How much does the CRISC exam cost in 2026?

The 2026 CRISC exam costs $575 for ISACA members and $760 for non-members. ISACA membership is $135 per year plus a $50 one-time application fee, so joining exactly breaks even on the exam discount ($185 savings). Members also receive discounted pricing on the CRISC Review Manual, QAE Database, conferences, and CPE resources, which make membership worthwhile for anyone pursuing multiple ISACA credentials. A separate $50 CRISC application processing fee applies when you submit your experience verification after passing.

What is the passing score for CRISC?

CRISC uses a scaled scoring system from 200 to 800, with 450 as the passing score. ISACA uses equated scaling across exam forms, so there is no fixed percentage of correct answers that guarantees a pass — but training providers consistently estimate that 65-70% correct answers is approximately equivalent to a 450 scaled score. You receive a preliminary pass/fail result immediately after finishing the exam, with the official score released within 10 business days.

How many questions are on the CRISC exam and how long is it?

The CRISC exam has 150 multiple-choice questions with a 4-hour (240-minute) time limit — roughly 1 minute 36 seconds per question. All questions count equally, and CRISC uses linear-on-the-fly delivery, meaning you CAN navigate back, flag questions, and change answers within the 4-hour window. The exam is delivered by PSI Services either at a PSI test center or online-proctored from your home with strict environment controls.

What are the 4 CRISC domains and their weights?

The 4 CRISC domains per the current ISACA Job Practice (refreshed 3 November 2025) are: Domain 1 Governance (26%), Domain 2 Risk Assessment (22%), Domain 3 Risk Response and Reporting (32%), and Domain 4 Technology and Security (20%). Domain 3 is the largest at 32% and Domain 1 is second at 26% — together they make up 58% of the exam and should get the most study time. The November 2025 refresh raised Risk Assessment from 20% to 22% and dropped Technology and Security from 22% to 20% — always verify the current weights at isaca.org/credentialing/crisc/crisc-exam-content-outline.

What is the CRISC experience requirement?

CRISC requires 3 years of cumulative work experience performing the tasks of a CRISC professional across at least 2 of the 4 CRISC domains, with at least 1 of those 2 domains being either Governance or Risk Response and Reporting. Experience must be gained within the 10-year period before application or within 5 years after passing. There are no experience waivers for CRISC (unlike CISA and CISM) — the 3-year experience requirement cannot be substituted by other certifications or education. You can sit the exam at any time; the experience only matters when you apply for certification.

Is CRISC harder than CISM?

CRISC and CISM test different skill sets from the same ISACA question style. CISM is broader (governance, risk, program, incident response) and more management-focused. CRISC is narrower but deeper on risk methodology — risk identification, assessment, response, monitoring, and information systems controls. Most candidates find CRISC harder in Domain 2 (Risk Assessment) because of the quantitative methodology and the precise distinctions between inherent risk, residual risk, current risk, and projected risk. Pass rates for both hover around 55-65% for first-time takers.

Is CRISC or CISM better for my career?

CISM is for people who manage information security programs end-to-end — CISO track, Information Security Manager, Director of Security. CRISC is for people whose primary job is IT and enterprise risk — IT Risk Manager, Operational Risk Officer, GRC Manager, Risk-focused internal audit, and Chief Risk Officer track. If your current or target title contains the word "risk," CRISC is the direct match. If it contains "security manager" or "CISO," CISM is the direct match. Many senior risk and security leaders hold both.

What is the CRISC pass rate in 2026?

ISACA does not publish official CRISC pass rates. Candidate surveys, Reddit r/CRISC reports, and training provider data consistently suggest first-time pass rates of 55-65%, with candidates who use the official CRISC Review Manual plus the QAE Database of 1,000+ practice questions reporting 75%+ success. The exam is considered moderately difficult — not because the content is obscure, but because the questions force a strict risk-management mindset and precise use of ISACA terminology (treat vs transfer vs mitigate, inherent vs residual, BEST vs MOST).

How long should I study for the CRISC?

Most candidates need 100-150 hours of focused study, typically spread over 12-16 weeks. Experienced IT risk managers can prepare in 10 weeks at 10 hours/week. Security engineers or auditors pivoting into risk usually need 14-16 weeks to internalize the risk framework vocabulary (ISO 31000, NIST RMF, FAIR, three lines of defense) and practice the quantitative assessment methods. Plan to spend the final 2-3 weeks exclusively on practice questions and full-length mock exams scored under timed conditions.

How do I maintain my CRISC certification?

CRISC is valid for 3 years. To maintain it, you must complete 120 Continuing Professional Education (CPE) hours during each 3-year cycle with a minimum of 20 CPEs per year — you cannot back-load into year 3. You must also pay an annual maintenance fee of $45 for ISACA members or $85 for non-members, adhere to the ISACA Code of Professional Ethics, and comply with ISACA's IS Audit and Assurance Standards where applicable. CPEs can come from ISACA webinars, chapter meetings, conferences, university courses, self-study, teaching, and writing. ISACA audits approximately 10% of certificants yearly, so document every CPE with a certificate or agenda.

Is the CRISC worth it in 2026?

For IT risk professionals, CRISC remains one of the highest-ROI certifications in 2026. Global Knowledge / Skillsoft salary surveys have repeatedly ranked CRISC among the top 5 highest-paying IT certifications worldwide. US-based CRISC holders average $130,000+ in base salary in 2026, and the growth of AI risk, supply chain risk, third-party risk, and regulatory pressure (SEC cyber disclosure, DORA, NIS2, EU AI Act) has sharply increased demand for certified IT risk leaders. The total first-year cost of about $895 typically pays back within 3-6 months through a raise, promotion, or higher-paying role.

What is the difference between CRISC, CISM, and CISA?

All three are ISACA credentials, but they target different roles. CISA is for IT auditors who independently evaluate controls — the audit, assurance, and compliance perspective. CISM is for information security managers who build and run security programs end-to-end. CRISC is the dedicated IT risk credential — focused specifically on identifying, assessing, responding to, and monitoring IT and enterprise risk, plus designing and implementing information systems controls. If you audit, pick CISA. If you manage security, pick CISM. If you manage risk, pick CRISC. Many GRC professionals hold two or all three.

CRISC Exam Guide 2026: FREE ISACA Practice + Study Plan

CRISC in 2026: The Only Guide You Need

The ISACA CRISC (Certified in Risk and Information Systems Control) is the most recognized IT risk management credential on the planet. Global Knowledge / Skillsoft salary surveys have repeatedly placed it among the top 5 highest-paying IT certifications worldwide, and in 2026 it is more valuable than ever — every large enterprise needs certified risk professionals who can identify, assess, respond to, and monitor IT risk under rising regulatory pressure (SEC cyber disclosure, DORA, NIS2, EU AI Act, state privacy laws). That is the CRISC mandate, and this guide is built to beat every other CRISC resource on the web.

