
6 Key Certifications For Your Third Party Risk Management Team
Third-Party Risk Management (TPRM) has become an increasingly important consideration for companies as they build out their security program. This is a result of the significant growth in the use of vendor services.
It is important to recognize that risk is introduced when you use a third-party vendor.
A vulnerability in their system could allow an attacker to gain access to your systems. If there is a vendor-related breach, your data could be compromised, potentially resulting in financial as well as regulatory issues for your organization.
Staff Your TPRM Team
To protect your organization, a robust TPRM program is essential. That means that you have to staff a TPRM team to assess and monitor your third-party vendor portfolio.
For some insight into factors to consider when building out your team, refer to the article on How to Staff Your Third-Party Risk Management Team.
Key Industry Certifications
Certifications are not the sole factor to consider. Nor should they be considered a substitute for real-world, on-the-job experience. However, all things being equal between two candidates, the right certification credentials can set one candidate apart from another and be a deciding factor when making a hiring decision.
When it comes to your third-party risk management team, there are quite a number of relevant certifications to consider. Qualified candidates may have one or more of these credentials.
In this article we will review several of the key industry standard certifications you may want to consider.
Targeted vs. Broad
Some certifications are very targeted and have a specific focus on third-party vendor assessments, while others are geared toward demonstrating broad competence in the Information Security or Audit/Compliance space. When hiring TPRM team members, many candidates may have one or more of the following certifications.
Certified Third Party Risk Professional (CTPRP) certification
A focused certification to consider is the one offered by the Shared Assessments organization. It is the Certified Third Party Risk Professional (CTPRP) certification. This aims to validate specific expertise in evaluating and assessing third party risk.
The CTPRP is intended for mid-level professionals who typically have 5+ years of TPRM experience.
Requirements - Attend a CTPRP class, pass a test and have 5 years of experience in risk management.
According to Shared Assessments - “The CTPRP designation is a professional credential designed to validate knowledge, experience, and proficiency in the development and operations of a comprehensive Third Party Risk Management (TPRM) Program; including the analysis, management, and remediation of Third Party risk issues.”
Click here for additional information from Shared Assessments.
Certified Third Party Risk Assessor (CTPRA)
Another relevant certification offered by the Shared Assessments organization is the CTPRA. This is intended for senior level professionals with in-depth knowledge of TPRM topics.
Requirements - Attend a CTPRA class, pass a test and have 5 years of experience in IT risk management.
According to Shared Assessments - “The Certified Third Party Risk Assessor (CTPRA) designation is a professional credential that validates knowledge, expertise, and proficiency in controls evaluation within specific Third Party risk control domains needed in order to perform a comprehensive IT risk evaluation of a third party during an assessment.”
Click here for additional information from Shared Assessments.
Certified Information Systems Security Professional (CISSP)
The CISSP is a highly respected industry standard certification. It demonstrates that an individual has a breadth and depth of Information Security knowledge.
The CISSP is offered by (ISC)². Their requirements are to pass the CISSP test and have 5+ years of experience in areas such as risk management, security operations, and security assessment and testing.
According to (ISC)² - “Earning the CISSP proves you have what it takes to effectively design, implement and manage a best-in-class cybersecurity program.”
Click here for additional information from (ISC)².
Certified in Risk and Information Systems Control ® (CRISC ®)
The CRISC is unique in that it focuses exclusively on Enterprise IT risk management. While a certification such as the CISSP has risk management as one of its areas of expertise, the CRISC goes much further and does a deep dive into the topic.
The ISACA® requirements: Pass the CRISC® exam and have a minimum of 3 years of work experience across at least two of the four CRISC domains.
According to ISACA® “CRISC® validates your experience in building a well-defined, agile risk-management program, based on best practices to identify, analyze, evaluate, assess, prioritize and respond to risks.”
Click here for additional information from ISACA®.
Certified Regulatory Compliance Manager (CRCM)
If you are in the finance or banking industry then CRCM is a valuable certification to consider.
The CRCM attests to an individual's knowledge in managing all aspects of a compliance risk management program as well as ensuring compliance with U.S. federal laws and regulations.
The American Bankers Association® requirements: Pass the CRCM examination and have either 3 years of experience as a compliance professional plus specific compliance training, or 6 years of experience as a compliance professional.
According to the American Bankers Association® with the CRCM you “Differentiate yourself with a credential that sets the standard of professional expertise in the compliance field.”
Click here for additional information from the American Bankers Association®.
Certified Enterprise Risk Professional (CERP)
Another valuable certification to consider for risk management professionals within the banking or finance industry is the CERP.
The American Bankers Association® requirements: Pass the CRCM examination and have either 5 years of experience in the financial industry and risk management as well as a Bachelor’s degree, or 7 years of experience in the financial industry and risk management with no degree.
According to the American Bankers Association® “The Certified Enterprise Risk Professional (CERP) designation has been designed exclusively for risk management professionals within the banking industry, and measures knowledge across several domains and categories, including credit risk, financial and non-financial risks.”
Click here for additional information from the American Bankers Association®.
In Summary
In response to the expanded use of third-party vendor services, an increasing number of companies are staffing dedicated TPRM teams. Individuals on these teams require specialized skills.
As a result, finding qualified candidates can be a challenge. Being aware of the specific industry standard certifications can help identify individuals with expertise in the field.
These certifications also provide a means of differentiating otherwise equally qualified candidates. Finally, if you can find an individual with both relevant experience and an industry certification then you can have the best of both worlds!
If you have any questions or need additional info, please contact me.

Christine has 15+ years in the technical industry developing software, leading teams along with extensive experience as a hiring manager. She found that she really enjoyed the process of building teams and interacting with candidates and business customers. As a result, Christine decided to make the hiring process her focus and started Vector Recruiting.