ISACA Updates CRISC Exam Domains: Key Changes Explained

ISACA, formerly known as the Information Systems Audit and Control Association, has recently introduced updates to its Certified in Risk and Information Systems Control (CRISC) exam to bring it in line with today’s risk and technology practices.
ISACA has updated this key certification to stay in step with real-world demands, just as it did with the Certified Data Privacy Solutions Engineer (CDPSE) exam. So what do those changes mean? Here's what you need to know, including when the updates go into effect and why these changes matter.
What’s Changing in the CRISC Exam?
The CRISC exam still covers four domains: Governance, Risk Assessment, Risk Response and Reporting, and Technology and Security. However, there are changes in the distribution of the exam content as follows:
The Governance domain now takes up 26 percent of the test.
Risk Assessment moves up to 22 percent.
Risk Response and Reporting stays at 32 percent.
Technology and Security is down to 20 percent.
With these changes, there’s more weight placed on the Risk Assessment and Risk Response and Reporting domains, while the Technology and Security domain is given less emphasis.
Looking to refresh your CRISC credentials? CBT Nuggets offers CRISC Online Training to help you prepare for the exam.
Updated Materials and Timeline
While new CRISC study materials are now available online, the updated exam itself will be launched on November 3, 2025. Updated study materials launched in early September.
Within this timeline, ISACA will remove the older prep resources once the new materials go live, so you should move to the updated manuals, QAE Database, and online review courses before taking the test. You can access study materials in these languages: Japanese, Korean, Spanish, and English.
Why the Update Matters
CRISC is one of ISACA’s key training courses and is a necessary certification if you often handle risk in both IT and business settings. Because of this role, changing the domain weights shows how risk assessment and reporting have become more important with cloud computing growth and supply chain security concerns. As a result, the new focus is an indicator of what companies now look for and how you should prepare.
Who Should Take the CRISC Exam
The CRISC certification is designed for IT and business professionals who deal with risk management on a daily basis. It’s especially valuable for risk and compliance managers, IT auditors, security professionals, project managers, and anyone responsible for identifying, assessing, and responding to organizational risk. If your role involves bridging the gap between technical teams and business leaders—or if you’re looking to move into a governance, risk, and compliance (GRC) role—CRISC can give you the credibility and practical skills employers are seeking.
Next Steps for IT Pros
Ready to learn more about ISACA and the CRISC Exam? Continue your ISACA certification training with these CBT Nuggets courses: ISACA Cybersecurity Fundamentals, ISACA Software Development Fundamentals, and ISACA CISM – Certified Information Security Manager.
Reinforce your technical edge. Start training with CBT Nuggets’ wide range of courses today.