ISACA · CRISC
Validates expertise in IT risk management across governance, risk assessment, risk response and reporting, and technology and security domains.
Questions
761
Duration
240 minutes
Passing Score
450/800
Difficulty
ProfessionalLast Updated
Jan 2026
Use this CRISC practice exam to prepare for Certified in Risk and Information Systems Control (CRISC) with realistic questions, detailed explanations, and focused study modes. The practice bank includes 761 questions for ISACA CRISC, so you can review the exam steadily instead of relying on one long cram session.
As you practice, pay extra attention to recurring topics such as Governance (26%), Risk Assessment (22%), Risk Response and Reporting (32%), and Technology and Security (20%). Start with short sessions to identify weak areas, then move into timed quizzes once your accuracy is consistent.
The explanations are especially useful when you want to connect exam wording to the responsibilities and scenarios described in the official certification guidance. Use the free preview first, then unlock the full question bank when you are ready to build a complete study routine.
The Certified in Risk and Information Systems Control (CRISC) is an ISACA credential that validates a professional's expertise in enterprise IT risk management and information systems control. It is the only professional certification specifically focused on IT risk management, making it uniquely positioned among risk and security credentials. The exam covers four core domains: Governance, Risk Assessment, Risk Response and Reporting, and Technology and Security — spanning the full lifecycle of identifying, analyzing, evaluating, and responding to IT-related business risks. The certification was updated in November 2025 to reflect evolving enterprise risk landscapes and the growing intersection of governance, technology, and cybersecurity risk.
Since its inception in 2010, more than 46,000 professionals worldwide have earned the CRISC designation. It is consistently ranked among the top-paying IT certifications globally — ISACA data places it at #4 worldwide by average compensation. Holding the CRISC demonstrates the ability to apply risk governance best practices, design and implement information system controls, and communicate risk findings to senior stakeholders and boards.
CRISC is designed for mid-to-senior-level IT and business professionals who are directly involved in managing enterprise risk. Primary target roles include IT Risk Managers, Chief Information Security Officers (CISOs), IT Auditors, Compliance Officers, Security Consultants, and Information Systems Control professionals. It is particularly relevant for those who bridge technical IT functions and executive-level governance responsibilities.
The credential suits professionals with several years of hands-on experience in risk identification, assessment, and mitigation — not entry-level candidates. Those working in financial services, healthcare, technology, consulting, or government sectors will find the certification especially aligned with regulatory and operational demands in those industries. Professionals seeking to transition from purely technical roles into risk management leadership will also benefit significantly.
ISACA does not impose formal educational prerequisites for sitting the CRISC exam. However, to achieve full certification after passing the exam, candidates must demonstrate at least three years of cumulative work experience in IT risk management and information systems control, spanning at least two of the four CRISC job practice domains. This experience must have been gained within the 10-year period preceding the certification application date. The exam result is valid for five years, giving candidates time to accumulate the required experience after passing.
While not required to register, candidates are strongly advised to have a working knowledge of enterprise risk frameworks (such as COBIT, ISO 31000, or NIST), IT governance principles, and information security fundamentals before attempting the exam. Familiarity with risk assessment methodologies, control design concepts, and regulatory compliance environments will significantly ease preparation.
The CRISC exam consists of 150 scored multiple-choice questions administered over 240 minutes (4 hours). The exam is computer-based and can be taken at authorized PSI testing centers worldwide or via remote proctoring. All questions test practical, scenario-based judgment aligned with real-world job tasks performed by risk professionals, rather than pure memorization of definitions.
Scoring uses a scaled system ranging from 200 to 800, and the minimum passing score is 450. Exam registration is continuous — there are no fixed testing windows — and candidates can schedule their appointment as early as 48 hours after paying the registration fee. Once registered, candidates have a 12-month eligibility window to sit the exam. Registration costs US$575 for ISACA members and US$760 for non-members, plus a US$50 application processing fee upon certification.
CRISC-certified professionals command some of the highest compensation in the IT and security fields. ISACA reports an average annual salary exceeding US$151,000 for credential holders, and the certification consistently ranks in the top five globally for IT compensation. In high-demand markets such as financial services, healthcare, and government contracting — particularly in cities like New York, Washington D.C., and San Francisco — salaries can run 20–40% above average. Consulting and contract rates for CRISC holders typically range from US$50 to over US$100 per hour depending on experience.
Beyond compensation, CRISC opens doors to senior leadership roles including IT Risk Manager, CISO, Compliance Program Manager, and VP of Enterprise Risk. It is especially valued for enabling career transitions from technical IT or audit roles into governance and risk management leadership. As regulatory requirements intensify globally and organizations face growing operational, cyber, and third-party risks, demand for credentialed risk professionals continues to strengthen. CRISC differentiates candidates from those holding broader security credentials (such as CISSP or CISM) by demonstrating specialized depth in enterprise IT risk governance and control design.
5 sample questions with answers and explanations. Start a practice session to test yourself across all 761 questions.
