IT Governance Certification

Obtaining an IT governance certification is a good idea for any IT practitioner who wants to specialize in IT governance. The certification validates and demonstrates the individual's knowledge of the governance of IT systems and enterprises. There are several different certifications, and many different opinions about which are the best IT governance certifications. In this article, we will look at some of the certifications that are available today.

IT Governance Certification – GRC certifications

The GRC Group is the recognized global leader in governance, risk, and compliance. The Group is made up of two institutions:

  • The SOX Institute, which focuses on Sarbanes-Oxley (SOX) certifications.
  • The GRC Institute, which targets certification and training in the areas of governance, risk and compliance, including GRC for information security and information technology.

The GRC Institute provides training and certifications in Governance, Risk and Compliance (GRC) and in Information Security & Information Technology Governance, Risk, and Compliance (IS/IT-GRC). The IT GRC qualification has two levels, Base and Pro, designed to meet different levels of knowledge and experience with IS/IT-GRC. They are recognized as being among the best IT governance certifications. Four different IT GRC certifications are offered at each level:

Base level IT GRC certification:

  • Certified in IT Compliance (CITC).
  • Certified in IT Risk Management (CITR).
  • Certified in IT Governance (CITG).
  • Certified in IT Governance, Risk Management, and Compliance (CGRC-IT).

To be eligible to take the examinations for these IT governance certifications, the candidate must have current membership in the GRC Group, three years of professional experience, and have completed the necessary training:

  • CITC: ITC-Classroom training or self-study training and a one-hour closed-book multiple-choice exam.
  • CITR: ITR-Classroom training or self-study training and one after-class open-book case study write-up.
  • CITG: ITG-Classroom training and one after-class open-book case study write-up.
  • CGRC-IT: All of the above.

These certifications are maintained by continued GRC Group membership, updating knowledge, attending training, webinars, and other GRC Group learning activities for a cumulative total of at least 12 hours a year.

Pro-Level Certification IT GRC certification:

  • Certified IT Compliance Professional (CITCP)
  • Certified IT Risk Management Professional (CITRP)
  • Certified IT Governance Professional (CITGP)
  • Certified IT Governance, Risk Management, and Compliance Professional (CGRCP-IT) / Certified IT Governance, Risk Management, and Compliance Manager (CGRCM-IT)

The prerequisites for these IT governance certifications are a valid and current Base-Level Certification and an average of at least 1,200 hours per year of IT-GRC related experience in the past three years, verifiable by two professional references.

These certifications are maintained by continued membership of the GRC Group, updating knowledge, attending training, webinars, and other GRC Group learning activities for a cumulative total of at least 12 hours a year, plus having at least 1,200 hours of IT-GRC related experience per year over the past three years, verifiable by two professional references.

As well as offering these IT GRC certifications, the GRC Group also provides CGRC: Certified in Governance, Risk, and Compliance certifications. These are targeted at corporate governance, but they can also be useful IT governance certifications, especially for individuals who want a career path beyond IT:

Base-Level certifications:

  • Certified in Corporate Governance (CGOV).
  • Certified in Integrated Risk Management (CIRM).
  • Certified in Internal Control Management (CICM).
  • Certified in Governance, Risk, and Compliance (CGRC).

Pro-Level certifications:

  • Certified Corporate Governance Professional (CGOVP).
  • Certified Integrated Risk Management Professional (CIRMP).
  • Certified Internal Control Management Professional (CICMP).
  • Certified Governance Risk Compliance Professional (CGRCP)/Certified Governance Risk Compliance Manager (CGRCM).

ISACA certifications

The Information Systems Audit and Control Association, known as ISACA, is an international professional association that focuses on IT governance, including the provision of IT governance certifications. Active in over 180 countries, ISACA has 150,000 members and professionals holding ISACA certifications. There is a network of ISACA chapters in 80+ countries that provide members with education and networking opportunities. ISACA offers a range of IT governance certifications, with training and preparation for them provided by a wide range of training companies. Here is a selection of their best IT governance certifications:

CGEIT: Certified in Governance of Enterprise IT

CGEIT is a vendor-neutral IT governance certification designed for IT professionals in large organizations who are responsible for directing, managing, and supporting the governance of IT, and who want their skills in the governance of enterprise IT externally certified. This governance of enterprise IT certification is awarded to individuals, not organizations. According to ISACA, this certification is designed for professionals who have a “significant management, advisory, or assurance role relating to the governance of IT and the knowledge required to perform these tasks.”

