ISACA · CRISC
Validates expertise in IT risk management across governance, risk assessment, risk response and reporting, and technology and security domains.
Questions
761
Duration
240 minutes
Passing Score
450/800
Difficulty
ProfessionalLast Updated
Jan 2026
Use this CRISC practice exam to prepare for Certified in Risk and Information Systems Control (CRISC) with realistic questions, detailed explanations, and focused study modes. The practice bank includes 761 questions for ISACA CRISC, so you can review the exam steadily instead of relying on one long cram session.
As you practice, pay extra attention to recurring topics such as Governance (26%), Risk Assessment (22%), Risk Response and Reporting (32%), and Technology and Security (20%). Start with short sessions to identify weak areas, then move into timed quizzes once your accuracy is consistent.
The explanations are especially useful when you want to connect exam wording to the responsibilities and scenarios described in the official certification guidance. Use the free preview first, then unlock the full question bank when you are ready to build a complete study routine.
The Certified in Risk and Information Systems Control (CRISC) is an ISACA credential that validates a professional's expertise in enterprise IT risk management and information systems control. It is the only professional certification specifically focused on IT risk management, making it uniquely positioned among risk and security credentials. The exam covers four core domains: Governance, Risk Assessment, Risk Response and Reporting, and Technology and Security — spanning the full lifecycle of identifying, analyzing, evaluating, and responding to IT-related business risks. The certification was updated in November 2025 to reflect evolving enterprise risk landscapes and the growing intersection of governance, technology, and cybersecurity risk.
Since its inception in 2010, more than 46,000 professionals worldwide have earned the CRISC designation. It is consistently ranked among the top-paying IT certifications globally — ISACA data places it at #4 worldwide by average compensation. Holding the CRISC demonstrates the ability to apply risk governance best practices, design and implement information system controls, and communicate risk findings to senior stakeholders and boards.
CRISC is designed for mid-to-senior-level IT and business professionals who are directly involved in managing enterprise risk. Primary target roles include IT Risk Managers, Chief Information Security Officers (CISOs), IT Auditors, Compliance Officers, Security Consultants, and Information Systems Control professionals. It is particularly relevant for those who bridge technical IT functions and executive-level governance responsibilities.
The credential suits professionals with several years of hands-on experience in risk identification, assessment, and mitigation — not entry-level candidates. Those working in financial services, healthcare, technology, consulting, or government sectors will find the certification especially aligned with regulatory and operational demands in those industries. Professionals seeking to transition from purely technical roles into risk management leadership will also benefit significantly.
ISACA does not impose formal educational prerequisites for sitting the CRISC exam. However, to achieve full certification after passing the exam, candidates must demonstrate at least three years of cumulative work experience in IT risk management and information systems control, spanning at least two of the four CRISC job practice domains. This experience must have been gained within the 10-year period preceding the certification application date. The exam result is valid for five years, giving candidates time to accumulate the required experience after passing.
While not required to register, candidates are strongly advised to have a working knowledge of enterprise risk frameworks (such as COBIT, ISO 31000, or NIST), IT governance principles, and information security fundamentals before attempting the exam. Familiarity with risk assessment methodologies, control design concepts, and regulatory compliance environments will significantly ease preparation.
The CRISC exam consists of 150 scored multiple-choice questions administered over 240 minutes (4 hours). The exam is computer-based and can be taken at authorized PSI testing centers worldwide or via remote proctoring. All questions test practical, scenario-based judgment aligned with real-world job tasks performed by risk professionals, rather than pure memorization of definitions.
Scoring uses a scaled system ranging from 200 to 800, and the minimum passing score is 450. Exam registration is continuous — there are no fixed testing windows — and candidates can schedule their appointment as early as 48 hours after paying the registration fee. Once registered, candidates have a 12-month eligibility window to sit the exam. Registration costs US$575 for ISACA members and US$760 for non-members, plus a US$50 application processing fee upon certification.
CRISC-certified professionals command some of the highest compensation in the IT and security fields. ISACA reports an average annual salary exceeding US$151,000 for credential holders, and the certification consistently ranks in the top five globally for IT compensation. In high-demand markets such as financial services, healthcare, and government contracting — particularly in cities like New York, Washington D.C., and San Francisco — salaries can run 20–40% above average. Consulting and contract rates for CRISC holders typically range from US$50 to over US$100 per hour depending on experience.
Beyond compensation, CRISC opens doors to senior leadership roles including IT Risk Manager, CISO, Compliance Program Manager, and VP of Enterprise Risk. It is especially valued for enabling career transitions from technical IT or audit roles into governance and risk management leadership. As regulatory requirements intensify globally and organizations face growing operational, cyber, and third-party risks, demand for credentialed risk professionals continues to strengthen. CRISC differentiates candidates from those holding broader security credentials (such as CISSP or CISM) by demonstrating specialized depth in enterprise IT risk governance and control design.
