What Is on the CRISC Exam? All 4 Domains Explained Simply

  • Updated on: April 9, 2026


    The CRISC exam covers four domains, but not all of them carry equal weight, and the exam does not test them the way most candidates expect. It is not a knowledge recall test. It is a judgment test. Every question puts you in a real organizational scenario and asks you to make the risk decision that an experienced professional would make. Getting that distinction wrong early in your preparation wastes weeks of study time on the wrong things.

    This article breaks down all four CRISC domains in plain language. For each one, you will see what it covers, why it matters to your career, and how it shows up in real organizational situations. By the end, you will know where to focus your study time and how to approach the exam with a clear strategy.

    How the CRISC Exam Is Structured

    The CRISC exam consists of 150 multiple-choice, scenario-based questions and runs for four hours. The passing score is 450 on a scale of 200 to 800. Questions are not designed to test memorization. They are designed to test how well you apply risk management thinking to realistic organizational situations, which means the way you study matters as much as how long you study.

    The exam is built around four domains, each carrying a different percentage of the total question pool. Those weightings are not arbitrary. They reflect how much each area of knowledge shows up in the actual work of an IT risk professional. The domain weights help you allocate your study time where it will have the greatest impact on your results.

    CRISC Domain 1: Governance (26%)

    Domain 1: Governance (26%) is where the CRISC exam starts, and for good reason. Before you can identify risks, assess their impact, or design controls, you need to understand the organization to which those risks belong. Domain 1 tests your ability to see your organization from the top down: its strategy, its structure, its culture, and the risk boundaries its leadership has defined. It also tests your understanding of how enterprise risk management frameworks operate and how governance connects IT risk to business objectives. At 26% of the exam, this domain deserves serious attention from the start of your preparation.

    Key Areas in Domain 1

    Domain 1 is divided into two sub-sections. The first is Organizational Governance, which covers organizational strategy, goals and objectives, organizational structure, roles and responsibilities, culture, policies and standards, business processes, and organizational assets. The second is Risk Governance, which covers Enterprise Risk Management and Risk Management Frameworks, the three lines of defense model, risk profile, risk appetite and risk tolerance, legal, regulatory and contractual requirements, and the professional ethics of risk management.

    Together, these two sub-sections build your understanding of how organizations define acceptable risk and how that definition should guide every risk decision you make.

    Why This Domain Matters to You

    Domain 1 is where you learn to stop thinking like a technician and start thinking like an advisor to leadership. Every risk decision you make as a CRISC professional needs to be grounded in what your organization is trying to achieve and how much uncertainty it is willing to accept in pursuit of those goals. If you do not understand your organization's risk appetite, you cannot recommend the right controls. If you do not understand the governance structure, you cannot assign the right ownership. This domain gives you the foundation that every other domain builds on.

    Practical Example

    Your organization is preparing to launch a new digital service that will process customer financial data. Leadership wants to move fast, but no one has defined the risk appetite for this initiative or reviewed the regulatory requirements that apply to it. Without that governance foundation, the project moves forward with no agreed threshold for acceptable risk, no clear ownership of risk decisions, and no policy framework to guide the development team.
     
    A professional applying Domain 1 principles steps in early to help leadership define risk tolerance for the initiative, align the project with existing policies, and establish governance checkpoints before the service goes live. That intervention prevents compliance findings and unmanaged third-party risks from surfacing after launch.

    CRISC Domain 2: Risk Assessment (22%)

    Once you understand the organization and its governance framework, Domain 2 trains you to identify what could go wrong and why. Domain 2: Risk Assessment covers the full process of recognizing threats, analyzing vulnerabilities, building risk scenarios, and measuring the potential impact on business operations. At 22% of the exam, this domain tests a critical skill: turning technical observations into business-level insights that leadership can act on.

    Key Areas in Domain 2

    Domain 2 is divided into two sub-sections. The first is IT Risk Identification, which covers risk events including contributing conditions and loss results, threat modelling and the threat landscape, vulnerability and control deficiency analysis, including root cause analysis, and risk scenario development. The second is IT Risk Analysis and Evaluation, which covers risk assessment concepts, standards and frameworks, the risk register, risk analysis methodologies, business impact analysis, and the difference between inherent and residual risk.

