Top 10 governance, risk, and compliance certifications

What are GRC certifications?

GRC certifications validate the skills, knowledge, and abilities IT professionals have to manage governance, risk, and compliance (GRC) in the enterprise. With companies increasingly operating on a global scale, it can require entire teams to stay on top of all the regulations and compliance standards arising today. It’s crucial to ensure your organization is operating lawfully in every country in which it operates, that your business is protected from cybersecurity threats, and that your company both manages risk and establishes processes to govern those tasks.

Why are GRC certifications important?

In the wake of several well-publicized corporate scandals in the early aughts — Enron and WorldCom, to name two — and the passage of the Sarbanes-Oxley Act in 2002, organizations that must adhere to regulations for data security, financial accountability, and consumer privacy can’t do without someone making sure internal processes are being carried out properly. Enter the need for competent governance, risk and compliance (GRC) professionals.

The goal of GRC, in general, is to ensure that proper policies and controls are in place to reduce risk, to set up a system of checks and balances to alert personnel when new risks materialize, and to manage business processes more efficiently and proactively. Professionals with a GRC certification must juggle stakeholder expectations with business objectives, and ensure that organizational objectives are met while meeting compliance requirements. That significant amount of responsibility is critical in today’s business climate, and certification can prove you are up to the task.

Is GRC certification worth it?

A variety of roles in the enterprise require or benefit from a GRC certification, such as chief information officer, IT security analyst, security engineer architect, information assurance program manager, and senior IT auditor, among others. If you work in an IT role that requires knowledge of governance principles, risk management, or compliance regulations, earning a GRC certification can help set you apart from other candidates and reassure employers that you have the right knowledge for the job. GRC certs, such as the CGRC and CGEIT, routinely land on lists of certifications earning IT pros higher pay premiums.

Top 10 GRC certifications

  • Certified Compliance & Ethics Professional (CCEP)
  • Certified Governance Risk and Compliance (CGRC)
  • Certified in Risk and Information Systems Control (CRISC)
  • Certification in Risk Management Assurance (CRMA)
  • Certified in the Governance of Enterprise IT (CGEIT)
  • Certified Information Security Manager (CISM)
  • Certified Information Systems Security Professional (CISSP)
  • ITIL Expert
  • GRC Professional (GRCP)
  • Project Management Institute — Risk Management Professional (PMI-RMP)

Certified Compliance & Ethics Professional (CCEP)

The Certified Compliance & Ethics Professional (CCEP) certification offered by the Compliance Certification Board (CCB) is designed to demonstrate your knowledge and expertise around regulations and compliance processes. This designation shows organizations that you have the skills to understand and address any necessary legal obligations and to help maintain the integrity of the organization through compliance programs.

To qualify for the CCEP certification, you will need to have:

  • At least one year experience in a full-time compliance position or 1,500 hours of direct compliance job duties earned over two years or less
  • Job duties that are directly related to tasks that are outlined in the Candidate Handbook, including knowledge of standards, policies, procedures, communication, education, training, monitoring, auditing, reporting, and how to administer compliance and ethics programs

However, you may be exempt from these requirements if you have successfully completed a certificate program from a CCB-accredited university within the two years prior to your application date. To apply to sit for a CCB examination, all candidates are required to earn and submit 20 CCB-approved continuing education units, earned from live trainings, events, and web conferences.

Exam fees: $350 for members or $450 for nonmembers, with a $125 renewal fee for members or $245 for nonmembers

Certified Governance Risk and Compliance (CGRC)

The CGRC certification offered by the ISC2 is designed to demonstrate your expertise in governance, risk, and compliance and your ability to integrate governance, risk management, performance management, and regulatory compliance in an organization. The exam covers topics such as information security risk management, the authorization and approval of information systems, as well as selecting, approving, implementing, assessing, auditing, and monitoring security and privacy controls.

To qualify for the exam you will need two years of relevant work experience in one or more of the seven domains outlined on the current ISC2 CGRC exam outline.

To maintain certification you will need:

  • 60 CPE credits over three years
  • Annual maintenance fee of $135

Exam fees: $599

Certified in Risk and Information Systems Control (CRISC)

One of the most sought-after GRC certifications by candidates and employers alike is the CRISC from ISACA, which identifies IT professionals who are responsible for managing IT and enterprise risk and ensuring that risk management goals are met. A CRISC is often heavily involved with overseeing the development, implementation, and maintenance of information system (IS) controls designed to secure systems and manage risk. The exam covers IT risk identification, risk response and mitigation, and risk and control monitoring and reporting.

To qualify for the exam, you must:

  • Have a minimum of three years of cumulative work experience in IT risk and information systems associated with at least two of the four domains
  • Adhere to the ISACA Code of Professional Ethics and comply with the CRISC Continuing Education Policy

Exam fees: $575 for ISACA members or $760 for nonmembers

Certification in Risk Management Assurance (CRMA)

The Institute of Internal Auditors (IIA) is a global professional association that provides information, networking opportunities and education to auditors in business, government, and the financial services industry. Before earning your CRMA, you’ll first need to pass the Certified Internal Auditor (CIA) exam, which demonstrates your proficiency as an auditor. Once you’ve passed that certification, you can move onto the CRMA certification, which recognizes individuals who are involved with risk management and assurance, governance, quality assurance and control self-assessment. A CRMA is considered a trusted advisor to senior management and members of audit committees in large organizations.

