Top 12 governance, risk, and compliance certifications

CIO.com - The voice of IT leadership February 19, 2026
What are GRC certifications?

GRC certifications validate the skills, knowledge, and abilities IT professionals have to manage GRC in the enterprise. With companies increasingly operating on a global scale, it can require entire teams to stay on top of all the regulations and compliance standards arising today. It’s crucial to ensure your organization is operating lawfully in every country it operates, your business is protected from cybersecurity threats, and your company both manages risk and establishes processes to govern those tasks.

Why are GRC certifications important?

In the wake of several well-publicized corporate scandals in the early 2000s — Enron and WorldCom, for example — and the passage of the Sarbanes-Oxley Act in 2002, organizations that must adhere to regulations for data security, financial accountability, and consumer privacy can’t do without someone making sure internal processes are being carried out properly. Enter the need for competent GRC professionals.

The goal of GRC, in general, is to ensure that proper policies and controls are in place to reduce risk, set up a system of checks and balances to alert personnel when new risks materialize, and manage business processes more efficiently and proactively. Professionals with a GRC certification must juggle stakeholder expectations with business objectives, and ensure organizational objectives are met while meeting compliance requirements. That significant amount of responsibility is critical in today’s business climate, and certification can prove you’re up to the task.

Is GRC certification worth it?

A variety of roles in the enterprise require or benefit from a GRC certification, such as CIO, IT security analyst, security engineer architect, information assurance program manager, and senior IT auditor, among others. If you work in an IT role that requires knowledge of governance principles, risk management, or compliance regulations, earning a GRC certification can help set you apart from other candidates, and reassure employers that you have the right knowledge for the job. GRC certs, such as the CGRC and CGEIT, are often ranked high on the list for most valuable IT certifications.

Top 12 GRC certifications

  • Certified Compliance & Ethics Professional (CCEP)
  • Certified Cloud Security Professional (CCSP)
  • Certified Governance, Risk, and Compliance (CGRC)
  • Certified in Risk and Information Systems Control (CRISC)
  • Certification in Risk Management Assurance (CRMA)
  • Certified in the Governance of Enterprise IT (CGEIT)
  • Certified Information Systems Auditor (CISA)
  • Certified Information Security Manager (CISM)
  • Certified Information Systems Security Professional (CISSP)
  • GRC Professional (GRCP)
  • ITIL Expert
  • Project Management Institute — Risk Management Professional (PMI-RMP)

Certified Compliance & Ethics Professional (CCEP)

The Certified Compliance & Ethics Professional (CCEP) certification offered by the Compliance Certification Board (CCB) is designed to demonstrate your knowledge and expertise around regulations and compliance processes. This designation shows organizations that you have the skills to understand and address any necessary legal obligations, and to help maintain the integrity of the organization through compliance programs.

To qualify for the CCEP certification, you’ll need to have:

  • At least one year of experience in a full-time compliance position, or 1,500 hours of direct compliance job duties earned over two years or less.
  • Job duties that are directly related to tasks outlined in the Candidate Handbook, including knowledge of standards, policies, procedures, communication, education, training, monitoring, auditing, reporting, and how to administer compliance and ethics programs.

However, you may be exempt from these requirements if you’ve successfully completed a certificate program from a CCB-accredited university within the two years prior to your application date. To apply to sit for a CCB examination, all candidates are required to earn and submit 20 CCB-approved continuing education units, earned from live trainings, events, and web conferences.

Exam fees: $350 for members or $450 for nonmembers, with a $145 renewal fee for members or $265 for nonmembers.

Certified Cloud Security Professional (CCSP)

The Certified Cloud Security Professional (CCSP) certification is offered through the International Information System Security Certification Consortium (ISC2), and demonstrates your knowledge and abilities when designing, managing, and securing data, applications, and infrastructure in the cloud. It’s designed for those working with cloud technology, including enterprise architects, security administrators, systems engineers, security architects, systems architects, consultants, engineers, and managers. The certification exam covers cloud concepts, architecture, design, security, and risk and compliance.

To qualify for the CCSP exam, there are no formal requirements, but ISC2 recommends at least five years of experience in IT, with a minimum of three years in information security and one year in one or more of the six domains found in the CCSP CBOK.

