Making sense of the ISACA certification minefield: Part 1
The simple guide to what ISACA’s certifications really mean and where you might expect to find them.
To be fair to ISACA, at just over 40 years old they are a toddler compared to many professional bodies. Terms such as Information Governance are even newer, to the point where there is often no clear consensus on what they actually mean. In that environment, it’s not surprising that the growing portfolio of professional certifications – CISA, CISM, CGEIT and CRISC – sounds a little confused to the casual observer.
For example, on the difference between CISM and CRISC, ISACA says “While CISM is for individuals who manage, design, oversee and/or assess an enterprise’s information security risks, CRISC is for IT professionals whose role encompasses security, operational and compliance considerations.”
I’d challenge anyone to show a clear dividing line between the two. Given that no two roles are the same, this is not helpful if you’re trying to decide what certification route is most appropriate.
Here is the simple guide to what ISACA’s certifications really mean and where you might expect to find them.
CISA
Useful for: IT auditors.
Possible job titles: IT Auditor, Computer Auditor, Information Assurance Officer, Internal Auditor, Audit Manager, Head of IT Audit
CISM
Useful for: Managers and staff focussing on Security of Information and systems
Possible job titles: Information Security Manager, Information Security Officer, IT Security Officer, Chief Information Security Officer
CGEIT
Useful for: Managers focussing on the Governance of Information and systems
Possible job titles: Head of IT, Head of Risk, Risk Manager, IT Operations Manager, Information Governance Manager, Chief Information Security Officer
CRISC
Useful for: Managers and staff focussing on Information Risk.
Possible job titles: Head of Risk, Risk Manager, IT Operations Manager, Chief Information Security Officer, Information Governance Manager, Information Security Officer, IT Project Manager
So, what’s right for me?
All are management, rather than technical, certifications, with CISA and CISM being the most established and most popular, and CGEIT and CRISC seen really as secondary differentiators. Most require about 5 years’ experience in specified areas (3 years for CRISC), with some credit offered for other professional qualifications or a degree, and all also require a multiple-choice exam and ongoing CPD. In that regard they all sit at a similar level but with a different focus, meaning the choice of whether and how to certify is mostly about what experience you have and where you want to go.
Of course, there are alternatives. We’ve covered this in Part 2: Alternatives to ISACA certification.