Become CRISC Certified

CRISC stands for Certified in Risk and Information Systems Control. It is a specialized certification for IT managers, data analysts, and cybersecurity professionals, and demonstrates that the certificate holder is an expert in cybersecurity and risk assessment. The certification is awarded by the Information Systems Audit and Control Association (ISACA), an international professional body that sets standards and terminology for IT governance. There are only 25,000 CRISC certificate holders, which means that CRISC holders are highly sought after by potential employers.[1] To earn a CRISC certification, you must have 3 years of work experience in a relevant field and pass the certification test.


Getting the Required Experience

  1. Graduate from a 4-year university and major in an IT-related field. After high school, apply to universities with a strong computer science or IT program. Choose a major that relates directly to a career in cybersecurity, IT, or risk assessment. Good options include computer science, computer engineering, data science and analysis, or information technology. Complete your 4-year degree on time and graduate with a high GPA to give yourself a boost on the job market.[2]
    • If you want to double-major, choose a programming-related major to pair with your IT degree. Computer graphics, software engineering, and web development are great options.
  2. Find a position in cybersecurity, risk evaluation, or information technology. You cannot earn a CRISC certification if you don’t have experience in a field relevant to the certification. Look online for IT-related jobs and submit a resume and cover letter. Accept a position with responsibilities that relate to at least 2 of the 4 CRISC domains to ensure that your position can lead towards a CRISC certification.[3]
    • The 4 CRISC domains: The 4 CRISC domains are the 4 categories covered by the CRISC exam. Your work experience must include experience in 2 of these 4 domains to be eligible for certification. The 4 domains are:
      • IT Risk Identification
      • IT Risk Assessment
      • Risk Response and Mitigation
      • Risk and Control Monitoring and Reporting
    • The CRISC certification isn’t really relevant outside of the fields of IT, data analysis, and cybersecurity, so there are no real benefits to pursuing it if you aren’t working in one of these careers.
  3. Work in your field for at least 3 years as a full-time employee. Once you find a position that deals with at least 2 of the 4 CRISC domains, work in your position for at least 3 years. You cannot apply for a CRISC certification with less than 3 years of experience. The 3 years do not have to be consecutive or at the same company, though, so feel free to accept promotions and change roles as they become available to you.[4]
    • The 3 years of experience must be completed within a 10-year time frame. In other words, you cannot apply for certification if you get 2 years of experience, change your career for 9 years, then return to the field.
    • All 3 years of experience must relate to the 4 domains of the certification; however, you can bounce back and forth between domains. For example, you can work as a risk assessor for 2 years and an IT technician for 1 year.
    • The CRISC endorsement is a certification for veterans in the IT fields. To increase the odds you earn the certification, consider waiting until you have 5-10 years of experience.
  4. Track your work experience and hold on to the supporting documents. While you complete your work experience, keep track of the start and end dates of each role you hold. Store emails or work forms that prove that your responsibilities fall within 2 of the 4 CRISC domains. This may include emails from managers, previous work products, filmed presentations, and performance reviews.[5]
    • You won’t need to submit any of these documents for your certification, but you can use these forms of documentation to dispute any claims by ISACA that you don’t have the necessary experience.
  5. Ask your past and current employers to fill out the verification forms. Give your manager a copy of the CRISC verification form. Ask them to fill out the information regarding your start and end dates. Your employer must also indicate that your role directly related to 2 of 4 CRISC domains, so explain the significance of each domain ahead of time. Collect each form after they’ve filled it out for you.[6]

