CRISC
What is CRISC?
An ISACA certification for IT risk and control professionals covering governance, IT risk assessment, response, reporting, and control selection across four domains.
Certified in Risk and Information Systems Control (CRISC) is issued by ISACA and targets risk officers, control owners, and IT auditors who design and operate enterprise IT risk programs. The exam covers four domains: Governance, IT Risk Assessment, Risk Response and Reporting, and Information Technology and Security. It consists of 150 multiple-choice questions answered in four hours, scored on a 200 to 800 scale with 450 as the passing mark. Certification requires three years of cumulative work experience in IT risk management and information systems control, spanning at least two of the four domains, one of which must be Governance (domain one) or IT Risk Assessment (domain two). Candidates must submit the certification application, with verified experience, within five years of passing the exam.
● Examples
- 01
A risk officer maps SOX IT general controls to the CRISC Risk Response and Reporting domain to structure control monitoring and assurance reporting.
- 02
An internal auditor applies CRISC risk assessment practice to build a quantitative IT risk register with key risk indicators (KRIs) and defined thresholds.
● Frequently asked questions
What is CRISC?
An ISACA certification for IT risk and control professionals covering governance, IT risk assessment, response, reporting, and control selection across four domains. It belongs to the Compliance & Frameworks category of cybersecurity.
What does CRISC mean?
CRISC stands for Certified in Risk and Information Systems Control, an ISACA certification for IT risk and control professionals covering governance, IT risk assessment, response, reporting, and control selection across four domains.
How does CRISC work?
Candidates sit a 150-question multiple-choice exam over four hours covering the four CRISC domains (Governance, IT Risk Assessment, Risk Response and Reporting, and Information Technology and Security), scored on a 200 to 800 scale with 450 required to pass. Passing the exam alone does not confer the credential: candidates must also document three years of cumulative IT risk management and IS control experience in at least two domains, one of which must be domain one or two, and apply within five years of passing. Holders then maintain the certification through ISACA's continuing professional education requirements.
What are other names for CRISC?
Common alternative names include: Certified in Risk and Information Systems Control.
● Related terms
- compliance
CISM
An ISACA management-level certification for information security managers covering governance, risk, program development, and incident management across four domains.
- compliance
CISA
An ISACA certification for information systems auditors covering audit process, governance, acquisition, operations, and protection of information assets across five domains.
- compliance
CISSP
A senior-level vendor-neutral security certification from ISC2 covering eight domains of the Common Body of Knowledge and requiring five years of paid work experience.
- compliance
NIST SP 800-30
A NIST Special Publication that provides guidance for conducting risk assessments of information systems and the missions they support.
- compliance
NIST SP 800-37
The NIST Risk Management Framework (RMF), defining a seven-step process (Prepare, Categorize, Select, Implement, Assess, Authorize, Monitor) for managing security and privacy risk across the system lifecycle.