The Difference between ISACA’s CRISC and the IIA’s CRMA Certification

Given the introduction of ISACA’s CRISC certification in 2010 and the recent announcement by the IIA of a new Certified in Risk Management Assurance (CRMA) certification, this brief paper has been prepared by ISACA’s Credentialing Board and staff to inform ISACA chapters of the primary similarities and differences between the two certifications should questions arise from ISACA members and certifieds.

Market:

CRISC is for IT professionals and operational risk management specialists and is applicable to a wide range of individuals. CRISC is for individuals that perform risk management and implement internal controls.

CRMA is designed for internal auditors and others interested in risk management assurance. CRMA is positioned as a specialization for those that are internal auditors, specifically those that audit or assess risk management processes.

Role:

Both CRISCs and CRMAs educate management about IT risk. CRISC is focused not only on risk processes but addresses control processes as well. A key goal of a CRISC is to also help establish a common perspective and language about IT risk that can set the standard for the enterprise. CRMA is focused on the management of risk issues, particularly as they relate to audit and assessment concerns. CRMA plays a different role by focusing on providing assurance.

Availability, domains and experience requirements:

CRISC certification is available worldwide to any individual that meets the requirements for certification. CRISC requires at least three years of work experience in the fields of risk management and information system (IS) control. The experience must be in the tasks of a CRISC professional across at least three CRISC domains, and the work experience must be cumulative over the three-year period. (Cumulative work experience is defined as experience performing at least one task within a domain over a period (duration) of time.) The CRISC domains and coverage include the following:

  • Domain 1—Risk Identification, Assessment and Evaluation (31%)
  • Domain 2—Risk Response (17%)
  • Domain 3—Risk Monitoring (17%)
  • Domain 4—Information Systems Control Design and Implementation (17%)
  • Domain 5—IS Control Monitoring and Maintenance (18%)

The CRMA (professional recognition program) is currently open only to candidates living in North America and those that live in one of the 65 countries serviced by IIA Global. It is not yet known what the experience requirements will be after the recognition program expires. The CRMA domains have only been identified at a high level and have not been finalized.

The domain areas currently noted for CRMA include Assessing / Assurance of Risk Management Activities within:

  • Domain 1 – Risk Management Fundamentals
  • Domain 2 – Elements of Risk Management
  • Domain 3 – Control Theory and Application
  • Domain 4 – Business Objective and Organizational Performance

It is not yet known whether the CRMA exam will be delivered in paper-based or electronic format.

Waivers

The CRISC does not recognize any certifications as waivers toward certification requirements. The CRMA for professional recognition recognizes “other active certifications” within their requirements for certification, but non-IIA certifications are granted a lower value.

Summary

Overall, the CRISC and CRMA certifications are focused on different constituents and cover diverse domain areas as described.

Please encourage your members and others interested to earn the CRISC certification. It is the only certification which links IT risk management and IS control and positions its holders to become strategic partners within their organization.