Exam fee: $599

Certified Governance, Risk, and Compliance (CGRC)

The CGRC certification offered by the ISC2 is designed to demonstrate your expertise in GRC, and your ability to integrate governance, risk management, performance management, and regulatory compliance in an organization. The exam covers topics like information security risk management, and the authorization and approval of information systems, as well as selecting, approving, implementing, assessing, auditing, and monitoring security and privacy controls.

To qualify for the exam, you’ll need two years of cumulative, paid work experience in one or more of the seven domains listed in the current ISC2 CGRC exam outline. To maintain the certification, you’ll need to earn 60 CPE credits over three years and pay the annual maintenance fee of $135.

Exam fees: $599

Certified in Risk and Information Systems Control (CRISC)

One of the most sought-after GRC certifications by both candidates and employers is the CRISC from ISACA, which identifies IT professionals responsible for managing IT and enterprise risk, and ensuring risk management goals are met. A CRISC is often heavily involved with overseeing the development, implementation, and maintenance of information system (IS) controls designed to secure systems and manage risk. The exam covers IT risk identification, risk response and mitigation, and risk and control monitoring and reporting.

To qualify for the exam, you must:

  • Have a minimum of three years of cumulative work experience in IT risk and information systems associated with at least two of the four domains.
  • Adhere to the ISACA Code of Professional Ethics and comply with the CRISC Continuing Education Policy.

Exam fees: $575 for ISACA members or $760 for nonmembers.

Certification in Risk Management Assurance (CRMA)

The Institute of Internal Auditors (IIA) is a global professional association that provides information, networking opportunities, and education to auditors in business, government, and the financial services industry. Before earning your CRMA, you’ll first need to pass the Certified Internal Auditor (CIA) exam, which demonstrates your proficiency as an auditor. Once you’ve passed that certification, you can move on to the CRMA certification, which recognizes individuals involved with risk management and assurance, governance, quality assurance, and control self-assessment. A CRMA is considered a trusted advisor to senior management and members of audit committees in large organizations.

Depending on your level of education, there are different requirements to qualify for the CRMA certification exam. If you’ve earned a master’s degree equivalent or higher, you’ll just need to provide proof of education, one year of internal audit experience, and a government-issued photo ID at the exam. Those with a bachelor’s degree or higher have the same requirements, but you’ll need to show two years of internal audit experience. Without a higher degree, you’ll need proof of five years of internal audit experience, and two out of those five required years must have been within the past three years.

Exam fees: $465 for IIA members or $610 for nonmembers, with an application fee of $100 for members and $220 for nonmembers.

Certified in the Governance of Enterprise IT (CGEIT)

The CGEIT certification, by ISACA, recognizes IT professionals with deep knowledge of enterprise IT governance principles and practices, as well as the ability to enhance value to the organization through governance and risk optimization measures, and to align IT with business strategies and goals. Since the program started, more than 7,000 individuals have achieved the CGEIT through ISACA. The exam covers five domains: framework for the governance of enterprise IT, strategic management, benefits realization, risk optimization, and resource optimization.

To qualify for the exam, you’ll need at least five years of cumulative work experience in IT enterprise governance, including at least one year defining, implementing, and managing a governance framework.

Exam fees: $525 for ISACA members or $760 for nonmembers.

Certified Information Systems Auditor (CISA)

Offered through the ISACA, the CISA certification is globally recognized for IS audit control. It was established in 1978 and certifies your ability to report on compliance procedures, how well you can assess vulnerabilities, and your knowledge of every stage in the auditing process. The certification covers high-level topics such as the information systems auditing process, governance and management of IT, operations and business resilience, and IS acquisition, development, and implementation.

To qualify for the CISA exam you’ll need to have at least five years of experience in IS auditing, control, or security, and must complete another entry-level exam through the ISACA certification scheme.

Exam fee: $575 for members or $760 for nonmembers.

Certified Information Security Manager (CISM)

The CISM certification offered by ISACA covers your ability to assess risks, implement governance practices, and proactively respond to security incidents. The exam highlights emerging technologies such as AI and blockchain to ensure your skillset meets current industry standards and requirements to address evolving security risks. The certification also covers information security governance, information security risk management, information security programs, and incident management. To qualify for the exam you’ll need five or more years of experience in information security management.

