Application for CRISC Certification: For Individuals Who Passed a CRISC Exam Administered in 2015 and Later


Application for CRISC Certification

For individuals who passed a CRISC exam administered in 2015 and Later

Requirements to Become Certified in Risk and Information Systems Control


To become Certified in Risk and Information Systems Control (CRISC), an applicant must:
1. Obtain a passing score on the CRISC exam. If the applicant does not apply or meet the CRISC
certification requirements within five years after passing the CRISC exam, the passing score will be
voided and the applicant will be required to re-pass the exam.
2. Submit verified evidence of three years working experience in IT risk and information systems control.
This experience must be earned in at least two domains, one of which must be in either domain 1 or 2.
Work experience must be gained within the ten-year period preceding the application submission date for
certification. There are no substitutions or experience waivers.
3. Submit payment for the CRISC application processing fee of US $50 online at www.isaca.org/criscpay.
4. Agree to abide by the ISACA Code of Professional Ethics, which can be viewed at www.isaca.org/ethics.
5. Agree to abide by the CRISC Continuing Professional Education Policy, which can be viewed at
www.isaca.org/crisccpepolicy.

Instructions for Completing Your Application for CRISC Certification


Carefully follow the instructions to complete your application. Be sure to complete all appropriate sections and
sign your application. Incomplete or unsigned applications will stall the review process. You have the option to
print and handwrite the application or complete the application digitally.

FILLABLE PDF INSTRUCTIONS


1. To fill out the PDF, you will need Adobe Reader (version 8.0 or greater) installed. You can download it
here for free:
https://acrobat.adobe.com/us/en/acrobat/pdf-reader.html
2. Select the selection tool from the Acrobat toolbar menu. Position the pointer inside a form field and
click. This will allow you to enter text or check a box/radio button.
3. Enter in the required information in the fillable PDF form fields. (See instructions below)
4. Sign page A-1 and V-1 using an E-Signature.
5. Email your verifier(s) the form.
6. Have your verifier(s) sign page V-1 using an E-Signature.
You may also print out the form and handwrite the signatures and dates if needed.

HANDWRITTEN INSTRUCTIONS
1. Print and complete the application.
2. Sign and date page A-1 and V-1 using a handwritten signature.
3. Have your verifier(s) sign and date page V-1 using a handwritten signature.
4. Scan the form back into a computer.

Application for CRISC Certification
Exam Passers 2015 and Later
Application Instructions
Work Experience Form (Pages A-1 & A-2)
APPLICATION PAGE A-1
Section A—Information Security Management Experience
For each employer (starting with the most current), enter the following information:
1. Company Name. Enter the name of the company where CRISC tasks were performed. Use one
assessment box for each employer.
2. CRISC Domain Work Experience. For each domain in which you earned experience, enter the period of
time (in the From MM/YY and To MM/YY boxes) that you performed tasks within the domain (see page V-2
for domains and task statements), and the years/months of experience that you are claiming with this
employer. Do not leave dates blank. If currently employed, include a date or current, now, present, etc. To
qualify you need 3 years of cumulative experience across a minimum of 2 domains, one of which must be
in either domain 1 or 2.
3. Total. Do not add column figures; your total experience is the actual ‘length of time’ working in all the
domains. Total years/months of experience cannot exceed the total length of employment with this
company.
Repeat these steps for each employer for which you are claiming CRISC experience.
If you are using more than 3 employers, please print out additional copies of page A-1.

Example: If in 2011 and 2012, you worked the entire year in domains 1 and 2 with this company and in 2013 you
only worked in domain 4 for the entire year for an employer, you would enter:

In the example above your total length of time in all the domains is 3 years (2011-2013) NOT column total of 5
years.

APPLICATION PAGE A-2


Section B—Verifier Information
1. For each company listed in Section A, enter the company name, verifier name, verifier job title, business
phone number and email address.
2. Read and review the acknowledgement.
3. Print and sign Applicant’s name with a hand-written or certificate-based signature and enter date on form
at bottom of page. Signatures cut and pasted into the document or keyboard typed in are NOT
acceptable.

Verification of Work Experience Form (Pages V-1 & V-2)
The applicant is required to have their work experience claimed verified by a person qualified to do so.
If you need more than one verifier, you may complete or print additional copies of pages V-1 & V-2.

