Today's organizations must keep a careful eye on regulations that address financial accountability, data security and protection, confidentiality, and customer privacy. Add to that the need to minimize risk, maintain profitability, ensure efficiency and meet strategic goals, and there's a lot on the plate.
Because IT plays such a major role in all these areas, organizational governance extends to IT as well. In turn, this prompts a need for serious-minded people who understand these worlds, can meet overarching business goals and will realize mission statements.
IT governance adds structure to the process of aligning IT with business strategies. It seeks to produce measurable results, to meet regulatory and legal obligations, and to ensure that investments produce positive gains. Several governance frameworks are available to help reach these goals – COBIT, ISO/IEC 38500 and ITIL, to name just a few.
In this article, we look at five IT governance certifications that are well known and well regarded across a variety of industries and fields. We conducted a search of several popular job boards for the certifications featured here. We found no shortage of requests from employers seeking candidates holding these best-of-the-best credentials.
We limited our search to the U.S. (With its roots in Great Britain and Europe, ITIL is bound to be in higher demand across the pond.) Most of these certifications have hefty work experience requirements. Thus, it's safe to speculate that these certifications aim at experts who are leaders in their organizations.
Job board search results (in alphabetical order, by certification)
Certification | Total | ||||
ITIL Expert (Axelos) | 62 | 66 | 56 | 28 | 212 |
CGEIT (ISACA) | 142 | 187 | 329 | 103 | 761 |
CGRC (The GRC Group) | 51 | 76 | 25 | 7 | 159 |
CRISC (ISACA) | 700 | 862 | 1,590 | 532 | 3,684 |
PMI-RMP (PMI) | 31 | 46 | 75 | 27 | 179 |
As far as salaries go, Simply Hired reports an average salary of $81,642 for IT governance, risk and compliance jobs, topping out around $133,642. Risk manager salaries average $94,110, with some salaries as high as $163,160. Glassdoor reports a salary range for IT governance, risk and compliance from $75,474 to $111,000, with risk managers' pay ranging from $99,949 to $134,000.
Let's look at the top five IT governance certifications for 2019.
ITIL Expert
ITIL (formerly known as the Information Technology Infrastructure Library) is a well-defined set of best practices that organizations use to design, implement, manage and maintain IT service projects. ITIL's primary focus is service management, which aligns IT projects and services with the business goals of an organization. ITIL also meets quality standards set by ISO/IEC 20000, so an organization that consistently and closely follows ITIL practices is quite likely to offer high-quality products or services.
In 2013, ITIL was acquired by Axelos, which focuses on global best practices and standards. Axelos also offers certifications for Resilia, Prince2 (2009 and 2017), Prince2 Agile, AgileSHIFT, P30, MSP, M_o_R, P3M3, MoP and MoV. Axelos manages updates to the ITIL framework, but this organization also accredits ITIL exam institutes and licenses third-party organizations to use ITIL's intellectual property.
The ITIL V3 certification tier offers several certifications to help employers find or groom employees with the right skills and knowledge to implement ITIL processes:
- ITIL Foundation
- ITIL Practitioner
- ITIL Intermediate
- ITIL Expert
- ITIL Master
The ITIL Expert certification recognizes well-rounded and balanced knowledge across all areas of the ITIL service lifecycle.
The Foundation, Practitioner and Intermediate tiers require certification exams. To achieve the ITIL Expert credential, candidates must hold the ITIL Foundation certificate or a Bridge qualification equivalent, acquire at least 17 credits per the ITIL Credit System, and pass the Managing Across the Lifecycle (MALC) exam to amass a total of 22 credits.
Achieving the ITIL Expert level is a prerequisite for the ITIL Master Qualification, the pinnacle ITIL credential. The ITIL Master is also in high demand, primarily in large enterprises, government agencies and so forth.
The ITIL certification program is currently migrating from ITIL V3 to ITIL V4. The new ITIL V4 will have a different look and feel from ITIL V3. Instead of five credentials, ITIL V4 will only encompass four certifications – Foundation, Managing Professional, Strategic Leader and Master. The ITIL V4 Foundation exam is targeted for release on February 28, 2019. The remaining certs are scheduled to be released sometime during the second half of 2019. ITIL recommends that ITIL V3 Foundation candidates pursue the ITIL V4 Foundation instead. Candidates who are at the ITIL V3 Intermediate level should continue certifying on V3. Professionals who earned the Expert designation on ITIL V3 will be eligible to take the Managing Professional (ITIL MP) as soon as it is released.
Since ITIL is in transition, candidates should check back frequently for updates on targeted release dates, prerequisites, and exam information.
