Can you CRISC?

Making sense of ISACA's growing stable of qualifications is an increasingly complex task. But is the new CRISC qualification right for you?

My general view is that building better core qualifications would be a better strategy for the association, but that doesn't mean the new additions have no value on a CV - on the contrary, even the recent entries can help set you apart from the competition.

IT audit is an unusual profession, in that there is no one industry qualification that's right for everyone - the field is just too wide.

Here's the rub: ISACA now has four closely related qualifications:

  • CISA (Certified Information Systems Auditor), for auditors
  • CISM (Certified Information Security Manager), for managers

Riskmonkey didn't really see much of a gap between those two, if they were developed to their potential. ISACA's eagle-eyed experts clearly did though, which led to the creation of...

I have no real problem with CGEIT, except that it really ought to be a required part of CISA and CISM - how can you be a competent IT auditor or security manager if you don't understand IT governance? CGEIT really just shows up the weakness of these qualifications.

CRISC, however, is another question. ISACA says "CRISC is designed for IT professionals with experience in risk identification, response and monitoring; and IS control design, implementation, monitoring and maintenance".

I struggle to separate these skills and experiences from those that would be expected of any good IT auditor or manager - in effect, CRISC seems to add little to the CISA or CISM qualification. Risk is a core part of those qualifications in a way that governance, as covered by CGEIT, is not.

As such, it seems to be a qualification suited to auditors and managers alike. Certainly, ISACA seem to be going for the widest possible audience, requiring experience in wide-ranging fields that would cover practically anyone who read this web site. The target audience, "professionals who are engaged at an operational level to mitigate risk", doesn't even imply knowing how to turn on a computer, so if you're a policy wonk this qualification could work for you. Indeed, it would seem to cover absolutely anyone with a professional job of any kind, in any field, for any employer. Perhaps then, that is the qualification's potential strength: it doesn't button-hole you into a role.

It does however demonstrate an understanding of risk in an IT-centric environment, something that should be a critical skill for any IT manager, auditor, consultant, or business advisor. It could therefore add value to anyone from a network infrastructure manager to a high-street accountant, as long as they have the right skill set.

And therein lies the mystery - as the exam has not yet been sat, we just don't know how rigorous it will be. We do know however where it will focus, namely on:

  • Risk identification, assessment and evaluation
  • Risk response
  • Risk monitoring
  • IS control design and implementation
  • IS control monitoring and maintenance

This is clearly spelt out by ISACA, and whilst all this is relevant to CISA and CISM (indeed should be at the core of it), the risk focus is not as strong as it could be in those qualifications and the questions will presumably have to be different to reflect the change in perspective, and a focus on operational response to risk.

I therefore see four types of professional for whom CRISC might be particularly useful:

  • People who want to do CISA or CISM, but whose experience doesn't meet ISACA's requirements for those qualifications
  • People who have done CISA or CISM, but want to demonstrate a wider perspective that is not constrained to auditing or security management
  • IT managers who want to demonstrate a risk focus, but do not want the 'auditor' or 'infosec' label
  • People who want to move out of an IT security environment towards a more general risk focused role

Ultimately though, whether a qualification is right for you depends on what you want to achieve. As Urs Fischer, the Chair of ISACA’s CRISC Certification Committee, points out "each one of ISACA’s four credentials sets professionals on unique and desirable career paths: Chief Audit Executive (CISA), Chief Security Officer (CISM), Chief Risk Officer (CRISC) and Chief Information Officer (CGEIT)".

Can you CRISC? If seeing the risk, and knowing what to do about it and how, is your USP - CRISC might well be right for you.