Who can perform this role?


A verifier should be the applicant’s immediate supervisor or a person of higher rank within their organization. If
one person cannot verify all required experience for you to become a CRISC, previous employers must be asked
to complete this form. If they can, it is permissible for one verifier to verify all of the applicant’s work experience. If
the applicant is no longer in contact with their former supervisors/managers, they may have a colleague that has
knowledge of their work from that company verify that work experience. If you currently or once worked as an
independent consultant, you can use a knowledgeable client or a person certified as a CRISC to perform this role.

Who can’t perform this role?


The individual verifying the applicant’s work experience should not be of any relation to the applicant, nor can the
applicant verify their own work. Human Resource (HR) verifications for work experience are not acceptable unless
the applicant reports directly to the HR function. Letters of Employment are not acceptable as verification for your
work experience.

APPLICANT TASKS PAGE V-1


• The applicant must sign and date the top portion of the page.

APPLICANT TASKS PAGE V-2


• The applicant must check the boxes on page V-2 in the job practice areas that indicate the tasks they
have performed to be verified.

VERIFIER TASKS PAGE V-1


• Please have the verifier fill in their contact details and answer all 6 questions pertaining to the working
experience.
• Make sure to list the companies being attested to above Question 1, below the Contact Information.
• It is suggested that the applicant reviews the task statements checked on page V-2 with the verifier.
• The verifier must sign and date the page on the bottom line.

Instructions for Submitting Your Application for CRISC Certification
For your application to be efficiently processed, please collect all verification of work experience form(s)
and submit your completed Application for CRISC Certification online at: https://support.isaca.org
Topic: Certifications & Certificate Programs Category: Application Process
Please allow approximately two weeks for the processing of your completed Application for CRISC Certification.
Verification forms may be subject to an audit and verifiers may be contacted to confirm their completion and
verification of the work experience form that they signed.
Upon approval, you will be notified by an email sent to the email address indicated in your ISACA profile. You will
also be sent a certificate package via mail to the address listed in your ISACA profile containing a letter of
certification, a CRISC pin and your CRISC certificate.

Frequently Missed Items


Incomplete applications can stall the review process and thus, stall how soon you can become certified. To
ensure you submit a complete application, we have provided a list of items that are frequently missed below:
• Applicant has signed/dated pages A-2 and V-1 of the application and each verifier has signed/dated their
respective page V-1.
• Applicant and verification signatures on forms must be Certificate-Based Signatures or handwritten.
Signatures copied and pasted into the documents or typed in are not acceptable.
• On page A-1, please do not leave dates of employment blank. If currently employed, include a date or
current, now, present, etc.
• Employment dates do not overlap in any section on page A-1.
• The work experience used in your application must be gained within the ten-year period preceding the
application date for certification or within 5 years from the date of initially passing the exam.
• Check to confirm that the verifier listed the companies they are verifying on page V-1.
• USD $50 application processing fee has been paid online at www.isaca.org/criscpay.

Follow Your Application Progress


Once you submit your application, you can follow the progress online at:
www.isaca.org/myisaca/pages/mycertifications.aspx

If Status Shows: / Explanation:

• Application Link and Last Date to Apply for Certification: Application has not been received or logged into the record.

• Complete Under Review: Application is going through the review process. An email message will be sent if any
additional information/documents are needed to complete your application.

• Complete Pending Audit: Application was selected for a random verifier audit and ISACA is awaiting response
from the verifier.

• Incomplete: The application is incomplete or has missing documents. An email message is sent to the applicant
with details on the incomplete or missing items.

• Approved: Application has been tentatively approved and will be certified in the next grouping or certifying
batch for that certification unless selected for the random verification audit.

Page A-1
Applicant Information
Applicant Name_ __________________________________________________________________________ ISACA ID#_ ________________________

Maiden Name or Former Name(s) _______________________________________________________________________________________________

Email address___________________________________________________Phone number__________________________________________________

Section 1—Employment History


CRISC certification requires 3 years of cumulative experience across a minimum of 2 domains, one of which must be in either domain 1
or 2. Your CRISC work experience must be gained within the ten year period preceding the application date for certification or within 5
years from the date of initially passing the exam. Work experience greater than 10 years cannot be claimed on your application. Do not
leave dates blank. If currently employed, include a date or current, now, present, etc.

