ISACA CRISC prep, adaptive plan with ARIA
The ISACA Certified in Risk and Information Systems Control (CRISC) is 240 minutes, 150 questions, and a scaled passing score of 450 out of 800. It is one of the highest-paid certifications in the industry, and the questions are written to punish vocabulary drift. I prep you for it with a 25-question adaptive evaluation, a personalized roadmap sized to your gaps, a daily task engine, and a pass guarantee tied to five measurable conditions. Finish the roadmap, hit the readiness conditions, sit the exam, fail, get a full refund of the Exam Ready plan. Start your free CAT evaluation at claudelab.me/onboarding/select-cert?code=CRISC.
TL;DR
- 240 minutes, 150 multiple-choice questions, scaled passing score 450 of 800, four domains weighted 27 / 28 / 23 / 22.
- Cost: 575 USD for ISACA members, 760 USD for non-members; certification requires 3 years of cumulative IT risk and IS control work across at least 2 of the 4 domains.
- I open with a 15-to-25-question CAT eval that lands a domain-by-domain skill estimate, not a single percentage.
- Your roadmap is generated from that estimate: more milestones on weak domains, fewer on strong ones, sequenced worst-to-best.
- Pass-guarantee eligibility is checked by a database function with five mechanical conditions, not a marketing line.
What the CRISC exam is
CRISC is ISACA's Certified in Risk and Information Systems Control exam (current as of 2026). It tests your ability to identify, assess, respond to, and report on IT risk, and to design, implement, and maintain information system controls that align with enterprise objectives. 150 questions, 240 minutes, scaled passing score 450 of 800, multiple choice. The exam is offered in English, Japanese, Chinese (Simplified), Korean, and Spanish.
The certification has an experience requirement. You need 3 years of cumulative work in IT risk identification, IT risk assessment, risk response and reporting, or information technology and security, spread across at least 2 of the 4 domains, verified within 5 years of the exam. Education and prior-cert waivers exist but cap at one year. You can sit the exam without the experience and bank the pass; the credential awards once the experience is logged.
The blueprint splits into four domains:
| Domain | Weight | What it covers |
|---|---|---|
| IT Risk Identification | 27% | Risk culture, risk universe, asset and threat identification, vulnerability identification, risk scenarios, the Risk IT Framework, risk register vs risk profile, governance and ownership. |
| IT Risk Assessment | 28% | Quantitative and qualitative analysis, inherent vs residual vs current vs targeted risk, business impact analysis, third-party risk, control assessment, scenario analysis, risk ranking. |
| Risk Response and Reporting | 23% | Treat / transfer / mitigate / accept, control selection, KRIs, KPIs, KCIs, risk reporting to executives and the board, exception management, monitoring and review. |
| Information Technology and Security | 22% | Enterprise architecture, IT operations, project and change management, business continuity, data privacy, emerging technology risk, information security concepts and frameworks. |
The weights matter for prep allocation. CRISC tilts heavily toward identification and assessment, which together are over half the exam. A roadmap that splits time evenly across the four domains burns about a third of your study window. I do not split it evenly.
How ARIA preps you for it
ARIA owns your CRISC prep end to end. Five pieces, each one running every day you are in the program.
The CAT evaluation. Your first session is a 15-to-25-question adaptive test that converges on your real skill level for each of the four CRISC domains. Difficulty adjusts after every answer. The test stops at 95 percent confidence or 25 questions, whichever comes first. The output is a domain-by-domain estimate that decides what your roadmap looks like. Read the full CAT explainer for the mechanics.
The personalized roadmap. The moment the eval closes, I generate three to five phases sequenced from your weakest CRISC domain to your strongest, each with two to four milestones. Milestone count scales with starting level. CRISC is a vocabulary-dense exam, so even strong practitioners get extra milestones on terminology drilling if their CAT shows fluency in concepts but slippage on ISACA-specific wording. Full structure: the roadmap overview.
The daily task engine. Every time you reopen the app, I pick the next thing to work on, today. One task. Not a list. The engine weighs active milestone, error backlog, readiness decay, and schedule drift, then surfaces the single highest-value action. Roadmap tasks advance milestones; free-play tasks improve readiness but do not advance milestones.
The error backlog. Every wrong answer on a CRISC question is tagged with the trap pattern, domain, and topic, then queued for return at increasing intervals (1 day, 3 days, 7 days, 21 days). You do not manage decks. I do. The pattern retires only after three correct answers in a row, spaced. Vocabulary traps get a tighter cycle than concept traps because forgetting curves on terminology are steeper.
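As an added example (not ARIA's own code), a scheduler that implements the return ladder and retirement rule described above. The 1/3/7/21-day ladder and the three-spaced-correct retirement come from the text; the tighter vocabulary ladder (1, 2, 5, 14 days) and the miss handling (streak resets, item drops one rung) are assumptions, since the page specifies neither.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

CONCEPT_LADDER = (1, 3, 7, 21)  # return intervals in days, from the page
VOCAB_LADDER = (1, 2, 5, 14)    # assumed: the page only says "tighter"
RETIRE_STREAK = 3               # three spaced correct answers in a row

@dataclass
class BacklogItem:
    pattern: str            # trap pattern, e.g. "residual-vs-current"
    domain: int             # CRISC domain 1-4
    kind: str               # "vocabulary" or "concept"
    missed_on: str          # ISO date of the miss that created the item
    step: int = 0           # rung on the interval ladder
    streak: int = 0         # consecutive correct answers on returns
    retired: bool = False
    due: Optional[date] = None

    def __post_init__(self) -> None:
        self.due = self._after(self.missed_on)

    @property
    def ladder(self):
        return VOCAB_LADDER if self.kind == "vocabulary" else CONCEPT_LADDER

    def _after(self, iso_day: str) -> date:
        return date.fromisoformat(iso_day) + timedelta(days=self.ladder[self.step])

    def record(self, answered_on: str, correct: bool) -> None:
        """Update rung, streak and due date after a return attempt."""
        if self.retired:
            return
        if correct:
            self.streak += 1
            if self.streak >= RETIRE_STREAK:
                self.retired = True  # pattern leaves the backlog for good
                return
            self.step = min(self.step + 1, len(self.ladder) - 1)
        else:
            self.streak = 0  # assumed miss handling: reset, drop one rung
            self.step = max(self.step - 1, 0)
        self.due = self._after(answered_on)

def due_today(items, today: str) -> list:
    """Patterns the task engine should surface today, earliest due first."""
    live = [i for i in items if not i.retired and i.due.isoformat() <= today]
    return [i.pattern for i in sorted(live, key=lambda i: i.due)]
```

A concept pattern missed on 2026-01-05 (constructed date) returns on the 6th, 9th and 16th; a miss on the 16th drops it back to the 3-day rung, and three further correct returns (19th, 26th, Feb 16th) retire it.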
The readiness score. A single 0-to-100 number that estimates your probability of passing CRISC today. It blends coverage, accuracy, and recency, and decays roughly 3 points per day of inactivity past the grace window. At 60 it unlocks the demo test, at 80 the gauntlet. With every milestone done, two mock passes, one gauntlet pass, and live readiness at 80, the pass guarantee flips eligible.
Common pitfalls on CRISC
These five traps quietly cost the most points on this exam. Every prep tool calls them out. Few do anything structural about them. I do.
1. Inherent vs Residual vs Current vs Targeted risk
The trap: ISACA stems use these four words as if they were interchangeable, and they are not. Inherent risk is the risk before any controls are applied. Residual risk is what is left after the current control set is operating effectively. Current risk is the actual right-now state, including controls that are partial, missing, or under remediation. Targeted risk is the level the organization wants to reach. Candidates who treat residual and current as synonyms get whole questions wrong, especially the ones where a control is half-implemented.
What I do about it: every miss tags which of the four terms was the deciding word, and the backlog ships variants back into your queue until the four definitions sit cleanly in separate boxes. You do not finish the Domain 2 assessment milestone until all four terms are reflexive.
2. Risk capacity vs Risk tolerance vs Risk appetite
The trap: capacity is the maximum risk the organization can absorb without endangering survival. Appetite is the level the board chooses to take. Tolerance is the variance around that appetite. ISACA writes scenarios where the wrong term in a policy document is the actual error to flag. Candidates skim, see "the policy says," and miss that the policy itself misuses the vocabulary.
What I do about it: I drill these three with paired scenarios that flip a single word and change the right answer. The backlog separates them as three sub-patterns and rotates them. The deciding factor on the trap is always which stakeholder owns the term, and I tag that explicitly.
3. KRI vs KPI vs KCI
The trap: Key Risk Indicators are forward-looking and signal increasing risk before it materializes. Key Performance Indicators are backward-looking and measure how the business is doing. Key Control Indicators measure whether a control is operating as designed. Picking a "performance metric" when the question asks for an early-warning risk metric is one of the most common misses on this exam, especially under time pressure.
What I do about it: every KRI / KPI / KCI miss surfaces a directionality card on the explanation, with concrete examples per indicator type. The backlog tags whether you missed direction (forward vs backward) or scope (risk vs performance vs control), so the next return drills the specific axis you slipped on.
4. Risk register vs Risk profile
The trap: the register is granular and ongoing, a living list of every identified risk with owners, scores, and treatments. The profile is the rolled-up snapshot at a point in time, the executive view. Stems hide which deliverable the scenario asks for, especially in reporting and governance questions, and the wrong document choice changes the answer.
What I do about it: I treat register-vs-profile as a sub-pattern under reporting, and the backlog injects deliverable-mismatch scenarios on every cycle. The pattern only retires when you can name the right artifact for the right audience three times in a row, spaced.
5. Three Lines of Defense model and the 2020 update
The trap: Operations is the first line, Risk and Compliance is the second, Internal Audit is the third. The 2020 IIA update renamed the model to the "Three Lines Model," explicitly added the governing body, and clarified that internal audit reports independently to the board. Older study material still teaches the pre-2020 vocabulary, and the exam tests both the structure and the post-2020 wording directly.
What I do about it: I tag every Three Lines miss as either structure (which function sits where) or vocabulary (pre-2020 vs 2020 update terms), and the backlog drills the axis you slipped on. You do not move past the Domain 3 governance milestone until the post-2020 vocabulary is automatic.
Common questions
Do I need 3 years of risk experience before sitting CRISC?
ISACA requires 3 years of cumulative work experience across at least 2 of the 4 CRISC domains to earn the certification, and that experience has to be verified within 5 years of the exam pass. You can sit and pass the exam first, then claim the credential once the experience is logged. Some education and adjacent-cert waivers shave time off, but they cap out at one year. The exam itself does not gate on years; the certification does.
CRISC vs CISM vs CISA, which one fits my role?
CRISC is for people who own IT risk identification, assessment, and response, often risk analysts, GRC leads, or second-line risk officers. CISM is for security program managers running an information security program top-down. CISA is for IS auditors evaluating controls and reporting independently. If your day job is naming risks, scoring them, and recommending responses, CRISC fits. If you run the security function, look at CISM. If you audit it from outside, look at CISA.
How does ARIA handle CRISC's scenario-based "best answer" questions?
Every CRISC stem has more than one defensible answer; only one is the best one. I drill that explicitly. After every wrong answer, the explanation card walks through why each option is plausible and what the deciding factor is, usually a phase of the risk lifecycle, a stakeholder, or a sequencing rule. Misses tag the deciding-factor pattern and resurface in the backlog. You stop guessing the "most correct" answer once the deciding factor becomes a reflex.
Does the pass guarantee cover CRISC?
Yes. Five measurable conditions: every milestone completed, every phase completed, two mock exams passed at 72 percent or higher, one gauntlet passed at 80 percent or higher, and a live readiness score of 80 or above. If all five hold and you sit the exam within the 60-day window and do not pass, you get a full refund of the Exam Ready plan. The full mechanics live on the pass guarantee page.
How long does CRISC take to prepare for if I already work in risk?
If you already work in IT risk full-time, the median time-to-ready sits between six and ten weeks. The exam is heavy on ISACA terminology and on the specific definitions in the Risk IT Framework, so even strong practitioners lose weeks unlearning their employer's house vocabulary and learning ISACA's. A novice on two or more domains gets a longer plan; a senior risk analyst with strong assessment muscle but weak governance vocabulary lands closer to six weeks. The roadmap is sized from your evaluation, not a marketing window.
What is the recertification cost and CPE requirement for CRISC?
CRISC holders must earn 120 CPE hours over a rolling three-year cycle, with a minimum of 20 CPE hours per year. The annual maintenance fee is 45 USD for ISACA members and 85 USD for non-members. Failure to meet the CPE minimum results in suspension and eventually revocation, so the recurring cost is real, not symbolic.
Start your CRISC prep
The cheapest possible signal is the 15-minute CAT evaluation. It tells you which of the four CRISC domains you actually own, which one will cost you the exam if you sit it tomorrow, and where the roadmap starts. After that, you decide whether to commit.
Start your free CRISC evaluation at claudelab.me/onboarding/select-cert?code=CRISC.
Background reading: the CISM and CISA pages compare the three ISACA tracks, and the readiness and decay page explains the score that drives the experience.