The senior IT-risk credential from ISACA — enterprise risk identification, assessment, response and monitoring. The cert most often required for risk leadership roles in MY banking and BNM-regulated industries.
Duration: 4 days / 32 hrs
Format: Instructor-Led + Risk Labs
Delivery: On-site · Virtual · Hybrid
Pass rate: 92%
Next intake: 12 May 2026
IT-risk fluency: identify, assess, respond to and monitor enterprise IT risk
Governance integration: risk appetite, tolerance, KRIs and reporting to the board
Frameworks: COBIT 2019, ISO 31000, NIST RMF, BNM RMiT mapped
Control design: preventive, detective, corrective — design and effectiveness
What this course is
Where IT risk stops being a spreadsheet.
CRISC is ISACA's senior IT-risk credential. It is the cert most often required for IT-risk-officer, risk-and-controls and IT-GRC roles in MY banking, insurance, capital markets and BNM-regulated industries. CRISC is the credential BNM examiners recognise.
At Nexperts, CRISC is delivered as a 4-day intensive that walks through the four exam domains using real-world MY case studies — banking, telco, e-commerce, healthcare. By day 4 you've assessed risk on six scenarios, built KRIs, and defended risk-response decisions to a simulated risk committee.
CRISC is the credential that gets the IT-risk-officer chair at the table. CISA tells you what went wrong; CRISC tells you what could go wrong and what you'll do about it. In MY banking, CRISC is increasingly mandated for second-line risk roles.
The 2021+ CRISC update sharpened the focus on enterprise governance, IT-risk appetite/tolerance, and the integration with NIST CSF and ISO 31000. We map every control conversation to BNM RMiT, MAS-TRM and PDPA where relevant.
Who should take this course
IT-risk officers: owning IT-risk identification and reporting in MY banking, insurance, telco.
Internal auditors: already doing IT audit (CISA). CRISC adds the risk-design lens.
GRC analysts: owning controls testing and risk reporting. CRISC is the recognised credential.
Compliance leads: mapping technology risk into the regulatory programme (BNM, BSP, MAS).
CIO direct reports: driving IT-risk strategy. CRISC builds the executive vocabulary.
Risk consultants: delivering risk assessments to MY GLCs and PLCs. CRISC is the trust signal.
Prerequisites
✓ 3 years of cumulative IT-risk and information-systems-control experience
✓ Experience must cover at least 2 of the 4 CRISC domains
✓ Comfortable reading audit reports and risk registers
→ Don't yet have 3 years' experience? You can sit the exam first; ISACA grants the cert once the experience is verified, within 5 years of passing.
Course Curriculum
Four domains. Real risk decisions.
CRISC covers four exam domains: Governance (26%), IT-Risk Assessment (20%), Risk Response & Reporting (32%), and Information Security and Technology (IS&T) (22%). We deliver in lifecycle order with MY-context case studies.
Risk Sims
8 sprints. Real MY risk scenarios.
CRISC is delivered as case-study workshops, not technical labs. By day 4 you've worked through MY-context scenarios across banking, telco, healthcare and government risk programmes.
01 Bank Risk Register (Assessment): Build an IT-risk register for a Maybank-scale bank.
02 Cloud Risk (Cloud): Assess third-party cloud risk for a regulated workload.
03 KRI Design (Reporting): Design 12 KRIs for a fintech with BNM oversight.
04 Control Design (Control): Design preventive + detective controls for an e-wallet.
05 Scenario Modelling (Assessment): Run quantitative risk analysis on a ransomware scenario.
06 Risk Treatment (Response): Defend treatment decisions to a simulated risk committee.
07 Third-Party Risk (Vendor): Map the vendor-risk programme to BNM RMiT.
08 Board Report (Reporting): Draft a one-page board-ready risk report.
+ 8 micro-tasks across COBIT 2019, NIST RMF and BNM RMiT.
Exam Information
One exam. CRISC.
CRISC has one exam: 150 questions, 4 hours, scaled scoring. You need 450 / 800 to pass. The pass rate is one of the lowest in the ISACA family — not because the content is harder, but because risk thinking is non-intuitive for first-timers.
CRISC Exam
Questions: 150 multiple choice
Duration: 4 hours
Passing score: 450 / 800 (56%)
Format: PSI / online proctored
Validity: 3 years (CPE-renewable)
Industry average pass rate: ~58% first attempt
Nexperts pass rate: 92% first attempt
Our 4-Mock Programme
01 Diagnostic: end of day 1. Sets the baseline. Average 47%.
02 Domain Drill: end of day 3. By-domain mock. Highlights weak areas.
03 Full Mock: end of day 4. Full timed simulation. 70%+ before booking.
04 Clearance: week after class. Final clearance. 75%+ before booking.
Pass Rate
92% of our CRISC candidates pass on first attempt.
The ISACA global first-attempt rate for CRISC sits around 58%. We hit 92% by gating booking on a clearance mock and drilling risk-thinking on real MY scenarios. We refuse vouchers to candidates not at 75%+.
BNM RMiT-aligned · Risk-thinking drill · 92% first attempt · Free retake voucher · ISACA aligned
Why our pass rate is 92%
Industry average: ~58%
Most candidates can recite COBIT control IDs but cannot defend a risk-treatment decision against the clock. CRISC questions are scenario-heavy and demand judgement, not memory.
Nexperts: 92%
We work risk scenarios for 70% of class time. We drill the question patterns. We gate booking on a clearance mock. By exam day, you are answering the question they're asking, not the one you wish they'd asked.
Your Risk Path
CRISC pairs with CISM and CISA.
CRISC stacks naturally with CISA (audit lens) for a balanced GRC profile, with CISM (security-management lens) for risk-and-security leadership, or with CGEIT for board-tier governance roles.
Expected salary range after CRISC + 3 years experience: RM 11,000 – RM 18,500/month for IT-risk-officer roles in MY banking, insurance and capital markets.
Student Reviews
What our CRISC graduates say.
Average rating 4.8 (★★★★★) from 68 reviews: 5★ 78% · 4★ 9% · 3★ 1%
★★★★★
"CRISC was the cert that moved me from IT audit to IT risk. The MY-context scenarios were what pushed me through — ISACA's textbook examples are too generic for our market."
Sarvanan Ramasamy
IT Risk Officer · RHB Bank
✓ Passed first attempt (664/800)
★★★★★
"The risk-thinking drills were the differentiator. Coming from CISA, I treated questions like audit findings; CRISC needs a forward-looking lens. Instructor reset that thinking."
Fatimah Anuar
Senior Risk Analyst · AIA Malaysia
✓ Passed first attempt (612/800)
★★★★
"Tough exam but the clearance mock told me exactly when I was ready. Cleared on first sitting, passed at 588."
Wei Lun Tan
IT GRC Lead · Standard Chartered MY
✓ Passed first attempt (588/800)
★★★★★
"BNM RMiT mapping was the reason I picked Nexperts over Iverson. Worth the extra prep time — I'm now lead risk officer for a fintech licensee."
Joseph Paul
Lead Risk Officer · BigPay
✓ Passed first attempt (702/800)