How To Pass CRISC Exam Easily

Ben Pournader
3 min readJul 29, 2018


Surveys of IT leaders find that security certifications are increasingly important in today’s enterprise environments. The two most popular certification issuers that are recognized widely in infosec industry are ISC2 (which issues CISSP, CCSP, SSCP, …) and ISACA (which is famous for its CISA, CISM and CRISC). Both are independent nonprofits and they call themselves vendor-neutral.

If you pass the CRISC exam, you will prove you are an expert in how to challenge both IT and enterprise risk management. Being certified in CRISC may help your organization on how to implement and align effective risk management and control frameworks and to be able to make risk-aware decisions in order to maintain or attain their competitiveness. But if you want to maximize your ROI, try CISA or CISM (or both) first as they are much more recognized in Information Security world and all 3 require kind of the same investment of time. I followed the same path, got my CISA in 2016, CISM in 2017 and now CRISC. All three certificates (CISA, CISM and CRISC) demonstrate an understanding of both technology and business but the weight of business side of them is higher.

Last month I passed CRISC easily and this is the result:

A scaled score of 450 or higher is required to pass, which represents the minimum consistent standard of knowledge as established by ISACA’s CRISC Certification Working Group. We are pleased to inform you that you successfully PASSED the exam with a total scaled score of 558. For your information, your exam results by area are provided below.


IT Risk Identification 567

IT Risk Assessment 612

Risk Response and Mitigation 567

Risk and Control Monitoring and Reporting 468

These are my recommendations to you to pass the exam easily:

  1. You’ll have to pace yourself in the exam. During the exam, make sure you keep an eye on the clock, it will be shown at the top of the monitor throughout the exam. You have 4 hours which is plenty of time to answer the questions. I finished it in less than 2 hours and most of questions are not long. However, try not to waste your time on questions you can’t answer easily. Leave them and come back later.
  2. You don’t have to pay for CRISC certification preparation
  3. Make the most of ISACA glossary on ISACA website. Spend two to three hours on this page and make a note when you see a new term. These are some terms that you have to be aware of: Inherent risk, Current risk, Residual risk, Relevance risk, Control Risk, Risk Scenarios, Control Self-Assessment, Opportunity Cost, Delphi Technique, Risk Register, Risk Profile, Risk Heat Map, Annualized Loss Expectancy, Annual Rate of Occurrence, Single Loss Expectancy, BCP, DRP, Business Impact Analysis, Maximum Tolerable Downtime, Recovery Time Objective, Work Recovery Time, Mean Time Between Failure, Mean Time To Repair, Min Operating Requirements, Cold Site, Warm Site, Hot Site, Key Risk Indicator, Key Performance Indicator, Capability Models, Maturity Models, Risk Response, Role-based Access, Acceptable Use Policy, RACI, Threat Analysis, Vulnerability, Attack Vector, Pharming Attack, Compliance Testing, Countermeasure, Countermeasure Analysis, Peer Review, Risk Aggregation, Risk Action Plan, Bow Tie Analysis and lot more
  4. Your personal experience isn’t always the correct answer if you are an experienced risk practitioner or IT professional. It can be tempting to refer to your personal experience when taking the exam, but you’re going to need to take the word of ISACA as law. If you have a wealth of personal knowledge and experience, it would be good for you but the exam is designed to test your knowledge of ISACA’s logic.
  5. Practice the exam. Learn the ISACA language by practicing the latest version of CRISC Review Questions, Answers & Explanations, and do not use any other source. Most of them are not useful as they are not familiar with ISACA way of thinking.
  6. I wasted my time reading CRISC Review Manual, 6th Edition. Do not do that! Review “CRISC Review Questions, Answers & Explanations” twice, read the explanations carefully and make sure that you got the logic behind the ISACA justification for each and every answer.
  7. Self-study is almost the best option for me but it is not the only option. Different methods work for different people. I found this video training very useful but bear in mind that she does not cover all aspects of CRISC exam. Use it as a starter.



Ben Pournader

Information Security Expert, Cyber Security Engineer, Blogger, Mentor, PCI SME, CISM, CGEIT, CISA, CRISC, RHCSA, MCSE, CCNA, MBA, PMP, CLSSGB