Not every cybersecurity certification is built for the same professional, and CRISC is no exception. Before you register for the exam or build a study plan, you need to know whether your current experience qualifies, what the application process actually involves, and what happens after you pass. Getting clarity on the CRISC requirements upfront saves you from investing time and money before you are ready, and helps you plan your path to certification with a realistic timeline.
This article walks you through every eligibility requirement ISACA sets for CRISC certification, from the exam itself to the experience documentation, application fee, and ongoing maintenance obligations. If you are evaluating whether now is the right time to pursue CRISC, this is where to start.
Who Can Pursue CRISC Certification?
CRISC is designed for professionals who are already working in IT risk management, governance, audit, or control-related roles. Unlike some certifications that target early-career professionals building foundational knowledge, CRISC validates hands-on experience in enterprise risk management. That means the eligibility criteria reflect real-world competency, not just exam readiness.
The good news is that the experience threshold is lower than many comparable credentials. CRISC requires three years of qualifying work experience, which is achievable earlier in your career than certifications like CISA or CISSP, both of which require five years. If you are working in a risk, compliance, audit, or security role and have been doing so for three or more years, there is a strong chance you already qualify or are close to qualifying.
Step 1: Pass the CRISC Exam
The first requirement is passing the CRISC exam. ISACA allows anyone with an interest in information systems risk to sit the exam, regardless of whether they have met the experience requirement yet. That means you can take the exam now and complete your certification application once your experience is in order. Candidates have five years from the date they pass the exam to submit their certification application, which gives you meaningful flexibility if you are still building toward the three-year experience threshold.
Once you pass, ISACA will send you your results along with the details you need to begin the application process. From that point, your five-year application window begins.
What the CRISC Exam Covers
The CRISC exam consists of 150 scenario-based multiple-choice questions across four domains: Governance (26%), Risk Assessment (22%), Risk Response and Reporting (32%), and Technology and Security (20%). The exam runs for four hours and requires a passing score of 450 on a scale of 200 to 800. Questions are designed to test how you apply risk management thinking to realistic organizational situations, not how well you recall definitions.
If you want to get a feel for how the exam questions are framed before you commit to a study plan, the free CRISC Practice Questions from Destination Certification are a practical starting point.
Step 2: Meet the Work Experience Requirements
Passing the exam is only one part of earning your CRISC certification. You also need to demonstrate a minimum of three years of professional work experience in information systems auditing, control, or security as described in the CRISC job practice areas. That experience must have been gained within the ten years preceding your certification application date. You have five years from your exam passing date to apply, so if your experience is still in progress when you sit the exam, you have time to complete it before submitting your application.
Your experience must span at least two of the four CRISC domains. This requirement exists because CRISC is a role-based certification. ISACA wants to confirm that you have not just studied risk management but have actually practiced it across multiple areas of the job function.
Which Roles Count Toward CRISC Experience?
Qualifying experience does not have to come from a role with "risk" in the title. What matters is whether your responsibilities align with the CRISC job practice areas. Roles that typically qualify include IT Risk Analyst, IT Auditor, Compliance Analyst, Security Analyst, Information Security Manager, IT Control Specialist, and Governance and Risk Consultant. If your work has involved identifying risks, evaluating controls, assessing vulnerabilities, managing compliance requirements, or advising leadership on risk decisions, that experience is likely to count toward your eligibility.
Part-time work can qualify on a prorated basis, and experience does not need to come from a single employer. If your three years of qualifying experience span multiple organizations or roles, you can document each position separately in your application.
How to Document Your Experience
ISACA requires your work experience to be verified by a supervisor, manager, or colleague who can confirm the nature and duration of your responsibilities. The online application form walks you through what to include for each position: your job title, employer, dates of employment, a description of your risk-related responsibilities, and the CRISC domains your work aligns with.
If you are currently working in a risk management role and want to build a stronger documentation habit before you apply, the free Risk Register Template from Destination Certification gives you a practical structure for capturing and tracking risk management activities that can support your experience documentation when the time comes.
Step 3: Pay the Application Fee
Once your official exam scores have been released and you are ready to apply, you need to pay a one-time application processing fee of $50. This fee is separate from the exam registration fee and is paid through your MYISACA account. ISACA recommends paying this fee before submitting your application to avoid delays in processing. The fee applies regardless of ISACA membership status and is non-refundable once paid.
Step 4: Submit Your Application
After paying the application fee, you complete and submit your certification application through the ISACA online portal. The application requires you to document your qualifying work experience, provide verifier contact information for each position, and confirm that you meet all eligibility criteria. ISACA reviews applications and follows up with verifiers directly, so make sure the contact information you provide is current and that your verifiers are expecting to hear from ISACA.
Non-English applications are available for candidates who need them. Once your application is approved and your experience is verified, ISACA will grant your CRISC certification. Remember that the entire application process must be completed within five years of your exam passing date.
Maintaining Your CRISC Certification
Earning your CRISC certification is not a one-time achievement. ISACA requires you to maintain your CRISC through ongoing professional development and annual reporting. This keeps your credentials current as risk frameworks, regulations, and enterprise technology environments continue to evolve.
