CRISC

ISACA Certified in Risk and Information Systems Control

ISACAPersonnel certification (ISO 17024)GRC

Created per CertMap methodology · Updated 12 May 2026 · About the editorial team →

▾ Jump to …4 sections

Overview

What is CRISC?

Certified in Risk and Information Systems Control is the leading certification in IT risk management and is considered the gold standard for professionals at the intersection of IT risk and enterprise governance. CRISC complements CISM and CISA in the ISACA portfolio and is particularly highly valued in regulated industries (banking, insurance, healthcare). The certification was substantially revised in 2025: The new exam content emphasizes Risk Response and Reporting with 32% weighting. CRISC's strength is its direct applicability in GRC roles and strong market penetration; its weakness lies in its broad abstraction, which does not reflect technically deep skills. In career terms, CRISC is a strong signal for risk-focused leadership roles.

Quick facts

AccreditationISO/IEC 17024 by ANSI

Languagesen · de · fr · es · ja · ko · zh · it

RecognitionGlobal

Key details

Cost, prerequisites, exam & renewal

Cost over 5 years

Exam fee (acquisition)€699

AMF (5 years)€207

CPE time value (5 years)€8,000

5-year total€8,906

CPE effort: 20 h per year · 100 h over 5 years · Valued at 80 €/h.

How is TCO calculated? →

Classification

CertMap score and matching roles

Rating

Market recognition3 / 33 / 3

Scheme quality3 / 33 / 3

Practice evidence2 / 32 / 3

Maintenance2 / 32 / 3

Matching NICE roles

Systems Security Management Secure Systems Development Systems Security Analysis Cybersecurity Policy and Planning Cybersecurity Curriculum Development Cybersecurity Instruction Executive Cybersecurity Leadership Product Support Management Program Management Secure Project Management

Mapping from NIST NICE Framework SP 800-181, status 2025. NIST source ↗

This page follows CertMap methodology: editorial content is curated by hand. Score, costs and NICE mapping are aggregated from official provider documents. Score methodology → · TCO methodology →

Transparency: CertMap is operated by Daniel Thomas Heessel, who is also managing director of Threat‑Informed, a company specialising in Threat‑Informed Defense. He additionally offers consulting services on CertMap. CertMap currently receives no commissions from certification providers, no affiliate links, no sponsored placements. Podcast and interview guests are not paid for appearances and receive no affiliate commissions.

From the knowledge base

View all articles →

Methodology

About the CertMap editorial team

CertMap is an independent platform for comparing cybersecurity certifications, built on data-journalism standards that combine editorial curation with mechanical aggregation.

3 min read

Fundamentals