This guide covers the 2026 exam at full depth including the November 2025 Job Practice refresh: cost, format, eligibility, the 4 current Job Practice Domains (Governance 26%, Risk Assessment 22%, Risk Response and Reporting 32%, Technology and Security 20%), a 12-16 week study plan, pass rates, salary data, and the risk-first coaching that separates candidates who pass on the first try from those who retake. Every detail was cross-referenced against isaca.org/credentialing/crisc and the current CRISC Exam Content Outline.

free CRISC practice questionsPractice questions with detailed explanations

CRISC Exam At-a-Glance (2026)

Detail	Information
Certification Body	ISACA (Information Systems Audit and Control Association)
Exam Delivery	PSI Services — online proctored OR PSI test center
Questions	150 multiple-choice
Duration	4 hours (240 minutes)
Format	Linear on-the-fly — back-navigation and answer changes allowed
Passing Score	450 on a 200-800 scaled scale
Cost	$575 ISACA member / $760 non-member
Application Fee	$50 one-time (after passing)
Languages	English (primary); additional languages announced per cycle
Experience Requirement	3 years cumulative performing CRISC tasks in at least 2 of 4 domains (1 must be Governance or Risk Response & Reporting); no waivers or substitutions
Experience Window	5 years from passing to verify and certify
Validity	3 years, renewable
CPE Requirement	120 CPE hours every 3 years (minimum 20/year)
Annual Maintenance Fee	$45 member / $85 non-member
Exam Windows	Continuous testing, any day of the year
Retake Policy	90-day cooling-off, max 4 attempts per 12 months
Job Practice	Refreshed 3 November 2025 — 4 domains: Governance 26%, Risk Assessment 22%, Risk Response and Reporting 32%, Technology and Security 20%

FREE CRISC Prep: Practice Before You Pay

Before committing to the $760 non-member fee, prove to yourself that you can actually pass. The biggest mistake CRISC candidates make is buying a $500 bootcamp, studying for 3 months, and then failing because they never consistently scored 75%+ on timed practice exams beforehand.

Our free CRISC practice question bank covers all 4 domains with ISACA-style "best answer" questions that emphasize risk-first judgment — the defining characteristic of the CRISC exam. Every question includes a detailed explanation of why the correct answer aligns with the risk framework, why the distractors look plausible but miss the governance frame, and which domain concept the question tests.

Start CRISC practice questions nowPractice questions with detailed explanations

What CRISC Actually Is — And Why It Is Not CISM or CISA

CRISC was created by ISACA in 2010 for people whose job is IT risk. The certification validates your ability to identify, assess, respond to, and monitor IT and information systems risk, and to design and implement information systems controls that keep the organization within its risk appetite. It is the only vendor-neutral credential dedicated exclusively to IT risk management.

Here is the single most important thing to internalize before you open the Review Manual:

CRISC is a risk exam, not a security exam and not an audit exam.

Every question on the CRISC is answered by asking: What would an IT risk practitioner — one who advises risk owners, reports to the board, and is accountable for risk process quality — do here? It is not: What is the most secure technical configuration? That is CISSP / CISM territory. It is not: What would an independent auditor evaluate? That is CISA territory. It is: What aligns IT risk with enterprise risk, communicates it to the right owner, and drives the right response?

If you are a security engineer or IT auditor who has never run a risk program, you will find CRISC counterintuitive. You will want to say "add more controls," or "document the deficiency." The CRISC correct answer is almost always: "understand the risk, present response options (mitigate, transfer, avoid, accept) to the risk owner, track with KRIs, and report to governance." Learn that rhythm and you pass. Miss it and you retake.

The 2026 CRISC Market

Three forces have made 2026 the best year yet to earn CRISC:

1. Regulatory convergence on risk. SEC Cybersecurity Disclosure Rule (10-K / 4-day 8-K), EU DORA (Digital Operational Resilience Act, January 2025), NIS2, EU AI Act, and state privacy laws all require demonstrable IT risk management. Every large organization needs certified risk practitioners to own the framework.

2. AI, cloud, and third-party risk exploded. AI governance (NIST AI RMF 1.0, ISO/IEC 42001:2023, EU AI Act), cloud concentration risk, and supply chain risk management have piled onto the IT risk professional's plate. CRISC's risk-first framing is exactly the mindset this work requires.

3. CRO and risk officer talent shortage is acute. Global Knowledge's annual IT Skills and Salary Report has consistently placed CRISC among the highest-paying IT certifications for a decade. Demand continues to outpace supply, and CRISC appears in an ever-increasing share of IT Risk Manager, Operational Risk Officer, and GRC Manager job postings.

Who Should Take CRISC

CRISC is the right credential for people who make — or will soon make — risk-based decisions about IT and information systems. Sweet spot: 3-7 years of IT, security, audit, or GRC experience with exposure to risk methodology.

Role	Why CRISC Fits
IT Risk Manager	Canonical CRISC role — literally in the name.
Operational Risk Officer (IT focus)	Bridge between enterprise risk and IT risk.
GRC Manager / Director	Governance, risk, compliance — two out of three are CRISC.
Chief Risk Officer (IT / Cyber focus)	CRISC is the most recognized credential for IT-side CROs.
Information Systems Control Owner	Designing, testing, monitoring controls to manage risk.
Third-Party / Vendor Risk Manager	TPRM is a fast-growing CRISC-adjacent discipline.
Internal Auditor moving into risk	Natural pivot — similar methodology, different deliverable.
Security manager adding risk depth	Common CISM + CRISC stack.

CRISC is not the right first cert for technical specialists (OSCP, GCIH instead), entry-level analysts (Security+ first), pure IT auditors (CISA), or security program managers (CISM is more direct).

CRISC vs CISM vs CISA — The ISACA Decision Matrix

All three ISACA credentials share the 200-800 scaled scoring system and the 450 cut score. They diverge sharply on role and content.

Dimension	CRISC	CISM	CISA
Primary role	IT Risk Manager, GRC, CRO track	Security Manager, CISO track	IT Auditor, SOX, SOC
Perspective	Risk practitioner advising risk owners	Program manager running security	Independent assurance provider
Domains	Governance, Risk Assessment, Risk Response & Reporting, Technology & Security	Governance, Risk Mgmt, Security Program, Incident Mgmt	IS Audit Process, Governance, Acquisition, Operations, Protection
Experience	3 years in 2+ of 4 domains	5 years InfoSec + 3 in mgmt	5 years IS audit/control/security
Best if you	Own the risk register, report to board on risk	Run the security program	Audit controls independently
Stack with	CISM + CRISC for risk-heavy security leaders	CISM + CISA for security + audit perspective	CISA + CRISC for auditors moving into risk

Quick decision rule:

Your current or target title includes "risk" → CRISC
Your current or target title includes "security manager," "CISO," or "director of security" → CISM
Your current or target title includes "auditor," "SOX," or "assurance" → CISA

Many senior GRC leaders hold two or all three. When in doubt, search your target job titles on LinkedIn and count which cert appears most in requirements.