ITIL Expert facts and figures
Certification name | ITIL Expert |
Prerequisites and required courses | ITIL Foundation certificate or Bridge certificate equivalent Minimum of 22 credits from ITIL qualification or complementary certs: 17 credits from any selection of Foundation and Intermediate modules or complementary qualifications 5 credits from the Managing Across the Lifecycle module |
Number of exams | One: Managing Across the Lifecycle (MALC) exam (multiple choice, 120 minutes) |
Cost per exam | Prices vary depending on the training provider. Candidates can expect to pay approximately $3,095 for online and $3,095 to $4,995 for classroom MALC training and exam. |
URL | www.axelos.com/qualifications/itil-qualifications/itil-expert-level |
Self-study materials | Multiple resources are available from the official ITIL site, including blogs, whitepapers, case studies, mobile apps, skills assessment tools, videos, sample papers, webinars and course syllabi. Some training providers offer self-paced training courses for as little as $225. |
CGEIT: Certified in the Governance of Enterprise IT
ISACA is a highly respected, global nonprofit association that provides education, conferences, publications and certification for IT governance professionals. Four certifications are available from ISACA that address information systems auditing, information security management, enterprise IT governance, and risk and information systems control:
- Certified Information Systems Auditor (CISA)
- Certified Information Security Manager (CISM)
- Certified in the Governance of Enterprise IT (CGEIT)
- Certified in Risk and Information Systems Control (CRISC)
ISACA also offers the Cybersecurity Nexus (CSX) program. Candidates can achieve the CSX Practitioner (CSX-P) certification by passing a performance-based exam.
The CGEIT credential is geared toward professionals who play a significant role in managing, advising and/or assuring IT governance. Typical job roles include senior security analyst and chief information security officer – the upper echelon of the organization chart.
Professionals at this level align IT with business strategies and goals, manage IT investments to maximize return on investment, strive for excellence in IT operations and governance, and promote greater efficiency and effectiveness in IT while minimizing risk.
ISACA's CGEIT exam covers five domains that address various aspects of governance and risk management:
ISACA's work experience requirements for the CGEIT qualification are demanding. To meet the five-year minimum requirement, one year must be directly related to enterprise IT governance frameworks. For the other four years, you must demonstrate experience in at least two of these domains: strategic management, benefits realization, risk optimization and resource optimization.
If you teach an accredited IT governance curriculum at an approved institution, you can count two full-time years toward every year of the CGEIT work requirement. Candidates with certain types of management experience and advanced degrees or certifications may substitute up to two years to meet the experience requirement.
CGEIT facts and figures
Certification name | Certified in the Governance of Enterprise IT (CGEIT) |
Prerequisites and required courses |
|
Number of exams | One (150 questions, 4 hours) |
Cost per exam | $575 (member)/$760 (nonmember) |
URL | www.isaca.org/Certification/CGEIT-Certified-in-the-Governance-of-Enterprise-IT/Pages/default.aspx |
Self-study materials | Candidate's Guide to the CGEIT Exam, job practice, study materials and review courses are available on the certification webpage. |
CGRC: Certified in Governance, Risk and Compliance
Making its second appearance on our top five list is the Certified in Governance, Risk and Compliance (CGRC) credential from the GRC Group. A globally recognized leader in governance, risk and compliance, the GRC Group consists of two institutions:
- The SOX Institute, which focuses on Sarbanes-Oxley (SOX) certifications
- The GRC Institute, which targets certification and training in the areas of governance, risk and compliance (including GRC for information security and information technology)
The GRC Institute offers two certification tiers – Base Level and Pro Level – with four certifications at each level.
Base-Level certifications:
- Certified in Corporate Governance (CGOV)
- Certified in Integrated Risk Management (CIRM)
- Certified in Internal Control Management (CICM)
- Certified in Governance, Risk, and Compliance (CGRC)
Pro-Level certifications:
- Certified Corporate Governance Professional (CGOVP)
- Certified Integrated Risk Management Professional (CIRMP)
- Certified Internal Control Management Professional (CICMP)
- Certified Governance Risk Compliance Professional (CGRCP)/Certified Governance Risk Compliance Manager (CGRCM)
Certification requirements for the CGRC are stringent. To earn the credential, candidates must possess the CGOV, CIRM and CICM certifications. Current membership in the GRC Group is required, plus a minimum of three years of professional experience. Exams are required for the lower-level certifications, but not for the CGRC. To maintain the credential, candidates must earn 12 hours of training and keep their GRC Group membership current.
