Certified in Risk and Information Systems Control training for IT risk and compliance professionals. All 4 domains with practitioner instruction. Strong alignment to NIST 800-30 and CMMC risk assessment requirements.
CRISC (Certified in Risk and Information Systems Control) is ISACA's certification for IT risk and control professionals. It is recognized globally as the standard credential for those who identify, assess, evaluate, and manage IT risk and implement and maintain information systems controls.
CRISC holders typically work in enterprise risk management, IT audit, GRC, and cybersecurity risk roles. For organizations under CMMC, the CRISC framework maps directly to the risk assessment and risk management requirements embedded in NIST 800-171 and NIST 800-30.
ISACA requires three years of cumulative work experience across CRISC domains for certification. You can sit for the exam before meeting the experience requirement.
Exam details subject to change. Verify at isaca.org.
Four domains covering the full IT risk and control lifecycle.
Domain 1, Governance: IT risk governance strategy and framework, risk appetite, risk tolerance, and the organizational structure needed to manage IT risk effectively. Connects to CMMC governance requirements and the NIST 800-37 Risk Management Framework.
Domain 2, IT Risk Assessment: identifying and evaluating IT risk scenarios, threats, vulnerabilities, and potential business impact. Risk identification, risk analysis methodologies, and risk assessment documentation. Direct alignment to NIST 800-30 risk assessment requirements.
Domain 3, Risk Response and Reporting: the largest CRISC domain. Selecting and implementing risk treatment options (accept, mitigate, transfer, avoid), monitoring residual risk, reporting risk posture to stakeholders, and maintaining risk registers. Critical for CMMC POA&M management.
Domain 4, Information Technology and Security: IT concepts, infrastructure components, and security technologies as they relate to risk and control. Covers access controls, encryption, network security, and IT operations from a risk management perspective.
CMMC Level 2 requires risk assessments that align to NIST 800-30. CRISC-certified professionals have the structured methodology to conduct, document, and maintain these assessments in a way that satisfies C3PAO assessors. CRISC maps to CMMC control family 3.11 (Risk Assessment) and the risk treatment requirements across the NIST 800-171 control families.
The CRISC framework for risk reporting and residual risk monitoring also directly supports the POA&M (Plan of Action and Milestones) management process that CMMC requires. CRISC-credentialed team members can own the risk register, risk acceptance decisions, and risk reporting that C3PAO assessments scrutinize.
IS audit certification that pairs with CRISC for comprehensive GRC credentials.
Security management depth that complements CRISC's risk focus.
Technical CMMC implementation where CRISC-certified risk managers add the most value.
Schedule a conversation to discuss your certification timeline, current background, and the training path that fits your schedule and goals.
Virtual Infrastructure Services LLC · South Brunswick, NJ · +1 (732) 200-7351