Eligibility & the CRISC Experience Rule

Here is where most candidates get confused: you do NOT need 3 years of experience to sit the exam. You need it to become certified after you pass, and you have 5 years from the pass date to submit the paperwork.

The Experience Requirement

To earn the CRISC, you need:

3 years of cumulative work experience performing CRISC domain tasks, AND
Experience must span at least 2 of the 4 CRISC domains (Governance, Risk Assessment, Risk Response & Reporting, Technology & Security), AND
At least 1 of those 2 domains must be Governance OR Risk Response and Reporting.

Experience must be gained within the 10-year period preceding application OR within 5 years after passing the exam.

No Substitutions or Waivers

Unlike CISA and CISM, CRISC does not offer any experience waivers or substitutions — no credits for holding CISM, CISA, CGEIT, a master's degree, or any other credential. The 3 years of CRISC-domain experience is a hard requirement. Always verify current rules at isaca.org/credentialing/crisc.

What Counts as "CRISC Experience"

ISACA defines CRISC-qualifying experience as work that involves at least one of the following per domain:

Governance: Developing or maintaining the IT risk management governance framework; aligning IT risk with enterprise risk management; advising on risk appetite and tolerance.
Risk Assessment: Identifying IT risk scenarios; performing qualitative or quantitative risk analysis; maintaining the risk register; evaluating inherent vs residual risk.
Risk Response and Reporting: Recommending and implementing risk responses (mitigate, transfer, avoid, accept); designing, testing, and monitoring controls; reporting KRIs and KPIs to risk owners and governance.
Technology and Security: Understanding IT architecture, components, frameworks, and security controls enough to assess and manage their risk.

Hands-on technical work (patching, tool administration, firewall rule writing) does not count as CRISC experience on its own — it must be framed in risk methodology.

The Experience Verification Process

After you pass the exam, you have 5 years to:

Complete the CRISC application through your ISACA account.
Pay the $50 application processing fee.
List relevant experience with employer, dates, responsibilities, and a verifier (usually your supervisor).
Wait 4-8 weeks for ISACA to review and verify with your listed contacts.
Receive your certification number and digital badge.

If you do not apply within 5 years, your passing score expires and you must retake the exam.

The 4 CRISC Domains (Current Job Practice — Refreshed 3 November 2025)

ISACA refreshed the CRISC Job Practice on 3 November 2025. The current 4-domain structure and weights — applicable to all 2026 exam attempts — are below. Always confirm at the CRISC Exam Content Outline.

#	Domain	Weight	Approx. Question Count
1	Governance	26%	~39
2	Risk Assessment	22%	~33
3	Risk Response and Reporting	32%	~48
4	Technology and Security	20%	~30
	Total	100%	150

What changed in November 2025: Risk Assessment grew from 20% → 22%; Technology and Security shrank from 22% → 20%. Governance (26%) and Risk Response and Reporting (32%) held steady. Material published before November 2025 will still show the old weights — be careful when using older courses or review manuals.

Domains 3 and 1 together are 58% of the exam. If you prioritize study time incorrectly, this is where you lose points.

Domain 1 — Governance (26%)

Domain 1 establishes the structures within which IT risk is managed. It covers enterprise governance, IT risk governance, and the organizational context that shapes every downstream risk decision.

Core Topics

Topic	What You Must Know
Enterprise Risk Management (ERM)	COSO ERM 2017 framework (8 components, integrated with strategy); ISO 31000:2018 principles
IT Risk Governance Frameworks	COBIT 2019 (Governance vs Management — EDM vs APO/BAI/DSS/MEA), ISO/IEC 27005 (information security risk), NIST RMF (SP 800-37 Rev 2)
Organizational Strategy & Context	Mapping IT risk to business objectives, mission, and value chain
Risk Culture	Tone at the top; risk-aware behavior; rewarding escalation
Three Lines of Defense Model (IIA 2020)	1st line (operational owners), 2nd line (risk & compliance), 3rd line (internal audit)
Governance vs Management (COBIT)	EDM (Evaluate, Direct, Monitor) = governance; APO/BAI/DSS/MEA = management
Roles & Responsibilities	Board, executive, CRO, CISO, CIO, data owners, risk owners, control owners
Policies, Standards, Procedures, Guidelines	Policy hierarchy, approval authorities, exception management
Risk Appetite vs Risk Tolerance	Appetite = strategic, board-level; tolerance = tactical, operational bounds around appetite
Regulatory and Legal Context	GDPR, CCPA/CPRA, HIPAA, PCI-DSS 4.0, SOX, NYDFS Part 500, SEC cyber disclosure, DORA, NIS2, EU AI Act
ISACA Code of Professional Ethics	Directly tested

High-Yield: Governance vs Management

This distinction (straight from COBIT 2019) appears repeatedly on CRISC:

Governance (EDM — Evaluate, Direct, Monitor): The board and executive management set direction for IT risk, evaluate performance against that direction, and monitor compliance. Governance is about oversight.
Management (Plan, Build, Run, Monitor): The risk practitioner and risk owners execute against direction set by governance. Management is about operation.

When a CRISC question asks "who should decide X," apply this frame:

Setting risk appetite → governance (board / executive)
Approving risk management framework → governance (executive)
Performing risk assessments → management (risk practitioner)
Accepting a specific residual risk → the risk owner (management, typically business process owner with budget authority — NOT the risk practitioner)

Risk Appetite vs Risk Tolerance (Tested Every Exam)

Concept	Definition	Who Sets It	Example
Risk Appetite	The amount and type of risk the organization is willing to accept in pursuit of objectives	Board / executive	"We will accept operational disruptions of up to $5M aggregate per year."
Risk Tolerance	Specific, tactical bounds around appetite — thresholds for individual risks or processes	Executive / senior management	"No single incident may cause more than $500K loss."
Risk Capacity	The maximum amount of risk the organization could bear before existential damage	Board (implied)	Total equity / reserves / balance sheet capacity

Domain 2 — Risk Assessment (22%)

Domain 2 is where the risk methodology gets rigorous. Every question is, at its core, about how risk is identified, analyzed, and evaluated before any response is chosen.

