Palmer on Security

Information Security & Privacy

Making sense of the ISACA certification minefield Part 2: Alternatives to ISACA

Matt Palmer

Following on from our roundup of ISACA's certifications last week, if you're not a fan of ISACA's information risk and security management qualifications, or you're looking for an alternative way to demonstrate professionalism in information risk whilst moving in from a related field, here's a shortlist of alternative certifications to consider.


CISA is aimed at IT auditors.

Possible alternatives: Institute of Internal Auditors IT audit qualifications (see IIA US, IIA UK), such as the UK IIA's IT Auditing Certificate. These are more appropriate for general or financial auditors moving towards IT audit. You could also look at CISSP (below).


CISM is targeted towards managers and staff focusing on the security of information and systems.

Possible alternatives: Certified Information Systems Security Professional (CISSP) from ISC2 is seen as a slightly more challenging certification for information security. Member of the Institute of Information Security Professionals (M Inst ISP) is another option (and particularly useful if working on sensitive government projects), as are more generalist IT management certifications such as those from the British Computer Society.


A new certification for managers focusing on the governance of information and information systems.

Possible alternatives: No direct alternatives, although people with this role focus may well also have management, accountancy or legal qualifications.


For managers and staff focusing on information risk. This is another new certification; I've taken a closer look at CRISC here.

Possible alternatives: Institute of Risk Management (specialist member), Institute of Operational Risk, Global Association of Risk Professionals, and project management certifications for managing general project risks, such as PRINCE2 or PMP.

Does it matter?

At the end of the day, few employers will value qualifications more than experience, so the main question is what gets you in the door. CISA, CISM and CISSP are generally most sought after in job ads - and most recognised by large companies and government bodies around the world. Unless you're in public practice and selling your skills afresh on a daily basis to a different client, once you're employed most certifications gather dust, so it's worth asking whether you'll learn something new from studying. Just remember they also gather CPD requirements!