Box 1. COMPANY NAME

CRISC Domain Work Experience | From MM/YY | To MM/YY | YEARS | MONTHS
Domain 1 (RI)
Domain 2 (RA)
Domain 3 (RRM)
Domain 4 (RCMR)
TOTAL*

For each CRISC domain in which you earned experience, enter the period of time (in the From MM/YY and To MM/YY
boxes) you performed the tasks (see V-2 for domains and task statements), and the years/months of experience that
you are claiming with this employer. See instructions for an example.

* Total: Do not add column figures; your total experience is the ‘length of time’ in all the domains. Total
years/months of experience cannot exceed the total length of employment with this employer.

Box 2. COMPANY NAME

CRISC Domain Work Experience | From MM/YY | To MM/YY | YEARS | MONTHS
Domain 1 (RI)
Domain 2 (RA)
Domain 3 (RRM)
Domain 4 (RCMR)
TOTAL*

For each CRISC domain in which you earned experience, enter the period of time (in the From MM/YY and To MM/YY
boxes) you performed the tasks (see V-2 for domains and task statements), and the years/months of experience that
you are claiming with this employer. See instructions for an example.

* Total: Do not add column figures; your total experience is the ‘length of time’ in all the domains. Total
years/months of experience cannot exceed the total length of employment with this employer.

Box 3. COMPANY NAME

CRISC Domain Work Experience | From MM/YY | To MM/YY | YEARS | MONTHS
Domain 1 (RI)
Domain 2 (RA)
Domain 3 (RRM)
Domain 4 (RCMR)
TOTAL*

For each CRISC domain in which you earned experience, enter the period of time (in the From MM/YY and To MM/YY
boxes) you performed the tasks (see V-2 for domains and task statements), and the years/months of experience that
you are claiming with this employer. See instructions for an example.

* Total: Do not add column figures; your total experience is the ‘length of time’ in all the domains. Total
years/months of experience cannot exceed the total length of employment with this employer.

Section 2—Employment Summary YEARS MONTHS

TOTAL CRISC overall domain related experience: Must be 3 or more years of cumulative experience across 2 CRISC domains, one
of which must be in either domain 1 or 2.

Page A-2
Applicant Information
Applicant Name_ __________________________________________________________________________ ISACA ID#_ ________________________

Email address___________________________________________________Phone number__________________________________________________

Section 3—Verifier Information


Person(s) you have requested to verify your work experience (a work experience verification form, pages V-1 and V-2, must be submitted for each
person listed below):

1) Employer (Company) Name_________________________________________________________________________________________________

Verifier Name______________________________________________________________________________________________________________

Verifier Job Title_ __________________________________________________________________________________________________________

E-mail Address___________________________________________________________ Business Phone_____________________________________

2) Employer (Company) Name_________________________________________________________________________________________________

Verifier Name______________________________________________________________________________________________________________

Verifier Job Title_ __________________________________________________________________________________________________________

E-mail Address___________________________________________________________ Business Phone_____________________________________

3) Employer (Company) Name_________________________________________________________________________________________________


Verifier Name______________________________________________________________________________________________________________

Verifier Job Title_ __________________________________________________________________________________________________________

E-mail Address___________________________________________________________ Business Phone_____________________________________

I hereby apply to Information Systems Audit and Control Association, Inc. (ISACA) for the Certified in Risk and Information Systems Control (CRISC) certification in accordance with and subject to the procedures and policies of ISACA. I have read and agree to the conditions set forth in the Application for Certification and the Continuing Professional Education (CPE) Policy in effect at the time of my application, covering the Certification process and CPE policy.