Core Topics

Topic	What You Must Know
Risk Identification Techniques	Asset-based, threat-based, vulnerability-based, scenario-based, process-based, control-based
Threat Modeling	STRIDE, PASTA, LINDDUN, Attack Trees
Risk Analysis Methods	Qualitative (heat maps, matrices), Quantitative (ALE = SLE × ARO, FAIR), Semi-quantitative
Risk Register	Required fields: risk ID, scenario, owner, likelihood, impact, inherent/residual, response, KRI, status
Inherent vs Residual vs Current vs Projected Risk	The four risk states CRISC tests explicitly
Heat Maps / Risk Matrices	Likelihood × Impact; 3x3, 4x4, 5x5; limitations (clustering near center)
Quantitative Risk (FAIR)	Loss Event Frequency (LEF) × Loss Magnitude (LM); Primary Loss vs Secondary Loss
ALE Calculations	SLE = AV × EF; ALE = SLE × ARO; ROSI = (ALE_before − ALE_after − Cost) / Cost
Risk Scenarios	Structured narratives with threat, actor, asset, event, consequence
Emerging Risk	AI/ML model risk, cloud concentration, quantum computing threat to cryptography, supply chain
Third-Party / Vendor Risk	Due diligence, SOC 2 Type II, continuous monitoring, SBOM
BIA (Business Impact Analysis)	RPO, RTO, MTD, WRT; financial and non-financial impact

The Four Risk States (Memorize Precisely)

State	Meaning	Example
Inherent Risk	Risk BEFORE any controls (gross risk)	90% likelihood of breach without MFA
Current Risk	Risk TODAY given actual implemented controls	30% likelihood — MFA partially deployed
Residual Risk	Risk AFTER planned/designed controls fully operate	10% likelihood — MFA everywhere, fully tested
Projected Risk	Expected future risk given planned changes / emerging threats	Rises to 15% if AI-phishing volume doubles

CRISC questions are often resolved by correctly identifying which risk state the question is asking about.

The Quantitative Risk Formulas

SLE (Single Loss Expectancy) = Asset Value × Exposure Factor
ALE (Annual Loss Expectancy) = SLE × ARO
ARO (Annual Rate of Occurrence) = expected incidents per year
ROSI (Return on Security Investment) = (ALE_before − ALE_after − Control Cost) / Control Cost

Example: An asset worth $500,000 has a 20% exposure factor per incident and an expected 3 incidents per year. SLE = $100,000. ALE = $300,000. A $200,000 annual control reduces ARO to 0.5. New ALE = $50,000. ROSI = ($300,000 − $50,000 − $200,000) / $200,000 = 25%.

Qualitative vs Quantitative — When to Use Which

Method	Strengths	Weaknesses	Use When
Qualitative	Fast, low-cost, intuitive	Subjective, not financially defensible	Early-stage, low-data, broad risk surveys
Quantitative	Financial, defensible, decision-ready	Data-hungry, slow, requires actuarial inputs	Major investments, capital decisions, board-level
Semi-quantitative	Balances both	Neither fully precise nor fully fast	Common default for mature programs

Domain 3 — Risk Response and Reporting (32%)

Domain 3 is the largest single domain on CRISC — 32% of the exam, roughly 48 questions. This is where risk assessment becomes action: choosing a response, designing/testing controls, and reporting to governance.

Core Topics

Topic	What You Must Know
Risk Response Options	Mitigate (treat/modify), Transfer (share), Avoid, Accept (retain) — ISO 31000 terminology
Control Design	Preventive, Detective, Corrective, Deterrent, Compensating; Administrative/Technical/Physical
Control Categories	Entity-level, process-level, activity-level; IT General Controls (ITGC) vs Application Controls
Control Testing	Design effectiveness vs Operating effectiveness; sample sizing; evidence retention
Control Monitoring	Continuous control monitoring (CCM), automated testing, exception reporting
Key Risk Indicators (KRIs)	Leading indicators of risk materialization (e.g., % of privileged accounts without MFA)
Key Performance Indicators (KPIs)	Operational measures of process performance (e.g., mean time to patch)
Key Control Indicators (KCIs)	Measures of control effectiveness (e.g., % access reviews completed on time)
Three Lines of Defense	Responsibilities for each line; independence requirements
Risk Reporting	To risk owners, executive management, audit committee, board; cadence and content
Risk Register Maintenance	Updating on change, event, or periodic cycle
Exception Management	Policy exceptions, temporary acceptances, compensating controls
Project and Program Risk	Integrating risk into SDLC, agile, DevOps, cloud migrations

The Risk Response Decision Framework

Option	When to Use	Example
Mitigate (Modify / Treat)	Risk exceeds appetite and cost-effective controls exist	Add MFA to reduce account takeover risk
Transfer (Share)	Risk can be shifted at acceptable cost	Cyber insurance, outsourcing to SOC-2-certified vendor
Avoid	Risk is unmanageable and activity is non-essential	Discontinue a product line, exit a market
Accept (Retain)	Risk is within appetite OR mitigation cost exceeds benefit	Explicit sign-off by risk owner; document rationale

CRISC Terminology Trap: ISACA uses "Mitigate/Transfer/Avoid/Accept" most commonly, but also uses the ISO 31000 language "Modify/Share/Avoid/Retain." Both map to the same four choices. The exam will switch between the two sets to test whether you understand the concepts, not just memorized a word list. "Treat" = "Mitigate" = "Modify" all mean the same thing in CRISC.

Exam tip: The risk practitioner never accepts risk alone. The risk owner (typically the business process owner with budget authority) accepts risk. The risk practitioner identifies, assesses, and recommends.

KRIs, KPIs, KCIs — The Metrics Hierarchy

Metric Type	Purpose	Example
KRI (Key Risk Indicator)	Leading indicator of risk materializing	% privileged accounts without MFA; # overdue critical patches
KPI (Key Performance Indicator)	Measure of operational performance	Mean time to patch; backup success rate
KCI (Key Control Indicator)	Measure of control effectiveness	% access reviews completed on time; % control tests passed

A good KRI is: predictive, measurable, actionable, and tied to appetite. "Number of malware alerts" is NOT a good KRI — it is noisy and not predictive. "Percentage of endpoints without current EDR" IS a good KRI — it is a leading indicator of breach likelihood.

