By: Hugh Shepherd
December 28, 2021
CISA vs. CRISC
The IT industry is saturated with an alphabet soup of professional certifications. There are credentials for everything: security, networking, privacy, governance, penetration testing, etc. There are numerous certificates to pursue, but only limited resources (e.g., time, money, and motivation) to earn them.
For individuals just entering IT or already mid-career, there has most likely come a time when the question arises, “Which certification should I earn?” or “Which certification is the better choice?”. Well, if the two certifications in question just happen to be the CISA and the CRISC (pronounced “see-risk”), then keep reading.
In this blog post, the CISA and CRISC certifications will be briefly examined and compared to identify the similarities and differences between them and the benefits of each. In addition, the most relevant target audience for each credential will be identified.
Overview of CISA and CRISC Certifications
The Certified Information Systems Auditor (CISA) and the Certified in Risk and Information Systems Control (CRISC) credentials are two of the more popular information security certifications in the Information Technology (IT) industry. Both certifications are offered by the Information Systems Audit and Control Association (ISACA), an IT governance professional association.
The CISA is one of the older certifications on the market. ISACA first introduced it in 1978 with the primary purpose of assessing the competencies of professionals who audit IT systems. Since then, it has evolved into a well-respected, globally recognized security-focused credential for those involved in performing governance, risk management, and compliance (GRC) audits of IT systems. Worldwide, there are over 151,000 CISA holders. The CISA certification is ANSI accredited under ISO/IEC 17024:2012. Also, the CISA has been formally approved by the U.S. Department of Defense as a certification that meets requirements for personnel working in the Technical Information Assurance job category.
Introduced in 2010, CRISC is one of the newer certifications available in the IT industry. ISACA developed it to provide a risk-focused credential for IT professionals involved in risk identification, assessment, and evaluation; risk monitoring and response; and the design, implementation, monitoring, and maintenance of security controls. Currently, there are over 30,000 CRISC holders globally. Like the CISA credential, this certification is ANSI accredited under ISO/IEC 17024:2012 as well.
As detailed in the “ISACA Certification Exams Candidate Guide,” CISA candidates are required to have five or more years of experience in IS/IT audit, control, assurance, or security. However, an experience waiver of up to three years is available. For CRISC candidates, the requirement to sit for the exam is only three (or more) years of experience in IT risk management and IS controls. However, experience waivers or substitutions are not available.
To maintain the credential, both require a minimum of 20 CPE hours every year and a minimum of 120 CPE hours for a three-year certification cycle.
About the Exams
Both exams are four hours long and comprise 150 multiple-choice questions. Both are computer-based and can be taken on-site at a test center or at home via online remote proctoring.
For the CISA exam, as listed in the ISACA Exam Preparation Guide, the domain topics and their respective weights are as follows:
- Domain 1 - Information System Auditing Process (21%)
- Domain 2 - Governance and Management of IT (17%)
- Domain 3 - Information Systems Acquisition, Development, and Implementation (12%)
- Domain 4 - Information Systems Operation and Business Resilience (23%)
- Domain 5 - Protection of Information Assets (27%)
Also listed in the Exam Preparation Guide, the CRISC exam domain topics and their respective weights are as follows:
- Domain 1 - Governance (26%)
- Domain 2 - IT Risk Assessment (20%)
- Domain 3 - Risk Response and Reporting (32%)
- Domain 4 - Information Technology and Security (22%)
A standard scale from 200 to 800 points is used for all ISACA certification exams. A score of 800 is a perfect score, and 200 is the lowest possible. A score of 450 or higher is required to pass. After passing, candidates must apply for the certification.
Comparison of CISA to CRISC
There are several similarities between the certifications. Both credentials focus on some of the same topic areas. From a cursory glance at the domain topics listed above, there is overlap in governance and in protecting/securing information technology assets. Both cover policies, legal/regulatory requirements, frameworks, business processes, enterprise architecture, and business continuity/disaster recovery. Other things the two certifications have in common include:
- ISACA provides both
- The exam costs $575 for ISACA members and $760 for non-members
- Credential validity period and maintenance requirements are the same
- Both are ANSI accredited under ISO/IEC 17024:2012
Some of the differences between the CISA and CRISC certifications include:
CISA:
- Primarily intended for professionals conducting Information System audits
- Entry-level to mid-career professionals
- Older (1978), well established
- Average salary USD 110,000 per year
- Job search results in 12,799 job descriptions
CRISC:
- Primarily intended for professionals focusing on enterprise IT risk management
- Mid-career professionals
- Newer (2010), not as well-recognized
- Average salary USD 114,000 per year
- Job search results in 3,217 job descriptions
Even though a head-to-head comparison of CISA to CRISC may seem like comparing apples to oranges, there is some value in doing so. Especially since there are many similarities and common topics between the two certifications, this exercise could be valuable for those considering which certificate is better for their situation.
Both certifications validate professional skills and competence in critical areas of the information security industry. However, the CISA has more name recognition and prestige than the newer CRISC. Nevertheless, the CRISC is quickly gaining traction in these areas. So, unless one is required for a particular job, the final decision comes down to individual preference and career path/goals.
If you participate in IT auditing, the CISA is the obvious certification to pursue. It is a niche certification for auditors and validates their IT technical knowledge amongst their peers. Furthermore, it is a certification that will get a “foot in the door” with Human Resources. The CISA is one of the “keyword” certs often used to weed out candidates.
If you are a security professional involved in enterprise risk management and implementing security controls, then the CRISC is the better option. It does not have as much name recognition, but it is still a well-respected credential to hold, and the demand is growing.
However, for those aspiring to more senior positions in information security, such as a Security Architect or CISO, holding both credentials may also provide some benefits.
Bottom line, both are excellent choices, and the credentials can complement each other. Furthermore, the knowledge gained from studying for either or both exams will spur professional growth and expertise in cyber security. If the resources of time, motivation, and money are available to earn both, go for it.
References
- Certified in Risk and Information Systems Control (CRISC)
- Certified Information Systems Auditor (CISA)
- CISA Exam Content Outline
- CRISC Exam Content Outline
- CISA Exam Planning Guide
- CRISC Exam Planning Guide
- Exam Candidate Information Guide
- Information Systems Audit and Control Association (ISACA)
- What Is CRISC Certification? Everything You Need to Know