To maintain your CRISC certification, you must earn at least 20 CPE hours annually and a total of 120 CPE hours over each three-year reporting cycle. CPE hours can be earned through a wide range of ISACA-approved activities, including conferences, webinars, on-demand training courses, and volunteer work with ISACA chapters. If you hold multiple ISACA certifications, the same CPE hours can count toward more than one designation, which reduces the total effort required to maintain your full credential portfolio.
You also need to pay an annual maintenance fee of $45 for ISACA members or $85 for non-members. Reduced fees apply if you hold three or more ISACA certifications. In addition to CPE and fee requirements, you must adhere to ISACA's Code of Professional Ethics as a condition of maintaining your certification in good standing.
If you are currently responsible for running security reviews or risk reporting as part of your ongoing CPE activities, the free Quarterly Security Review Toolkit gives you a structured format for organizing and presenting risk status to leadership, which can support both your professional obligations and your CPE documentation.
The Four CRISC Domains Your Experience Must Cover
Your qualifying work experience must span at least two of the four CRISC domains. Understanding what each domain covers helps you map your existing experience to the right areas and identify any gaps before you apply.
Domain 1: Governance covers organizational strategy, risk governance frameworks, risk appetite and tolerance, and legal and regulatory requirements. If your work has involved advising on risk policy, supporting compliance programs, or contributing to enterprise risk governance, this domain is likely covered by your experience.
Domain 2: Risk Assessment covers threat identification, vulnerability analysis, risk scenario development, and business impact analysis. If your work has involved conducting risk assessments, maintaining a risk register, or evaluating the likelihood and impact of IT risk events, this domain applies to your background.
Domain 3: Risk Response and Reporting covers risk treatment strategies, control design and implementation, third-party risk management, and risk monitoring and reporting. This is the heaviest-weighted domain on the exam and one of the most common areas of qualifying experience for professionals in risk, security, and compliance roles.
Domain 4: Technology and Security covers enterprise architecture, IT operations, disaster recovery, the SDLC, and information security frameworks. If your work has involved evaluating security controls, supporting IT operations from a risk perspective, or contributing to business continuity planning, this domain is likely part of your experience profile.
What to Do If You Don't Meet the Requirements Yet
If you are not quite at the three-year threshold yet, the most practical step is to be intentional about the roles and responsibilities you pursue in the near term. Look for positions that give you direct exposure to at least two CRISC domains. Risk Analyst, IT Auditor, Compliance Specialist, and Security Governance roles are all strong options for building qualifying experience efficiently.
You can also sit the exam before you meet the experience requirement. Many professionals choose to pass the exam first while the material is fresh from their preparation, then complete the experience requirement and submit their application within the five-year window. This approach lets you confirm your exam readiness early and gives you a clear certification milestone to work toward while you build your experience.
If you are mapping out a longer-term career path from your current role toward CRISC and beyond, the free Entry Level to CISO Roadmap gives you a practical framework for understanding how CRISC fits into the progression from mid-level risk roles all the way to executive leadership.
FAQ
Qualifying experience must align with the CRISC job practice areas across at least two of the four domains. Roles in IT risk management, information systems auditing, compliance, security governance, and IT control functions typically qualify. The experience must be professional, paid work, and must have been earned within the ten years before your application date. Part-time work qualifies on a prorated basis.
You have five years from the date you pass the exam to submit your certification application. Your qualifying work experience must have been earned within the ten years preceding your application date. If you do not apply within five years of passing, you will need to retake the exam before applying for certification.
Yes. ISACA allows CPE hours that satisfy the requirements for one certification to also count toward other ISACA certifications you hold. This means that if you hold both CRISC and CISM, for example, the same CPE activities can contribute to the maintenance requirements for both credentials, reducing the total hours you need to earn separately.
If you do not submit your certification application within five years of passing the CRISC exam, your passing result expires, and you will need to retake the exam. ISACA does not offer extensions to the five-year application window, so it is worth planning your experience documentation timeline carefully if you sit the exam before meeting the full experience requirement.
Pass the CRISC Exam on Your First Attempt with Destination Certification
Meeting the eligibility requirements gets you to the starting line. Passing the exam on your first attempt is what gets you certified efficiently and without the cost and delay of a retake. The Destination Certification CRISC online bootcamp gives you the most focused path to doing exactly that.
Led by Kelly Handerhan, a Top 100 Trainer with over 20 years of IT and cybersecurity experience and her own CRISC certification, the three-day live bootcamp covers all four CRISC domains with practical, scenario-based instruction. Sign up today and build the risk management expertise that carries you through the exam and into your next role with confidence.
Before you enroll, the free CRISC Exam Strategy Guide is a strong first step. It walks you through how ISACA structures its scenario-based questions and what a focused preparation plan looks like across all four domains, so you go into your study period with a clear strategy rather than guessing where to start.
John is a major force behind the Destination Certification CISSP program's success, with over 25 years of global cybersecurity experience. He simplifies complex topics, and he utilizes innovative teaching methods that contribute to the program's industry-high exam success rates. As a leading Information Security professional in Canada, John co-authored a bestselling CISSP exam preparation guide and helped develop official CISSP curriculum materials. You can reach out to John on LinkedIn.