Exam Overview
Format
150 multiple-choice questions in 240 minutes (4 hours). Questions are largely scenario-based: they test risk management judgment and decision-making rather than recall of definitions.
Scoring
Scaled score 200-800. Passing: 450. No penalty for wrong answers — always answer every question. Scores are scaled, so the raw number of correct answers needed varies by exam form.
Domains & Weights
- Governance: 26%
- Risk Assessment: 22%
- Risk Response and Reporting: 32%
- Technology and Security: 20%
Registration
Exam fee: $575 USD for ISACA members, $760 for non-members. The exam is available year-round at PSI testing centers worldwide or online with remote proctoring. You can sit the exam before meeting the experience requirement. Certification (not the exam) requires 3 years of qualifying IT risk management experience across at least 2 of the 4 CRISC domains, one of which must be Domain 1 (Governance) or Domain 2 (Risk Assessment); the experience must have been gained within the 10 years preceding the certification application. A $50 application processing fee is paid when you apply for certification after passing.
Topic Priority Table
Not all topics are tested equally. Focus your study time on Tier 1 first, then Tier 2. Tier 3 topics rarely appear — just recognize what they do.
Governance
This domain covers how organizations establish the structures, policies, processes, and culture needed to manage IT risk effectively. It splits into organizational governance (strategy, roles, culture, policies, business processes, assets) and risk governance (ERM, three lines of defense, risk profile, risk appetite/tolerance, frameworks, legal requirements). You must understand how IT risk governance integrates with and supports overall enterprise governance.
Key Topics
Must-Know Concepts
- Organizational governance components: strategy and objectives, organizational structure and roles, culture and ethics, policies and standards, business processes and resilience, and asset management
- Risk governance components: ERM framework, three lines of defense model, risk profile definition and maintenance, risk appetite and risk tolerance, and legal/regulatory/contractual requirements
- Three lines of defense: 1st line (operational management owns and manages risk), 2nd line (risk management and compliance provide oversight), 3rd line (internal audit provides independent assurance)
- Risk appetite is set at the board/strategic level. Risk tolerance is set at the operational/management level. Tolerance must fall within appetite boundaries
- Risk profile is a snapshot of the organization's overall risk exposure at a point in time, used to communicate risk posture to stakeholders and the board
- Enterprise Risk Management (ERM) integrates all types of risk (strategic, operational, financial, compliance, IT) into a single coordinated framework
- Governance frameworks: COBIT (IT governance), ISO 31000 (risk management), COSO ERM (enterprise risk), NIST RMF (federal/cybersecurity)
- Organizational culture and ethics directly impact risk management effectiveness — a risk-aware culture is more valuable than risk policies alone
- Business process owners must understand and accept their risk ownership responsibilities as part of the first line of defense
- Legal, regulatory, and contractual requirements create mandatory risk management obligations that sit above organizational risk appetite: an organization cannot "accept" a risk whose acceptance would breach a legal or contractual obligation
Risk Assessment
This domain covers the full process of identifying, analyzing, and evaluating IT risks. It includes risk identification (risk events, threat modeling, vulnerability management, risk scenario development) and risk analysis (assessment methodologies, risk registers, business impact analysis, inherent and residual risk calculations). You must demonstrate the ability to assess risk using structured methods and communicate findings to stakeholders.
Key Topics
Must-Know Concepts
- Risk identification components: risk events (including contributing conditions and loss results), threat modeling and threat landscape analysis, vulnerability management and root cause analysis, and risk scenario development and evaluation
- Risk analysis concepts: qualitative assessment (High/Medium/Low), quantitative assessment (ALE = SLE x ARO), semi-quantitative assessment (numerical scales without full dollar conversion)
- ALE formula: Annual Loss Expectancy = Single Loss Expectancy x Annual Rate of Occurrence. Know each component and how to calculate
- Risk register contents: risk description, owner, likelihood, impact, inherent risk rating, controls, residual risk rating, treatment decision, and status
- Business Impact Analysis (BIA): identifies critical business processes, assesses impact of disruption over time, and establishes recovery priorities including MTD, RTO, and RPO
- Inherent risk is before controls. Residual risk is after controls. If residual risk exceeds tolerance, additional treatment or formal acceptance is required
- Threat landscape analysis: understanding external threats (cyber attacks, natural disasters, regulatory changes) and internal threats (insider risk, process failures, human error)
- Vulnerability management: identifying, classifying, prioritizing, and remediating vulnerabilities in systems, processes, and people
- Risk scenario development: creating realistic scenarios that combine threat sources, vulnerabilities, and assets to describe potential risk events and their business impact
- Risk assessment standards and frameworks: ISO 27005 (information security risk management), NIST SP 800-30 (risk assessment guide), OCTAVE, FAIR
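The ALE, inherent/residual and cost-benefit points above become concrete when you run them over a small risk register. The following is an added worked example, not ISACA material or code from this page; every risk, dollar figure, reduction factor and the per-risk tolerance are constructed assumptions, and the treatment rule (accept if already within tolerance, reject a control that costs at least what it removes, otherwise mitigate and escalate if residual risk still exceeds tolerance) is one reasonable reading of the domain guidance, not an official formula.

```python
"""Quantitative risk analysis: ALE, residual risk, ROSI and a treatment choice.

Added example for study purposes. All figures below are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    risk_id: str
    description: str
    sle: float   # Single Loss Expectancy, dollars per event
    aro: float   # Annual Rate of Occurrence, events per year


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    sle_reduction: float = 0.0   # assumed fraction of loss size the control removes (0..1)
    aro_reduction: float = 0.0   # assumed fraction of event frequency it removes (0..1)


def ale(sle: float, aro: float) -> float:
    """Annual Loss Expectancy = SLE x ARO, rounded to cents."""
    return round(sle * aro, 2)


def inherent_ale(risk: Risk) -> float:
    """Exposure before any control is applied."""
    return ale(risk.sle, risk.aro)


def residual_ale(risk: Risk, control: Control) -> float:
    """Exposure after the control; it may shrink loss size, frequency, or both."""
    return ale(risk.sle * (1 - control.sle_reduction),
               risk.aro * (1 - control.aro_reduction))


def rosi(risk: Risk, control: Control) -> float:
    """Return on security investment: (ALE reduction - control cost) / control cost."""
    reduction = inherent_ale(risk) - residual_ale(risk, control)
    return round((reduction - control.annual_cost) / control.annual_cost, 2)


def recommend(risk: Risk, control: Control, tolerance: float) -> str:
    """Treatment decision driven by cost-benefit and the stated tolerance.

    `tolerance` is the maximum ALE (dollars/year) the risk owner may carry for
    one risk; an assumed way of expressing tolerance, not the only one.
    """
    before = inherent_ale(risk)
    if before <= tolerance:
        return "accept"                      # already within tolerance; a control is not justified
    after = residual_ale(risk, control)
    if after + control.annual_cost >= before:
        # The control costs at least as much risk as it removes: look at transfer or
        # avoidance instead, or obtain a formal acceptance above tolerance.
        return "reject control: evaluate transfer/avoid or formal acceptance"
    if after <= tolerance:
        return "mitigate"
    return "mitigate, then treat further or formally accept: residual exceeds tolerance"


TOLERANCE = 25_000.0   # assumed per-risk ALE tolerance set by management

REGISTER = [   # constructed sample register entries: (risk, candidate control)
    (Risk("R-01", "Ransomware on file server", sle=200_000, aro=0.5),
     Control("Offline backups + EDR", annual_cost=30_000, sle_reduction=0.75, aro_reduction=0.4)),
    (Risk("R-02", "Unencrypted laptop loss", sle=20_000, aro=2.0),
     Control("Full-disk encryption", annual_cost=8_000, sle_reduction=0.9)),
    (Risk("R-03", "Data centre flood", sle=1_000_000, aro=0.2),
     Control("Flood barriers", annual_cost=50_000, aro_reduction=0.5)),
    (Risk("R-04", "Printer misconfiguration", sle=10_000, aro=0.1),
     Control("Print server hardening", annual_cost=5_000, aro_reduction=1.0)),
    (Risk("R-05", "Legacy app outage", sle=60_000, aro=0.5),
     Control("Full platform replacement", annual_cost=40_000, aro_reduction=0.9)),
]


def analyse(register, tolerance: float) -> list[dict]:
    """One row per register entry with the numbers a risk owner would review."""
    return [{
        "id": risk.risk_id,
        "inherent": inherent_ale(risk),
        "residual": residual_ale(risk, control),
        "rosi": rosi(risk, control),
        "treatment": recommend(risk, control, tolerance),
    } for risk, control in register]


if __name__ == "__main__":
    for row in analyse(REGISTER, TOLERANCE):
        print(row)
```

R-03 is the case the "residual exceeds tolerance" bullet describes: the control is worth buying (ROSI 1.0) yet leaves $100,000 of annual exposure against a $25,000 tolerance, so the owner must either add a further treatment (transfer, for instance) or obtain formal acceptance. R-05 shows the opposite trap: a control that reduces risk but costs more than the exposure it removes.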
Risk Response and Reporting
The heaviest domain at 32% of the exam. Covers risk treatment and response options, risk and control ownership, third-party risk management, emerging risk identification, control design, implementation, testing and evaluation, and risk reporting including KRIs. Master this domain or you will not pass. You must demonstrate the ability to select appropriate risk responses, design effective controls, and communicate risk status to stakeholders.
Key Topics
Must-Know Concepts
- Four risk treatment options: mitigate (reduce), transfer (shift financial impact), accept (acknowledge formally), avoid (eliminate the activity). Must select based on cost-benefit and risk appetite
- Risk and control ownership: risk owners (typically business process owners in 1st line) are accountable for managing risk within their area. Control owners ensure controls operate effectively
- Third-party risk management lifecycle: vendor selection and due diligence, contract requirements (SLAs, right-to-audit, data protection clauses), ongoing monitoring, and exit strategy
- Emerging risk identification: monitoring the external and internal environment for new or evolving risks from technology changes, regulatory updates, geopolitical events, and market shifts
- Control design principles: controls must be appropriate to the risk, cost-effective, aligned with business objectives, and sustainable over time
- Control implementation: deployment, documentation, training, and communication to ensure controls are operational and understood by all relevant parties
- Control testing methods: self-assessment, compliance testing, substantive testing, penetration testing, and continuous monitoring. Different methods provide different levels of assurance
- Control effectiveness evaluation: assessing whether controls actually reduce risk to acceptable levels, not just whether they exist on paper
- KRI design and monitoring: KRIs must be measurable, relevant to risk appetite and tolerance, provide early warning capability, and trigger defined responses when thresholds are breached
- Risk reporting: different audiences need different information — boards need strategic risk summaries, management needs operational risk dashboards, regulators need compliance reports
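The KRI bullet above lists four properties (measurable, tied to tolerance, early warning, triggers a defined response). The following added example, which is not code from this page or from ISACA, shows what those properties look like when automated: each KRI carries an amber (approaching tolerance) and a red (tolerance breached) threshold plus a pre-agreed response, and a simple trend projection raises an early warning before red is actually hit. The KRI names, thresholds, responses and readings are constructed assumptions.

```python
"""KRI evaluation against tolerance thresholds with trend-based early warning.

Added example; KRIs, thresholds and readings are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Sequence


@dataclass(frozen=True)
class KRI:
    name: str
    amber: float               # warning level: approaching tolerance
    red: float                 # tolerance boundary: breach triggers the defined response
    response: str              # pre-agreed action when red is breached
    higher_is_worse: bool = True


def status(kri: KRI, value: float) -> str:
    """Colour one reading against the KRI thresholds (handles both directions)."""
    sign = 1 if kri.higher_is_worse else -1
    if sign * value >= sign * kri.red:
        return "red"
    if sign * value >= sign * kri.amber:
        return "amber"
    return "green"


def evaluate(kri: KRI, readings: Sequence[float], lookback: int = 3) -> dict:
    """Status of the latest reading plus a trend-based early warning.

    The early warning fires when the last `lookback` readings all move in the
    bad direction and a straight-line projection over the same number of
    periods would cross the red threshold. That gives the risk owner notice
    before tolerance is breached, which is what makes a KRI "leading".
    """
    current = readings[-1]
    colour = status(kri, current)
    actions = []
    if colour == "red":
        actions.append(kri.response)
    else:
        window = readings[-lookback:]
        deltas = [b - a for a, b in zip(window, window[1:])]
        sign = 1 if kri.higher_is_worse else -1
        if deltas and all(d * sign > 0 for d in deltas):
            projected = current + (sum(deltas) / len(deltas)) * lookback
            if status(kri, projected) == "red":
                actions.append(f"early warning: projected to breach red within {lookback} periods")
    return {"kri": kri.name, "value": current, "status": colour, "actions": actions}


# Constructed KRIs. The first two are "higher is worse"; the third is a rate
# where falling values signal trouble.
PATCH_SLA = KRI("Critical patches past SLA (%)", amber=5, red=10,
                response="Escalate to CISO; freeze non-essential changes")
MFA_GAP = KRI("Privileged accounts without MFA", amber=3, red=5,
              response="Disable accounts until MFA enrolled")
RESTORE_RATE = KRI("Backup restore test success (%)", amber=95, red=90,
                   response="Invoke DR remediation plan; report to risk committee",
                   higher_is_worse=False)

# Constructed monthly readings, oldest first.
READINGS = {
    PATCH_SLA: [2, 3, 4.5, 6],
    MFA_GAP: [1, 1, 0, 0],
    RESTORE_RATE: [99, 97, 93, 88],
}


def dashboard(readings: dict) -> list[dict]:
    """Rows for an operational risk dashboard: one per KRI."""
    return [evaluate(kri, series) for kri, series in readings.items()]


if __name__ == "__main__":
    for row in dashboard(READINGS):
        print(row)
```

With these readings the patch KRI is only amber today, but its trend projects a red breach within three periods, so the owner is warned now; the restore-rate KRI is already red and returns its defined response. Reporting the colour alone, without the trend, would have hidden the first case.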
Technology and Security
This domain covers the technical foundations that support IT risk management: enterprise architecture, IT operations management, project management, disaster recovery management, data lifecycle management, system development lifecycle, and emerging technologies. The 2025 update explicitly added Zero Trust Architecture. You must understand how technology decisions create, mitigate, and transform risk, and how security controls integrate into IT operations.
Key Topics
Must-Know Concepts
- Enterprise architecture frameworks: TOGAF, Zachman. How architecture decisions (cloud vs on-premise, centralized vs distributed) create risk trade-offs
- IT operations management: change management, configuration management, patch management, release management, and incident management processes
- Zero Trust Architecture: never trust, always verify. Continuous authentication and authorization, micro-segmentation, least privilege access, and assume-breach mentality
- Disaster recovery: recovery site types (hot site — fully equipped and ready within minutes to hours, warm site — partially equipped, hours to days to activate, cold site — space and power only, days to weeks to activate), testing methods, and RTO/RPO alignment
- Data lifecycle management: creation, classification, storage, use, sharing, archival, and destruction. Privacy and security controls at each stage
- System Development Life Cycle (SDLC): requirements, design, development, testing, deployment, maintenance. Security must be integrated at EVERY phase, not added at the end
- Project risk management: risk identification for IT projects, scope creep, resource constraints, technology uncertainties, and how project risks feed the enterprise risk register
- Change management: request, assess risk, approve/reject, implement, verify, close. All changes must be assessed for risk impact before implementation
- Emerging technologies and their risks: cloud computing (shared responsibility, data sovereignty), AI/ML (bias, transparency), IoT (expanded attack surface), blockchain (immutability challenges)
- Security controls in technical environments: network segmentation, encryption, access controls, logging and monitoring, vulnerability scanning, and penetration testing
Recommended Resources
Paid Courses & Practice Exams
These are recommended if you prefer a structured learning path. They can save time but are not required to pass.