Good morning,
In case you wonder, I should be ready to post the first ISO training video this week. In the meantime, I came across a news piece and I thought it might be interesting to discuss it :)
As some of you may know, the
ISACA is launching
a new certification, the CRISC (pronounce See Risk). Like for previous certification, the ISACA will grandfather industry professional based on their existing credential to get certified (starting this April), or you will be able to take the exam in 2011.
Two things come to mind, if you are a risk management expert, get involved, I'll sure do, you can help the ISACA prepare the training or exam material over the course of 2010 so people can get trained and take the exam in 2011. If you are experienced enough to be grandfathered, it means you can help, so please do.
Now, the second thing that comes to mind is: Do we need another certification? The same question comes around every time a new one is launched. Already available on the market, there is the
ISO 27005 Risk Management certification, the
Associate Risk Manager (ARM), somebody will surely design something around
ISO 31000 /
ISO 31010, there is also the
MoR certification for ITIL practitioners...
In my own opinion, the ISO27005 certification program is good but the standard is a bit weak, it is primarily design for supporting the ISO27001 company certification process and do not take in consideration the real operational risk management measure that organization is looking for, ISO31000 will surely complement well the 27005 standard to help people get a more holistic view of enterprise risks.
The ARM has been designed by the US insurance industry with a deep focus on estimation of risks and financing, it lack a lot in the area of information technology and business continuity risks while MOR is mostly (nearly only) about information technology, project management and business continuity...
So, by analyzing the market, I think we can safely assume that there is enough space (and differentiators) for a new certification. One must also take a step back to look at how the ISACA work. From my perspective, the biggest contribution of the ISACA is not the certification they launch but the body of knowledge they create to train and support professional on the core aspect of those certifications.
If you are certified, you already know what I am talking about, did you got rid of your CISA or CISM books? Surely not, they contain great information, I even know people that buy back the review manuals on a yearly basis to get up to date information.
Give me your thought and input on the subject, tell me what you think this certification and its body of knowledge should contain, we might be able to get something out of it, and I will escalate this information from the field to the association.
Have a great day and see you soon,
Martin Dion (CISSP/CISM)
ISO27001 Lead Auditor & Trainer
CTO @
Above Security