ISACA (disclaimer: I’m on the NJ Board of Directors) has developed and released a new certification called Certified in Risk and Information Systems Control (CRISC, pronounced “See-Risk”). It’s probably a more formal certification than one that I had thought of years earlier, Certified Risk Assessment Professional (CRAP). I just knew that the name wasn’t going to take off.
There are 5 focus areas:
- Risk Identification
- Risk Response
- Risk Monitoring
- Control Design and Implementation
- Control Monitoring and Maintenance
Based on what I’ve read and what I’ve seen so far, this certification looks to actually define a certification around information security risk management across the entire lifecycle. The specific areas of study and the details in each of the 5 areas look pretty solid and, hold on, actually make sense. I’m not sure how “technical” it will get, since it is geared towards IT professionals as well as business analysts and project managers, but I think that speaks to the holistic view that the certification will take around risk management.
If you’ve got the required experience, you can grandfather in and not have to take the test. That may be the way to go, since there is no history on what the test is like, what they are looking for, or the quality of the questions.
If you’re interested, check out www.isaca.org/crisc for more details on the entire program, including grandfathering.