Reporting Metrics to the Board

Avoid the rookie mistake of reporting activity metrics. Translate into risk and business-outcome language:

Avoid (Activity)	Prefer (Risk Outcome)
"We blocked 1.2M malware events"	"Residual ransomware risk decreased 40% YoY"
"We patched 5,000 CVEs"	"KRI 'high-severity vulns > SLA' reduced from 250 to 30"
"We conducted 12 phishing simulations"	"Phishing click rate 18% → 4%; credential-theft risk reduced 60%"
"SOC monitored 24x7"	"MTTD 72h → 4h; residual incident impact risk meaningfully reduced"

Domain 4 — Technology and Security (20%)

Domain 4 ensures CRISC holders understand the IT and security concepts deeply enough to assess and manage their risk. This is not a pure technical domain — it is applied IT knowledge through a risk lens. Note: the November 2025 Job Practice refresh trimmed this domain from 22% to 20% (weight moved to Risk Assessment).

Core Topics

Topic	What You Must Know
CIA Triad	Confidentiality, Integrity, Availability — mapped to risk scenarios
Enterprise Architecture	TOGAF basics, architecture layers, data flows
IT Operations	Change management, configuration management, release management, ITIL basics
Frameworks & Standards	NIST CSF 2.0 (6 functions incl. new Govern), COBIT 2019, ISO/IEC 27001:2022, ISO/IEC 27005, NIST SP 800-53 Rev 5, CIS Controls v8
Security Architecture	Defense in depth, zero trust (NIST SP 800-207), network segmentation
Identity & Access Management	Lifecycle, RBAC/ABAC, privileged access, SSO, federation (SAML, OIDC)
Data Protection	Classification, encryption at-rest and in-transit, key management, DLP, tokenization
Application Security	Secure SDLC, SAST/DAST/SCA, OWASP Top 10, API security
Cloud Risk	Shared responsibility, concentration risk, SaaS/PaaS/IaaS risk profiles, CSPM, CASB
Third-Party & Supply Chain Risk	Vendor risk management, SBOM, continuous vendor monitoring, DORA ICT third-party provisions
Vulnerability Management	Scanning, prioritization (CVSS, EPSS), SLAs, remediation vs mitigation
Incident Response	NIST SP 800-61 Rev 2 lifecycle (Preparation, Detection/Analysis, Containment/Eradication/Recovery, Post-Incident)
BCP and DRP	RTO, RPO, MTD, WRT; 3-2-1 backup; hot/warm/cold DR sites
Emerging Technologies	AI/ML risk, generative AI, quantum, IoT, OT/ICS

NIST Cybersecurity Framework 2.0 (Released February 2024)

6 core functions (up from 5 in CSF 1.1): Govern (NEW), Identify, Protect, Detect, Respond, Recover
The new Govern function covers organizational context, risk management strategy, roles and responsibilities, policy, oversight, and supply chain risk — heavily relevant to CRISC Domain 1.
Implementation uses Tiers 1-4 (Partial, Risk Informed, Repeatable, Adaptive).
Profiles describe current and target cybersecurity states.

ISO/IEC 27001:2022 and 27005

27001:2022: Information Security Management System (ISMS) requirements. 10 clauses; 93 Annex A controls in 4 themes (Organizational 37, People 8, Physical 14, Technological 34).
27005:2022: Guidance on information security risk management — the "how" under 27001's "what." Directly aligned with CRISC methodology.

Breach Notification Windows (2026 Reality — Domain 4 Risk Context)

Regulation	Notification Window	To Whom
GDPR	72 hours from awareness	Supervisory authority; subjects if high risk
HIPAA Breach Notification Rule	60 days from discovery	Individuals, HHS; media if 500+ in a state
US State Breach Laws (varies)	Typically "without unreasonable delay," often 30-90 days	State AG, affected residents
NYDFS Part 500	72 hours	NYDFS Superintendent
SEC Cyber Disclosure (public co.)	4 business days of materiality determination	8-K filing
EU NIS2 Directive	24h early warning + 72h incident notification + 1-month final report	National CSIRT
EU DORA (financial sector)	Initial, intermediate, final reports per regulatory technical standards	Competent authority

Cross-Domain High-Yield: The Concepts That Cut Across Every Question

These concepts appear in 20-30% of CRISC questions regardless of labeled domain.

The Decision Rights Principle

The risk practitioner identifies, assesses, and recommends. The risk owner decides. The governance body oversees.

When a question asks "who should decide X," apply this filter:

Decision	Decider
Accept a specific residual risk	Risk owner (business process owner with budget authority)
Approve the IT risk management framework	Executive management / board (governance)
Set organizational risk appetite	Board of directors (governance)
Implement a specific control	Control owner / IT team (operations)
Report KRIs to the board	Risk practitioner + CRO/CISO (per governance cadence)
Exception approval (short-term)	Risk owner + risk function co-approval
Exception approval (long-term / high)	Governance body

Control Classifications

Type	Purpose	Examples
Preventive	Stop incidents before they happen	Firewalls, access controls, MFA, encryption
Detective	Identify incidents that have occurred	Logs, IDS, SIEM, CCTV
Corrective	Restore after an incident	Backups, incident response, patches
Deterrent	Discourage threats	Warning signs, visible cameras
Compensating	Alternate control when the primary is infeasible	Manager review when automated segregation cannot be implemented

Administrative, Technical, Physical

Administrative (Managerial): Policies, procedures, training, background checks
Technical (Logical): Firewalls, encryption, ACLs, IDS
Physical: Locks, guards, cameras, fences

CRISC Pass Rate & Difficulty Reality Check

ISACA does not publish official pass rates. Here is what we know from candidate surveys, training providers, and community data:

Source	Reported First-Time Pass Rate
Gleim CRISC customer survey	~78% (self-selected study-committed users)
Hemang Doshi course completers	~75%
Reddit r/CRISC self-reports	55-65%
Industry average across all candidates	~55-65%
Candidates using official Review Manual + QAE DB	75-80%
Auditors and engineers who skip risk-mindset coaching	35-50%

Why the range? First-time pass rates depend heavily on:

Materials used — official CRISC Review Manual (7th or 8th edition — use whichever is current at exam time) + QAE Database is the evidence-based winning stack.
Practice volume — 1,000+ practice questions correlates with roughly 2x pass rates vs under 300.
Experience — working risk practitioners pass at higher rates than auditors and engineers.
Mindset adjustment — the #1 reason candidates fail CRISC is failing to shift from a "secure the system" or "audit the controls" to a "manage the risk" mindset.

Plan on 100-150 hours of study. Do not schedule the exam until you are consistently scoring 75%+ on full-length timed practice exams.

FREE CRISC Practice, Round 2

Practice is what separates the candidates who pass from those who retake. Before we get to the study plan, make sure you have your practice environment ready.

Start practicing nowPractice questions with detailed explanations

12-16 Week CRISC Study Plan

This plan assumes 10 hours per week. Scale up or down based on your schedule. Experienced IT risk managers can compress to 10 weeks at 12 hours/week; auditors and engineers pivoting to risk should extend to 14-16 weeks.