Preview — answers shown1. An insurance company evaluates control maturity using CMMI capability levels. The incident response process successfully handles security events and achieves its purpose, but procedures vary across different teams with no organization-wide standards. Incident metrics are not collected or analyzed. At which CMMI level does this process operate? (Select one!)
Explanation
The process operates at Level 1 - Performed. The incident response achieves its purpose of handling security events but is not institutionalized with consistent procedures across the organization. Level 1 processes work but lack standardization and measurement. Level 0 would mean the process fails to achieve its purpose. Level 2 requires managed processes with repeatability and basic metrics. Level 3 requires organization-wide standards and proactive approaches. The absence of standards and metrics prevents progression beyond Level 1.
2. A financial services organization defines its risk governance structure. The board approves a maximum potential loss of $50 million for operational risk events. Management sets operational risk appetite at $30 million based on strategic objectives. Risk tolerance is established at $35 million to allow tactical flexibility during market volatility. A new digital banking initiative presents an operational risk exposure of $32 million after proposed controls. What action should risk management recommend? (Select one!)
Explanation
The initiative should be accepted because the $32 million risk exposure falls within the established risk tolerance of $35 million. Risk tolerance represents acceptable deviation from risk appetite and serves as the trigger point for risk response decisions. While the risk exceeds the stated appetite of $30 million, it remains within the tolerance band that management established to provide tactical flexibility. The risk capacity of $50 million represents the absolute maximum the organization can absorb without jeopardy. Rejecting projects solely for exceeding appetite without considering tolerance would eliminate beneficial tactical flexibility. The risk does not equal capacity so board escalation is not required. Additional controls may be prudent but are not mandatory since the risk is within tolerance.
3. A telecommunications company evaluates control effectiveness for its network security controls using the CMMI maturity model. The security team documents that firewall rules are configured based on standard templates, processes are repeatable across projects, and configurations are reviewed quarterly. However, there are no quantitative metrics for rule effectiveness and no statistical process control. At which CMMI level are these controls operating? (Select one!)
Explanation
Level 3 Defined represents organization-wide standards, proactive approach, and documented processes that are consistently followed. The described scenario shows standard templates, repeatable processes, and regular reviews indicating defined processes across the organization. Level 1 Performed means processes achieve purpose but are not institutionalized. Level 2 Managed indicates project-level management and repeatability but lacks organization-wide standardization. Level 4 Quantitatively Managed requires measured and controlled processes using statistical techniques, which is explicitly absent in this scenario. The lack of quantitative metrics and statistical control prevents this from being Level 4.
4. An organization's information security management system implements controls at CMMI Capability Level 2. Control processes are documented, repeatable across projects, and managed according to established procedures, but lack organization-wide standardization. What is the next maturity level the organization should target? (Select one!)
Explanation
CMMI Capability Level progression follows: Level 0 (Incomplete), Level 1 (Performed), Level 2 (Managed), Level 3 (Defined), Level 4 (Quantitatively Managed), Level 5 (Optimizing). The organization currently operates at Level 2 where processes are managed and repeatable at the project level. Level 3 (Defined) represents the next maturity stage, characterized by organization-wide standard processes, proactive approaches, and enterprise-level consistency rather than project-specific implementation. Level 4 adds statistical process control and Level 5 focuses on continuous improvement.
5. A risk committee reviews the organization's risk response strategy. The Chief Risk Officer presents four risks: a 15% probability of ransomware causing $2 million loss, a 5% probability of regulatory fine creating $500,000 impact, a 40% probability of system downtime resulting in $100,000 loss, and a 2% probability of data breach generating $5 million consequences. The organization's risk tolerance threshold is $50,000 expected annual loss. Which risk requires immediate response action based on expected loss exceeding tolerance? (Select one!)
Explanation
The ransomware risk requires immediate response because its expected annual loss of $300,000 (calculated as 0.15 × $2,000,000) significantly exceeds the $50,000 risk tolerance threshold. Risk response is triggered when expected loss exceeds tolerance, not when impact alone is high. The regulatory fine expected loss is $25,000 (0.05 × $500,000), which falls below the tolerance threshold. System downtime expected loss is $40,000 (0.40 × $100,000), also below tolerance. While the data breach has the highest potential impact at $5 million, its expected annual loss is only $100,000 (0.02 × $5,000,000), and although this exceeds tolerance, it is lower than the ransomware expected loss requiring most urgent attention.
Certified Information Security Manager (CISM)
CISM · 1196 questions
Certified Information Systems Auditor (CISA)
CISA · 895 questions
Certified Data Privacy Solutions Engineer (CDPSE)
CDPSE · 749 questions
IoT Fundamentals Certificate
IoT-Fund · 630 questions
IT Audit Fundamentals Certificate
IT-Audit-Fund · 627 questions
IT Risk Fundamentals Certificate
Risk-Fund · 616 questions
$17.99
One-time access to this exam