I agree: to provide proof of meeting the eligibility requirements; to permit ISACA to ask for clarification or further verification of all information submitted pursuant to the Application, including but not limited to directly contacting any verifying professional to confirm the information submitted; to comply with the requirements to attain and maintain the certification, including eligibility requirements carrying out the tasks of a CRISC, compliance with ISACA’s Code of Ethics, the fulfillment of renewal requirements; to notify the ISACA certification department promptly if I am unable to comply with the certification requirements; to carry out the tasks of a CRISC; to make claims regarding certification only with respect to the scope for which certification has been granted; and not use the CRISC certificate or logos or marks in a misleading manner or contrary to ISACA guidelines. I understand and agree that my Certification application will be denied and any credential granted me by ISACA will be revoked and forfeited in the event that any of the statements or answers provided by me in this Application are false or in the event that I violate any of the examination rules or certification requirements. I understand that all certificates are owned by ISACA and if my certificate is granted and then revoked, I will destroy the certificate, discontinue its use and retract all claims of my entitlement to the Certification. I authorize ISACA to make any and all inquiries and investigations it deems necessary to verify my credentials and my professional standing. I acknowledge that if I am granted the Certification, my certification status will become public, and may be disclosed by ISACA to third parties who inquire. If my application is not approved, I understand that I am able to appeal the decision by contacting [email protected]. Appeals undertaken by a Certification exam taker, Certification applicant or by a certified individual are undertaken at the discretion and cost of the examinee or applicant.

By signing below, I authorize ISACA to disclose my Certification status. This contact information will be used to fulfill my Certification inquiries and requests. By signing below, I authorize ISACA to contact me at the address and numbers provided and that the information I provided is my own and is accurate. I authorize ISACA to release confidential Certification application and certification information if required by law or as described in ISACA’s Privacy Policy. To learn more about how we use the information you have provided on this form, please read our Privacy Policy, available at www.isaca.org/privacy.

I hereby agree to hold ISACA, its officers, directors, examiners, employees, agents and those of its supporting organizations harmless from any complaint, claim, or damage arising out of any action or omission by any of them in connection with this Application; the application process; the failure to issue me any certificate; or any demand for forfeiture or redelivery of such certificate. Notwithstanding the above, I understand and agree that any action arising out of, or pertaining to this application must be brought in the Circuit Court of Cook County, Illinois, USA, and shall be governed by the laws of the State of Illinois, USA.

I UNDERSTAND THAT THE DECISION AS TO WHETHER I QUALIFY FOR CERTIFICATION RESTS SOLELY AND EXCLUSIVELY WITH ISACA AND THAT THE DECISION OF ISACA IS FINAL.

I HAVE READ AND UNDERSTAND THESE STATEMENTS AND I INTEND TO BE LEGALLY BOUND BY THEM.

Name

Signature & Date

(For your application to be complete you must include your name, signature and date above.)

Page V-1
Verification of Work Experience Form (page 1 of 2)
Applicant Name_ __________________________________________________________________________ ISACA ID#_ ________________________

E-mail address___________________________________________________Phone number__________________________________________________

Section 4—Request for Work Experience Verification


I, ___________________________________________________, am applying for the Certified in Risk and Information Systems Control (CRISC)
(Applicant Printed Name)

certification. As such, my work experience in identifying, assessing, mitigating and responding to risk, and monitoring and reporting on risk and control
must be independently verified by individuals knowledgeable of my work experience (current or previous employer). The individual verifying the work
experience must be an independent verifier and not of any relation to the applicant nor can the applicant verify his/her own work. If I currently or once
worked as an independent consultant, I can use a knowledgeable client or colleague to perform this role.

Please verify my IT risk and/or IS control-related experience as noted on my attached application form, and as described by the CRISC job practice
domains and task statements (see page V-2). Please return the completed form to me for my submission to ISACA. If you have any questions
concerning this form, please direct them to support.isaca.org or call +1.847.660.5660. Thank you.

____________________________________________________________________________________
Applicant Signature Date

Section 5—Verification of Work Experience


Verifier Name:_ ______________________________________________________________________________________________________________

Professional Title: ____________________________________________________________________________________________________________

Company Name_ _____________________________________________________________________________________________________________

Address_____________________________________________________________________________________________________________________
Street
___________________________________________________________________________________________________________________________
City State/Province/Country Postal Code

Verifier E-mail:____________________________________________ Verifier Telephone Number:____________________________________________

I am attesting to the employment experience listed in Section 1—Employment History. Enter box number (Box 1, Box 2, etc) or employer
(company) name. List all that apply to this verification.
________________________________________________________________________________________________________________________