CGRC facts and figures
Certification name | Certified in Governance, Risk, and Compliance (CGRC) |
Prerequisites and required courses |
|
Number of exams | None; exams are required for the prerequisite credentials |
Cost per exam | N/A |
URL | |
Self-study materials | Self-study recorded online – also classroom and live online |
CRISC: Certified in Risk and Information Systems Control
Another certification from ISACA, Certified in Risk and Information Systems Control (CRISC), recognizes IT professionals who are responsible for an organization's risk management program.
CRISC professionals manage risk, design and oversee response measures, monitor systems for risk, and ensure the organization's risk management strategies are met. Organizations look for employees with the CRISC credential for jobs, such as IT security analyst, security engineer or architect, information assurance program manager and senior IT auditor.
The CRISC exam covers four domains that are periodically updated to reflect the changing needs of the profession:
- Domain 1: IT Risk Identification
- Domain 2: IT Risk Assessment
- Domain 3: Risk Response and Mitigation
- Domain 4: Risk and Control Monitoring and Reporting
ISACA requires CRISC candidates to have a minimum of three years of cumulative, professional-level risk management and control experience, and to perform tasks in at least two CRISC domains, one of which must be in Domain 1 or 2. Work experience must be within the preceding 10 years from the date of application. Alternatively, candidates for CRISC certification have up to five years to fulfill the work experience requirement after passing the exam.
Since the inception of the CRISC certification program in 2010, more than 20,000 professionals have acquired this certification. Such a strong response says a lot about the program and the need for this type of credential in the enterprise workforce.
CRISC facts and figures
Certification name | Certified in Risk and Information Systems Control (CRISC) |
Prerequisites and required courses |
|
Number of exams | One (150 questions, 4 hours) |
Cost per exam | $575 (member)/$760 (nonmember) |
URL | |
Self-study materials | Candidate's Guide to the CRISC Exam, job practice, study materials and review courses are available on the certification webpage. |
PMI-RMP: Project Management Institute – Risk Management Professional
The highly regarded Project Management Institute (PMI) is perhaps best known for its Project Management Professional (PMP) credential, but it also offers the PMI Risk Management Professional (PMI-RMP) for governance, risk and compliance professionals.
The PMI-RMP recognizes individuals who have a combination of top-notch project management skills and the ability to identify and accurately assess project risks and then mitigate identified threats to organizations.
Candidates must pass one exam and meet considerable education and experience requirements. The exam focuses on the following domains:
- Domain 1: Risk Strategy and Planning
- Domain 2: Stakeholder Engagement
- Domain 3: Risk Process Facilitation
- Domain 4: Risk Monitoring and Reporting
- Domain 5: Perform Specialized Risk Analyses
Once you achieve the PMI-RMP, you may maintain the credential by earning 30 professional development units (PDUs) in one or more risk management topics every three years.
PMI-RMP facts and figures
Certification name | Project Management Institute – Risk Management Professional (PMI-RMP) |
Prerequisites and required courses | Secondary degree (high school diploma, associate degree or the global equivalent), plus 4,500 hours of project risk management experience and 40 hours of project risk management education OR Four-year degree (bachelor's degree or the global equivalent), plus 3,000 hours of project risk management experience and 30 hours of project risk management education |
Number of exams | One (170 questions, 3.5 hours) |
Cost per exam | $520 (member)/$670 (nonmember) |
URL | http://www.pmi.org/certification/risk-management-professional-rmp.aspx |
Self-study materials | Exam guidance and a reference list of recommended study resources are available on the PMI website. |
Beyond the top 5: More IT governance certifications
Beyond the top five IT governance certifications covered in this article, other certification programs can further the careers and professional development of IT professionals working in governance, risk management, and compliance.
For example, interested parties should check out the Governance, Risk Management and Compliance Professional (GRCP) certification by OCEG. Another credential worth noting is the Leadership Professional in Ethics & Compliance (LPEC) certification from the Ethics and Compliance Initiative (ECI). ECI bills itself as the oldest ethics and compliance research organization in the U.S.
If you're based in the U.K., consider the BCS Information Security Management Principles Foundation Certificate. BCS is based in the U.K., and, while popular overseas, its credentials just haven't gained enough popularity in the U.S. to maintain a slot in the top five. The BCS certifications are still excellent and worth considering if you're working overseas in the U.K. or EMEA.
Finally, the Institute of Internal Auditors (IIA) has a well-established certification program aimed at auditors in the government and financial sectors. Within the IIA lineup is the Certification in Risk Management Assurance (CRMA) credential, which identifies professionals who provide risk management assurance and advice to senior management and audit committees.
Be sure to investigate these certs on your own. One of them might prove even more valuable to your career path than the ones we've featured here.