Certified in Risk and Information Systems Control (CRISC) Prep

ISACA-authorized CRISC exam prep covering the four domains of enterprise IT risk identification, assessment, response, and monitoring. Delivered by an ISACA Accredited Training Organization (ATO) with hands-on risk register and control design practice.

$3,495

Virtual Live

Start April 27th, 2026

Course Overview

Boards no longer treat IT risk as a back-office concern — it's a first-class enterprise risk, sitting alongside financial, operational, and strategic exposure. ISACA's Certified in Risk and Information Systems Control (CRISC) is the globally recognized standard for professionals who identify, assess, respond to, and monitor IT risk in a way the business actually understands. CRISC is the credential that proves you can build a risk register that informs capital allocation, not one that collects dust.

This comprehensive exam prep program is delivered by Divergence Academy, an ISACA Accredited Training Organization (ATO), ensuring official curriculum alignment with the current CRISC Job Practice. Participants progress through all four domains (Governance, IT Risk Assessment, Risk Response and Reporting, and Information Technology and Security) with a focus on risk appetite, control design, and quantitative risk thinking the exam rewards.

Tools, Languages, and Frameworks Used

The program covers the full CRISC body of knowledge: enterprise risk management frameworks (COSO ERM, ISO 31000), IT risk management (NIST SP 800-30, ISACA Risk IT Framework), COBIT, qualitative and quantitative risk analysis, key risk indicators (KRIs) and key control indicators (KCIs), control design and selection, third-party risk management, emerging technology risk (cloud, AI, IoT), and risk reporting to executives and boards. Participants also work through ISACA's official CRISC Review Manual and QAE (Questions, Answers & Explanations) Database.

Course Delivery Model

CRISC Prep is delivered through a blend of instructor-led lectures by ISACA-certified risk practitioners, interactive case discussions framed around real-world risk scenarios and control failures, hands-on risk assessment exercises, and structured QAE practice sessions. Participants receive access to ISACA's official review materials and a cohort-based study cadence designed to build exam stamina and enterprise-risk judgment, not just recall.

Why CRISC

Go Anywhere

CRISC is the preferred credential for IT risk and control professionals worldwide — more than 30,000 professionals across 180+ countries hold it, and it's approved for use under U.S. Department of Defense 8140 cyber workforce roles. Whether you're building an enterprise risk function, advising a regulated bank, leading third-party risk for a SaaS provider, or translating cyber risk into board-level capital decisions, CRISC is recognized as the authoritative risk credential.

Enables You

CRISC validates that you can identify IT risks the business actually cares about, assess them in terms the CFO understands, design proportionate controls, and report risk in a way that drives decisions — not just compliance checkboxes. It's the credential that earns you credibility with risk committees, audit committees, and enterprise risk officers. CRISC turns technical risk knowledge into business-integrated risk leadership.

Better Pay

CRISC holders earn an average of US$151,000+ annually in North America (per Skillsoft), and CRISC is consistently ranked among the highest-paying IT certifications in the Foote Partners IT Skills and Certifications Pay Index. Demand for CRISC-certified risk professionals has climbed sharply as enterprises build out third-party risk, operational resilience, cyber risk quantification, and board-level IT risk reporting functions — every one of which requires a CRISC-grade skillset.

Achievement

CRISC is ANSI-accredited under ISO/IEC 17024:2012 — the international standard for personnel certification bodies — and was one of the first enterprise IT risk credentials to meet that bar. It has been recognized by CIO.com, Global Knowledge, and Certification Magazine as one of the most valuable and highest-paying IT certifications year over year. Earning CRISC signals to CROs, audit committees, and regulators that your risk assessments are grounded in a rigorous, internationally-recognized body of knowledge.

Program Outline
  • Enterprise Governance and Risk Management Frameworks
  • Organizational Strategy, Goals, and Risk Appetite
  • Three Lines Model and IT Risk Ownership
  • IT Risk Identification and Documentation
  • Risk Scenario Development and Business Impact Analysis
  • Qualitative and Quantitative Risk Assessment
  • Risk Response Options and Treatment Planning
  • Control Design, Selection, and Implementation
  • Key Risk Indicators (KRIs) and Key Control Indicators (KCIs)
  • Risk Monitoring, Reporting, and Communication
  • Information Systems Architecture and Emerging Technology Risk
  • Third-Party, Cloud, and Supply Chain Risk
  • Information Security Controls and Data Privacy Risk
  • QAE Practice Sessions and Exam Strategy Labs

Why Divergence

Beyond Content

Our cohort-based model ensures active social learning — not a solo march through recorded videos. Participants work through risk scenarios, debate treatment decisions, and build risk registers alongside peers who bring perspectives from banking, insurance, defense, healthcare, and SaaS. You graduate having practiced CRISC-level enterprise risk thinking, not just read about it.

Beyond the Classroom

As an ISACA Accredited Training Organization (ATO), Divergence Academy delivers the official CRISC Review curriculum with instructors who hold CRISC and related ISACA credentials. You receive structured office hours, QAE coaching, exam strategy sessions, and application review support — guidance that extends past the final class into your exam date and beyond.

