In the wake of several well-publicized corporate scandals about 15 years ago – Enron and WorldCom, to name two – and the passage of the Sarbanes-Oxley Act in 2002, organizations that must adhere to regulations for data security, financial accountability and consumer privacy found they couldn't do without someone to make sure internal processes are being carried out properly. Enter the need for competent governance, risk and compliance (GRC) professionals.
The goal of GRC, in general, is to ensure that proper policies and controls are in place to reduce risk, to set up a system of checks and balances to alert personnel when new risks materialize and to manage business processes more efficiently and proactively. Professionals with a GRC certification must juggle stakeholder expectations with business objectives and ensure that organizational objectives are met while also meeting compliance requirements. That's an incredible amount of responsibility, and it's absolutely necessary in today's business climate.
All kinds of job roles require or benefit from a GRC certification, including CIO, IT security analyst, security engineer or architect, information assurance program manager and senior IT auditor, among others.
Read on to learn about our top six picks for GRC certifications, as well links to relevant GRC resources.
Certified in Risk and Information Systems Control (CRISC)
One of the most sought-after GRC certifications by candidates and employers alike is the CRISC from ISACA, which identifies IT professionals who are responsible for managing IT and enterprise risk and ensuring that risk management goals are met. A CRISC is often heavily involved with overseeing the development, implementation and maintenance of information system (IS) controls designed to secure systems and manage risk. Since 2010, ISACA has issued over 20,000 CRISC credentials — a relatively high number in the GRC certification field.
To earn the CRISC, you must pass one exam that covers four domains: IT Risk Identification (Domain 1), IT Risk Assessment (Domain 2), Risk Response and Mitigation (Domain 3), and Risk and Control Monitoring and Reporting (Domain 4). The exam contains 150 questions, takes up to four hours to complete and costs $575 (ISACA members) or $760 (nonmembers).
In addition, you must prove a minimum of three years of cumulative work experience in IT risk and information systems associated with at least two of the four domains, adhere to the ISACA Code of Professional Ethics and comply with the CRISC Continuing Education Policy.
Certified in the Governance of Enterprise IT (CGEIT)
The CGEIT certification, by ISACA, recognizes IT professionals with deep knowledge of enterprise IT governance principles and practices as well as the ability to enhance value to the organization through governance and risk optimization measures and to align IT with business strategies and goals. Since the program started, more than 7,000 individuals have achieved the CGEIT credential through ISACA.
To earn the CGEIT credential, you need to pass one exam (150 questions, four hours) covering five domains: Framework for the Governance of Enterprise IT (Domain 1), Strategic Management (Domain 2), Benefits Realization (Domain 3), Risk Optimization (Domain 4) and Resource Optimization (Domain 5). The exam costs $525 for ISACA members or $760 for non-members.
The qualifications for the CGEIT are at least five years of cumulative work experience in IT enterprise governance, including at least one year defining, implementing and managing a governance framework. Candidates must also adhere to the ISACA Code of Professional Ethics and comply with the CGEIT Continuing Education Policy.
Project Management Institute - Risk Management Professional (PMI-RMP)
Anyone who has pursued a project management certification is familiar with the Project Management Institute (PMI), either through research or by picking up the coveted Project Management Professional (PMP) credential. However, PMI also offers the Risk Management Professional (PMI-RMP) certification, as well as several others that focus on business management, business analysis, agile and scheduling.
The PMI-RMP identifies IT professionals involved with large projects or working in complex environments who assess and identify project-based risks. They are also competent in designing and implementing mitigation plans that counter the risks from system vulnerabilities, natural disasters and the like.
The PMI-RMP exam covers five knowledge domains: Risk Strategy and Planning (Domain 1), Stakeholder Engagement (Domain 2), Risk Process Facilitation (Domain 3), Risk Monitoring and Reporting (Domain 4) and Perform Specialized Risk Analyses (Domain 5). The exam has 170 multiple-choice questions, takes up to 3.5 hours to complete and costs $520 (PMI members) or $670 (non-members).
You must also meet experience and education requirements. One option is to have a secondary degree (high school diploma, associate's degree or global equivalent), and at least 4,500 hours of project risk management experience and 40 hours of project risk management education. The second option is a four-year degree (bachelor's degree or global equivalent), at least 3,000 hours of project risk management experience and 30 hours of project risk management education.
