1. Pass the CRISC exam
2. Adhere to the CRISC Code of Professional Ethics
3. Demonstrate the required minimum work experience

As noted, CRISC is intended as a relatively high-level cert; as such its holders must demonstrate real-world experience. To be certified, you must have at least three years of work experience performing tasks involved in two of the four domains covered by the exam, with one of those domains being either governance or IT risk assessment.

To ensure you’re relatively current on industry trends, you must have accrued this experience within the past 10 years prior to applying for the credential. But if you don’t have this experience and are itching to take the exam, that’s OK: You have up to five years after you pass the test to complete the required work experience.

Once your CRISC application has been accepted, you need to adhere to ISACA’s Continuing Professional Education (CPE) program to maintain it. That means taking at least 120 hours of CPE training over each three-year reporting period after you’ve attained the credential. For more information on how you can meet this requirement, download the CRISC CPE Policy from ISACA.