    These sub-sections work together to give you a structured process for moving from "something could go wrong" to "here is what it means for the business and what we should do about it."

    Why This Domain Matters to You

    Risk assessment is where your technical knowledge starts to earn its value at the business level. Being able to identify a vulnerability is useful. Being able to translate that vulnerability into a quantified risk scenario with a clear business impact is what makes you credible in front of leadership. This domain trains you to document risks in a way that drives decisions, not just fills a spreadsheet. The risk register and business impact analysis skills you build here will follow you into every risk management role you hold.

    Practical Example

    Your organization migrates a core business application to a cloud platform. The project team completes the migration on schedule, but no formal risk assessment was conducted before go-live. Three weeks later, a misconfigured identity policy exposes sensitive customer records to unauthorized access. A professional applying Domain 2 principles would have identified the identity and access management risks during the threat modelling phase, built a risk scenario documenting the likelihood and potential business impact of a misconfiguration, and presented that analysis to leadership before deployment.

    The result would have been a clear decision about whether to implement additional controls or accept the risk with eyes open, rather than discovering the exposure after the fact.

    CRISC Domain 3: Risk Response and Reporting (32%)

    Domain 3: Risk Response and Reporting (32%) carries the heaviest weight on the CRISC exam, and that weighting reflects reality. Identifying and assessing risk is only useful if the right people respond to it with the right controls and the right communication. Risk Response and Reporting tests your ability to select appropriate risk treatment strategies, design and implement effective controls, assign clear ownership, and report on risk in a way that drives timely decisions at the leadership level. If you only have limited study time, this domain deserves the most of it.

    Key Areas in Domain 3

    Domain 3 is divided into three sub-sections. The first is Risk Response, which covers risk treatment and risk response options, risk and control ownership, third-party risk management across the full vendor relationship lifecycle, issue, finding and exception management, and the management of emerging risk. The second is Control Design and Implementation, which covers control types, standards and frameworks, control design, selection and analysis, control implementation, and control testing and effectiveness evaluation.

    The third is Risk Monitoring and Reporting, which covers risk treatment plans, data collection, aggregation, analysis, and validation, risk and control monitoring techniques, and risk and control reporting techniques, including heatmaps, scorecards, and dashboards, as well as Key Performance Indicators (KPIs), Key Risk Indicators (KRIs), and Key Control Indicators (KCIs).

    Why This Domain Matters to You

    This domain is where risk management becomes visible to the rest of the organization. You can run a perfect risk assessment, but if you cannot communicate the findings clearly, assign ownership of the response, and monitor whether the controls are working, the assessment produces no real value.
     
    Domain 3 trains you to close that loop. It also covers third-party risk management in depth, which is increasingly critical as organizations depend on vendors and cloud providers for core business functions. The reporting skills covered here, including how to build dashboards and scorecards that executives actually use, are among the most transferable skills the CRISC certification develops.

    If you want to see how ISACA frames risk response and reporting questions before you dive into full preparation, the free CRISC Practice Questions from Destination Certification give you a realistic feel for the scenario-based logic the exam expects across this domain.

    Practical Example

    During a vendor review, your organization discovers that a third-party provider handling sensitive payroll data has weak access controls and no multi-factor authentication requirement. The business depends heavily on this vendor and cannot simply terminate the relationship. A professional applying Domain 3 principles classifies the risk, assigns ownership to the appropriate internal team, updates the third-party risk register, and builds a mitigation plan that includes stronger contractual controls, an MFA implementation requirement, and a monitoring schedule tied to specific KRIs.
     
    Leadership receives a clear risk report showing the current exposure, the treatment plan, and the expected residual risk once controls are in place. The risk does not disappear overnight, but it is managed transparently and moved toward an acceptable level.


