
ISACA (disclaimer: I'm on the NJ Board of Directors) has developed and released a new certification called Certified in Risk and Information Systems Control (CRISC, pronounced "See-Risk"). It's probably a more formal certification than the one I had thought of years earlier, Certified Risk Assessment Professional (CRAP). I just knew that name wasn't going to take off.

There are 5 focus areas:

  • Risk Identification
  • Risk Response
  • Risk Monitoring
  • Control Design and Implementation
  • Control Monitoring and Maintenance

Based on what I've read and seen so far, this certification actually covers information security risk management across the entire lifecycle. The specific areas of study and the details in each of the 5 areas look pretty solid and, hold on, actually make sense. I'm not sure how "technical" it will get, since it is geared towards IT professionals as well as business analysts and project managers, but I think that speaks to the holistic view the certification takes of risk management.

If you've got the required experience, you can grandfather in and not have to take the test. That may be the way to go, since there is no history yet of what the test is like, what they are looking for, or the quality of the questions.

If you’re interested, check out: for more details around the entire program, including grandfathering.

  1. I sure do hope that the CRISC Certification is better received and publicized than the CGEIT Certification. I paid a lot of money to "grandfather" in to that certification and now you really have to hunt to find it!
