INFORMATION SYSTEMS CONTROL
(CRISC) EXAM | Q&A WITH
RATIONALES
1. What is the primary purpose of the Certified
in Risk and Information Systems Control
(CRISC) certification?
A) To validate entry-level technical security
skills
B) To validate expertise in identifying and
managing enterprise IT risk and implementing
information system controls
C) To certify expertise in network routing and
switching
D) To validate secure software development
skills
Correct answer: B
Rationale: CRISC validates expertise in
identifying and managing enterprise IT risk,
demonstrating proficiency in designing and
,implementing risk-based information systems
controls that align IT risk management with
broader business objectives .
2. Which organization administers the CRISC
certification?
A) CompTIA
B) (ISC)²
C) ISACA
D) GIAC
Correct answer: C
Rationale: The Certified in Risk and Information
Systems Control (CRISC) certification is
granted and administered by ISACA
(Information Systems Audit and Control
Association) .
3. How many questions are on the CRISC exam
and what is the time limit?
A) 125 questions, 3 hours
B) 150 questions, 4 hours
,C) 150 questions, 3 hours
D) 200 questions, 4 hours
Correct answer: B
Rationale: The CRISC exam consists of 150
multiple-choice questions that must be
completed within a 4-hour timeframe .
4. What is the minimum work experience
requirement for full CRISC certification?
A) 2 years
B) 3 years
C) 5 years
D) 7 years
Correct answer: B
Rationale: Candidates must have a minimum of
three years of cumulative work experience in IT
risk management, information systems control,
or related governance roles .
5. What is the passing score for the CRISC
exam?
, A) 650 out of 1000 points
B) 700 out of 1000 points
C) 450 out of 800 points
D) 750 out of 1000 points
Correct answer: C
Rationale: The CRISC exam uses a scaled
scoring system from 200 to 800, with a minimum
passing score of 450 .
6. Which of the following is NOT one of the four
domains covered by the CRISC exam?
A) Governance
B) IT Risk Assessment
C) Security Architecture and Engineering
D) Risk Response and Reporting
Correct answer: C
Rationale: The four CRISC domains are
Governance, IT Risk Assessment, Risk
Response and Reporting, and Information
Technology and Security .