I recently received information from ISACA about their new CRISC certification (Certified in Risk and Information Systems Control). Based on the CRISC grandfathering provisions I am eligible for consideration, so I am evaluating whether it would be useful to sign up at this time. Information security professionals have a mixed view of grandfathering: certification vendors use it to quickly build an established (and paying) community, but many see it as a cheap way of obtaining a certification without completing the study materials and exam. Before I get to my decision, I want to review some of the key questions around the CRISC and my decision process.
Who is the CRISC meant for?
The newly created CRISC certification targets business and information security professionals who specialize in the end-to-end risk management process (risk identification, assessment, evaluation, and remediation). In addition, there is a focus on the design, implementation, and monitoring of the internal controls used to manage these business and system risks.
Who can be grandfathered into the CRISC?
Information security and risk management professionals with at least 8 years of IT or business risk mitigation experience, including a minimum of 6 years of cumulative work experience across all 5 of the CRISC domains and a minimum of 3 years of cumulative work experience in CRISC risk domains 1-3.
What are the CRISC risk domains?
Here is the breakdown of the CRISC domains by exam weighting (percentage).
- Domain 1 – Risk Identification, Assessment & Evaluation – 31%
- Domain 2 – Risk Response – 17%
- Domain 3 – Risk Monitoring – 17%
- Domain 4 – Information Systems Control Design & Implementation – 17%
- Domain 5 – IS Control Monitoring & Maintenance – 18%
* Per ISACA website details
When does the CRISC grandfathering deadline end?
You must make your decision to pursue the CRISC via the grandfathering program within a month. The currently announced deadline is June 30th, 2011.
What is the cost of the CRISC?
The ISACA member rate for CRISC is $595 and the non-member rate is $725. The annual recertification fee is $40 for ISACA members and $85 for non-members.
What are the CRISC CPE requirements?
The requirements are identical to those of the CISA: 120 CPE hours over each three-year cycle, with an annual minimum of 20 hours.
Should I accept grandfathering status for the CRISC certification?
Since I am not philosophically opposed to the concept of grandfathering for qualified professionals, I gave adequate consideration as to whether I should apply for the CRISC designation. After doing some careful career consideration I decided it was not a needed activity for me to complete at this point, even though I would qualify. It is uncertain how much traction the CRISC will gain in the industry, since more established credentials like the CISSP and CISA are already considered the dominant certifications. There is potentially room for another one, but I would likely consider a SANS offering before pursuing the CRISC.