Certified in Risk and Information Systems Control (CRISC) - ISACA


CRISC is the only certification that prepares and enables IT professionals for the unique challenges of IT and enterprise risk management, and positions them to become strategic partners to the enterprise.


The American National Standards Institute (ANSI) has accredited the CRISC certification program under ISO/IEC 17024:2012, General Requirements for Bodies Operating Certification Systems of Persons. ANSI, a private, nonprofit organization, accredits other organizations to serve as third-party product, system and personnel certifiers. ISACA is proud to be recognized with this international standard of performance.

In accordance with the ISO standard, ISACA understands the importance of impartiality and commits to act impartially in carrying out its certification activities, managing conflicts of interest and ensuring the objectivity of its certification activities.

It is important for a CRISC candidate to be able to distinguish functional terms and apply concepts associated with “risk,” “threats” and “vulnerabilities.” These terms should not be used interchangeably.

  • “Risk” refers to the likelihood (or frequency) and magnitude of loss that exists from a combination of asset(s), threat(s) and control conditions. As a derived value, it cannot take a plural form (i.e., “risks”). Consequently, when referring to conditions that represent some amount of risk, terms such as “risk factors,” “risk scenarios” or “risk concerns” will be used.
  • “Threat” refers to anything (e.g., object, substance, human) that is capable of acting against an asset in a manner that can result in loss or harm.
  • “Vulnerability” refers to control conditions that are deemed to be deficient relative to requirements or the threat levels being faced. It is a weakness in design, implementation, operation or internal controls.