Newcomer II

In which order is it better to pursue the CRISC and CISSP certifications?

Hello to everyone.


I'm planning to pursue these 2 certifications, and they complement each other. So I was curious which of them the seasoned members here could advise me to start with? I have been working in both the IT technology and IT security fields, but have no high-level certifications.


6 Replies
Defender I

Aleksandr (@askripnikov),

The real value of professional certifications in the marketplace is to get past HR filters to reach managers with actual hiring authority. With that in mind, survey job postings you are interested in to see which certifications are listed as required or preferred in those announcements. Prioritize your certification plan based on how often each certification occurs in the announcements.


If you have access to folks in your field with hiring authority, even if they have no openings, ask them the same question.


If, however, you are seeking the certifications because of what you will learn by preparing for them, go for the one that covers knowledge and skills you wish to acquire first.



D. Cragin Shelton, DSc
My Blog
My LinkedIn Profile
My Community Posts
Community Champion

Completely agreed with Cragin, though for me the real question is do you want to:


1. Conduct lots of risk assessments, have exciting audits and do lots of COBIT - ISACA is the way to go;

2. Save the world, party and decide on just what your new badge should look like against the fine lapel of your best persuasion jacket, as you practice your ‘Magnum’ look from Zoolander? Welcome to ISC2. ISACA are a very peculiar bunch anyway... 😉


OK, in seriousness, if you are working somewhere then the certifications you need for career development/advancement to meet business objectives would best be agreed with your line manager.


If you are looking for a new role, or want to market yourself as a contractor or consultant, then in addition to Cragin’s excellent advice you might want to go and meet up with some folks at a chapter or similar.


In terms of ease of study, perhaps work out which you think is most complementary to what you know by reviewing the CBK, exam outlines and guidance (I’m assuming CRISC is comparable here, as despite my flippant comments I’ve only got very peripheral information). This is a counterpoint to Cragin’s post, just in case it’s less about the learning and more about getting the certification from a satisfaction/material standpoint.


On the certification experience side of things, CISSP requires 4-5 years of full-time paid work in the 8 domains of the CBK. CRISC requires 3 years in four domains, but the experience requirement is narrower - so if that’s a consideration I’d recommend reading up and certifying on the one for which you are most likely/most easily able to hit the experience bar.
Newcomer II

@CraginS @Early_Adopter Thank you for the suggestions from all sides.

  • In my case, in the 1st place I'm looking to get more knowledge, and CISSP is closer to my expectations, and from the experience side too.
  • Regarding HR and recruiters, for sure CISSP is also ahead.
  • Another problem is that in the country I live in there is no chapter of either of these organizations.
  • For ISACA exams there are also no test centers here, and I would have to fly to another country where such centers do exist.
Newcomer I

I would suggest CISSP then CRISC.


I concur with and respect Dr. Cragin's reply philosophically and ethically, agree with and share Early_Adopter's perspective and wry philosophy, and strongly align with tekfarmer's reply.


In light of your constraints, I please recommend you consider mapping your progression around matriculating either/both "Associate" certifications initially.


In case that new planning assumption is unacceptable, the following are MY "Seeds of Wisdom" and reverse-rank order recommendation:


3 - One should not certify as a means to an employment end; one should certify either to accredit capabilities gained over time, or as the consummation of a learning process leading to enhanced factual knowledge context for current responsibilities or envisioned future professional experience.


2 - Indeed (ISC)2 and ISACA are distinctly different breeds of cat; I've known both for the over 15 years since they both were "children" (heck, I think I remember that my first ISC2 dues were surface-mailed to a personal PO Box in Florida, and that I had to submit CISA CEH verifications the same way...), so I subsequently submit that it's indeed important to one's professional growth to assimilate both knowledge bases on a complementary basis.  Boo-Rah for the two organizations that have done the most for my career thanks to what they've enabled me to do for the organizations where I've practiced!


1 - My final answer is indeed the same as tekfarmer's.  I see no way to practically surmount the CRISC absent the context and knowledge base surrounding CISSP.  (Ironically, last night I was again working through CRISC sample exams cold, scoring well above median, and found myself marvelling at how much easier that was thanks to my CISSP, CISA, CTPRP, CBCP, and PMP contexts than it ever could have been when I was matriculating CISSP.)


Additionally, attempting to do CRISC before CISSP would place you at a significant disadvantage for the following reasons (IMHO, obviously):

-CISSP and CRISC experience requirements mutualize, but don't coincide.  You'd potentially strand some experience which contributes to the latter, but POTENTIALLY not the former.  (Remember, a human will ultimately decision your applications...)

-A CRISC might get you in the door for a role responsible for GDPR PDR and DPIA, or a role responsible for NIST RMF overlay and analysis, but absent the additional context and knowledge the CISSP represents, you'd be laughed at behind your back for your contextual naivete by the constituents you are attempting to serve, because they'd have to lead YOU around the related technicals (as opposed to the converse, around the practical application of risk management).

-CRISC might shuffle you too far into compliance and audit, and away from security operations, to ever learn/appreciate enough cyber operations for today's CISSP to be possible.  (e.g. unless you plan to operate your own private router/switch and SIEM lab as a practicum, you had better have some means of seeing how cyber plays out at the packet level in today's real world before you attempt CISSP.)


Thanks for asking; best of luck!

Contributor I

For a cyber security professional, in my opinion CISSP should be attempted before CRISC.


CISSP covers cyber security comprehensively, whereas CRISC, CRMP and PMI RMP cover just the risk area.

I am an experienced Information Security Professional with over 25 years of expertise in diverse industries, including Telecom, Banking, Education and Financial Institutions.
I am ISC2 CISSP certified, along with other Information Security certifications.