
Certified in Risk and Information Systems Control

Updated May 1, 2026 · 12 min read · Written by Certsqill experts

Quick facts — CRISC
Exam cost: $575 USD
Questions: 150 items
Time limit: 4 hours
Passing score: 450/800
Valid for: 3 years
Testing: PSI

Who this exam is for

The Certified in Risk and Information Systems Control certification is designed for professionals who work with or want to work with ISACA technologies in a professional capacity. It is taken by cloud engineers, DevOps practitioners, IT administrators, and technical professionals looking to validate their expertise.

You do not need extensive prior experience to attempt it, but you will benefit from hands-on familiarity with the subject matter. The exam tests applied knowledge and architectural judgment, not just memorization. If you can reason about trade-offs and real-world scenarios, structured practice will handle the rest.

Domain breakdown

The CRISC exam is built around official domains, each with a fixed percentage of the question pool. This distribution should directly inform how you allocate your study time.

Domain | Weight | Focus areas
Governance | 26% | Organizational governance and risk governance frameworks, risk appetite and tolerance establishment, integration of risk management with enterprise governance, and the role of the risk practitioner.
IT Risk Assessment | 20% | Risk identification methodologies, threat and vulnerability analysis, risk analysis techniques (qualitative and quantitative), risk scenario development, and risk ownership assignment.
Risk Response & Reporting | 32% | Selecting and implementing risk responses (accept, mitigate, avoid, transfer), control design and implementation, risk and control monitoring, and KRI development and management.
Information Technology & Security | 22% | IT concepts relevant to risk management, enterprise architecture from a risk perspective, IT operations risk, emerging technology risks, and security control frameworks.

Note the highest-weighted domain, Risk Response & Reporting at 32%: many candidates under-invest here because it feels conceptual. In practice, this is where the exam is most precise, with scenario-based questions that test specifics.

What the exam actually tests

This is not a memorization exam. Questions require applied judgment under constraints. Almost every question includes a scenario with explicit requirements and asks you to select the most appropriate solution.

Here are examples of the question types you will encounter:

Risk Response Selection
A risk assessment identifies a low-likelihood, high-impact risk. The cost of mitigation is $500,000 but the asset value is only $100,000. Which risk response is MOST appropriate?
When mitigation cost exceeds asset value or expected loss, CRISC answers favor risk acceptance or risk transfer (insurance). Know when each response is appropriate: accept (low likelihood/impact or high mitigation cost), transfer (insurable, residual risk), mitigate (cost-effective controls), avoid (eliminate the activity).
KRI vs KPI Distinction
A risk manager wants to proactively detect increasing levels of risk before a negative event occurs. Which metric type should be used?
Key Risk Indicators (KRIs) are forward-looking metrics that signal increasing risk levels before incidents occur. Key Performance Indicators (KPIs) measure efficiency and effectiveness of processes. Key Control Indicators (KCIs) measure whether controls are operating. CRISC tests all three distinctions.
Inherent vs Residual Risk
Before any controls are implemented, a system is assessed as having a high vulnerability to SQL injection attacks. After implementing a WAF and parameterized queries, the risk level drops to low. The post-control risk level is BEST described as:
Inherent risk is the risk level before controls. Residual risk is the risk level after controls are applied. Risk appetite is the amount of risk the organization is willing to accept — if residual risk exceeds risk appetite, additional controls are needed.
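The three question types above all reduce to the same quantitative reasoning (SLE = AV × EF, ALE = SLE × ARO, then cost versus expected loss). The following Python is an added example, not material from the page or from ISACA; the decision rule in select_response and the scenario values are constructed here to mirror the $100,000 asset / $500,000 mitigation question, with the mitigation cost treated as an annual cost and the appetite expressed as a maximum ALE.

```python
from dataclasses import dataclass

@dataclass
class RiskScenario:
    """Inputs for a quantitative risk analysis (all money in USD)."""
    asset_value: float         # AV
    exposure_factor: float     # EF: fraction of AV lost per event, 0.0..1.0
    aro_inherent: float        # ARO with no controls (events per year)
    aro_residual: float        # ARO after the proposed control is in place
    control_annual_cost: float # annualised cost of the proposed control
    insurable: bool = False    # can the residual exposure be transferred?

def single_loss_expectancy(av: float, ef: float) -> float:
    """SLE = AV x EF: expected loss from one occurrence."""
    return av * ef

def annual_loss_expectancy(av: float, ef: float, aro: float) -> float:
    """ALE = SLE x ARO: expected loss per year."""
    return single_loss_expectancy(av, ef) * aro

def control_net_benefit(s: RiskScenario) -> float:
    """Annual loss avoided by the control minus its cost (positive = cost-effective)."""
    inherent = annual_loss_expectancy(s.asset_value, s.exposure_factor, s.aro_inherent)
    residual = annual_loss_expectancy(s.asset_value, s.exposure_factor, s.aro_residual)
    return (inherent - residual) - s.control_annual_cost

def select_response(s: RiskScenario, appetite_ale: float) -> str:
    """Constructed decision rule following the text: accept when already within
    appetite or when mitigation is uneconomic; transfer when uneconomic but
    insurable; mitigate when the control is cost-effective; flag residual risk
    that still exceeds appetite so that more controls are added."""
    inherent = annual_loss_expectancy(s.asset_value, s.exposure_factor, s.aro_inherent)
    residual = annual_loss_expectancy(s.asset_value, s.exposure_factor, s.aro_residual)
    if inherent <= appetite_ale:
        return "accept"                   # inherent risk already within appetite
    if s.control_annual_cost > s.asset_value or control_net_benefit(s) <= 0:
        # Mitigation costs more than it protects: insure if possible, else accept.
        return "transfer" if s.insurable else "accept"
    if residual <= appetite_ale:
        return "mitigate"                 # cost-effective control, residual within appetite
    return "add-controls"                 # residual risk still exceeds appetite

# Constructed scenario matching the page's question: low likelihood (ARO 0.05),
# $100k asset fully exposed, $500k mitigation, insurable.
PAGE_SCENARIO = RiskScenario(100_000, 1.0, 0.05, 0.01, 500_000, insurable=True)

if __name__ == "__main__":
    print(select_response(PAGE_SCENARIO, appetite_ale=2_000))  # transfer
```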

How to prepare — 4-week study plan

This plan assumes one hour per weekday and roughly 30 minutes of lighter review on weekends. It is calibrated for someone with some relevant experience. If you are starting from zero, add an extra week before Week 1 to familiarise yourself with the basics.

Week 1: Risk Governance & Framework
  • Study Domain 1: enterprise risk governance, risk appetite vs tolerance vs capacity definitions
  • Learn key risk frameworks: ISO 31000, NIST RMF, COBIT for Risk, and how they integrate
  • Study the three lines of defense model and the risk practitioner's role within it
  • Complete 80 practice questions on governance and risk governance topics
Week 2: IT Risk Assessment
  • Study Domain 2: risk identification methods, threat modeling, and vulnerability assessment techniques
  • Master quantitative risk analysis: ALE (Annual Loss Expectancy), ARO, SLE calculations
  • Study qualitative risk analysis: risk matrices, heat maps, and Delphi technique
  • Practice 100 risk assessment scenario questions; focus on risk scenario development
Week 3: Risk Response, Controls & Reporting
  • Study Domain 3: control types (preventive, detective, corrective), control design principles
  • Learn KRI development: what makes a good KRI, leading vs lagging indicators, and thresholds
  • Study risk monitoring: control effectiveness testing, continuous monitoring, and exception reporting
  • Complete 120 practice questions on risk response and KRI/KPI/KCI topics
Week 4: IT Security Domain & Mock Exams
  • Study Domain 4: IT operations risk, cloud risk, third-party risk, and emerging technology risks
  • Complete 2 full 150-question mock exams under 4-hour timed conditions
  • Review all incorrect answers with focus on risk response selection and KRI questions
  • Ensure you can distinguish inherent risk, residual risk, and risk appetite in any scenario

Common mistakes candidates make

These patterns appear repeatedly among candidates who resit this exam. Knowing them in advance is worth several percentage points.

Confusing inherent risk with residual risk
Inherent risk is the risk level with no controls in place. Residual risk is what remains after controls are applied. A common trap: questions ask about the risk level "after implementing controls" — that is always residual risk. If residual risk exceeds risk appetite, more controls are needed.
Not understanding risk appetite vs risk tolerance
Risk appetite is the broad amount of risk the organization is willing to accept in pursuit of objectives. Risk tolerance is the acceptable variation around that appetite — more specific and operational. ISACA tests these terms precisely and wrong answers often swap the two.
Weak on KRI concepts and design
CRISC is the only major certification that deeply tests Key Risk Indicator design. KRIs must be measurable, forward-looking, and tied to a specific risk. Know the difference: KRI (risk signal) vs KPI (process performance) vs KCI (control effectiveness). Domain 3 questions frequently pivot on this.
Selecting mitigation when acceptance or transfer is correct
CRISC candidates from security backgrounds default to mitigate for every risk. The exam rewards selecting the most cost-effective and appropriate response. When asset value is low, mitigation cost is high, or risk likelihood is very low, acceptance or insurance transfer is the better CRISC answer.

Is Certsqill right for you?

Honestly: Certsqill is built for candidates who have already done some studying and want to convert knowledge into exam performance. If you have never touched the subject, start with a foundational course first — then come to Certsqill when you are ready to practice.

Where Certsqill is strong: question depth, AI-powered explanations, and domain analytics. Every question is mapped to the exam blueprint. When you get something wrong, the AI tutor explains why the right answer is right and why each wrong answer fails under the specific constraints in the question.

Where Certsqill is not a replacement: video courses and hands-on labs. Use Certsqill to test and sharpen — not as your first exposure to a topic you have never encountered.