Beyond Certification

Divergence alumni span enterprise risk managers, IT risk officers, third-party risk leads, and GRC consultants — many working across the Defense Industrial Base, financial services, insurance, and Fortune 500 risk teams. The CRISC cohort plugs you into an active community of practitioners who continue sharing risk register templates, control catalogs, and board-reporting examples well after certification.

Beyond One Course

CRISC pairs naturally with CISA (audit perspective), CISM (management focus), and CDPSE (privacy engineering) for professionals building a full ISACA credential stack. Bundle pricing is available for the tri-cert (CISA + CISM + CRISC) pathway — ideal for GRC leaders building cross-domain authority. Ask about our ISACA tri-cert track.

Certified in Risk and Information Systems Control (CRISC) Prep

A cohort-based virtual live program that prepares you to pass the CRISC exam and operate as an enterprise IT risk professional. This course goes beyond exam recall into the risk judgment ISACA tests — how to build a risk register that aligns with appetite, quantify exposure in business terms, design proportionate controls, and report risk in language the board can act on. Includes ISACA official review materials, QAE database access, and the full four-domain curriculum mapped to the current CRISC Job Practice.

$3,495 Instructor-led
Virtual Live
$19 per Month (USD)
Join the Awesome Academy and get access to all courses.

Frequently Asked Questions (FAQs)

To sit for the CRISC exam, ISACA requires no prerequisites — anyone may take the exam. However, to earn the CRISC certification, you must document three (3) years of cumulative work experience managing IT risk and designing/implementing IS controls across at least two of the four CRISC domains, with at least one year of experience in Domain 1 (Governance) or Domain 2 (IT Risk Assessment), within the 10 years preceding application or within 5 years after passing the exam.

Note: Unlike CISA and CISM, CRISC experience cannot be waived — all three years must be documented. However, experience in a closely-related role (audit, security, IT governance, compliance) often counts, provided you performed IT risk-identification, assessment, or control-design tasks.

For this course, Divergence recommends (not requires):

  1. At least 2 years of IT, risk, audit, security, or compliance experience
  2. Familiarity with a risk or control framework (NIST, ISO 31000, COSO ERM, COBIT)
  3. Basic understanding of enterprise risk management concepts

Divergence Academy is an ISACA Accredited Training Organization (ATO) — you register directly with Divergence for the course, and separately with ISACA for the exam. Exam registration fees are paid to ISACA.

CISM is management-focused — it validates your ability to govern and run an information security program. CRISC is risk-focused — it validates your ability to identify, assess, respond to, and monitor IT risk across the enterprise, whether or not you sit inside the security function. CRISC holders often work in enterprise risk management, third-party risk, operational resilience, or IT risk committees where the scope extends beyond security into availability, integrity, resilience, and vendor concentration. Many GRC professionals hold both.

A CRISC-certified professional identifies and assesses IT risks across the enterprise, quantifies exposure in business terms, recommends risk responses (accept, mitigate, transfer, avoid), designs and monitors controls, tracks key risk and control indicators, and reports risk posture to senior management and the board. Typical titles include IT Risk Manager, Enterprise Risk Analyst, Third-Party Risk Manager, Operational Resilience Lead, GRC Consultant, and Chief Risk Officer (CRO).

The exam covers 150 questions across four job practice domains:

  1. Governance — organizational strategy, risk appetite, roles, and three lines model
  2. IT Risk Assessment — risk identification, analysis, and evaluation
  3. Risk Response and Reporting — treatment, control design, KRIs, communication
  4. Information Technology and Security — enterprise architecture, emerging tech, security controls

Virtual Live instructor-led, cohort-based. Sessions are delivered synchronously via Zoom with recordings available for review. Includes ISACA official CRISC Review Manual access, QAE database subscription, live domain deep-dives, and exam strategy sessions. Delivered by Divergence Academy as an ISACA Accredited Training Organization.

Course tuition: $3,495 — all-inclusive, paid to Divergence Academy. Includes:

  • ISACA official materials: one CRISC exam attempt, CRISC Review Manual, QAE (Questions, Answers & Explanations) database subscription, and ISACA Self-Study Online Review Course
  • ISACA Membership (one year) — unlocks the ISACA member network, free CPE opportunities, and discounted rates on any future exam retakes
  • Divergence Academy value-add: Access to our proprietary ISACA Governance Simulations platform — Socratic AI-driven 12-turn interview simulations that test risk judgment across all four CRISC domains, with 4-dimension scoring (priority, lens, evidence, boundary) and Mirror Moment blind-spot analysis. Not available anywhere else.

To maintain CRISC, you must earn and report a minimum of 120 CPE hours every three-year reporting cycle, with at least 20 CPEs annually. The CRISC Review course itself earns up to 14 CPEs (VILT) or 20 CPEs (online review). CRISC awards up to one hour of CPE for every one hour of instructor-led training.

You can still take and pass the exam — your CRISC certification simply remains pending until you document the required experience (within 5 years of passing). Many candidates use this window to take on IT risk, third-party risk, or control-design responsibilities, knowing the exam is already behind them. Divergence instructors can advise on documenting qualifying experience and identifying roles that accelerate eligibility.

AI in the flow of training

Train Smarter with the Simulator Platform

Mock assessments. Real-time feedback. Judgment under pressure — not just content recall.
