organisation is willing to accept in pursuit of its objectives. Risk tolerance is the acceptable deviation from the risk appetite threshold. CRISC tests how to translate qualitative risk appetite statements (“we have a low appetite for reputational risk”) into measurable quantitative thresholds that can be monitored and reported. Key risk indicators (KRIs) are the operational instruments for this translation.
- Legal, regulatory, and contractual requirements: How to map the organisation’s risk management programme to applicable regulations (GDPR, SOX, HIPAA, PCI DSS, EU AI Act, DORA for financial services) and contractual obligations (supply chain agreements, SLAs with cloud providers, cyber insurance policy conditions). The exam tests the practitioner’s ability to identify which regulations apply to a described organisational scenario and what risk management obligations they create.
- Risk culture: The values, behaviours, and norms around risk taking and risk reporting within an organisation. CRISC tests how to assess risk culture maturity, identify indicators of a poor risk culture (such as incentives that discourage risk escalation), and recommend interventions to improve it. Risk culture is increasingly tested as regulators (particularly in financial services under DORA and the UK FCA’s Senior Managers and Certification Regime) hold boards personally accountable for risk culture failures.
Domain 2 — IT Risk Assessment (20%)
Risk assessment is the analytical core of the CRISC credential — the domain that requires genuine quantitative and qualitative reasoning skills rather than policy knowledge. The exam tests whether a candidate can actually perform a credible risk assessment, not just describe what one looks like.
- Risk identification: Techniques for systematically identifying IT risks across an enterprise environment: threat modelling (identifying threat actors, attack vectors, and attack objectives), vulnerability scanning and assessment, business impact analysis (BIA), and structured risk workshops. The exam tests which technique is most appropriate for a given scenario and how to document risk scenarios in a standardised format (risk scenario = threat source + threat event + vulnerability + asset + impact).
- Qualitative and quantitative risk analysis: Qualitative analysis assigns likelihood and impact ratings from descriptive scales (high/medium/low or 1–5 ratings). Quantitative analysis assigns monetary values using techniques such as Annual Loss Expectancy (ALE = Single Loss Expectancy × Annual Rate of Occurrence), Monte Carlo simulation for complex risk models, and factor analysis of information risk (FAIR). CRISC tests both approaches and the conditions under which each is appropriate. Quantitative analysis requires better data but produces more defensible results for board-level risk decisions; qualitative analysis is faster and appropriate when data is limited.
- Risk register management: The risk register is the central artefact of a risk management programme. CRISC tests how to design and maintain a risk register: what fields to capture (risk ID, description, likelihood, impact, risk owner, control status, residual risk rating, action plan, target date), how to prioritise risks for treatment, and how to escalate risks that exceed the organisation’s tolerance threshold. The exam tests how risk register entries are updated as the control environment changes or as risk events occur.
- Inherent risk vs. residual risk: Inherent risk is the risk that exists before any controls are applied. Residual risk is the risk that remains after controls are in place. CRISC tests how to calculate residual risk from inherent risk and control effectiveness, and how to communicate the distinction to stakeholders who may not understand why a technically controlled risk still has a non-zero residual risk rating.
Domain 3 — Risk Response and Reporting (32%)
The highest-weighted domain and the most practically oriented. Risk response is where risk management produces tangible outcomes: controls are selected and implemented, risk transfer mechanisms are put in place, and risk posture is communicated to stakeholders. CRISC holders who cannot execute this domain effectively produce risk assessments that gather dust — the credential specifically validates the ability to act on risk findings and communicate results.
- Risk response options: The four standard responses are risk avoidance (eliminate the activity that creates the risk), risk mitigation (implement controls to reduce likelihood or impact), risk transfer (shift financial consequences to a third party via insurance, contracts, or outsourcing), and risk acceptance (document and accept the residual risk within the approved tolerance). CRISC tests which response is most appropriate given the risk level, cost of mitigation, business importance of the risky activity, and availability of insurance or third-party transfer options. A fifth option — risk exploitation — applies when the “risk” is actually an opportunity the organisation should pursue.
- Control design and implementation: Controls are the mechanisms that reduce risk likelihood or impact. CRISC tests the taxonomy of controls: preventive (stop the threat from occurring), detective (identify when a threat event has occurred), corrective (restore normal state after an incident), compensating (reduce risk when the primary control is unavailable), and directive (mandate behaviours). For each risk in a register, CRISC practitioners must be able to recommend the appropriate control type, specify the control objective, and define how control effectiveness will be measured. The exam also tests the cost-benefit analysis of control implementation: a control should not cost more than the risk it mitigates.
- Key risk indicators (KRIs) and key control indicators (KCIs): KRIs are leading metrics that signal increasing risk exposure before a risk event occurs. KCIs measure how effectively a control is performing. CRISC tests how to select KRIs that provide genuine early warning (not just lagging indicators of risk that has already materialised), how to set thresholds that trigger escalation, and how to integrate KRI monitoring into enterprise dashboards and board reporting.
- Risk reporting to stakeholders: Different stakeholders require different risk communications. Boards need aggregate risk posture against appetite with trend data. Executive leadership needs risk status by business unit or strategic initiative. Operations teams need granular risk and control status for the systems they manage. The exam tests how to tailor risk reporting to each audience and how to use heat maps, dashboards, and risk trend narratives effectively. CRISC practitioners must be able to explain a risk-adjusted capital allocation decision to a CFO and a control gap finding to a system owner — the same underlying information, two completely different communications.
- Third-party and supply chain risk: Risk that originates in vendors, cloud providers, managed service providers, software supply chains (SBOM), and other third parties. CRISC tests how to assess third-party risk through due diligence questionnaires, SOC 2 Type II report reviews, and on-site assessments; how to include risk requirements in contracts; how to monitor third-party risk on an ongoing basis; and how to respond when a third-party incident affects the organisation’s risk posture. Supply chain risk was elevated to a primary CRISC topic in the 2022 job practice update, reflecting SolarWinds, Log4Shell, and subsequent supply chain incidents that demonstrated how cascading third-party risk materialises in practice.
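A worked version of the Domain 2 arithmetic (ALE, inherent vs. residual risk, risk register escalation) and the Domain 3 cost-benefit rule, as an added Python example that is not part of the article or of ISACA's material: it computes inherent and residual ALE for a constructed two-entry risk register (the ransomware figures echo the article's $8.7 million / $400,000 / 60% illustration), checks whether a proposed control pays for itself, and flags entries above a tolerance threshold. The Risk and Control classes, their field names and all dollar values are assumptions.

```python
from dataclasses import dataclass, field, replace


@dataclass
class Control:
    """A proposed or implemented control and the ALE reduction it delivers (hypothetical model)."""
    name: str
    annual_cost: float           # annualised cost of running the control, USD
    likelihood_reduction: float  # fraction of ARO removed, 0.0 to 1.0
    impact_reduction: float      # fraction of SLE removed, 0.0 to 1.0


@dataclass
class Risk:
    """One risk register entry; field set modelled on the register fields listed in the text."""
    risk_id: str
    description: str
    owner: str
    sle: float                   # single loss expectancy, USD per event
    aro: float                   # annual rate of occurrence, events per year
    controls: list = field(default_factory=list)  # controls already in place

    def inherent_ale(self) -> float:
        # ALE = SLE x ARO, before any control is applied
        return self.sle * self.aro

    def residual_ale(self) -> float:
        # Each control scales down ARO and/or SLE; effects compound rather than add
        sle, aro = self.sle, self.aro
        for c in self.controls:
            aro *= 1.0 - c.likelihood_reduction
            sle *= 1.0 - c.impact_reduction
        return sle * aro


def control_benefit(risk: Risk, control: Control) -> float:
    """Annual ALE reduction from adding `control` on top of the controls already in place."""
    with_control = replace(risk, controls=risk.controls + [control])
    return risk.residual_ale() - with_control.residual_ale()


def control_is_justified(risk: Risk, control: Control) -> bool:
    """Cost-benefit rule from the text: a control should not cost more than the risk it mitigates."""
    return control_benefit(risk, control) > control.annual_cost


def register_report(risks: list, tolerance_usd: float) -> list:
    """Rank register entries by residual ALE and flag those breaching the tolerance threshold."""
    rows = []
    for r in risks:
        residual = r.residual_ale()
        rows.append({
            "risk_id": r.risk_id,
            "owner": r.owner,
            "inherent_ale": r.inherent_ale(),
            "residual_ale": residual,
            "status": "ESCALATE" if residual > tolerance_usd else "WITHIN TOLERANCE",
        })
    return sorted(rows, key=lambda row: row["residual_ale"], reverse=True)


# Constructed sample register (values are assumptions, not real loss data)
RANSOMWARE = Risk("R-001", "Ransomware encrypts production file servers",
                  "Head of Infrastructure", sle=4_350_000, aro=2.0)   # ALE $8.7M
EDR = Control("Endpoint detection and response", annual_cost=400_000,
              likelihood_reduction=0.60, impact_reduction=0.0)        # cuts exposure 60%
TAPE_LOSS = Risk("R-002", "Off-site backup tape lost in transit",
                 "Backup Operations Lead", sle=20_000, aro=0.5)      # ALE $10k
COURIER = Control("Armoured courier for tape transport", annual_cost=25_000,
                  likelihood_reduction=0.90, impact_reduction=0.0)    # costs more than it saves

if __name__ == "__main__":
    for risk, ctrl in ((RANSOMWARE, EDR), (TAPE_LOSS, COURIER)):
        verdict = "implement" if control_is_justified(risk, ctrl) else "do not fund"
        print(f"{risk.risk_id}: benefit ${control_benefit(risk, ctrl):,.0f} "
              f"vs cost ${ctrl.annual_cost:,.0f} -> {verdict}")
    for row in register_report([RANSOMWARE, TAPE_LOSS], tolerance_usd=1_000_000):
        print(row)
```

Running it shows R-001 escalated above a $1M tolerance with EDR clearly justified ($5.22M benefit against $400k cost), while the courier control for R-002 fails the cost-benefit test and the entry stays within tolerance.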
Domain 4 — Information Technology and Security (22%)
The fourth domain tests the IT and security literacy that enables CRISC practitioners to assess risk accurately in technical environments. CRISC is not a technical hands-on certification — it does not test ability to configure security tools or write code — but it does require practitioners to understand technical concepts well enough to evaluate risk in cloud, application, network, and data environments.
- IT infrastructure and architecture: Cloud computing models (IaaS, PaaS, SaaS) and the shared responsibility model that determines which risks the organisation owns versus which risks the provider owns. Virtualisation and containerisation risk. Network architecture concepts relevant to risk assessment: DMZ design, network segmentation and microsegmentation, Zero Trust network access (ZTNA), and the risk implications of flat vs. segmented networks. The exam tests how to assess infrastructure risk rather than how to configure infrastructure.
- Data management and governance: Data classification frameworks (public, internal, confidential, restricted), data lifecycle management, and the risk implications of each stage (creation, storage, processing, transmission, archival, destruction). Data sovereignty and residency risks for multi-cloud and cross-border data flows. Privacy risk under GDPR, CCPA, and sector-specific data protection regulations. The exam tests how to assess the risk profile of a data asset and recommend appropriate controls based on its classification.
- Application security risk: OWASP Top 10 vulnerabilities as a risk taxonomy, secure development lifecycle (SDL) risk controls, third-party library and dependency risk (software composition analysis), and API security risks. The exam tests how to assess the risk posture of an application environment and recommend risk-appropriate security controls without requiring a practitioner to write code or perform penetration testing.
- Cybersecurity frameworks and standards: NIST Cybersecurity Framework 2.0 (Identify, Protect, Detect, Respond, Recover — plus the new Govern function), ISO 27001:2022 Annex A controls as a control catalogue, and CIS Controls v8 as a prioritised control implementation framework. The exam tests how to use these frameworks to structure a risk assessment and select risk-appropriate controls, not to implement them at a technical level.
- Emerging technology risk: AI and machine learning risk (model bias, hallucination, adversarial attacks, and the EU AI Act risk classification tiers), generative AI deployment risk in enterprise environments, Internet of Things (IoT) and operational technology (OT) risk in industrial and healthcare settings, and quantum computing risk to current encryption standards. These topics grew significantly in the 2022 job practice update and are expected to be tested more heavily in future exam updates as AI and OT risk mature as disciplines.
CRISC is the only ISACA credential that specifically tests the practitioner who translates between business strategy and IT risk — the person who can tell a board “our current residual risk from ransomware exposure is $8.7 million annually, and a $400,000 investment in endpoint detection reduces that exposure by 60%” and be believed.
CRISC salary data for 2026
CRISC is consistently listed among the five highest-paying IT certifications globally, alongside CCIE, CISM, CISSP, and PMP in enterprise technology surveys. The salary premium reflects both the scarcity of qualified CRISC holders (approximately 43,000 active CRISC certifications globally as of 2025, compared to 160,000+ CISSP holders) and the seniority of roles that require it.
- IT Risk Analyst / GRC Analyst (CRISC as primary credential): $100k–$130k. Entry to mid-level roles in risk and compliance teams at mid-size enterprises, conducting risk assessments and maintaining risk registers.
- IT Risk Manager / GRC Manager (CRISC as primary credential): $130k–$165k. Managing a risk management programme, reporting to a CISO or CRO, leading a team of risk analysts. The most common CRISC target role.
- Senior IT Risk Manager / Enterprise Risk Manager (CRISC + CISM or CISSP): $150k–$185k. Leading enterprise-wide risk programmes at large enterprises, financial institutions, or healthcare organisations. Frequently includes board-level reporting responsibility.
- Deputy CISO / Chief Risk Officer (CRO) (CRISC + CISM + CISSP or advanced degree): $175k–$230k. Executive-level risk governance roles. CRISC is a common baseline credential for Deputy CISOs who own the risk management function while the CISO focuses on security strategy and operations.
The financial services sector commands the highest CRISC premiums. Banks, insurers, asset managers, and fintech firms operating under Basel III, DORA (Digital Operational Resilience Act, mandatory for EU financial entities from January 2025), and SEC cybersecurity disclosure rules have created sustained demand for CRISC-certified risk practitioners who understand both regulatory requirements and IT risk management practice. CRISC holders in financial services earn a 15%–25% premium over those in other industries at equivalent seniority levels.
CRISC vs. CISM: Which ISACA cert should you pursue first?
ISACA CRISC vs. CISM side-by-side
- CRISC — Certified in Risk and Information Systems Control. Tests the ability to identify, assess, respond to, and report on IT risk. Practitioner-level: you are doing the risk work, not just directing it. Four domains: governance, risk assessment, risk response and reporting, IT security. $575 USD member. 3 years experience required (1 year in Domain 1 or 2). Best for: IT auditors moving into risk, security engineers moving into GRC, compliance officers who manage IT risk.
- CISM — Certified Information Security Manager. Tests the ability to design, manage, and oversee an enterprise information security programme. Manager-level: you are governing and directing others who do the risk and security work. Four domains: information security governance, information risk management, information security programme, incident management. $575 USD member. 5 years experience required (3 years in information security management). Best for: senior security managers, aspiring CISOs, security directors who report to the board.
- Key difference: CRISC is more analytical and quantitative — it requires comfort with risk modelling, KRI design, and control cost-benefit analysis. CISM is more strategic and governance-oriented — it requires comfort with programme design, resource allocation, and executive communication. CRISC practitioners typically become CISM candidates as they advance into senior management roles; the knowledge transfer between the two credentials is significant (both cover risk management, governance, and incident response domains with material overlap).
- Dual-certification path: Many CISO-track professionals hold both CRISC and CISM. CRISC first is the recommended path for practitioners earlier in their careers who are doing active risk assessment and control work; CISM first (or simultaneously) is common for those already in security management or director roles who are targeting CISO positions. ISACA offers CPE credit sharing across credentials, reducing the ongoing maintenance burden for dual-certificate holders.
Who should pursue CRISC in 2026
CRISC is the right certification for four distinct candidate profiles in 2026.
IT auditors expanding into risk management. CISA-certified auditors who want to move from evaluating controls retroactively to designing risk management programmes proactively. CRISC builds on the control framework knowledge from CISA and adds the risk identification, quantification, and treatment skills that enable auditors to advise on risk rather than just assess it. CRISC-holding auditors earn $25k–$40k more annually than CISA-only holders in comparable roles.
Security engineers and architects moving into GRC. Technical professionals who want to transition from implementing security controls to governing the risk framework that determines which controls are needed. CRISC provides the governance, communication, and reporting vocabulary that technical professionals typically lack when making this career shift. Many CISSP-holders who want to move from technical architecture to risk leadership pursue CRISC as the credential that legitimises the transition.
Compliance officers who manage IT risk. Professionals in compliance, legal, or operational risk roles who are increasingly expected to assess and manage IT risk alongside their traditional compliance functions. DORA in financial services, the EU AI Act across sectors, and NIS2 for critical infrastructure operators all create compliance obligations that require genuine IT risk management expertise — not just audit knowledge. CRISC provides the IT risk vocabulary and framework that compliance professionals need to fulfil these obligations credibly.
Senior IT managers targeting CISO-track roles. IT directors, infrastructure managers, and cloud architects who are building toward a security leadership role and need to demonstrate enterprise risk management competency alongside their technical credentials. A CRISC combined with AWS or Azure architect certifications is an increasingly common combination in organisations where cloud risk has become the dominant enterprise IT risk concern.
ISACA’s official CRISC Review Manual is the canonical preparation resource and the only study material guaranteed to align exactly with the current job practice. Supplement it with the ISACA QAE (Questions, Answers & Explanations) database for scenario-based practice questions. A typical study period is 8–12 weeks for experienced IT risk professionals; candidates with less direct risk management experience should plan for 12–16 weeks. Focus on Domain 3 (Risk Response and Reporting, 32% of the exam) — it has the highest weighting and tests the most nuanced judgement about risk treatment decisions and stakeholder communication. Practice explaining risk decisions in business terms: the exam is as much about communication and judgement as it is about technical knowledge.
Practice for ISACA CRISC, CISM, CISSP, and other risk and security certifications with free practice questions on CertQuests.