ISACA · Risk · GRC

CRISC — Certified in Risk and Information Systems Control

ISACA's risk-focused certification. CRISC is the strongest signal for IT risk managers and a common pairing with CISA/CISM in financial services.

// exam format
150 multiple-choice items, 4 hours, scaled score 450/800 to pass
// cost
≈ £580
// prerequisites
  • 3 years cumulative work experience across at least 2 CRISC domains, including either Governance or IT Risk Assessment
CRISC validates the ability to identify and manage enterprise IT risk and to design, implement, and maintain information systems controls. It is the dominant credential for IT risk specialists in banks, insurers, and Big 4 risk advisory practices. ## What the exam covers - Governance - IT Risk Assessment - Risk Response and Reporting - Information Technology and Security ## Prerequisites - 3 years cumulative work experience across at least 2 CRISC domains, including either Governance or IT Risk Assessment ## Study plan Plan 8–10 weeks. ISACA Review Manual + QAE (1000+ Qs). The exam rewards a quantitative risk mindset (likelihood × impact, residual vs inherent, risk appetite vs tolerance). Practise framing every answer in those terms. ## Cost (UK 2026) Exam fee approx. £580 (vendor list price; bundles + corporate discounts vary). ## Format 150 multiple-choice items, 4 hours, scaled score 450/800 to pass

Frequently asked questions

CRISC or CISM for a risk manager role?

CRISC is sharper for pure risk roles; CISM is broader for security programme management. UK financial services job adverts increasingly list both.

Does CRISC require coding or technical skills?

No coding. Conceptual technical fluency is expected (e.g. recognising what a SIEM does), but you are scored on risk judgement, not implementation.

How does CRISC differ from FAIR certification?

CRISC is broader and process-oriented; FAIR (OpenFAIR / FAIR Institute) is a specific quantitative methodology. Many risk managers hold CRISC for governance currency and FAIR for analytical depth.

Is CRISC recognised in the UK?

Yes — widely listed across UK bank and insurer risk job adverts; recognised by the FCA-aligned skills frameworks.

Practice CRISC — Certified in Risk and Information Systems Control interview questions

Run AI-graded mock interviews keyed to the CRISC — Certified in Risk and Information Systems Control body of knowledge.

Start free
// related
grc-analystcisosecurity-consultantframework · iso-27001framework · nist-csf