The “PECB ISO/IEC 27005 Risk Manager” credential is a professional certification for professionals needing to demonstrate the competence to implement, maintain and manage an ongoing information security risk management program according to ISO/IEC 27005.
The principal competencies and knowledge required by the market are the ability to support an organization in implementing and managing a risk management framework as specified in ISO/IEC 27005: implementation of a risk management program, risk identification, risk analysis, risk evaluation, risk treatment, acceptance of risk, management of residual risks, and communicating, monitoring and reviewing risk.
Various professions may apply for this certification:
- Risk managers
- Persons responsible for information security or conformity within an organization
- Members of the information security team
- IT consultants
- Staff implementing or seeking to comply with PECB ISO 27001 or involved in a risk management program
| Credential | Exam | Professional experience | Risk assessment experience | Other requirements |
|---|---|---|---|---|
| ISO/IEC 27005 Provisional Risk Manager | PECB Certified ISO/IEC 27005 Risk Manager Exam or equivalent | None | None | Signing the PECB code of ethics |
| ISO/IEC 27005 Risk Manager | PECB Certified ISO/IEC 27005 Risk Manager Exam or equivalent | Two years: one year of risk management work experience | Risk management activities totalling 200 hours | Signing the PECB code of ethics |
| ISO/IEC 27005 Lead Risk Manager | PECB Certified ISO/IEC 27005 Lead Risk Manager Exam or equivalent | Five years: two years of risk management work experience | Risk management activities totalling 300 hours | Signing the PECB code of ethics |
For certification purposes, the following risk management activities constitute valid experience:
- Internal implementation and/or management of a risk management program
- External/consulting implementation and/or management of a risk management program
- Partial implementation and/or management of a risk management program, such as risk identification, risk analysis, risk evaluation, risk treatment, acceptance of risk, management of residual risks, or communicating, monitoring and reviewing risk.
To be considered valid, the risk assessment activities should follow best implementation practices and include a significant part of the following activities:
- Understanding an organization and its context
- Defining a risk management approach
- Selecting risk analysis methodologies
- Defining risk evaluation criteria
- Identification of assets, threats, existing controls, vulnerabilities and consequences (impacts)
- Assessing consequences and incident likelihood
- Determining the level of risk
- Evaluating risk scenarios
- Evaluating risk treatment options
- Selecting and implementing information security controls
- Performing a risk management review
Professional references must be from individuals who have professionally worked with you and can validate your risk management expertise, current and previous work history, as well as your job performance. You cannot use anyone as a reference who falls under your supervision or is a relative. At least three professional references are required (candidates can input up to a maximum of five references).
Complete information is required, including job title, start dates, end dates, responsibilities and more. Summarize each assignment, providing sufficient detail to describe the nature of the responsibilities that you had. This information can be detailed in your resume.
Risk assessment experience
The candidate's risk assessment log will be checked to ensure that the applicant has the minimum required number of risk assessment hours. The following risk assessment activities constitute valid experience: understanding an organization and its context, defining a risk management approach, selecting risk analysis methodologies, defining risk evaluation criteria, identifying risk (assets, threats, existing controls, vulnerabilities and consequences), assessing consequences and incident likelihood, determining the level of risk, evaluating risk scenarios, evaluating risk treatment options, selecting and implementing information security controls, and performing a risk management review. This information can be detailed in your resume.
Denial and Revocation of Certification
Certification will be denied or revoked for any of the following reasons:
- Falsification of application
- Violation of testing procedures
- Failure to pass the examination
Denials or revocations of certification may be appealed to the Certification Board in writing.
Annual Renewal Certification Fee
To keep your credentials active, there is an annual renewal fee for each calendar year. Registrants who pay their annual renewal fee will appear online in the PECB Directory of Certified Professionals.
Maintain your Certification (Recertification)
The PECB designations are valid for three years. To maintain your certification, you must have accumulated the required 90 Continuing Professional Development (CPD) credits by the end of that three-year period and pay the recertification fee. CPD hours need to be entered in your online PECB profile. PECB certified professionals who fail to provide the required CPD hours will have their PECB credentials revoked and will no longer be allowed to present themselves as certified PECB professionals.
Information and registration:
Alexandra Niculae, Training Director ENVISO