    CRISC Domain 4: Information Technology and Security (20%)

    Domain 4 brings the exam full circle by grounding risk management in how IT systems actually work. This domain tests your understanding of how technology is built, operated, and secured, and how those technical realities create or reduce risk. It also covers the principles of information security and how to build a risk-aware culture across your organization. At 20% of the exam, it carries the lightest weight, but it is not a domain you can skip. The questions here test whether you understand IT and security from a risk oversight perspective, not a technical implementation perspective.

    Key Areas in Domain 4

    Domain 4 is divided into two sub-sections. The first is Information Technology Principles, which covers enterprise architecture, IT operations management, including change management, IT assets, problems and incidents, project management, disaster recovery management, data lifecycle management, the System Development Life Cycle (SDLC), and emerging technologies. The second is Information Security Principles, which covers information security concepts, frameworks, and standards, information security awareness training, business continuity management, and data privacy and data protection principles.

    Why This Domain Matters to You

    This domain is where CRISC separates itself from purely technical security certifications. You are not being tested on how to build a firewall or configure an identity management system. You are being tested on whether you understand how IT operations and security practices create or close risk gaps across the organization.
     
    If a development team skips SDLC security checkpoints, you need to recognize the risk that creates, not fix the code yourself. If a business continuity plan has not been tested, you need to understand the operational risk that it represents. Domain 4 trains you to evaluate the IT and security environment from a governance and risk perspective, which is exactly the role CRISC professionals play.

    Practical Example

    Your organization's development team is under pressure to deliver a new internal application by the end of the quarter. To meet the deadline, the team skips the security testing phase of the SDLC and pushes the application into production. Two weeks later, a vulnerability in the application's authentication logic allows unauthorized access to internal HR records.
     
    A professional applying Domain 4 principles would have identified the missing SDLC security checkpoint during project oversight, flagged the risk to leadership before go-live, and required the team to complete vulnerability testing before deployment. The short-term cost is a delayed launch. The avoided cost is a data protection incident, a compliance finding, and the remediation work that follows.

    How Each Domain Translates to Real-World Skills

    The four CRISC domains are not just exam topics. They map directly to the decisions you will make as a risk professional from your first week in a CRISC-aligned role.

    Domain 1 gives you the ability to read your organization's risk posture and advise leadership from a governance perspective. When executives are making decisions about new initiatives, acquisitions, or technology investments, you are the person who connects those decisions to the organization's defined risk appetite and regulatory obligations.

    Domain 2 gives you the structured approach to identify what could go wrong before it does. You build risk scenarios, populate risk registers, and quantify business impact in a way that moves leadership from general concern to specific action. This is the skill that makes you valuable before an incident, not just after one.

    Domain 3 gives you the tools to close the loop between risk identification and risk reduction. You select and implement controls, assign ownership, manage vendor risk, and report on risk status in formats that executives understand and act on. This is where the visible output of your work lives: the dashboards, the scorecards, the treatment plans that show leadership whether the organization's risk profile is improving.

    Domain 4 gives you the credibility to evaluate IT and security practices without losing the risk management perspective. You understand how systems are built and operated, which means you can spot the gaps that purely technical teams sometimes miss because they are focused on delivery rather than governance.

    Together, the four domains build a professional who can operate across the full risk lifecycle: from understanding the organization and identifying threats, to designing responses and reporting outcomes to leadership.

    Exam Preparation and Strategy for the CRISC Domains

    Knowing what the domains cover is only half the preparation. Knowing how to study them is what determines your result on exam day.

    Start by allocating your study time in proportion to the domain weightings. Domain 3 at 32% deserves the most attention, followed by Domain 1 at 26%, Domain 2 at 22%, and Domain 4 at 20%. That does not mean you ignore lighter domains, but it does mean you should not spend equal time on all four if your schedule is tight.

    Study from the ISACA mindset, not your current job habits. The exam does not test how your organization handles risk today. It tests how risk should be governed at the enterprise level according to ISACA's framework. When you encounter a practice question, ask yourself which answer best protects the organization, aligns with governance principles, and assigns clear ownership. That framing will serve you better than memorizing definitions.

