CRISC (Certified in Risk and Information Systems Control) is ISACA's credential for IT risk management professionals. It's the certification that bridges the gap between security practitioners who understand technical threats and business stakeholders who need to understand risk in organizational terms.
-
What CRISC Certifies
CRISC certifies that you can identify, assess, evaluate, and respond to IT risk — and that you can implement and monitor information systems controls to manage that risk. It's the credential for IT risk managers, GRC analysts, vCISOs with risk management responsibilities, and compliance officers who need to quantify and report risk.
-
The Four CRISC Domains
CRISC covers four domains: (1) Governance — how IT risk fits into enterprise risk management; (2) IT Risk Assessment — identifying, analyzing, and evaluating IT risk scenarios; (3) Risk Response and Reporting — selecting and implementing responses and communicating risk to stakeholders; (4) Information Technology and Security — the technical controls and security practices that implement risk responses.
-
CRISC and CMMC POA&M Management
For DoD contractors, CRISC is most applicable to POA&M (Plan of Action and Milestones) management — the risk-based process of identifying gaps, prioritizing remediation, and tracking completion. CRISC-credentialed professionals approach POA&M management with the formal risk assessment methodology that satisfies both NIST 800-171 requirements and C3PAO expectations.
-
CRISC and vCISO Roles
Many vCISOs hold or pursue CRISC alongside CISM — CISM provides the security management framework, while CRISC provides the risk assessment and quantification methodology. Together they cover the full vCISO role: building the security program (CISM) and communicating its risk posture to the business (CRISC).
-
Who Should Pursue CRISC
CRISC is the right credential for: IT risk managers and GRC analysts who need formal risk methodology credentials; vCISOs who need to quantify and report risk to boards and executives; DoD contractor staff responsible for CMMC POA&M and risk management; compliance professionals who bridge IT and business risk.