Weeks 1-2: Mindset Reset + Domain 1 (Governance)

Read CRISC Review Manual Chapter 1.
Watch Hemang Doshi's or Prabh Nair's Domain 1 overview (YouTube or course).
Build a one-page "CRISC mindset cheat sheet": governance vs management, risk owner vs risk practitioner, appetite vs tolerance, Three Lines of Defense.
Practice: 75 Domain 1 questions. Review every wrong answer with focus on why the risk-first answer is correct.

Weeks 3-4: Domain 2 — Risk Assessment

Read Chapter 2.
Memorize the quantitative risk formulas (SLE, ALE, ROSI) and run 10 example calculations.
Build a comparison table: qualitative vs quantitative vs semi-quantitative; inherent vs residual vs current vs projected.
Practice translating business impact into risk register entries.
Practice: 75 Domain 2 questions.

Weeks 5-8: Domain 3 — Risk Response and Reporting (BIGGEST DOMAIN)

Read Chapter 3 — this is the longest chapter.
Week 5: Risk response options (mitigate/transfer/avoid/accept + treat/modify/share/retain terminology).
Week 6: Control design, control testing (design vs operating effectiveness), continuous monitoring.
Week 7: KRIs, KPIs, KCIs — what makes a good indicator; designing metric hierarchies.
Week 8: Reporting cadence and content to risk owners, executives, audit committee, board.
Practice: 200 Domain 3 questions across the four weeks.

Weeks 9-10: Domain 4 — Technology and Security

Read Chapter 4.
Week 9: CIA, architecture, IAM, data protection, NIST CSF 2.0, ISO 27001:2022.
Week 10: Cloud risk, third-party risk, vulnerability management, IR lifecycle, BCP/DRP, breach notification windows.
Practice: 100 Domain 4 questions.

Weeks 11-12: Full-Length Practice Exams + Weakness Targeting

Take 2 full 150-question timed practice exams in 4-hour blocks.
After each, spend 6-8 hours analyzing wrong answers, grouping them by domain and by "why I got this wrong" (knowledge gap, wrong mindset, misread).
Re-study weak areas.

Weeks 13-14: Final Mock Exams + High-Yield Review

Take 2 more full mocks at the same time of day you will sit the real exam.
Target: consistent 75%+ scores.
Final review of high-yield flashcards: COBIT EDM/PBRM, ISO 27005, NIST RMF 7 steps, ALE formulas, the 4 risk states, treat/transfer/mitigate/avoid mapping, notification windows, Three Lines of Defense.

Weeks 15-16: Taper + Exam

Light review only — no new material in the final week.
Day 2 of final week: 1 last mock exam.
Days 3-5: targeted flashcard review.
Day 6: rest.
Day 7: exam day.

Recommended Resources (Free-First)

Free

Resource	Why
ISACA Official Exam Candidate Guide (PDF, free from isaca.org)	Authoritative source for 2026 exam policies
Prabh Nair YouTube channel	Gold standard of free CRISC video content — 40+ hours of domain videos
Hemang Doshi YouTube channel and blog	The CRISC study community's most-cited free resource
OpenExamPrep free CRISC practice	Free ISACA-style questions with AI tutor explanations — start here
ISACA Free Webinars	Monthly webinars count as CPE post-certification
ISACA Risk IT Framework (white papers)	Free downloads on risk taxonomy and scenarios
NIST Publications	SP 800-37 (RMF), 800-39 (Risk Management), 800-30 (Risk Assessment) — free
r/CRISC subreddit	Trip reports and current-week study updates

Paid (Only After Exhausting Free)

Resource	What It Is	Who Should Buy
ISACA CRISC Review Manual (current edition — 7th or 8th)	The official prep book. The primary source.	Every candidate. Non-negotiable.
ISACA QAE Database (Questions, Answers, Explanations)	1,000+ official practice questions with digital analytics	Every candidate. Highest-ROI paid resource.
Hemang Doshi CRISC Mock Papers	6 full mock exams with detailed rationale	Every candidate who wants realistic timed practice
DestCert CRISC MasterClass	Comprehensive video course with mind maps	Candidates who learn best via structured video
Mike Chapple CRISC Study Guide (Sybex/Wiley)	Alternative textbook with a different teaching style	Candidates who want a second reference
Gleim CRISC Review	Complete course with question bank	Candidates who want maximum structure
Pearson/Kaplan CRISC Cert Guide	Alternative textbook format	Candidates who want a third reference

The lean budget stack: Official Review Manual (~~$139 member) + ISACA QAE 12-month subscription (~~$299 member) + Hemang Doshi Mock Papers (~$50) + free practice + Prabh Nair YouTube. Total: under $550, covers everything.

Exam-Day Strategy: The CRISC Stamina Game

The CRISC is 150 questions in 240 minutes — roughly 1 minute 36 seconds per question. The exam is linear on-the-fly, meaning you CAN navigate back, flag questions, review, and change answers within the 4-hour window. Use it.

Pacing

Minute 0-80: Answer questions 1-50. If a question takes more than 90 seconds, flag it and move on.
Minute 80-160: Answer questions 51-100.
Minute 160-220: Answer questions 101-150.
Minute 220-240: Revisit flagged questions. Change answers only when you have a concrete reason — first instincts are correct about 75% of the time.

The CRISC Question Archetypes

Every CRISC question falls into one of three archetypes. Identify which before you answer:

Archetype	Signal	Strategy
Knowledge Check	"Which of the following is defined as..."	Pick the definition. Move fast.
Scenario / Best Answer	A 3-5 sentence scenario ending in "What is the BEST action for the risk practitioner?"	Identify the role, apply decision-rights filter, eliminate options that bypass the risk owner
First / Next / Greatest	"What should the practitioner do FIRST?" / "Which presents the GREATEST risk?"	Read all options — all may be plausible. Pick based on the risk-first frame.

BEST vs MOST — The ISACA Keyword Trap

ISACA uses precise qualifying words. Read them carefully:

BEST — the single most effective or appropriate answer among those presented
MOST / GREATEST — the answer with the highest magnitude of the attribute asked about
FIRST — the answer that must happen before the others (order of operations)
PRIMARY — the answer most directly related to the purpose asked about

Multiple options may be technically correct. The qualifier tells you which one to pick.

The Elimination Engine

For hard questions, eliminate in this order:

Eliminate answers that bypass the risk owner. The risk practitioner does not accept, modify, or avoid risks on behalf of the business.
Eliminate technical-only answers. CRISC tests risk judgment, not technical execution.
Eliminate absolutes. "Always," "never," "all" are almost always wrong.
Eliminate answers that skip governance. Major decisions require governance approval.
Choose the answer that an experienced, risk-aware practitioner would document in the risk register and defend at the next risk committee.