To qualify for this exam you must:

  • Have earned the CIA designation from the IIA
  • Have a 3- or 4-year post-secondary degree (or higher) — alternatives to the bachelor’s degree are two years of post-secondary education and five years of internal auditing experience (or equivalent) or seven years of internal auditing experience
  • Demonstrate proof of at least two years of auditing experience or control-related business experience in risk management or quality assurance
  • Provide a character reference signed by a person holding an IIA certification or a supervisor
  • Agree to abide by the Code of Ethics established by the IIA

Exam fees: $465 for IIA members or $610 for nonmembers, with an application fee of $100 for members and $220 for nonmembers.

Certified in the Governance of Enterprise IT (CGEIT)

The CGEIT certification, by ISACA, recognizes IT professionals with deep knowledge of enterprise IT governance principles and practices as well as the ability to enhance value to the organization through governance and risk optimization measures and to align IT with business strategies and goals. Since the program started, more than 7,000 individuals have achieved the CGEIT credential through ISACA. The exam covers five domains: framework for the governance of enterprise IT, strategic management, benefits realization, risk optimization, and resource optimization.

To qualify for the exam, you must:

  • Have at least five years of cumulative work experience in IT enterprise governance, including at least one year defining, implementing, and managing a governance framework
  • Adhere to the ISACA Code of Professional Ethics and comply with the CGEIT Continuing Education Policy

Exam fees: $525 for ISACA members or $760 for non-members

Certified Information Security Manager (CISM)

The CISM certification offered by ISACA covers your ability to assess risks, implement governance practices, and proactively respond to any security incidents. The exam also covers emerging technologies, such as AI and blockchain, to ensure that your skillset meets current industry standards and requirements to address evolving security risks. The certification covers information security governance, information security risk management, information security programs, and incident management.

To qualify for the exam you will need five or more years of experience in information security management.

Exam fees: $575 for members or $760 for non-members

Certified Information Systems Security Professional (CISSP)

The CISSP certification offered by the ISC2 is designed for cybersecurity professionals to demonstrate that they have the right knowledge, skills, and abilities to design, implement, and manage cybersecurity programs. The exam covers security and risk management, asset security, security architecture and engineering, communication and network security, identity and access management (IAM), security assessment and testing, security operations, and software development security.

To qualify for the exam you will need:

  • Five or more years of cybersecurity work experience, or internship experience, in two or more of the eight domains covered on the exam
  • One year of work experience can be substituted with a four-year college degree or equivalent, or an advanced degree in information security from the US National Center of Academic Excellence in Information Assurance Education (CAE/IAE)
  • One year of work experience can be satisfied if you hold another approved credential from ISC2

Exam fees: $749

GRC Professional (GRCP)

OCEG is a member-driven, global organization dedicated to providing information, education and certification on GRC to its members and the greater community. With only a few but well-respected certifications in its program, the GRCP is a solid credential aimed at a broad range of industries and practices. The single exam covers basic terms and concepts, GRC principles, and core components and practices, as well as the relationship of GRC to other disciplines. The GRCP is required for the higher-level GRC Audit certification. The exam contains 100 questions and takes up to two hours to complete.

There are no requirements to qualify for the GRCP exam — it is “open and accessible to all professionals” accepting candidates from “diverse cultural, educational, and professional backgrounds,” according to OCEG.

Exam fees: $499 for an All-Access Pass, which provides everything you need to prepare for and take the exam, including all live and archived webinars, OCEG Standards, Guides and Resources, eLearning program, and the exam.

ITIL Expert

Information Technology Infrastructure Library (ITIL) certifications are tied to the ITIL framework, which describes best practices for designing, implementing and managing a wide variety of IT service projects. In ITIL-speak, certifications are referred to as “qualifications,” which create a classic certification ladder beginning with the basic-level ITIL Foundation and culminating with the pinnacle ITIL Master. One rung below the Master level is the popular ITIL Expert.

A professional with the ITIL Expert qualification has a deep understanding of ITIL service best practices as they apply across an IT environment, not just to one service area. In other words, the Expert is able to support an organization by bridging service lifecycle stages, seeing the big picture as a sum of the parts.

To qualify for the exam, you must have:

  • Earned an ITIL Foundation certificate or a Bridge qualification equivalent
  • Acquired at least 17 credits per the ITIL Credit System
  • Taken an approved training course and passed the Managing Across the Lifecycle (MALC) exam at the end

Exam fees: Training costs vary among vendors but expect to pay in the range of $1,800 (online) to $5,000 (classroom), which includes training and the exam.

Project Management Institute — Risk Management Professional (PMI-RMP)

Anyone who has pursued a project management certification is familiar with the Project Management Institute (PMI), either through research or by picking up the coveted Project Management Professional (PMP) credential. PMI also offers the Risk Management Professional (PMI-RMP) certification, as well as several others that focus on business management, business analysis, agile and scheduling.

The PMI-RMP identifies IT professionals involved with large projects or working in complex environments who assess and identify project-based risks. They are also competent in designing and implementing mitigation plans that counter the risks from system vulnerabilities, natural disasters and the like. The exam covers risk strategy and planning, stakeholder engagement, risk process facilitation, risk monitoring and reporting, and performing specialized risk analysis.

To qualify for the exam, you must have:

  • A secondary degree (high school diploma, associate’s degree or global equivalent), and at least 4,500 hours of project risk management experience and 40 hours of project risk management education
  • Or a four-year degree (bachelor’s degree or global equivalent), at least 3,000 hours of project risk management experience and 30 hours of project risk management education

Exam fees: $520 for PMI members or $670 for nonmembers.

More on GRC:

  • What is GRC and why do you need it?
  • Top 10 GRC mistakes — and how to avoid them
  • What is IT governance? A formal way to align IT & business strategy
  • The keys to effective IT governance in the digital era

Read More from This Article: Top 10 governance, risk, and compliance certifications
Source: News

Category: News, May 24, 2024