Enterprise IT includes the staff, services, architectures, and processes associated with an organization’s IT systems and services and their strategy, management, budgets, and policy. Enterprise IT includes all systems and services irrespective of whether they are hosted by the organization or in the cloud.

This governance of enterprise IT certification covers five main CGEIT domains:

  • Domain 1: Framework for the governance of enterprise IT. This covers establishing an appropriate framework to help the organization achieve its goals and objectives while considering risk and optimization, and all of the requirements necessary to build, oversee, and manage the framework.
  • Domain 2: Strategic management. This focuses on aligning IT with enterprise objectives through a strategic plan that helps the organization understand how changes to business strategy will impact IT strategy.
  • Domain 3: Benefits realization. This domain includes knowledge of KPIs, benefit calculation techniques, how to measure and monitor outcomes and performance, and knowledge of continual improvement concepts and principles.
  • Domain 4: Risk optimization. Ensuring that risk is managed and that the IT risk management approach is aligned with the organization’s enterprise risk management framework. This includes understanding any applicable legal and regulatory compliance requirements.
  • Domain 5: Resource optimization. This domain includes processes to optimize all IT resources, including people and technology, in order to reach enterprise goals.

There are some significant prerequisites to becoming CGEIT certified in the governance of enterprise IT. Candidates must have at least five years of relevant work experience, with one year working in Domain 1 (managing frameworks) and the other four years spent working in at least two out of the five other domains. While training courses are available for this governance of enterprise IT certification, they are not mandatory. In fact, real-world work experience is intended to serve as the CGEIT education for this IT governance certification.

To maintain this IT governance certification, certified individuals need to earn 20 continuing professional education (CPE) hours each year and 120 CPE hours over three years, pay an annual CPE maintenance fee, submit the required documentation if selected for audit, and comply with the ISACA Code of Professional Ethics.

CRISC: Certified in Risk and Information Systems Control

This IT governance certification from ISACA certifies IT professionals responsible for an organization’s risk management program. CRISC professionals manage risk, design and oversee response measures, monitor systems for risk, and ensure that the organization’s risk management strategies are met. Typical job roles that can benefit from this IT governance certification include IT security analyst, information assurance program manager, security engineer, and IT auditor. The CRISC certification covers four domains:

  • IT Risk Identification.
  • IT Risk Assessment.
  • Risk Response and Mitigation.
  • Risk and Control Monitoring and Reporting.

Candidates must have a minimum of three years of cumulative, professional-level risk management and control experience in at least two of the CRISC domains. Alternatively, candidates for CRISC certification have up to five years to fulfill the work experience requirement after passing the exam.

CISA: Certified Information Systems Auditor

The CISA IT governance certification is world-renowned as the standard of achievement for staff who audit, control, monitor, and assess an organization’s information technology and business systems.

CRISC: Certified in Risk and Information Systems Control

ISACA’s Certified in Risk and Information Systems Control certification demonstrates expertise in identifying and managing enterprise IT risk and in implementing and maintaining information systems controls. This IT governance certification is particularly relevant for mid-career IT professionals who focus on IT and cyber risk and control.

CISM: Certified Information Security Manager

ISACA’s Certified Information Security Manager IT governance certification focuses on expertise in information security governance, program development and management, incident management, and risk management. This certification can be useful for IT professionals who want to take senior management roles in IT security and control.

This article has provided an overview of some of the best IT governance certifications. Which is best for you will depend on the particular circumstances of your staff and your organization, including what budget is available, what skills already exist, and what the aspirations are. Obtaining any IT governance certification is a significant investment in both time and cost, so decisions about which certification to take should be based on facts. That said, taking any of the IT governance certification routes should provide significant benefits to individuals and organizations.

Terry Brown

Terry is an experienced product management and marketing professional, having worked for technology-based companies for over 30 years in different industries including telecoms, IT Service Management (ITSM), Managed Service Providers (MSP), Enterprise Security, Business Intelligence (BI), and Healthcare. He has extensive experience defining and driving marketing strategy to align with and support the sales process. He is also a fan of craft beer and Lotus cars.