CertPrepNow · ISACA · CRISC · Updated 2026-06-15

CRISC Study Guide

Everything you need to pass the ISACA Certified in Risk and Information Systems Control exam. Structured study plans, key services, common traps, and practice questions.

You Can Pass This Exam For Free

The CRISC exam is passable with free resources if you study consistently for 8-14 weeks and adopt the ISACA risk-management mindset:

  • ISACA CRISC Exam Content Outline (free download from ISACA website)
  • ISACA free self-assessment questions (10 free practice questions)
  • NIST Risk Management Framework (SP 800-37) documentation (free)
  • NIST SP 800-30 Guide for Conducting Risk Assessments (free)
  • COBIT framework overview resources (free from ISACA)
  • ISO 31000 risk management summaries and overviews (free)
  • ISACA Engage community forums for peer discussion (free with account)
  • 500+ free practice questions on this site

CRISC is a management-level exam. Free resources cover the technical knowledge, but passing requires learning to think like a risk manager who aligns IT risk with business objectives. The ISACA QAE database ($299 for members) is the single most valuable paid resource if you can budget for one purchase.

Choose Your Study Path

You have general IT experience but limited exposure to risk management, governance, or controls. You need to build foundational knowledge and the ISACA risk-thinking mindset.

  • Week 1-2: Study governance fundamentals: organizational governance vs risk governance, enterprise risk management (ERM), the three lines of defense model, risk appetite vs risk tolerance, and how IT risk aligns with business strategy
  • Week 3-4: Learn risk governance frameworks: COBIT, ISO 31000, NIST RMF, COSO ERM. Understand risk profiles, legal and regulatory requirements, professional ethics, and organizational culture's role in risk management
  • Week 5-6: Study Domain 2 (Risk Assessment): risk identification, threat modeling, vulnerability management, risk scenario development, risk assessment methodologies (qualitative, quantitative, semi-quantitative), risk registers, and business impact analysis
  • Week 7-8: Deep dive into Domain 3 (32% of exam): risk response options (mitigate, transfer, accept, avoid), control design and implementation, control types (preventive, detective, corrective, compensating), risk and control ownership, and third-party risk management
  • Week 9-10: Continue Domain 3: KRIs and KPIs, risk reporting to stakeholders, emerging risk identification, control testing and effectiveness evaluation, control standards and frameworks
  • Week 11-12: Study Domain 4 (Technology and Security): enterprise architecture, IT operations management, system development lifecycle, data lifecycle management, disaster recovery, project management, and emerging technologies including Zero Trust and cloud security
  • Week 13: Practice 300+ questions focusing on the risk management mindset. For every question ask: What would a risk MANAGER recommend, not a technician? Review all incorrect answers carefully
  • Week 14: Take full-length practice exams (150 questions, 4 hours). Target 70%+ before scheduling. Focus on Domain 3 which is 32% of the exam and Domain 1 at 26%

Exam Overview

Format

150 multiple-choice questions, 240 minutes (4 hours). All questions are scenario-based and test risk management judgment and decision-making.

Scoring

Scaled score 200-800. Passing: 450. No penalty for wrong answers — always answer every question. Scores are scaled, so the raw number of correct answers needed varies by exam form.

Domains & Weights

  • Governance: 26%
  • Risk Assessment: 22%
  • Risk Response and Reporting: 32%
  • Technology and Security: 20%

Registration

$760 USD for non-members, $575 for ISACA members. Available year-round at PSI testing centers worldwide or online remote proctored. Certification requires 3 years of qualifying IT risk management experience across at least 2 of the 4 CRISC domains, with one of those domains being Domain 1 (Governance) or Domain 2 (Risk Assessment). Experience must be gained within the 10 years preceding the application. A $50 application processing fee is also required upon certification application. You can sit the exam before meeting the experience requirement.

Topic Priority Table

Not all topics are tested equally. Focus your study time on Tier 1 first, then Tier 2. Tier 3 topics rarely appear — just recognize what they do.

Tier 1: Must Know. You must understand these concepts deeply, know definitions, and be able to apply them in risk management scenarios. These appear across multiple questions throughout the exam.
Tier 2: Should Know. Understand what these are and their key characteristics. May appear in 3-8 questions each across the exam.
Tier 3: Recognize Only. Know what these are at a high level. Rarely more than 1-2 questions each.

Domain 1: 26% of exam

Governance

This domain covers how organizations establish the structures, policies, processes, and culture needed to manage IT risk effectively. It splits into organizational governance (strategy, roles, culture, policies, business processes, assets) and risk governance (ERM, three lines of defense, risk profile, risk appetite/tolerance, frameworks, legal requirements). You must understand how IT risk governance integrates with and supports overall enterprise governance.

Key Topics

Enterprise Risk Management, Three Lines of Defense, COBIT, ISO 31000, Risk Appetite Framework, Organizational Governance, Risk Profile

Must-Know Concepts

  • Organizational governance components: strategy and objectives, organizational structure and roles, culture and ethics, policies and standards, business processes and resilience, and asset management
  • Risk governance components: ERM framework, three lines of defense model, risk profile definition and maintenance, risk appetite and risk tolerance, and legal/regulatory/contractual requirements
  • Three lines of defense: 1st line (operational management owns and manages risk), 2nd line (risk management and compliance provide oversight), 3rd line (internal audit provides independent assurance)
  • Risk appetite is set at the board/strategic level. Risk tolerance is set at the operational/management level. Tolerance must fall within appetite boundaries
  • Risk profile is a snapshot of the organization's overall risk exposure at a point in time, used to communicate risk posture to stakeholders and the board
  • Enterprise Risk Management (ERM) integrates all types of risk (strategic, operational, financial, compliance, IT) into a single coordinated framework
  • Governance frameworks: COBIT (IT governance), ISO 31000 (risk management), COSO ERM (enterprise risk), NIST RMF (federal/cybersecurity)
  • Organizational culture and ethics directly impact risk management effectiveness — a risk-aware culture is more valuable than risk policies alone
  • Business process owners must understand and accept their risk ownership responsibilities as part of the first line of defense
  • Legal, regulatory, and contractual requirements create mandatory risk management obligations that override organizational risk appetite

Common Exam Traps

  • Risk appetite is a BOARD-LEVEL strategic decision, not an IT decision. The board sets appetite; management defines tolerance within those boundaries
  • The three lines of defense model does NOT mean three separate teams. In small organizations, the same people may fulfill multiple line responsibilities, but the functions must remain distinct
  • Risk governance must ALIGN WITH business strategy, not drive it. IT risk decisions support business objectives, not the other way around
  • Policies without enforcement are ineffective. The exam tests whether policies are implemented AND enforced, not just documented
  • Organizational culture cannot be changed through policies alone. Culture change requires leadership commitment, training, and reinforcement over time

Quick Check: Governance

Question 1 of 3

An organization's board of directors has defined the maximum level of risk it is willing to accept in pursuit of its strategic goals. Which term BEST describes this?

Domain 2: 22% of exam

Risk Assessment

This domain covers the full process of identifying, analyzing, and evaluating IT risks. It includes risk identification (risk events, threat modeling, vulnerability management, risk scenario development) and risk analysis (assessment methodologies, risk registers, business impact analysis, inherent and residual risk calculations). You must demonstrate the ability to assess risk using structured methods and communicate findings to stakeholders.

Key Topics

Risk Register, Threat Modeling, Vulnerability Assessment, Risk Scenarios, BIA, ALE/SLE/ARO, Risk Assessment Frameworks

Must-Know Concepts

  • Risk identification components: risk events (including contributing conditions and loss results), threat modeling and threat landscape analysis, vulnerability management and root cause analysis, and risk scenario development and evaluation
  • Risk analysis concepts: qualitative assessment (High/Medium/Low), quantitative assessment (ALE = SLE x ARO), semi-quantitative assessment (numerical scales without full dollar conversion)
  • ALE formula: Annual Loss Expectancy = Single Loss Expectancy x Annual Rate of Occurrence. Know each component and how to calculate
  • Risk register contents: risk description, owner, likelihood, impact, inherent risk rating, controls, residual risk rating, treatment decision, and status
  • Business Impact Analysis (BIA): identifies critical business processes, assesses impact of disruption over time, and establishes recovery priorities including MTD, RTO, and RPO
  • Inherent risk is before controls. Residual risk is after controls. If residual risk exceeds tolerance, additional treatment or formal acceptance is required
  • Threat landscape analysis: understanding external threats (cyber attacks, natural disasters, regulatory changes) and internal threats (insider risk, process failures, human error)
  • Vulnerability management: identifying, classifying, prioritizing, and remediating vulnerabilities in systems, processes, and people
  • Risk scenario development: creating realistic scenarios that combine threat sources, vulnerabilities, and assets to describe potential risk events and their business impact
  • Risk assessment standards and frameworks: ISO 27005 (information security risk management), NIST SP 800-30 (risk assessment guide), OCTAVE, FAIR

Common Exam Traps

  • ALE = SLE x ARO. SLE = Asset Value x Exposure Factor. The exam tests this calculation directly. Memorize the formula and practice calculations
  • Qualitative assessment is FASTER and EASIER but SUBJECTIVE. Quantitative is MORE PRECISE but requires RELIABLE DATA. Know when each is appropriate
  • A risk register is a LIVING document that must be continuously updated, not a one-time exercise. The exam tests ongoing maintenance responsibilities
  • BIA identifies BUSINESS impact, not technical impact. It measures impact in terms of revenue, reputation, legal liability, and customer trust — not system downtime metrics alone
  • Risk scenario development is not the same as threat modeling. Scenarios combine threats + vulnerabilities + assets + impact. Threat modeling focuses on identifying threat sources and attack vectors

Quick Check: Risk Assessment

Question 1 of 3

An organization estimates that a server outage would cost $50,000 per occurrence and occurs approximately twice per year. What is the Annual Loss Expectancy (ALE)?
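The Domain 2 formulas worked through in code, as an added example that is not part of the CertPrepNow guide or of any ISACA material: it implements SLE = Asset Value x Exposure Factor and ALE = SLE x ARO over a small, constructed risk register, derives inherent and residual ALE per entry, applies the tolerance test from the must-know list (residual within tolerance means formal acceptance by the owner; otherwise further treatment), and adds the Domain 3 cost-benefit check of whether a proposed control saves more per year than it costs. The `Risk` and `Control` classes, the register entries, the dollar figures, the tolerance value and the way each control scales EF or ARO down are all assumptions made for the illustration.

```python
"""Quantitative risk assessment over a small risk register.

Added example (not CertPrepNow or ISACA code). Every register entry, dollar
figure and control effect below is constructed for illustration.
"""
from dataclasses import dataclass, field, replace


@dataclass
class Control:
    name: str
    annual_cost: float           # constructed: annualised cost of running the control
    ef_reduction: float = 0.0    # fraction by which the exposure factor drops (0..1)
    aro_reduction: float = 0.0   # fraction by which the annual rate of occurrence drops (0..1)


@dataclass
class Risk:
    risk_id: str
    description: str
    owner: str                   # business process owner (first line of defense)
    asset_value: float           # AV, in dollars
    exposure_factor: float       # EF, fraction of AV lost in one event (0..1)
    aro: float                   # ARO, expected events per year
    controls: list = field(default_factory=list)   # controls already in place


def sle(asset_value, exposure_factor):
    """Single Loss Expectancy = Asset Value x Exposure Factor."""
    return asset_value * exposure_factor


def ale(single_loss, aro):
    """Annual Loss Expectancy = SLE x ARO."""
    return single_loss * aro


def inherent_ale(risk):
    """ALE before any control is applied (raw exposure)."""
    return ale(sle(risk.asset_value, risk.exposure_factor), risk.aro)


def residual_ale(risk):
    """ALE after the risk's controls: each control scales EF and/or ARO down
    (assumed model of control effect, chosen for the example)."""
    ef, aro = risk.exposure_factor, risk.aro
    for control in risk.controls:
        ef *= 1 - control.ef_reduction
        aro *= 1 - control.aro_reduction
    return ale(sle(risk.asset_value, ef), aro)


def control_value(risk, control):
    """Net annual value of adding `control`: ALE reduction minus its annual cost.
    Positive means the control is cost-justified. Evaluated on a copy, so the
    register entry is not changed until the owner decides on the treatment."""
    trial = replace(risk, controls=risk.controls + [control])
    return (residual_ale(risk) - residual_ale(trial)) - control.annual_cost


def treatment_decision(risk, tolerance_ale):
    """Tolerance test: residual ALE within tolerance can be formally accepted by
    the risk owner; above tolerance, additional treatment (or a documented
    acceptance of the excess by an authorised owner) is required."""
    if residual_ale(risk) <= tolerance_ale:
        return "within tolerance: formal acceptance by risk owner"
    return "exceeds tolerance: additional treatment or documented acceptance required"


def evaluate_register(register, tolerance_ale):
    """One report row per risk: inherent ALE, residual ALE and the decision."""
    return [{
        "risk_id": r.risk_id,
        "owner": r.owner,
        "inherent_ale": round(inherent_ale(r), 2),
        "residual_ale": round(residual_ale(r), 2),
        "decision": treatment_decision(r, tolerance_ale),
    } for r in register]


# Constructed sample controls and register (not real data).
BACKUP = Control("offsite backups with tested restore", annual_cost=15_000, ef_reduction=0.5)
MFA = Control("MFA on remote access", annual_cost=8_000, aro_reduction=0.75)

REGISTER = [
    Risk("R-01", "Ransomware encrypts file servers", "IT operations manager",
         asset_value=400_000, exposure_factor=0.5, aro=0.5, controls=[BACKUP]),
    Risk("R-02", "Credential stuffing against the VPN portal", "Infrastructure lead",
         asset_value=200_000, exposure_factor=0.25, aro=2.0, controls=[]),
]
TOLERANCE_ALE = 60_000   # constructed: management's per-risk tolerance in dollars

if __name__ == "__main__":
    for row in evaluate_register(REGISTER, TOLERANCE_ALE):
        print(row)
    print("Net annual value of MFA on R-02:", control_value(REGISTER[1], MFA))
```

Run the file directly to print the register report. Note that the cost-benefit check only says whether a control pays for itself against the estimated loss; whether the remaining residual risk is acceptable is a separate decision that belongs to the risk owner, which is why `treatment_decision` and `control_value` are kept apart.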

Domain 3: 32% of exam

Risk Response and Reporting

The heaviest domain at 32% of the exam. Covers risk treatment and response options, risk and control ownership, third-party risk management, emerging risk identification, control design, implementation, testing and evaluation, and risk reporting including KRIs. Master this domain or you will not pass. You must demonstrate the ability to select appropriate risk responses, design effective controls, and communicate risk status to stakeholders.

Key Topics

Risk Treatment Options, Control Design, KRIs, Third-Party Risk, Risk Ownership, Control Testing, Risk Reporting

Must-Know Concepts

  • Four risk treatment options: mitigate (reduce), transfer (shift financial impact), accept (acknowledge formally), avoid (eliminate the activity). Must select based on cost-benefit and risk appetite
  • Risk and control ownership: risk owners (typically business process owners in 1st line) are accountable for managing risk within their area. Control owners ensure controls operate effectively
  • Third-party risk management lifecycle: vendor selection and due diligence, contract requirements (SLAs, right-to-audit, data protection clauses), ongoing monitoring, and exit strategy
  • Emerging risk identification: monitoring the external and internal environment for new or evolving risks from technology changes, regulatory updates, geopolitical events, and market shifts
  • Control design principles: controls must be appropriate to the risk, cost-effective, aligned with business objectives, and sustainable over time
  • Control implementation: deployment, documentation, training, and communication to ensure controls are operational and understood by all relevant parties
  • Control testing methods: self-assessment, compliance testing, substantive testing, penetration testing, and continuous monitoring. Different methods provide different levels of assurance
  • Control effectiveness evaluation: assessing whether controls actually reduce risk to acceptable levels, not just whether they exist on paper
  • KRI design and monitoring: KRIs must be measurable, relevant to risk appetite and tolerance, provide early warning capability, and trigger defined responses when thresholds are breached
  • Risk reporting: different audiences need different information — boards need strategic risk summaries, management needs operational risk dashboards, regulators need compliance reports

Common Exam Traps

  • Risk TRANSFER does not eliminate accountability. When you outsource a process, operational risk transfers but REPUTATIONAL risk and REGULATORY responsibility typically remain with the organization
  • Risk ACCEPTANCE is not risk IGNORANCE. Acceptance requires a formal, documented decision by an authorized risk owner, not simply failing to address a risk
  • Control testing proves controls WORK. Control design proves controls are APPROPRIATE. A well-designed control that is not tested provides false assurance
  • KRIs must be LEADING indicators (forward-looking), not lagging indicators. If a metric only tells you about past events, it is a KPI, not a KRI
  • Third-party risk does not end at contract signing. Ongoing monitoring, periodic reassessment, and defined exit procedures are essential throughout the vendor lifecycle

Quick Check: Risk Response and Reporting

Question 1 of 3

An organization decides to purchase cyber insurance to address the financial impact of a potential data breach. Which risk treatment option is being applied?
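A KRI monitor as an added example (not code from CertPrepNow or ISACA) that shows what makes a KRI a leading indicator rather than a KPI: each KRI carries a tolerance threshold (amber) and an appetite threshold (red), each with a defined response, and the latest value is assessed together with a linear projection of the recent trend so that the response is triggered before the threshold is actually crossed. The KRI names, thresholds, observation series and response texts are constructed for illustration; the `higher_is_worse` flag is an assumption added to cover KRIs such as a backup success rate, where a lower value is the bad direction.

```python
"""KRI threshold monitoring with early warning.

Added example (not CertPrepNow or ISACA code). KRIs, thresholds, responses
and observations are constructed for illustration only.
"""
from dataclasses import dataclass

LEVEL_ORDER = {"green": 0, "amber": 1, "red": 2}


@dataclass
class KRI:
    name: str
    unit: str
    tolerance: float        # amber threshold: management's operational tolerance
    appetite: float         # red threshold: board-level appetite boundary
    amber_response: str     # defined response when tolerance is breached
    red_response: str       # defined response when appetite is breached
    higher_is_worse: bool = True   # assumption: False for KRIs such as a success rate

    def level(self, value):
        """Classify a value as green, amber or red against the thresholds.
        For lower-is-worse KRIs the comparison is flipped by negating everything."""
        sign = 1 if self.higher_is_worse else -1
        v, tol, app = sign * value, sign * self.tolerance, sign * self.appetite
        if v >= app:
            return "red"
        if v >= tol:
            return "amber"
        return "green"


def linear_projection(values, periods_ahead=1):
    """Least-squares trend line through the observations (x = 0..n-1),
    evaluated `periods_ahead` periods after the last observation."""
    n = len(values)
    if n < 2:
        return float(values[-1])
    mean_x = (n - 1) / 2
    mean_y = sum(values) / n
    cov = sum((x - mean_x) * (y - mean_y) for x, y in enumerate(values))
    var = sum((x - mean_x) ** 2 for x in range(n))
    slope = cov / var
    intercept = mean_y - slope * mean_x
    return intercept + slope * (n - 1 + periods_ahead)


def assess_kri(kri, observations, horizon=1):
    """Evaluate the latest observation and its projected value `horizon`
    periods ahead. The triggered response is for the worse of the two levels,
    so a breach that the trend predicts is acted on before it happens."""
    current = observations[-1]
    projected = linear_projection(observations, horizon)
    current_level = kri.level(current)
    projected_level = kri.level(projected)
    worst = max(current_level, projected_level, key=LEVEL_ORDER.get)
    response = {"green": "no action; continue monitoring",
                "amber": kri.amber_response,
                "red": kri.red_response}[worst]
    return {
        "kri": kri.name,
        "current": current,
        "current_level": current_level,
        "projected": round(projected, 2),
        "projected_level": projected_level,
        "response": response,
        # True when only the projection breaches: the early-warning case
        "early_warning": LEVEL_ORDER[projected_level] > LEVEL_ORDER[current_level],
    }


# Constructed KRIs and monthly observations (illustration only).
PATCH_BACKLOG = KRI(
    name="Critical patches overdue by more than 30 days", unit="count",
    tolerance=10, appetite=20,
    amber_response="Risk owner reviews backlog; remediation plan within 5 days",
    red_response="Escalate to CIO; emergency change window scheduled")
PRIV_NO_MFA = KRI(
    name="Privileged accounts without MFA", unit="percent",
    tolerance=15, appetite=25,
    amber_response="Identity team enforces MFA on remaining accounts this month",
    red_response="Escalate to risk committee; restrict affected accounts")
BACKUP_SUCCESS = KRI(
    name="Monthly backup job success rate", unit="percent",
    tolerance=95, appetite=90, higher_is_worse=False,
    amber_response="Investigate failed jobs; re-run within 24 hours",
    red_response="Declare DR readiness at risk; escalate to BC owner")

OBSERVATIONS = {
    PATCH_BACKLOG.name: [2, 4, 5, 7, 8, 9],      # rising, still under tolerance
    PRIV_NO_MFA.name: [30, 25, 22, 18],          # improving, still above tolerance
    BACKUP_SUCCESS.name: [99, 98, 97, 92],       # lower is worse
}

if __name__ == "__main__":
    for kri in (PATCH_BACKLOG, PRIV_NO_MFA, BACKUP_SUCCESS):
        print(assess_kri(kri, OBSERVATIONS[kri.name]))
```

On the constructed data the patch backlog is still green today but the trend projects it past tolerance next month, so the amber response fires now; that is the early-warning behaviour the exam means by "leading indicator". The MFA gap is the opposite case: the trend is improving, but the current value is still outside tolerance, so the amber response still applies until the threshold is actually met.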

Domain 4: 20% of exam

Technology and Security

This domain covers the technical foundations that support IT risk management: enterprise architecture, IT operations management, project management, disaster recovery management, data lifecycle management, system development lifecycle, and emerging technologies. The 2025 update explicitly added Zero Trust Architecture. You must understand how technology decisions create, mitigate, and transform risk, and how security controls integrate into IT operations.

Key Topics

Enterprise Architecture, IT Operations, SDLC, Disaster Recovery, Data Lifecycle, Zero Trust, Cloud Security

Must-Know Concepts

  • Enterprise architecture frameworks: TOGAF, Zachman. How architecture decisions (cloud vs on-premise, centralized vs distributed) create risk trade-offs
  • IT operations management: change management, configuration management, patch management, release management, and incident management processes
  • Zero Trust Architecture: never trust, always verify. Continuous authentication and authorization, micro-segmentation, least privilege access, and assume-breach mentality
  • Disaster recovery: recovery site types (hot site — ready immediately, warm site — hours to activate, cold site — days to activate), testing methods, and RTO/RPO alignment
  • Data lifecycle management: creation, classification, storage, use, sharing, archival, and destruction. Privacy and security controls at each stage
  • System Development Life Cycle (SDLC): requirements, design, development, testing, deployment, maintenance. Security must be integrated at EVERY phase, not added at the end
  • Project risk management: risk identification for IT projects, scope creep, resource constraints, technology uncertainties, and how project risks feed the enterprise risk register
  • Change management: request, assess risk, approve/reject, implement, verify, close. All changes must be assessed for risk impact before implementation
  • Emerging technologies and their risks: cloud computing (shared responsibility, data sovereignty), AI/ML (bias, transparency), IoT (expanded attack surface), blockchain (immutability challenges)
  • Security controls in technical environments: network segmentation, encryption, access controls, logging and monitoring, vulnerability scanning, and penetration testing

Common Exam Traps

  • Zero Trust does NOT mean distrust everything permanently. It means VERIFY every access request regardless of source, location, or previous authentication
  • Hot site is MOST EXPENSIVE but has the SHORTEST recovery time. Cold site is CHEAPEST but has the LONGEST recovery time. The exam tests this cost-vs-speed trade-off
  • Change management is NOT optional. Even emergency changes must be documented and assessed for risk, even if the approval process is expedited
  • SDLC security integration means security at EVERY phase. If security is only tested at the end (during QA), the answer is wrong on the CRISC exam
  • Cloud shared responsibility model means the cloud provider secures the infrastructure, but the CUSTOMER is responsible for securing their data, configurations, and access controls

Quick Check: Technology and Security

Question 1 of 3

An organization is migrating critical workloads to a public cloud environment. Which risk consideration is MOST important from a governance perspective?

Concepts You Must Not Confuse

These pairs appear on nearly every exam. Learn the difference and you'll avoid the most common traps.

Risk Appetite vs Risk Tolerance

Use Risk Appetite when…

The broad amount and type of risk an organization is willing to accept in pursuit of its strategic objectives. Set by the board and expressed at the enterprise level.

Use Risk Tolerance when…

The acceptable level of variation around specific risk targets that management will allow. Expressed at a granular, operational level with specific measurable thresholds.

Exam trap

Risk appetite is STRATEGIC and set by the board. Risk tolerance is OPERATIONAL and set by management. Risk tolerance must fall within risk appetite. When a risk exceeds tolerance, a risk response is triggered. This is the single most confused pair of concepts on the CRISC exam.

Inherent Risk vs Residual Risk

Use Inherent Risk when…

The level of risk that exists before any controls or risk treatment measures are applied. Represents the raw exposure from a threat exploiting a vulnerability.

Use Residual Risk when…

The level of risk remaining after controls and risk treatment measures have been implemented. Must fall within the organization's risk tolerance.

Exam trap

Inherent risk is BEFORE controls. Residual risk is AFTER controls. Residual risk cannot be calculated until controls are selected. If residual risk exceeds tolerance, additional treatment is required or management must formally accept the excess risk.

Key Risk Indicators (KRIs) vs Key Performance Indicators (KPIs)

Use Key Risk Indicators (KRIs) when…

Forward-looking metrics that provide early warning when risk levels are approaching or exceeding defined thresholds. Signal potential future problems.

Use Key Performance Indicators (KPIs) when…

Backward-looking metrics that measure how effectively processes, controls, or programs are performing against defined targets. Measure past results.

Exam trap

KRIs are FORWARD-LOOKING (predict risk). KPIs are BACKWARD-LOOKING (measure performance). The exam also tests Key Control Indicators (KCIs), which specifically measure control effectiveness. A strong KPI does not guarantee low risk — they measure different things.

Qualitative Risk Assessment vs Quantitative Risk Assessment

Use Qualitative Risk Assessment when…

Uses descriptive categories (High/Medium/Low) to rate risk likelihood and impact. Faster, simpler, and based on expert judgment. Suitable when precise data is unavailable.

Use Quantitative Risk Assessment when…

Uses numerical values and formulas (ALE = SLE x ARO) to express risk in monetary terms. More precise but requires reliable data. Suitable for cost-benefit analysis.

Exam trap

Qualitative is SUBJECTIVE (categories). Quantitative is OBJECTIVE (dollar values). Know the ALE formula: ALE = SLE x ARO. Semi-quantitative uses numerical scales but without full monetary conversion. The exam tests when each approach is most appropriate.

Risk Mitigation vs Risk Transfer

Use Risk Mitigation when…

Implementing controls to reduce the likelihood or impact of a risk event. The organization retains the risk but reduces it to an acceptable level.

Use Risk Transfer when…

Shifting the financial impact of a risk to a third party through insurance, outsourcing, or contractual arrangements. The risk still exists but the financial burden moves.

Exam trap

Mitigation REDUCES the risk. Transfer SHIFTS the financial impact. Transfer does NOT eliminate the risk — operational responsibility and reputational risk often remain with the organization. The exam tests scenarios where candidates must choose between the two.

Preventive Controls vs Detective Controls

Use Preventive Controls when…

Controls that stop an unwanted event from occurring in the first place. Examples: access controls, segregation of duties, encryption, firewalls.

Use Detective Controls when…

Controls that identify and alert when an unwanted event has occurred or is occurring. Examples: audit logs, intrusion detection systems, monitoring, reconciliation.

Exam trap

Preventive controls STOP events. Detective controls FIND events. Corrective controls FIX events after they occur. The exam often presents scenarios where all three types are options and you must identify the correct category or select the most appropriate type.

Business Continuity Plan (BCP) vs Disaster Recovery Plan (DRP)

Use Business Continuity Plan (BCP) when…

A comprehensive plan to maintain or resume critical business operations during and after a disruption. Covers people, processes, facilities, and technology.

Use Disaster Recovery Plan (DRP) when…

A plan focused specifically on restoring IT systems, infrastructure, and data after a disruption. It is a subset of the broader BCP.

Exam trap

BCP is BUSINESS-focused (operations, people, processes). DRP is TECHNOLOGY-focused (IT systems, data, infrastructure). DRP is a COMPONENT of BCP, not the other way around. BIA must be completed BEFORE developing either plan.

Risk Avoidance vs Risk Acceptance

Use Risk Avoidance when…

Eliminating the activity or condition that creates the risk entirely. The organization decides the risk is too great and removes the risk source.

Use Risk Acceptance when…

Formally acknowledging the risk exists and deciding to bear it without further treatment, typically because the cost of treatment exceeds the potential loss or the risk is within tolerance.

Exam trap

Avoidance ELIMINATES the risk source (e.g., discontinuing a product line). Acceptance ACKNOWLEDGES the risk and moves forward. Acceptance must be a conscious, documented management decision, not ignorance. Risk acceptance requires formal sign-off by an authorized risk owner.

Top Mistakes to Avoid

  • Confusing risk appetite (strategic, board-level) with risk tolerance (operational, management-level) — appetite sets the boundary, tolerance operates within it
  • Mixing up inherent risk (before controls) with residual risk (after controls) — residual risk cannot be calculated until controls are selected and evaluated
  • Treating KRIs (forward-looking risk signals) the same as KPIs (backward-looking performance measures) — they measure fundamentally different things
  • Choosing the technical answer instead of the management answer — CRISC tests risk management judgment, not technical implementation skills
  • Thinking risk transfer (insurance, outsourcing) eliminates all risk — reputational and regulatory responsibility typically remain with the organization
  • Confusing risk acceptance (formal documented decision) with risk ignorance (failing to address a risk) — acceptance requires conscious authorization by a risk owner
  • Forgetting that BIA must be completed BEFORE developing BCP and DRP — BIA establishes recovery priorities that drive both plans
  • Treating the risk register as a one-time exercise — it is a living document requiring continuous updates as risks evolve
  • Assuming controls are effective just because they exist — controls must be tested and their effectiveness evaluated, not just documented
  • Not understanding the three lines of defense — operations OWN risk (1st line), risk management OVERSEES risk (2nd line), internal audit ASSURES risk management works (3rd line)

Exam-Ready Checklist

  • Can explain all 4 exam domains and their relative weights (26%, 22%, 32%, 20%)
  • Know the difference between risk appetite (board/strategic) and risk tolerance (management/operational) and can apply the distinction in scenarios
  • Can calculate ALE using the formula ALE = SLE x ARO and explain each component
  • Understand the three lines of defense model and can identify which line handles any given risk management activity
  • Can distinguish between all four risk treatment options (mitigate, transfer, accept, avoid) and select the appropriate one for any scenario
  • Know the difference between inherent risk and residual risk and what triggers additional treatment
  • Can distinguish KRIs (forward-looking) from KPIs (backward-looking) from KCIs (control effectiveness)
  • Understand control types (preventive, detective, corrective, compensating) and can match them to scenarios
  • Can explain the relationship between BIA, BCP, and DRP and the correct sequence for developing them
  • Know recovery site types (hot, warm, cold) and their cost-vs-recovery-time trade-offs
  • Understand the SDLC and can explain why security must be integrated at every phase, not just during testing
  • Can explain Zero Trust Architecture principles and how they differ from traditional perimeter security
  • Know how to design, monitor, and report on KRIs including threshold-based alerting
  • Scored 70%+ on at least two full mock exams (450/800 passing score on the actual exam)
  • Reviewed all incorrect answers with focus on Domain 3 (32%) and Domain 1 (26%) which together represent 58% of the exam

Recommended Resources

Free & Official Resources

Paid Courses & Practice Exams

These are recommended if you prefer a structured learning path. They can save time but are not required to pass.

Frequently Asked Questions