Information Technology Infrastructure Library (ITIL) certifications are tied to the ITIL framework, which describes best practices for designing, implementing and managing a wide variety of IT service projects. In ITIL-speak, certifications are referred to as "qualifications," which create a classic certification ladder beginning with the basic-level ITIL Foundation and culminating with the pinnacle ITIL Master. One rung below the Master level is the popular ITIL Expert.
A professional with the ITIL Expert qualification has a deep understanding of ITIL service best practices as they apply across an IT environment, not just to one service area. In other words, the Expert is able to support an organization by bridging service lifecycle stages, seeing the big picture as a sum of the parts.
To achieve the ITIL Expert qualification, you must first earn the ITIL Foundation certificate or a Bridge qualification equivalent, and then acquire at least 17 credits per the ITIL Credit System. Finally, take an approved training course and pass the Managing Across the Lifecycle (MALC) exam at the end. Training costs vary among vendors, but expect to pay in the range of $1,800 (online) to $5,000 (classroom), which includes training and the exam.
Certification in Risk Management Assurance (CRMA)
The Institute of Internal Auditors (IIA) is a global professional association that provides information, networking opportunities and education to auditors in business, government and the financial services industry. One of the IIA's certifications is the CRMA, which recognizes individuals who are involved with risk management and assurance, governance, quality assurance and control self-assessment. A CRMA is considered a trusted advisor to senior management and members of audit committees in large organizations.
Achieving the CRMA credential requires passing a multiple-choice exam (100 questions, up to two hours) through Pearson VUE. The exam costs $380 for IIA members or $495 for non-members.
In addition, you must have a 3- or 4-year post-secondary degree (or higher). Alternatives to the bachelor's degree are two years of post-secondary education and five years of internal auditing experience (or equivalent) or seven years of internal auditing experience. The IIA also requires proof of at least two years of auditing experience or control-related business experience in risk management or quality assurance. Finally, you need to provide a character reference signed by a person holding an IIA certification or a supervisor, provide proof of identification and agree to abide by the Code of Ethics established by The IIA.
GRC Professional (GRCP)
OCEG is a member-driven, global organization dedicated to providing information, education and certification on GRC to its members and the greater community. With only a few but well-respected certifications in its program, the GRCP is a solid credential aimed at a broad range of industries and practices.
The single exam covers basic terms and concepts, GRC principles, and core components and practices, as well as the relationship of GRC to other disciplines. The GRCP is required for the higher-level GRC Audit certification. The exam contains 100 questions and takes up to two hours to complete. OCEG offers an All Access Pass for $395 (auto-renews) or $495 (no renewal), which provides everything you need to prepare for and take the exam. This includes all live and archived webinars, OCEG Standards, Guides and Resources, eLearning program, and the exam.
Resources for the GRC community
There are plenty of resources on the web of interest to budding and long-time GRC professionals, and some may be useful for pursuing a GRC certification. Here are a few sites to add to your GRC toolkit:
- ComplianceWeek: This site is an excellent source of resources for the GRC community. You can find news articles, whitepapers, GRC reports, conference materials, job opportunities and much more. The site also features free, one-hour webcasts most weeks, which are available on demand after each event, and many are eligible for continuing professional education (CPE) credits.
- The GRC Bluebook: Advertising itself as "the online GRC knowledgebase," you'll find great reviews on GRC tools (and there are a bunch!), news articles, risk practices, industry events and lots more.
- CareersInfoSecurity: As the site implies, you will find a job board section. But CareersInfoSecurity goes well beyond that with a training library, news and other content aimed at information security, risk management, and privacy and fraud professionals. Using the site's search tool, enter "grc" to zero-in on related resources.
- Security Management: The freely available online magazine by ASIS International covers different types of security: national, physical, cyber and strategic. You'll find enterprise risk management articles in the Strategic Security section, as well as access to podcasts and webinars.
- LinkedIn: Search for "grc group" and sign up for a few that look most interesting to you, then start networking. A good general group is Governance, Risk & Compliance (grc). This population of GRC experts have been through the certification process and will be willing to offer advice or insights to your certification questions. LinkedIn also has a job board that's becoming one of the best around.
Good luck with your GRC training and certification pursuits!
Join the CIO New Zealand group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.