ISACA · 2026 Edition
A complete preparation guide written by ISACA-certified engineers. Covers the exam format, all 4 blueprint domains, a week-by-week study plan, and proven tips for passing the first time.
Prep time: 4–6 months
Difficulty: Advanced
Exam questions: 150
Pass mark: 450/1000
Exam code: CRISC
Full name: CRISC
Vendor: ISACA
Duration: 240 minutes
Questions: 150 items
Passing score: 450/1000 (scaled)
Domains covered: 4 blueprint domains
Recommended experience: 3 years of combined work experience in IT risk management and IS control required
Typical prep time: 4–6 months
CRISC is the leading credential for IT risk professionals. It is consistently among the highest-paying IT certifications globally and is the expected credential for risk managers, internal auditors, and compliance officers in regulated industries.
Domain percentage weights are not currently available for this exam. The checklist below is still useful for planning your study.
Month 1
Governance: enterprise risk management frameworks, IT risk strategy, risk appetite
Tip: CRISC is fundamentally about aligning IT risk management with enterprise risk management (ERM). Know the major ERM frameworks: COSO ERM (enterprise-wide risk culture), ISO 31000 (risk management principles and guidelines), and NIST RMF (US government framework). Questions describe an organisation and ask which framework is most appropriate.
Month 2
IT Risk Assessment: risk identification, scenario analysis, risk and control ownership
Tip: Risk scenarios on CRISC are used to describe how threats could exploit vulnerabilities to impact business assets. Know how to build a risk scenario: threat actor → threat event → vulnerability → affected asset → business impact. Practice translating technical risks (e.g. unpatched server) into business impact scenarios (e.g. data breach, regulatory fine, reputational damage).
Month 3–4
Risk Response and Reporting (32% of exam)
Tip: CRISC risk response options: accept (document and monitor), avoid (eliminate the activity), mitigate (implement controls to reduce likelihood or impact), transfer (insurance, outsourcing). Know that risk transfer does not eliminate the risk — residual risk remains. CRISC questions ask which response is most appropriate given business constraints.
Month 5–6
IT and Security (22% of exam): control frameworks, control testing, security architecture
Tip: COBIT 2019 is the primary IT governance and risk control framework tested on CRISC. Know the 40 COBIT governance and management objectives, the design factors that influence which objectives are priorities, and how COBIT maps to other frameworks (ISO 27001, NIST CSF, ITIL). You do not need deep COBIT expertise but must understand its structure and purpose.
CRISC requires 3 years of combined work experience in IT risk management (domain 1 or 2) and IS control (domain 3 or 4). Experience must be recent (within 10 years of application) and documented by your employer.
Risk and control self-assessment (RCSA) is a key CRISC topic: it is a collaborative process where business units identify and evaluate their own risks and controls without relying solely on audit. Know how facilitated workshops and survey-based RCSAs differ in scope and output quality.
Inherent risk vs residual risk: inherent risk is the risk before any controls are applied; residual risk is the risk remaining after controls are in place. Know that the risk appetite determines the acceptable level of residual risk — if residual risk exceeds appetite, additional controls or risk transfer are required.
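The two ideas above (building a risk scenario as threat actor → threat event → vulnerability → affected asset → business impact, and comparing residual risk against the risk appetite) can be seen working together in a small risk register. The code below is an added example written for this guide, not ISACA's scoring method or any page of the CRISC syllabus: the 1–5 likelihood and impact scales, the multiplicative control-effectiveness model, the sample scenarios and the "accept if within appetite, otherwise treat" rule are all constructed assumptions. It also shows that a transfer control (insurance) lowers impact but never drives residual risk to zero.

```python
"""Toy IT risk register: scenarios, inherent and residual scores, appetite check.

Scales, the control-effectiveness model and all sample data are constructed
for this example; they are not ISACA's or CRISC's scoring method.
"""
from dataclasses import dataclass, field


@dataclass
class Control:
    name: str
    likelihood_reduction: float = 0.0  # fraction (0..1) removed from likelihood
    impact_reduction: float = 0.0      # fraction (0..1) removed from impact
    kind: str = "mitigate"             # "mitigate" or "transfer" (assumed labels)

    def __post_init__(self):
        for v in (self.likelihood_reduction, self.impact_reduction):
            if not 0.0 <= v <= 1.0:
                raise ValueError("control effectiveness must be between 0 and 1")


@dataclass
class RiskScenario:
    """One risk scenario in the order the guide describes it."""
    threat_actor: str
    threat_event: str
    vulnerability: str
    asset: str
    business_impact: str
    likelihood: int  # inherent, 1..5 (assumed scale)
    impact: int      # inherent, 1..5 (assumed scale)
    controls: list = field(default_factory=list)

    def __post_init__(self):
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError("likelihood and impact must be on the 1..5 scale")

    def inherent_score(self) -> int:
        # Inherent risk: before any control is applied.
        return self.likelihood * self.impact

    def residual_score(self) -> float:
        # Residual risk: what remains once every control has taken its share.
        lik, imp = float(self.likelihood), float(self.impact)
        for c in self.controls:
            lik *= 1.0 - c.likelihood_reduction
            imp *= 1.0 - c.impact_reduction
        return round(lik * imp, 2)


def recommend_response(scenario: RiskScenario, appetite: float) -> str:
    """Assumed rule: within appetite -> accept (document and monitor);
    above appetite -> 'treat', i.e. the owner must choose mitigate,
    transfer or avoid based on business constraints."""
    return "accept" if scenario.residual_score() <= appetite else "treat"


def build_sample_register() -> list:
    """Constructed sample scenarios (not from any real assessment)."""
    unpatched_server = RiskScenario(
        threat_actor="external attacker",
        threat_event="exploitation of a known unpatched flaw",
        vulnerability="internet-facing server missing vendor patches",
        asset="customer database",
        business_impact="data breach, regulatory fine, reputational damage",
        likelihood=4, impact=5,
        controls=[
            Control("patch management SLA", likelihood_reduction=0.5),
            # Transfer lowers the financial impact but leaves residual risk.
            Control("cyber insurance", impact_reduction=0.4, kind="transfer"),
        ],
    )
    single_vendor = RiskScenario(
        threat_actor="third-party SaaS provider",
        threat_event="service outage",
        vulnerability="single provider with no contractual SLA",
        asset="order processing",
        business_impact="lost sales during outage",
        likelihood=3, impact=3,
    )
    return [unpatched_server, single_vendor]


def evaluate_register(register: list, appetite: float) -> dict:
    """Map each scenario's threat event to its scores and recommended response."""
    return {
        s.threat_event: {
            "inherent": s.inherent_score(),
            "residual": s.residual_score(),
            "response": recommend_response(s, appetite),
        }
        for s in register
    }


if __name__ == "__main__":
    for event, row in evaluate_register(build_sample_register(), appetite=8.0).items():
        print(f"{event}: inherent={row['inherent']} residual={row['residual']} -> {row['response']}")
```

With an appetite of 8.0, the patched and insured server scenario drops from an inherent 20 to a residual 6.0 and is accepted, while the uncontrolled single-vendor scenario stays at 9.0 and is flagged for treatment; raising or lowering the appetite is what moves a scenario between the two outcomes, which is exactly the relationship the exam tests.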
Control objectives are tested at a conceptual level: a control objective states what the control is designed to achieve (e.g. 'ensure that only authorised users can access financial data'), not the specific mechanism (not 'implement multi-factor authentication'). Know the distinction.
CRISC is valid for 3 years and requires 120 CPE credits, with a minimum of 20 per year. ISACA provides CPE opportunities through its online portal, chapter events, and conferences.