Yes, CRISC expires every 3 years. You must earn 120 CPE hours (minimum 20 per year) and pay the annual maintenance fee of $85 (ISACA members) or $185 (non-members).

Does CRISC Expire? Complete Renewal & CPE Guide 2026

Q: How many CPE hours does CRISC require?

CRISC requires 120 CPE hours over each 3-year cycle with a minimum of 20 hours per year. Activities must relate to IT risk management, governance, or information security.

Q: What happens if my CRISC certification lapses?

If CRISC lapses, you lose the right to use the designation. ISACA may allow reinstatement within a limited window. Otherwise, you must retake the exam and meet experience requirements again.

Yes, the Certified in Risk and Information Systems Control (CRISC) certification expires every 3 years. Like all ISACA certifications, CRISC requires 120 CPE hours per certification cycle, a minimum of 20 CPE hours annually, and payment of the annual maintenance fee. IT risk professionals must plan their continuing education throughout each cycle to keep their credential active.

Cycle

3 Years

CPE Hours

120

Annual Min.

20 Hrs

Member Fee

$85/yr

CRISC Renewal Requirements

CRISC covers four domains: IT Risk Identification, IT Risk Assessment, Risk Response and Reporting, and Information Technology and Security. As enterprise risk management practices evolve with new technologies, regulatory changes, and emerging threats, ISACA requires CRISC holders to demonstrate ongoing professional development in these areas.

CPE activities must relate to IT risk management, information security, governance, or related disciplines. ISACA provides flexibility in how you earn CPE hours, accepting everything from formal training courses to self-study, teaching, publishing, and professional contributions. Each CPE hour must be documented and is subject to potential audit by ISACA.

The 20-hour annual minimum ensures consistent engagement with professional development. Most IT risk professionals exceed this through their regular work activities—attending risk committee meetings, participating in framework implementations, and staying current with regulatory changes can all generate CPE-eligible activities.

How to Earn CRISC CPE Hours

Risk management conferences: ISACA conferences, RSA, FAIR Conference, and GRC-focused events offer 15-30+ CPE hours each.
Framework training: COBIT, NIST RMF, ISO 31000, and FAIR model training directly supports CRISC domains and earns significant CPE hours.
Professional certifications: Earning CISM, CISA, CISSP, or other risk-related certifications provides CPE credit toward CRISC renewal.
Online courses: ISACA's online learning platform, Coursera GRC courses, and vendor-specific risk management training all qualify.
Self-study: Reading risk management publications, ISACA Journal articles, and industry reports earns CPE hours with proper documentation.
Teaching and mentoring: Developing risk management training programs, mentoring junior risk professionals, or presenting at industry events.
Contributing to standards: Participating in ISACA working groups, risk framework development, or industry best practices committees.

CRISC vs Other Risk Certifications: Renewal Comparison

Certification	Cycle	CE Required	Annual Fee
CRISC	3 years	120 CPE hours	$85
CISM	3 years	120 CPE hours	$85
CISSP	3 years	120 CPE credits	$125
CompTIA Security+	3 years	50 CEUs	$50/yr

What Happens If CRISC Lapses

If you don't meet CPE or fee requirements, ISACA revokes your CRISC certification. You cannot use the CRISC designation professionally until you either reinstate (within a limited ISACA-defined window) or retake and pass the full exam. The CRISC exam consists of 150 questions over 4 hours with a passing score of 450 out of 800.

Recertification also requires meeting the work experience requirement again—a minimum of 3 years in IT risk management and IS control, with at least 1 year in two of the four CRISC domains. Maintaining through CPEs is significantly easier than starting over.

Pro Tips for Efficient CRISC Renewal

If you hold multiple ISACA certifications, strategically choose CPE activities that qualify for several credentials simultaneously. Risk management conferences and GRC training often count toward CRISC, CISM, and CISA. Document each activity thoroughly, noting which domains it covers and retaining certificates of completion.

Consider joining your local ISACA chapter. Chapter meetings typically offer 1-2 CPE hours per event, and most chapters host monthly events. Over a year, regular attendance alone can generate 12-24 CPE hours while also expanding your professional network in the GRC community.

Frequently Asked Questions

Does CRISC expire?

Yes, CRISC expires every 3 years. Renewal requires 120 CPE hours (20/year minimum) and the $85 annual maintenance fee for ISACA members ($185 for non-members).

How many CPE hours does CRISC require?

120 CPE hours over 3 years, minimum 20 per year. Activities must relate to IT risk management, governance, or information security.

What happens if my CRISC certification lapses?

You lose the CRISC designation. ISACA may allow a limited reinstatement window. After that, you must retake the 150-question exam and meet experience requirements.

Practice CRISC Questions for CPE Credits

Self-study with practice questions counts toward your CPE hours.

Start Free CRISC Practice Test →

Related Resources

What is CRISC? How to Pass CRISC CRISC Exam Questions Does CISM Expire? Does CISA Expire?