CTPRA Experience Eligibility Policy
In order to earn the CTPRA certification, an individual must first attend the Shared Assessments Program Certification Workshop and successfully pass the Shared Assessments CTPRA examination. In addition, individuals must hold a minimum of five (5) years experience as a IT risk management professional, in a position(s) which demonstrates proficiency in performing assessments of a vendor’s risk controls relative to the risk tolerance of the assessor organization. (See “Experience Requirement Defined” below). Upon receiving notice of the successful completion of the CTPRA examination, individuals must submit the Shared Assessments CTPRA Proof of Experience form signed by a current manager. This form is distributed upon notification of passing the Shared Assessments CTPRA examination.
CTPRA Experience Requirement Defined
CTPRA applicants must have a thorough working knowledge of IT risk management concepts and principles, including but not limited to:
- Risk assessment administrative controls
- Knowledge of various assessment frameworks and standards
- Organizational security structure
- Risk assessment technical controls, including but not limited to:
- Operations Management
- Network Security
- Server Security
- The fundamentals of vendor risk assessment, monitoring and management
- Effective utilization of third party questionnaires (trust)
- Conducting onsite assessments (verify)
- Developing an effective remediation plan and remediation reporting
Among the areas of expertise that qualify for CTPRA experience include some or all of the following areas:
- Third party risk management/assessment
- Audit and/or compliance
- Experience with determining whether organizations are executing risk controls against specific standards
- The risk control areas assessed as part of the third party assessment process
- Knowledge in the importance of risk controls and determining if controls are adequate.
Work Experience Substitutions and Waivers
A maximum of one (1) year work experience may be waived as follows:
- One year waiver: The applicant holds an IT or IS certification (i.e., CISA, CISSP, CIPP, CIPM, etc.).
NOTE: The acceptance of a certification in lieu of one (1) year work experience is subject to the approval of the CTPRA Certification Committee.
Less Than Five (5) Years Experience
If an exam taker successfully passes the CTPRA exam but holds less than the minimum required years of experience, the individual will be awarded the Associate CTPRA designation. The Associate CTPRA certification period expires once the five (5) year professional experience requirement is met.
A manager at the applicant’s current place of employment must sign the CTPRA Proof of Experience form and attest to holding the minimum required experience. For those who are self-employed or unemployed, the CTPRA Certification Committee will make a determination based on a review of documentation provided to show the necessary experience. Supporting documentation should be provided with Proof of Experience form to show the length and level of experience, including, but not limited to, items such as a current resume or CV, agendas from speaking engagements, letters of recommendation from past employers or consulting clients. For more information, please contact The Santa Fe Group at 505-466-6434 or firstname.lastname@example.org.