    Use practice questions as a learning tool rather than a score tracker. When you get an answer wrong, the goal is not to note the correct answer and move on. The goal is to understand why that answer is correct and why each of the others falls short. ISACA's scenario-based questions often include multiple answers that sound reasonable. The differentiator is almost always governance alignment, ownership clarity, or risk response logic.

    Identify your weakest domain early and give it extra attention in the first half of your preparation. Most candidates have a natural strength in either the technical domains or the governance domains, depending on their background. If you come from a hands-on IT or security role, Domain 1 and Domain 3's reporting sub-section will likely need the most work. If you come from a governance or compliance background, Domain 4's technical content may need more attention.

    The Destination Certification CRISC Exam Strategy Guide is a free resource that walks through how ISACA frames risk-based questions and what consistent exam preparation looks like across all four domains. It is worth reading before you build your study plan.

    FAQ

    How many domains does the CRISC exam cover?

    The CRISC exam covers four domains: Governance (26%), IT Risk Assessment (22%), Risk Response and Reporting (32%), and Information Technology and Security (20%). Each domain is tested through scenario-based multiple-choice questions that assess how well you apply risk management thinking to real organizational situations.

    Which CRISC domain is the hardest?

    Most candidates find Domain 3: Risk Response and Reporting the most demanding because it covers the most ground and carries the highest exam weighting at 32%. It spans risk treatment strategies, control design and implementation, third-party risk management, and reporting tools, including KRIs, KCIs, and dashboards. Domain 1 can also be challenging for candidates coming from purely technical backgrounds because it requires thinking from an executive governance perspective rather than an operational one.

    How long should I spend studying each CRISC domain?

    A practical approach is to allocate study time roughly in proportion to domain weightings. If you have 12 weeks to prepare, spend the most time on Domain 3, followed by Domain 1, Domain 2, and Domain 4. Adjust based on your own knowledge gaps. Candidates with strong IT backgrounds often need more time on governance concepts, while those from compliance or audit roles may need more time on the technical sub-sections of Domain 4.

    Does the CRISC exam test technical knowledge or business thinking?

    It tests both, but the emphasis is on business thinking applied to technical risk. You need enough technical understanding to recognize where risks originate in IT systems and operations, but the exam rewards candidates who can translate those risks into business impact, assign ownership, and recommend governance-aligned responses. Pure technical knowledge without a governance context will not get you to a passing score.

    Can I pass CRISC by studying one domain at a time?

    You can structure your study that way, and many candidates do. However, the CRISC domains are interconnected. Governance informs how you assess risk, risk assessment informs how you respond, and your response strategy connects back to IT and security principles. Studying one domain in complete isolation can make it harder to answer scenario-based questions that draw on multiple domains at once. A better approach is to go deep on each domain in sequence while periodically reviewing how they connect to each other.

    How to Pass the CRISC Exam on Your First Attempt

    The four CRISC domains cover a lot of ground, but they follow a clear logic. Governance sets the foundation. Risk Assessment builds on it. Risk Response and Reporting is where you act on what you have found. Information Technology and Security anchors everything in how real IT environments operate. Study them in that order, focus your time according to the weightings, and practice thinking the way ISACA expects you to think.

    If you want the most focused and efficient way to work through all four domains before your exam, the Destination Certification CRISC online bootcamp covers everything in three intensive days. Led by Kelly Handerhan, the bootcamp gives you practical, scenario-based instruction across all four domains.

    If you are not ready to enroll yet, start with the free CRISC Exam Strategy Guide to understand how ISACA structures its questions and what a strong preparation plan looks like before you commit to a study schedule.

    Sign up today and build the risk management skills that carry you through the exam and into your next role with confidence.


    John is a major force behind the Destination Certification CISSP program's success, with over 25 years of global cybersecurity experience. He simplifies complex topics, and he utilizes innovative teaching methods that contribute to the program's industry-high exam success rates. As a leading Information Security professional in Canada, John co-authored a bestselling CISSP exam preparation guide and helped develop official CISSP curriculum materials. You can reach out to John on LinkedIn.
