The CRISC® (Certified in Risk and Information Systems Control®) certification from ISACA® is a globally recognised credential for IT and business professionals. Launched in 2010, it has become the benchmark for validating expertise in enterprise risk governance and control management.
CRISC is aimed at those operating in or aspiring to work in IT risk management roles, such as risk analysts, control professionals, IT managers and compliance officers. It bridges technical knowledge and strategic risk governance capability.
Over 30,000 professionals hold CRISC certifications today.
What are the 4 CRISC domains?
The CRISC exam tests candidates across four domains, structured to reflect practical job responsibilities. Here’s the current exam weighting:
| CRISC domain | Exam weighting |
| 1. Governance | 26% |
| 2. IT Risk Assessment | 20% |
| 3. Risk Response and Reporting | 32% |
| 4. Information Technology and Security | 22% |
As of 3 November 2025, the weighting will change to:
| CRISC domain | Exam weighting from November 2025 |
| 1. Governance | 26% |
| 2. IT Risk Assessment | 22% |
| 3. Risk Response and Reporting | 32% |
| 4. Information Technology and Security | 20% |
Our CRISC Training Course prepares candidates across all four domains, using official ISACA training materials.
Summary of the CRISC domains
1. Governance
This domain covers your understanding of organisations’ business and IT environments, strategy, goals and objectives, and how IT risks could affect them. It accounts for 26% of the exam and includes:
| A – Organizational Governance | B – Risk Governance |
| Organizational Strategy, Goals, and Objectives | Enterprise Risk Management and Risk Management Framework |
| Organizational Structure, Roles and Responsibilities | Three Lines of Defense |
| Organizational Culture | Risk Profile |
| Policies and Standards | Risk Appetite and Risk Tolerance |
| Business Processes | Legal, Regulatory and Contractual Requirements |
| Organizational Assets | Professional Ethics of Risk Management |
2. IT Risk Assessment
This domain confirms your understanding of the threats and vulnerabilities that could affect an organisation’s people, processes and technology. It also covers how to assess the likelihood and potential impact of different risks and scenarios. It accounts for 20% of the exam and includes:
| A – Risk Identification | B – IT Risk Analysis and Evaluation |
| Risk events (e.g. contributing conditions, loss result) | Risk Assessment Concepts, Standards and Frameworks |
| Threat Modelling and Threat Landscape | Risk Register |
| Vulnerability and Control Deficiency Analysis (e.g. root-cause analysis) | Risk Analysis Methodologies |
| Risk Scenario Development | Business Impact Analysis |
| Threat Modelling and Threat Landscape | Inherent and Residual Risk |
3. Risk Response and Reporting
This domain focuses on developing and managing risk treatment plans with key stakeholders. It involves reviewing existing controls, improving how effectively they reduce IT risk, and making sure the right risk and control information is shared with the right people. It accounts for 32% of the exam and includes:
| A – Risk Response | B – Control Design and Implementation | C – Risk Monitoring and Reporting |
| Risk Treatment/Risk Response Options | Control Types, Standards and Frameworks | Risk Treatment Plans |
| Risk and Control Ownership | Control Design, Selection and Analysis | Data Collection, Aggregation, Analysis and Validation |
| Third-Party Risk Management | Control Implementation | Risk and Control Monitoring Techniques |
| Issue, Finding and Exception Management | Control Testing and Effectiveness Evaluation | Risk and Control Reporting Techniques (heatmap, scorecards, dashboard) |
| Management of Emerging Risk | Key Performance Indicators | |
| Key Risk Indicators | ||
| Key Control Indicators |
4. Information Technology and Security
This domain looks at how well business practices align with risk management and information security frameworks and standards. It also covers how to build a risk-aware culture and put effective security awareness training in place. It accounts for 22% of the exam and includes:
| A – Information Technology Principles | B – Information Security Principles |
| Enterprise Architecture | Information Security Concepts, Frameworks and Standards |
| IT Operations Management (e.g., change management, IT assets, problems, incidents) | Information Security Awareness Training |
| Project Management | Business Continuity Management |
| Disaster Recovery Management (DRM) | Data Privacy and Data Protection Principles |
| Data Lifecycle Management | |
| System Development Life Cycle (SDLC) | |
| Emerging Technologies |
CRISC exam format and maintenance
- Format: 150 multiple-choice questions
- Duration: 4 hours (240 minutes)
- Passing score: Minimum scaled score of 450 (on a scale of 200–800)
- Experience requirements: Three years’ cumulative work experience in IT risk management and control across at least two CRISC domains, one of which must be Domain 1 or 2. Experience may be accrued within five years of passing the exam.
- Cost: £600 +VAT
- Maintenance: 120 CPE (Continuing Professional Education) hours over 3 years, with a minimum of 20 hours per year and adherence to ISACA’s Code of Professional Ethics
Why choose CRISC?
CRISC validates a combination of strategic risk management, governance awareness and control expertise. It helps position candidates for leadership and specialist roles in IT risk, control assurance and compliance:
- Recognised worldwide as the standard for IT risk and control management
- Particularly valued in regulatory, financial services and governance environments
- Supports careers such as risk manager, control manager, IT auditor and compliance lead
- Aligns with COBIT, ISO 31000, SOX and major frameworks
Earn your CRISC credential
IT Governance is an ISACA Accredited Partner. Our CRISC Training Course has been designed to help you pass the exam first time, using the official ISACA curriculum and the CRISC Review Questions, Answers & Explanations Manual.
The course is available in a range of learning formats – Live Online or in person – and successful completion leads to 28 CPD points.
IT Governance Training – Introductory to Advanced – In Person or Online