Working-Memory Conservation

Read the question and the final sentence first; then read the options; then re-read the scenario with the options in mind.
Do NOT re-read passages multiple times. One read, decide, flag if unsure, move on.
Hydrate. PSI allows water at test centers (check per-site rules).
If online-proctored: set up a quiet room, close all other apps, test the webcam, keep government ID ready, and clear your desk of all materials.

Cost Breakdown, Retake Policy & Recertification

Total First-Year Cost

Item	ISACA Member	Non-Member
Exam fee	$575	$760
ISACA membership (optional)	$135 + $50 one-time	n/a
Application processing fee (after passing)	$50	$50
Annual maintenance fee	$45	$85
Year 1 Total (minimum path)	~$855	~$895

Membership math: joining costs $185 first year ($50 application + $135 dues) and saves you $185 on the exam fee. You break even in year 1 and win in year 2+ via discounted resources, lower maintenance, and discounted conferences.

Retake Policy

After a failed attempt, wait 90 days before retesting.
Maximum 4 attempts per 12-month period.
You pay the full exam fee on each retake.

Recertification (3-Year Cycles)

120 CPE hours per 3-year cycle.
Minimum 20 CPE hours per year — no back-loading into year 3.
Annual maintenance fee: $45 member / $85 non-member.
Adhere to the ISACA Code of Professional Ethics.
ISACA audits approximately 10% of certificants each year — keep documentation of every CPE.

CPE activities include ISACA chapter meetings, webinars, conferences, vendor training, university courses, teaching, writing, serving on committees, and reading vetted risk and cybersecurity publications. All five ISACA credentials share a single 3-year cycle, so if you stack CRISC + CISM + CISA, one CPE can count across all three.

Salary & Career: What a CRISC Actually Earns

Global Knowledge / Skillsoft salary surveys, Robert Half's 2026 Salary Guide, and ISACA's 2024 State of Cybersecurity converge on these 2026 US numbers:

Role	CRISC-Certified Base Salary (US)
IT Risk Analyst	$90,000 - $120,000
IT Risk Manager	$110,000 - $160,000
Senior IT Risk Manager / Principal	$140,000 - $185,000
Director of IT Risk / GRC	$170,000 - $230,000
Chief Risk Officer (IT / Cyber)	$220,000 - $400,000+
Operational Risk Officer	$130,000 - $190,000
Third-Party / Vendor Risk Manager	$115,000 - $160,000
Big 4 Risk Advisory Manager	$140,000 - $180,000

The CRISC Premium

CRISC has been a top-paying IT certification in Global Knowledge's IT Skills and Salary Report year after year. In 2026, dedicated IT risk roles remain understaffed, and regulatory drivers (SEC cyber disclosure, DORA, NIS2, EU AI Act) continue to increase demand. CROs with CRISC at large enterprises frequently exceed $400,000 total comp.

Career Paths

IT Risk track: Analyst → Manager → Director → CRO (IT/Cyber). CRISC expected at Manager and above.
GRC track: GRC Analyst → Manager → Director of GRC. CRISC increasingly required at Manager.
Consulting track: Big 4 / boutique risk advisory — Consultant → Manager → Senior Manager → Partner. CRISC standard at Manager.
Audit-to-risk pivot: Internal audit → IT risk → CRO track. CRISC is the bridge credential.

Common Mistakes That Tank First-Time Candidates

Mistake #1: Picking "The Most Secure" Answer

CRISC is a risk exam, not a security-engineering exam. The right answer is the one a risk practitioner would document in the risk register, present to the risk owner, and defend at the risk committee — usually the one that frames risk, presents response options, and respects decision rights.

Wrong: "Deploy MFA everywhere immediately." Right: "Assess the authentication risk, present mitigation options (cost, coverage, business impact) to the risk owner, and track implementation with a KRI."

Mistake #2: The Risk Practitioner Accepts Risk

Candidates routinely pick answers where the risk practitioner accepts a residual risk. Wrong.

The risk owner (business process owner with budget authority) accepts risk. The risk practitioner identifies, assesses, and recommends. When in doubt, an answer that has the risk practitioner unilaterally accepting, rejecting, or modifying a business-owned risk is wrong.

Mistake #3: Confusing Treat / Transfer / Mitigate / Avoid / Accept

ISACA sometimes uses ISO 31000 terminology (Modify, Share, Avoid, Retain) and sometimes classic risk response (Mitigate, Transfer, Avoid, Accept). Treat = Mitigate = Modify. Transfer = Share. Accept = Retain. Avoid is just Avoid. If you memorize only one set, the other will trip you up.

Mistake #4: Confusing Inherent, Residual, Current, and Projected Risk

These four states are tested explicitly. Inherent = before controls. Current = today with actual controls. Residual = after planned controls fully operate. Projected = future with expected changes. Misreading "residual" as "current" (or vice versa) flips the right answer.

Mistake #5: Ignoring the BEST vs MOST Keyword

ISACA uses precise qualifiers. BEST means "the single most effective"; MOST / GREATEST means "the answer with the highest magnitude of the attribute asked about"; FIRST means "the action that must come before the others." Ignoring the qualifier is the #1 reason smart candidates pick wrong-but-plausible answers.

Mistake #6: Under-Practicing

100 practice questions is not enough. You need 1,000+, with the final 2 weeks spent on timed, full-length sets in a 4-hour block.

Mistake #7: Skipping the Manual for Bootcamps

Bootcamps and YouTube summarize. ISACA writes the exam from the CRISC Review Manual. If you skip it, you will miss the wording nuances that make the difference between a pass and a fail.

Mistake #8: Under-Studying Domains 3 and 1

Domains 3 (32%) and 1 (26%) are 58% of the exam. Candidates who over-invest in Domain 4 (Technology and Security, 20%) and under-prepare on Risk Response and Governance routinely fail. Front-load Domain 1 in weeks 1-2 and start Domain 3 by week 5 of a 12-16 week plan.

