ISACA CRISC Certification

Certification guide

Certified in Risk and Information Systems Control (CRISC) is ISACA’s credential for the people who sit between the technology and the boardroom — risk practitioners, control professionals, and IT leaders who identify what could go wrong, size it honestly, choose the response, and report it in language the business can act on. Where CISA proves you can audit the environment and CISM proves you can manage the security program, CRISC proves you can run the risk conversation itself: building risk scenarios from business objectives, defending a rating under pressure, designing KRIs that warn before the loss instead of after it, and knowing when a risk should be treated, transferred, accepted, or walked away from.

It is consistently one of the highest-paying certifications in the industry, and for a reason: enterprises have learned that a wall of controls without a working risk practice is just expensive guesswork. The exam reflects the 2021 job practice — the current outline — and it is a judgment exam. Nearly every question offers two or three defensible actions and asks which one is best, first, or most important. Memorizing definitions gets you to the two survivors; only practiced practitioner judgment picks between them.

150 questions 4-hour exam Scaled 450 / 800 to pass 4 domains 3 yrs experience to certify $575 member / $760 non-member

The exam draws from four domains. The weights below are ISACA’s official blueprint, and every Certifym practice set mirrors them question for question.

Governance

Domain 1 · 26%

Two halves of one discipline. Organizational governance: strategy, structure, roles, culture, policies and standards, business processes, and organizational assets. Risk governance: the three-lines model, risk appetite, tolerance, and capacity, the risk profile, legal, regulatory, and contractual obligations, and professional ethics. Expect questions on who owns a risk, who may accept one, what the board should see, and what to do when leadership pressures you to soften a rating.

IT Risk Assessment

Domain 2 · 20%

Turning uncertainty into something decidable: identifying threats and vulnerabilities, building risk scenarios with a cause, an event, and a business consequence, maintaining the risk register, and analyzing risk with both qualitative and quantitative methods — heat maps and their limits, ALE arithmetic, FAIR, sensitivity analysis, and the discipline of inherent versus residual risk. The exam loves asking what to do FIRST when an assessment surfaces something ugly.

Risk Response and Reporting

Domain 3 · 32%

The heaviest domain by a wide margin. Choosing among accept, mitigate, transfer, and avoid on cost-benefit grounds; control types, design versus operating effectiveness, compensating and bridge controls; third- and fourth-party risk; exception management and the mechanics of a defensible risk acceptance. Then the reporting half: KRIs, KPIs, and KCIs, threshold setting, dashboards executives actually read, and telling the truth when remediation dates slip.

Information Technology and Security

Domain 4 · 22%

The technology literacy a risk practitioner must carry: change and configuration management, the SDLC and CI/CD pipelines, business continuity and disaster recovery with RTO/RPO reasoning, data classification and lifecycle, identity and access management, network security, SIEM and incident response, cloud shared responsibility, and the emerging-technology risks — including machine learning models that drift after deployment.

Each Certifym practice set is a full-length, 150-question exam weighted exactly to the blueprint above — 39 Governance, 30 IT Risk Assessment, 48 Risk Response and Reporting, and 33 IT and Security questions per set — with a four-hour timer to build real exam stamina. ISACA reports results on a 200–800 scale with 450 to pass; our sets use a 65% pass mark, the honest raw-score equivalent, so a clean pass here means you covered the whole blueprint, not luck in the heavy ones. Every question carries a detailed explanation of why the best answer beats the near-miss options — because on this exam, the near-misses are the whole game.

ISACA CRISC - Practice Exam

Full-length 150-question ISACA CRISC practice exam weighted to the official exam content outline: Governance 26%, IT Risk Assessment 20%, Risk Response and Reporting 32%, Information Technology…

150 questions 240 min pass 65%
Subscribe to start

Certifying requires three or more years of cumulative work experience performing the tasks of at least two CRISC domains, with no waivers or substitutions — though you may sit the exam first and submit the experience within five years of passing. Once certified, the credential is maintained with 20 CPE hours annually and 120 across each three-year cycle.

Trademark notice & independence. ISACA®, CRISC®, CISA®, and CISM® are registered trademarks of ISACA. Certifym is an independent study resource and is not affiliated with, sponsored by, or endorsed by ISACA. The CRISC exam content outline and its domain structure are the property of ISACA; candidates should download the official, current exam guide directly from isaca.org.

All questions, answers, and explanations on Certifym are original content created for practice purposes. They are not actual ISACA examination questions and are not represented as such. Practicing with these materials does not guarantee a passing result on any live certification exam.