Exam fees: $575 for members or $760 for nonmembers.

Certified Information Systems Security Professional (CISSP)

The CISSP certification offered by the ISC2 is designed for cybersecurity professionals to demonstrate they have the right knowledge, skills, and abilities to design, implement, and manage cybersecurity programs. The exam covers security and risk management, asset security, security architecture and engineering, communication and network security, identity and access management (IAM), security assessment and testing, security operations, and software development security.

To qualify for the exam you’ll need five or more years of cybersecurity work or internship experience in two or more of the eight domains covered on the exam.

One year of work experience can be substituted with a four-year college degree or equivalent, or an advanced degree in information security from the US National Center of Academic Excellence in Information Assurance Education (CAE/IAE). Also, one year of work experience can be satisfied if you hold another approved credential from ISC2.

Exam fees: $749

GRC Professional (GRCP)

Open Compliance and Ethics Group (OCEG) is a member-driven, global organization dedicated to providing information, education, and certification on GRC to its members and the greater community. With only a few but well-respected certifications in its program, the GRCP is a solid credential aimed at a broad range of industries and practices. The single exam covers basic terms and concepts, GRC principles, and core components and practices, as well as the relationship of GRC to other disciplines. The GRCP is required for the higher-level GRC audit certification. The exam contains 100 questions and takes up to two hours to complete.

There are no requirements to qualify for the GRCP exam as it’s open and accessible to all professionals, accepting candidates from diverse cultural, educational, and professional backgrounds.

Exam fees: $499 for an all-access pass, which provides everything needed to prepare for and take the exam, including all live and archived webinars, OCEG standards, guides and resources, eLearning program, and the exam.

ITIL Expert

Information Technology Infrastructure Library (ITIL) certifications are tied to the ITIL framework, which describes best practices for designing, implementing, and managing a wide variety of IT service projects. In ITIL-speak, certifications are referred to as qualifications, which form a classic certification ladder beginning with the basic-level ITIL Foundation and culminating with the pinnacle ITIL Master. One rung below the Master level is the popular ITIL Expert.

A professional with the ITIL Expert qualification has a deep understanding of ITIL service best practices as they apply across an IT environment, not just to one service area. In other words, the Expert is able to support an organization by bridging service lifecycle stages, seeing the big picture as a sum of the parts.

To qualify for the exam, you must have:

  • Earned an ITIL Foundation certificate or a Bridge qualification equivalent.
  • Acquired at least 17 credits per the ITIL credit system.
  • Taken an approved training course and passed the Managing Across the Lifecycle (MALC) exam at the end.

Exam fees: Training costs vary among vendors but expect to pay around $1,800 (online) to $5,000 (classroom), which includes training and the exam.

Project Management Institute — Risk Management Professional (PMI-RMP)

Anyone who’s pursued a project management certification is familiar with the Project Management Institute (PMI), either through research or by picking up the coveted Project Management Professional (PMP) credential. PMI also offers the PMI-RMP certification, as well as several others that focus on business management, business analysis, Agile and scheduling.

The PMI-RMP identifies IT professionals involved with large projects or working in complex environments who assess and identify project-based risks. They’re also competent in designing and implementing mitigation plans that counter the risks from system vulnerabilities and natural disasters, for instance. The exam covers risk strategy and planning, stakeholder engagement, risk process facilitation, risk monitoring and reporting, and performing specialized risk analysis.

To qualify for the exam, you must have a secondary degree (high school diploma, associate’s degree, or global equivalent), and at least 4,500 hours of project risk management experience and 40 hours of project risk management education. Or you can have a four-year degree (bachelor’s degree or global equivalent), at least 3,000 hours of project risk management experience, and 30 hours of project risk management education.

Exam fees: $520 for PMI members or $670 for nonmembers.

More on GRC:

  • What is GRC and why do you need it?
  • Top 10 GRC mistakes — and how to avoid them
  • What is IT governance? A formal way to align IT & business strategy
  • The keys to effective IT governance in the digital era