CRISC vs CISM vs CISA vs CISSP — And How to Stack

Cert	Body	Focus	Experience	Best For
CRISC	ISACA	IT risk management	3 years in 2+ of 4 domains	IT Risk Managers, CROs, GRC
CISM	ISACA	Information security management	5 years InfoSec, 3 in mgmt	Security managers, CISOs
CISA	ISACA	IT audit, control, assurance	5 years IS audit/control/security	IT auditors, compliance pros
CISSP	ISC2	Security management + technical	5 years in 2+ domains	Senior security engineers, CISOs
CGEIT	ISACA	Executive IT governance	5 years IT governance, 1 in leadership	CIOs, IT governance leaders
CDPSE	ISACA	Privacy engineering + assurance	3 years privacy + technical	Privacy engineers, DPOs

CRISC vs CISM: The Closest Comparison

Dimension	CRISC	CISM
Primary audience	IT Risk Manager, CRO track	Security Manager, CISO track
Depth on risk	Very deep (methodology, quantitative, register)	Moderate (one of four domains)
Depth on security program	Moderate (one of four domains, IT & Security)	Very deep (Program is 33% of CISM)
Depth on incident response	Light	Heavy (30% of CISM)
Best if your title has	"Risk"	"Security Manager" or "CISO"

Stacking Strategy

CRISC + CISM: Most common ISACA stack. Risk depth + security management. Ideal for CISOs who also own enterprise risk.
CRISC + CISA: Audit-to-risk pivot. Common in Big 4 and internal audit.
CRISC + CISSP: Technical-to-risk pivot. Senior engineer who now owns risk.
CRISC + CGEIT: Executive track. CIO / CRO combination.
CRISC + CDPSE: Risk + privacy — growing fast with AI governance.

Your Next Steps After CRISC

Natural follow-ups: CISM (security management), CISA (audit perspective), CGEIT (executive governance), CDPSE (privacy), AAIA (ISACA AI audit), FAIR certification (Open FAIR for deeper quantitative risk), or ISO 31000 / ISO 27005 training.

All five ISACA credentials share a single 3-year CPE cycle when held simultaneously — so CRISC + CISM + CISA maintenance is the same 120 hours as CRISC alone.

Final CTA: Start Practicing Today

CRISC is a pass-able exam with a clear roadmap. The candidates who fail almost always share one trait: they treated it like a security or audit exam. You can fix that right now.

Start practicing nowPractice questions with detailed explanations

The 2026 IT risk job market has more openings than qualified candidates. CRISC is the fastest credential path into those openings. The only thing between you and that IT Risk Manager or CRO title is the 150-question exam — and a study plan that actually works.

Good luck. You can do this.

Official Sources

ISACA CRISC program home: https://www.isaca.org/credentialing/crisc
ISACA Exam Candidate Guide (PDF): available from the CRISC program page
ISACA Code of Professional Ethics: https://www.isaca.org/credentialing/code-of-professional-ethics
ISACA Risk IT Framework: https://www.isaca.org/resources/risk-it
COBIT 2019 Framework: https://www.isaca.org/resources/cobit
ISACA 2024 State of Cybersecurity report: https://www.isaca.org
PSI Services (delivery vendor): https://www.psionline.com
NIST SP 800-37 Rev 2 (Risk Management Framework): https://csrc.nist.gov/publications/detail/sp/800-37/rev-2/final
NIST SP 800-30 Rev 1 (Risk Assessment): https://csrc.nist.gov
NIST Cybersecurity Framework 2.0: https://www.nist.gov/cyberframework
ISO/IEC 27005:2022: https://www.iso.org/standard/80585.html
ISO 31000:2018: https://www.iso.org/iso-31000-risk-management.html
SEC Cybersecurity Disclosure Rule: https://www.sec.gov

Information current as of April 2026. Always verify specific fees, dates, domain weights, and eligibility details at isaca.org before applying or registering.

✓Key Facts

CRISC in 2026: The Only Guide You Need

CRISC Exam At-a-Glance (2026)

FREE CRISC Prep: Practice Before You Pay

What CRISC Actually Is — And Why It Is Not CISM or CISA

The 2026 CRISC Market

Who Should Take CRISC

CRISC vs CISM vs CISA — The ISACA Decision Matrix

Eligibility & the CRISC Experience Rule

The Experience Requirement

No Substitutions or Waivers

What Counts as "CRISC Experience"

The Experience Verification Process

The 4 CRISC Domains (Current Job Practice — Refreshed 3 November 2025)

Domain 1 — Governance (26%)

Core Topics

High-Yield: Governance vs Management

Risk Appetite vs Risk Tolerance (Tested Every Exam)

Domain 2 — Risk Assessment (22%)

Core Topics

The Four Risk States (Memorize Precisely)

The Quantitative Risk Formulas

Qualitative vs Quantitative — When to Use Which

Domain 3 — Risk Response and Reporting (32%)

Core Topics

The Risk Response Decision Framework

KRIs, KPIs, KCIs — The Metrics Hierarchy

Reporting Metrics to the Board

Domain 4 — Technology and Security (20%)

Core Topics

NIST Cybersecurity Framework 2.0 (Released February 2024)

ISO/IEC 27001:2022 and 27005

Breach Notification Windows (2026 Reality — Domain 4 Risk Context)

Cross-Domain High-Yield: The Concepts That Cut Across Every Question

The Decision Rights Principle

Control Classifications

Administrative, Technical, Physical

CRISC Pass Rate & Difficulty Reality Check

FREE CRISC Practice, Round 2

12-16 Week CRISC Study Plan

Weeks 1-2: Mindset Reset + Domain 1 (Governance)

Weeks 3-4: Domain 2 — Risk Assessment

Weeks 5-8: Domain 3 — Risk Response and Reporting (BIGGEST DOMAIN)

Weeks 9-10: Domain 4 — Technology and Security

Weeks 11-12: Full-Length Practice Exams + Weakness Targeting

Weeks 13-14: Final Mock Exams + High-Yield Review

Weeks 15-16: Taper + Exam

Recommended Resources (Free-First)

Free

Paid (Only After Exhausting Free)

Exam-Day Strategy: The CRISC Stamina Game

Pacing

The CRISC Question Archetypes

BEST vs MOST — The ISACA Keyword Trap

The Elimination Engine

Working-Memory Conservation

Cost Breakdown, Retake Policy & Recertification

Total First-Year Cost

Retake Policy

Recertification (3-Year Cycles)

Salary & Career: What a CRISC Actually Earns

The CRISC Premium

Career Paths

Common Mistakes That Tank First-Time Candidates

Mistake #1: Picking "The Most Secure" Answer

Mistake #2: The Risk Practitioner Accepts Risk

Mistake #3: Confusing Treat / Transfer / Mitigate / Avoid / Accept

Mistake #4: Confusing Inherent, Residual, Current, and Projected Risk

Mistake #5: Ignoring the BEST vs MOST Keyword

Mistake #6: Under-Practicing

Mistake #7: Skipping the Manual for Bootcamps

Mistake #8: Under-Studying Domains 3 and 1

CRISC vs CISM vs CISA vs CISSP — And How to Stack

CRISC vs CISM: The Closest Comparison

Stacking Strategy

Your Next Steps After CRISC

Final CTA: Start Practicing Today

Official Sources

Free Study Resources

CRISC Certified in Risk and Information Systems Control