Get trained and certified in ISO 27005 Enterprise Risk Management
Risk assessment and management provides the foundation for information security management, as well as for business continuity and disaster recovery management. After all, the ISMS and the BCMS exist purely to manage risk. This means that an ISMS and a BCMS can only be as good as the organization's ability to create, authorize, and practice a single consistent approach to assessing and treating risks. ISO/IEC 27001 certification of an organization's Information Security Management System (ISMS) requires that all security methods and controls be driven by risk assessment as defined in the organization's formally documented risk management methodology. BS 25999-2 certification of an organization's Business Continuity Management System (BCMS) requires the same.
What the 27005 Standard is...
ISO/IEC 27005:2011 provides guidelines for information security risk management. It supports the general concepts specified in ISO/IEC 27001 and is designed to assist the satisfactory implementation of information security based on a risk management approach. Knowledge of the concepts, models, processes and terminologies described in ISO/IEC 27001 and ISO/IEC 27002 is important for a complete understanding of ISO/IEC 27005:2011. ISO/IEC 27005:2011 is applicable to all types of organizations (e.g. commercial enterprises, government agencies, non-profit organizations) which intend to manage risks that could compromise the organization's information security. As an internationally accepted best practice guideline for developing a solid risk management methodology that is fit-for-purpose for the organization, ISO 27005 can also ensure fulfillment of BS 25999's requirements for such a risk management capability.
The problem with many organizations is that the very people who should be leading or performing risk assessment have never been sufficiently trained to be able to do the job properly. Risk assessment and management is complex - complex enough to have its own ISO/IEC standard! Certified Information Security provides the training and credentialing you need to become recognized as an authority in leading or facilitating risk assessment and management according to the ISO/IEC 27005 Standard.
CICRA™ Certification
The CICRA credential from Certified Information Security certifies your understanding of ISO/IEC 27005 and of how the 27005 framework can be used to develop a custom risk management methodology that fulfills the requirements of both ISO/IEC 27001 and BS 25999-2. It also helps fulfill the competence requirements of those certifications themselves. This is the risk management certification supporting a career in risk management, information security management, or business continuity/disaster recovery management. It is appropriate for all members of the BCMS or ISMS committee.
Getting Certified as a CICRA™
The CICRA™ certification is available to qualified candidates who:
- Are a member of CIS in good standing. If you are not already an Associate member of the CIS certification student body, you must first become a member to pursue the CICRA credential.
- Attend one of the required CIS-approved curriculum courses:
  - Option 1: Instructor-led training: Our risk management training is included within our information security and business continuity training when delivered in a live presentation. If you attend either of the following live instructor-led 3-day seminars, you will fulfill the training requirement for CICRA certification.
  - Option 2: Online training: Our online students have the alternative of attending our risk management training as a free-standing course. Successfully completing the following online course fulfills the training requirement for CICRA certification.
- Pass the CICRA Exam. For CICRA certification by CIS, candidates must pass CIS exam RM101. Once you have successfully completed all of the steps above, we will arrange to schedule and administer your exam. CIS exams are administered online and can be taken at your convenience at your home or work through the CIS eLearning Center, where your progress and score are monitored and recorded centrally. Your exam results are provided automatically upon completion of your exam.
- Submit your professional endorsements. CICRA is an entry-level credential and has no experience requirements. Complete your CIS exam RM101 and submit three CIS Candidate Endorsement Forms to the Certification Department at CIS Headquarters. We recommend you gather your documentation and send it all together along with your application approximately one month before you are ready to take a CIS Exam. Your completed application and documentation can be mailed, transmitted by facsimile, or e-mailed to:
  Certified Information Security
  ATTN: Certification Department
  1004 Green Pine Circle
  Orange Park, FL 32065 USA
  Fax: +1(786) 522-9063
- Gain final approval from the certification committee and become certified by CIS.
You will officially become certified once your exam and credentials are approved by the certification committee. Your certification kit will be mailed to the address you provided for your membership account. Those who have attained a CIS credential will be invoiced for certification renewal upon annual membership renewal.