
CRISC Exam Guide: Format, Domains, and How to Pass

A complete CRISC exam guide — the fixed-form format, all 4 job-practice domains and their weights, the 450/800 passing score, experience requirements, and how to prepare for ISACA’s risk credential.

CRISC (Certified in Risk and Information Systems Control) is ISACA’s credential for professionals who identify, assess, and manage IT risk and design the controls that keep it in check. It sits between audit (CISA) and security management (CISM): where an auditor evaluates controls and a security manager runs the program, a CRISC holder owns the risk — finding it, sizing it, responding to it, and reporting it to the business.

This guide covers what the exam is, how it is scored, what it tests, and how to prepare. ISACA revises the job practice periodically, so confirm the current details on the official ISACA site before you book.

The CRISC exam format: fixed-form

CRISC is a fixed-form, linear exam: every candidate answers the same number of questions and the test does not adapt to your performance. There are 150 multiple-choice questions and a four-hour window, which works out to roughly a minute and a half per question (240 minutes across 150 questions). Because the form is fixed, you can move freely: answer what you know, flag the rest, and come back. That rewards a deliberate strategy and steady pacing rather than racing the clock.

Same exam shape as CISA and CISM

If you have sat CISA or CISM, CRISC will feel familiar: 150 questions, four hours, scaled 200–800, pass at 450. The difference is the lens — every question is asked from the risk practitioner’s seat.

The 4 CRISC domains

The CRISC job practice is organized into four domains, each carrying a different exam weight. Allocate study time to match the weights rather than studying everything evenly.

  • Governance (~26%) — organizational and risk governance, strategy, policies, and the business context that risk decisions live in.
  • IT Risk Assessment (~20%) — identifying and analyzing IT risk: events, scenarios, likelihood, and impact.
  • Risk Response and Reporting (~32%) — the heaviest domain: selecting risk responses, designing and monitoring controls, and reporting risk to stakeholders.
  • Information Technology and Security (~22%) — the technology and security concepts underlying risk: architecture, data, and controls.

What the questions are really like

CRISC questions are written from the risk practitioner’s chair. They rarely ask you to recall a definition; instead they describe a situation and ask what best manages the risk — what to assess first, which response is most appropriate, what to report and to whom. The expected answer reflects risk-based thinking aligned to business objectives, not the answer a pure technologist or auditor would give.

A common trap is choosing the most thorough technical fix when the question is really asking for the most appropriate risk response given cost, likelihood, and business priorities. Train yourself to ask: what best reduces risk to an acceptable level in this context?

Scoring and the passing standard

CRISC is reported on a scaled score from 200 to 800, and the passing standard is 450. The scaled score is not a raw percentage — ISACA converts your performance onto a common scale so results are comparable across exam forms. The practical takeaway: do not chase a percentage on practice tests; build consistent competence across all four domains, because one weak domain can drag a scaled score below the line.

Experience requirements and certification

Passing the exam is one part of becoming certified. CRISC requires a minimum of three years of cumulative work experience performing IT risk management and IS control tasks across at least two of the four domains, and one of those two must be Governance or IT Risk Assessment. Unlike CISA and CISM, ISACA grants no experience waivers or substitutions for CRISC. You can sit and pass the exam before you have the full experience, then apply for certification once you meet the requirement; the experience must be recent relative to the application date and the exam pass date. Confirm the current rules on the ISACA site, as they are periodically adjusted.

A study plan that tells you when you are ready

CRISC rewards steady, structured study over cramming. The candidates who pass practice in the risk-practitioner mindset, review what they miss on a schedule, weight their time to the heavy domains, and measure readiness rather than hours. A plan that works:

  • Start with a diagnostic to rank all four domains on day one.
  • Study 20–40 focused minutes daily — weakest domain first, due reviews always, weighted toward Risk Response and Reporting (32%).
  • Use spaced repetition so missed concepts return at the right interval.
  • Drill scenario questions and explain why the best risk response beats the most thorough technical one.
  • Book your real exam when your readiness score clears the passing zone and a full simulation confirms it.

Know your number

A readiness score that blends accuracy, domain coverage, and consistency tells you when the data says you will pass — so you book the exam when you are ready, not when you simply run out of time to study.

Frequently asked questions

How many questions is the CRISC exam?

The CRISC exam has 150 multiple-choice questions delivered in a fixed-form (non-adaptive) format, with a four-hour time limit. Confirm the current question count and timing on the official ISACA site.

What is the CRISC passing score?

CRISC is reported on a scaled score from 200 to 800, and you need 450 to pass. The scaled score is not a raw percentage correct — ISACA converts your performance onto a common scale.

How much experience do I need for CRISC?

CRISC requires a minimum of three years of cumulative work experience in IT risk management and IS control across at least two of the four domains, one of which must be Governance or IT Risk Assessment, with no experience waivers or substitutions. You can pass the exam first and apply for certification once you meet the requirement.

How is CRISC different from CISA and CISM?

CISA audits and reports on controls; CISM manages a security program; CRISC owns IT risk — identifying it, assessing it, choosing responses, and reporting it. They are complementary ISACA credentials for different roles in governance, risk, and assurance.