1. I have functioned in a supervisory or other related position to the applicant and can verify his/her work experience
(Section 1 of the application). Yes / No
If no, identify why you are able to verify. ________________________________________________________________________________________
2. I can attest to the duration of the applicant’s work experience on this application with my organization. Yes / No / N/A
If no, I attest to experience from _________ to _________.
3. I can attest to the duration of the applicant’s work experience on this application prior to his/her affiliation
with my organization. Yes / No / N/A
4. I can attest that the tasks performed by the applicant, as checked on the verification form page V-2,
are correct to the best of my knowledge. Yes / No
5. I can attest to the fact that the applicant is competent in performing the tasks as checked on the verification
form page V-2. Yes / No
6. Is there any reason you believe this applicant SHOULD NOT be Certified in Risk and Information Systems
Control by ISACA? Yes / No

________________________________________________________________________________________________________________
Verifier Signature Date

Page V-2
Verification of Work Experience Form (page 2 of 2)

Applicant Name_ __________________________________________________________________________ ISACA ID#_ ________________________

Verifier Name________________________________________________________________________________________________________________

CRISC job practice domains and task statements


Applicants are required to checkmark ( or ) in each box the tasks they performed to be confirmed by the verifier. For each task checked off, the
corresponding domain should be referenced in Section 1—Employment History.

Domain 1: IT Risk Identification


Identify the universe of IT risk to contribute to the execution of the IT risk management strategy in support of business objectives and in alignment with
the enterprise risk management (ERM) strategy.
Collect and review information, including existing documentation, regarding the organization’s internal and external business and IT environments to identify
potential or realized impacts of IT risk to the organization’s business objectives and operations.
Identify potential threats and vulnerabilities to the organization’s people, processes and technology to enable IT risk analysis.
Develop a comprehensive set of IT risk scenarios based on available information to determine the potential impact to business objectives and operations.
Identify key stakeholders for IT risk scenarios to help establish accountability.
Establish an IT risk register to help ensure that identified IT risk scenarios are accounted for and incorporated into the enterprisewide risk profile.
Identify risk appetite and tolerance defined by senior leadership and key stakeholders to ensure alignment with business objectives.
Collaborate in the development of a risk awareness program, and conduct training to ensure that stakeholders understand risk and to promote a
risk-aware culture.

Domain 2: IT Risk Assessment


Analyze and evaluate IT risk to determine the likelihood and impact on business objectives to enable risk-based decision making.
Analyze risk scenarios based on organizational criteria (e.g., organizational structure, policies, standards, technology, architecture, controls) to determine the
likelihood and impact of an identified risk.
Identify the current state of existing controls and evaluate their effectiveness for IT risk mitigation.
Review the results of risk and control analysis to assess any gaps between current and desired states of the IT risk environment.
Ensure that risk ownership is assigned at the appropriate level to establish clear lines of accountability.
Communicate the results of risk assessments to senior management and appropriate stakeholders to enable risk-based decision making.
Update the risk register with the results of the risk assessment.

Domain 3: Risk Response and Mitigation


Determine risk response options and evaluate their efficiency and effectiveness to manage risk in alignment with business objectives.
Consult with risk owners to select and align recommended risk responses with business objectives and enable informed risk decisions.
Consult with, or assist, risk owners on the development of risk action plans to ensure that plans include key elements (e.g., response, cost, target date).
Consult on the design and implementation or adjustment of mitigating controls to ensure that the risk is managed to an acceptable level.
Ensure that control ownership is assigned to establish clear lines of accountability.
Assist control owners in developing control procedures and documentation to enable efficient and effective control execution.
Update the risk register to reflect changes in risk and management’s risk response.
Validate that risk responses have been executed according to the risk action plans.

Domain 4: Risk and Control Monitoring and Reporting


Continuously monitor and report on IT risk and controls to relevant stakeholders to ensure the continued efficiency and effectiveness of the IT risk
management strategy and its alignment to business objectives.
Define and establish key risk indicators (KRIs) and thresholds based on available data, to enable monitoring of changes in risk.
Monitor and analyze key risk indicators (KRIs) to identify changes or trends in the IT risk profile.
Report on changes or trends related to the IT risk profile to assist management and relevant stakeholders in decision making.
Facilitate the identification of metrics and key performance indicators (KPIs) to enable the measurement of control performance.
Monitor and analyze key performance indicators (KPIs) to identify changes or trends related to the control environment and determine the efficiency and
effectiveness of controls.
Review the results of control assessments to determine the effectiveness of the control environment.
Report on the performance of, changes to, or trends in the overall risk profile and control environment to relevant stakeholders to enable decision making.
