
The Certified in Risk and Information Systems Control™ (CRISC™, pronounced “see-risk”) designation is for IT and business professionals who identify and manage risks through the development, implementation and maintenance of information systems (IS) controls. These professionals help enterprises accomplish business objectives such as effective and efficient operations, reliable financial reporting, and compliance with regulatory requirements. The need for this new certification was identified and reported on as part of ISACA’s strategy. A Board-appointed task force was created in July 2009 to develop this new certification. Extensive research was conducted globally that resulted in the validation of a need for a certification for IT and business professionals.

What will be the requirements to earn the CRISC designation?

Earning the CRISC designation will require a combination of experience and expertise. Candidates will be required to prove and demonstrate a minimum of three years of experience related to:

· Risk identification, assessment and evaluation
· Risk response
· Risk monitoring
· IS control design and implementation
· IS control monitoring and maintenance

In addition, candidates will be required to pass the CRISC exam and commit to a code of ethical conduct and a program of professional continuing education. The task force is currently developing a CRISC job practice that will consist of subject matter areas (domains) and related task and knowledge statements that will serve as the basis for certification and exam development. The job practice is planned for completion in early March 2010.

Will there be a grandfathering program?

Yes, just as was the case with other ISACA certification programs, the CRISC certification will include a period in which highly experienced professionals can apply for CRISC certification without taking the CRISC exam. The grandfathering program is scheduled to start on 1 April 2010 and program details will be announced after the completion of the job practice.

When will the first CRISC exam be offered?

The first CRISC exam will be offered in 2011. The exact timing will be determined based on the development of an adequate exam item pool for testing. Item writers will be solicited shortly after the completion of the job practice to write items for the new exam.

How will CRISC compare to other ISACA certifications?

CRISC is intended to complement ISACA’s three existing certifications.

· CRISC is for IT and business professionals who are engaged at an operational level to mitigate risk, while CGEIT is for IT and business professionals who have a significant management, advisory or assurance role relating to the governance of IT, including risk management;
· CRISC is for IT and business professionals who design, implement and maintain IS controls, while CISA is designed for IT professionals who perform independent reviews of control design and operational effectiveness;
· CRISC is for IT professionals whose roles encompass security, operational and compliance considerations, while CISM is for individuals who manage, design, oversee and/or assess an enterprise’s information security, including the identification and management of information security risks.