Passing the CRISC Exam

  1. Become a member of ISACA to earn discounts on a CRISC prep course. The CRISC exam is exceptionally difficult without test preparation or many years of experience, and a test preparation class can cost $400-2,000. However, you get a discount on class fees if you’re a member of ISACA. You also get a $170 discount on the CRISC exam if you join ISACA, so it’s worth joining for the discounts alone. Visit the ISACA website and enroll there.[7]
    • It costs $50 a year to be a member of ISACA.
    • This isn’t mandatory, but joining ISACA is a good idea anyway since you can put it on your resume for future employers. It’s an internationally recognized and reputable organization that standardizes language in the IT and risk assessment fields, so it’s not a bad group to join!
    • The discount differs from course to course. Generally, it’s a 10-20% discount. The class operator gets credit with ISACA for enrolling its members.
  2. Sign up for a CRISC preparation course online if you want to be prepared. Go online and search for a CRISC preparation course. Typically, these classes are 12-36 hours long and take place through on-demand training online. They also offer test prep materials to help you get familiar with the exam format and test your skills. Find a reputable course online, check the reviews to make sure that the materials are helpful, and pay to sign up for the course.[8]
    • If you can, sign up for a course that has a money-back guarantee if you don’t pass the test, or at least offers an extension on the course materials if you don’t pass the first time.
    • ISACA offers its own review course. This is probably your best option. Other popular choices include SuperReview, SimpliLearn, and Ed2Go.
  3. Study the 4 domains of the exam and complete all lectures and quizzes. Watch the test preparation lectures and take the practice quizzes on each domain. Study how to assess network vulnerabilities, manage malicious intrusions, and utilize risk assessment methods. Complete the practice exams and review the material you learn after every lesson. Spend 1-6 weeks completing the preparation material before signing up for the exam.[9]
    • If you aren’t paying for test materials, you can get a sense for the format of the exam by taking the ISACA practice exam at Unfortunately, it’s only 10 questions long. You’ll need to sign up for a prep course to get complete practice exams.
  4. Sign up for the CRISC exam on the ISACA website and pay the registration fee. Visit the ISACA website and go to the exam registration page. Check the exam schedule at testing centers in your area and sign up for an exam near you. The exam takes 4 hours to complete, so clear your schedule to take the exam. Pay for the test to complete your registration. It costs $595 for non-ISACA members, and $415 for members of ISACA.[10]
  5. Show up on time and complete the exam at a private testing facility. Show up 20-30 minutes ahead of time and bring your state ID and registration receipt. Turn in your cell phone and other electronic devices to the testing facility staff and sit down at the computer you’re assigned to work at. Complete the 150 multiple-choice questions in 4 hours and collect your things before you leave.
    • Make sure that you get a good night’s sleep the day before the exam and eat a healthy breakfast. If you’re tired or hungry, you’re unlikely to perform well on the exam.
  6. Wait roughly 6-8 weeks for your results and certification to arrive. Your test results and certification will come in the mail after 6-8 weeks. It will include your overall score and break your performance down by the 4 domains. This is a great way to determine where you’re strong and where you may want to develop professionally in the future.
    • You must score a 450 out of 800 to pass the CRISC exam. If you don’t pass it the first time, you can sign up to take it again.

Keeping Your Certification Valid

  1. Complete 120 hours of professional development over 3 years. For your first 3 years as a certified CRISC specialist, you are on a probationary period. Complete 120 total hours of professional development over those 3 years to pass this probationary period. You can do this by completing online training through ISACA, or by completing classwork at an independent third-party provider that works with ISACA.[11]
    • These hours are referred to as CPEs. CPE stands for continuing professional education.
  2. Submit proof that you completed at least 20 hours every year by December 31st. Before the end of the year, go online to your ISACA profile and submit a log of the professional development hours that you completed over the course of the year. Upload any supporting documents as requested by ISACA. Do this for the first 3 years until you hit 120 hours.[12]
    • Professional development you complete for your employer does not count towards these hours.
    • You are fully certified at this point, but ISACA requires professional development to ensure that its certificate holders remain on the cutting edge of the IT and risk analysis fields.
  3. Comply with ISACA audits by submitting the documentation they request. For 3 years, hold on to proof that you’ve completed your CPE hours. Keep receipts for online classes, and hold on to the coursework that you complete. ISACA audits some CRISC certificate holders at random to ensure that people are completing the work. Failure to comply with these audits or submit the necessary paperwork results in an immediate revocation of your CRISC certificate.[13]
  4. Pay your yearly maintenance fees to keep your certification active. ISACA requires certificate holders to pay a small annual fee to keep their nonprofit organization functioning. Do this online through the ISACA website. It costs $45 a year for members of ISACA and $85 for non-members.
    • If you aren’t already a member of ISACA, keep in mind that membership only costs $50 a year. This means that you’ll only save $40 a year on your maintenance fees.


  • You get a discount on any further certifications you pursue through ISACA if you’ve already earned your CRISC certification.