PECB & ISACA

CRISC: Certified in Risk and Information Systems Control

The ISACA reference credential for IT risk. Four domains bridging business risk to IS controls. The natural complement to CISA and to ISO 31000 / 27005 for the ISACA vocabulary.

ISACARisk Manager4 daysLiveSelf-pacedIn-house
  • Practitioner-led, taught by a working CISO
  • Exam & certificate included
  • Re-sit covered if needed

Right fit if you are.

  • IT risk managers, GRC analysts and risk consultants.
  • Business analysts moving into IT risk.
  • IS auditors expanding from controls testing to risk advisory.
  • CISOs and deputy CISOs needing the risk-quantification vocabulary the board recognises.

NOT for. When to skip it.

We'd rather you keep your money than buy the wrong path.

  • Pure technical risk practitioners (vulnerability management, threat hunting). Look at CISSP or specialised credentials instead.
  • ISO-trained risk practitioners who do not work in IT or IS context. ISO 31000 Lead Risk Manager is broader.
  • Practitioners under three years of relevant work experience.

What you'll be able to do

  • 1Embed IT risk management into enterprise governance.
  • 2Identify, assess and prioritise IT risk against business objectives.
  • 3Design risk response options aligned with risk appetite and tolerance.
  • 4Monitor IT risk and report to the board in language they act on.
  • 5Map the CRISC vocabulary onto ISO 31000 / 27005 / NIST RMF when working with mixed audits.

Upcoming public sessions

Open-enrolment cohorts. Pick a date and book your seat. Want a private cohort for your team instead? Request an in-house quote.

No confirmed live cohort right now. You can still:

Buyers always ask

CRISC or ISO 31000 Lead Risk Manager?+

Different markets and different methodology layers. CRISC is the ISACA credential, IT-and-IS focused, recognised internationally in Big Four engagements, banking and audit-room contexts. ISO 31000 Lead Risk Manager is the PECB credential on the ISO 31000 standard, applicable to enterprise risk broadly (operational, financial, strategic, supply-chain), not just IT.

Many practitioners hold both: CRISC for the ISACA vocabulary their audit team uses, ISO 31000 Lead Risk Manager for the framework their enterprise-risk programme is built on. If you can only do one, CRISC if you work in IT risk, ISO 31000 Lead Risk Manager if you work in enterprise risk.

How long is the CRISC exam?+

Four hours, 150 multiple-choice questions, scoring 200 to 800, passing mark 450. Computer-based at a PSI testing centre. Identical format to CISA and CISM.

What is the experience requirement?+

Three years of cumulative work experience in IT risk management and information-systems control across at least two of the four CRISC domains (governance, IT risk assessment, risk response and reporting, information technology and security). No substitutions are accepted for this requirement.

Does CRISC cover AI risk?+

The 2021 CRISC syllabus refresh added some references to emerging tech risk, but AI-specific risk is not the focus. For AI risk specifically, ISACA released AAIR (Advanced in AI Risk) in 2024 as an advanced add-on that builds on CRISC fundamentals.

Ready to get certified?

Taught by a practicing CISO. Prices shown up front. Certified or refunded.