5 sample questions with answers and explanations. Start a practice session to test yourself across all 761 questions.
Preview — answers shown1. An organization's risk governance framework assigns risk management responsibilities across three lines of defense. The Chief Risk Officer reports directly to the CEO and provides frameworks, policies, and oversight of business unit risk activities. In which line of defense does the Chief Risk Officer operate? (Select one!)
Explanation
The Chief Risk Officer operates in the Second Line of Defense, which provides frameworks, policies, tools, and oversight of first-line risk management activities while challenging and enabling risk identification. The First Line consists of operational management who own and manage risks daily. The Third Line is Internal Audit providing independent assurance reporting to the board. The governing body (board of directors) oversees all three lines but is not part of the Three Lines Model operational structure.
2. A university implements ISO 27001:2022 and completes Clause 8 (Operation) activities including risk assessment execution and risk treatment implementation. The CISO identifies that 8 of 93 Annex A controls are not applicable to the university's operating environment, 82 controls are implemented, and 3 applicable controls cannot be implemented due to budget constraints requiring compensating controls. Which document must be created and maintained to demonstrate compliance? (Select one!)
Explanation
The Statement of Applicability (SoA) is mandatory under ISO 27001 Clause 6.1.3 and must document: which Annex A controls are applicable, which are implemented, justification for exclusion of any applicable controls, and explanation for non-applicable controls. The SoA demonstrates compliance by showing systematic control selection and providing audit trail for decisions. Risk Treatment Plan documents how selected risks will be treated but does not justify control applicability. Internal Audit Plan schedules audits but is not the control selection documentation. Management Review Report evaluates ISMS performance but does not document control applicability decisions. The SoA is the authoritative reference linking risk assessment outcomes to control selection and is required for ISO 27001 certification audits.
3. An organization's risk appetite statement specifies maximum acceptable financial loss of $500,000 per incident for operational risks. The risk tolerance for the same category allows deviations up to $650,000 before requiring executive escalation. A newly identified ransomware risk has a residual risk exposure of $625,000 after implementing current controls. What is the appropriate action? (Select one!)
Explanation
The risk exposure of $625,000 is within the stated tolerance level of $650,000, so no immediate action is required beyond normal monitoring. Risk response is triggered when risk exceeds tolerance, not when it exceeds appetite. The risk does exceed the $500,000 appetite, but tolerance allows acceptable deviation up to $650,000. Risk capacity is not mentioned and is typically much higher than tolerance. Additional controls are not mandatory when risk remains within tolerance, though they may be considered.
4. A security analyst is documenting a risk scenario involving unauthorized access to customer payment data. The analyst has identified the external threat actor (cybercriminal group), the asset affected (payment database), and the potential event (data exfiltration through SQL injection). Which additional component is required to complete the risk scenario according to ISACA best practices? (Select one!)
Explanation
A complete IT risk scenario requires five essential components: Threat Actor, Threat Type, Event, Asset/Resource, and Time. The timing component includes duration of occurrence, when the event might happen, and time to detect. Since the scenario already includes threat actor (cybercriminal group), asset (payment database), and event (data exfiltration via SQL injection), the missing element is the timing/time component. Control effectiveness ratings are assessed during risk analysis after the scenario is constructed, not during scenario development. Residual risk scores and treatment plans are outputs of risk assessment and response processes that occur after complete scenarios are defined. The scenario itself must stand independent of control assessments and treatment decisions.
5. A cloud services provider implements detective, deterrent, and corrective control types across administrative, technical, and physical categories. The security team deploys motion-activated cameras in data centers that record all physical access attempts and trigger real-time alerts to security operations. How should this control be classified? (Select two!)
Multiple correct answersExplanation
Motion-activated security cameras are detective controls (they identify when physical access occurs) within the physical category (tangible measures protecting facilities). Detective controls identify threats after occurrence through monitoring and detection mechanisms, which describes camera recording and alerting. Physical controls are tangible measures protecting physical assets, which includes surveillance cameras. Preventive controls stop threats before occurrence, but cameras don't prevent access. Technical controls are hardware/software based and logical rather than physical. Administrative controls are policies and procedures. The control matrix classification places surveillance cameras at the intersection of detective type and physical category.
Certified Information Security Manager (CISM)
CISM · 1196 questions
Certified Information Systems Auditor (CISA)
CISA · 895 questions
Certified Data Privacy Solutions Engineer (CDPSE)
CDPSE · 749 questions
IoT Fundamentals Certificate
IoT-Fund · 630 questions
IT Audit Fundamentals Certificate
IT-Audit-Fund · 627 questions
IT Risk Fundamentals Certificate
Risk-Fund · 616 questions
$17.99
One-time access to this exam