Eligibility Requirements
To gain your full CTPRA designation, you must pass the CTPRA exam and have a minimum of 5 years of experience as a risk management professional, in a position(s) that demonstrates proficiency in assessment, management, and remediation of third-party risk issues.
Exam Requirements
The CTPRA examination is a time-based, closed-book exam, completed within 3 hours, that is administered through a third-party vendor, Proctor360. The exam is taken online from your computer, and remote proctoring is required to monitor examination compliance. The CTPRA examination contains 120 questions worth up to 125 points. Examination questions test domain knowledge and the application of that knowledge to third-party risk situations. Multiple-choice questions are presented using third-party risk management scenarios from the Outsourcer or the Service Provider point of view. A score of 70% or higher must be achieved to pass the exam.
We offer two separate practice exams, each structured with 40 multiple-choice questions designed to reflect the types of questions you may encounter during the actual exam. The questions are distributed according to the CTPRA exam profile as follows:
- Applying Risk Concepts in TPRM: 20%
- Performing Risk-Based Due Diligence: 20%
- Controls Evaluation in TPRM: Governance and Information Protection: 30%
- Controls Evaluation in TPRM: Technology Management and Operational Risk: 30%
In the practice exams, you will have one opportunity to answer each question. The answers will include explanations for both the correct and incorrect options you choose. You can retake the practice exam as many times as you like.
The exam must be taken within 15 weeks of the bootcamp. Failure to meet the 15-week deadline will result in retaking the bootcamp and the exam at your own expense.
You are strongly encouraged to sign up at least 48 hours before the selected exam time to avoid a $15 USD “on-demand” testing fee. Additionally, any cancellation or modification within 48 hours of an existing exam appointment will result in a $15 USD fee. Candidates are encouraged to complete the testing process within 30 days of the bootcamp.
Please note: We encourage test-takers to arrive 15 minutes before the start of their exam. This will allow ample time to connect with your proctor and troubleshoot technical issues.
If you need reasonable accommodations to take the exam, please contact us at education@sharedassessments.org.
Exam Retake
If you do not pass the exam with a minimum score of 70%, you may retake it. There is a $150 USD fee to retake the exam. You may retake the exam up to three (3) times. After the third attempt, you must retake the bootcamp at your expense. Individuals who wish to retake the bootcamp will receive a 50% discount on the program.
Exam Results
Upon completing the exam, you will receive your final exam results automatically, along with details about the application process and re-testing options. Additionally, you will have the option to print or download a copy of your results.
Experience Requirements
CTPRA applicants must have a thorough working knowledge of IT risk management concepts and principles, including but not limited to:
- Risk assessment techniques and administrative controls
- Knowledge of various assessment frameworks and standards
- Regulatory drivers
- Organizational security structure
- Risk assessment technical controls, including but not limited to:
  - Operations Management and Business Resiliency
  - Access control and Network Security
  - Application and Server Security
- The fundamentals of vendor risk assessment, monitoring, and management:
  - Effective utilization of Third-Party questionnaires (Trust)
  - Controls evaluation using onsite and/or virtual assessments (Verify)
  - Risk identification and analysis, including definition of corrective action plan and remediation reporting
Among the expertise that qualifies for CTPRA experience:
- Third-party risk management/assessment
- Audit and/or compliance
- Experience with determining whether organizations are executing risk controls against specific standards
- Risk control areas assessed as part of the Third-Party assessment process
- Knowledge of the importance of risk controls and determining if controls are adequate
Work Experience Substitutions or Waivers
A maximum of two years of work experience may be waived for the following:
One (1) year of work experience may be waived if the applicant holds an active IT or IS certification (i.e., CISA, CISSP, CIPP, CIPM).
One (1) year of work experience may be waived if the applicant holds a bachelor’s or master’s in information security or information technology from an accredited university.
NOTE: The acceptance of a certification and/or education in lieu of one (1) year of work experience is subject to the approval of Shared Assessments.
Employment Verification
When completing the application, please provide the name of someone who can verify your employment. This is usually your current manager, but it can be anyone who can confirm the accuracy of the employment information you provided. If you are currently unemployed, Shared Assessments will review the documentation you submit to assess whether you have the necessary experience.
Applying for Certification
After completing the class and passing the exam, applicants will receive information on how to apply for certification, which includes a link to the application. The application requires signing a Proof of Experience form to demonstrate the length and level of experience. Once the completed application is submitted, it will be reviewed for full certification status. If additional information is necessary for a decision, the applicant will be notified.
Maintaining Your Certification
Continuing Professional Education (CPE) Requirements
To ensure certification holders stay current with evolving practices in the Third-Party Risk Management (TPRM) industry, Shared Assessments has established Continuing Professional Education (CPE) requirements.
Certified individuals are responsible for earning and tracking their CPE credits. A total of thirty-six (36) CPE credits must be earned within the 3-year certification period. While not mandatory, it is recommended that designees earn twelve (12) CPE credits each year to stay on track.
Shared Assessments CPEs
CPE credits earned through Shared Assessments events or participation in member-related meetings are available for download in your Shared Assessments Academy portal account (education.sharedassessments.org). Please note that CPEs issued prior to January 1, 2020, are not accessible through the portal but may be requested. Allow up to thirty (30) days for CPE certificates to be issued. Partial attendance does not qualify for CPE credit.
Membership and CPE Opportunities
Holding a certification does not automatically make you a member of Shared Assessments. To access member-only events and activities such as committee meetings and Member Forum Calls, your current employer must be an active Shared Assessments member.
Shared Assessments also offers CPE-eligible opportunities for non-members, including the annual Summit, webinars, bootcamps, and training programs. For more information on organizational membership and available non-member CPE activities, please visit https://sharedassessments.org/.
CPE Hours Calculation
One CPE hour is earned for each fifty (50) minutes of active participation (excluding lunches and breaks) for qualifying educational activities and meetings. Shared Assessments does not issue CPE credits for partial attendance. Attendance duration is verified via teleconference records or staff verification. Shared Assessments does recognize partial credits from other organizations’ qualifying events.
Non-Shared Assessments CPEs
Non-Shared Assessments CPE credits are recognized and accepted by Shared Assessments and may be earned from attending industry conferences or webinars, authoring published materials, course instruction, or from speaking engagements pertaining to the topics that fall under the vendor risk management umbrella, such as security, privacy, and business continuity. Your everyday work in risk management does not count towards earning CPEs.
Examples of acceptable non-Shared Assessments CPE activities include but are not limited to:
- ISACA, IAPP, ISC2, and AICPA education activities and meetings
- In-house corporate training, professional conferences, workshops, webinars, and university courses related to vendor risk management
- Vendor management-related self-study classes
- Teaching or presenting at industry conferences and events
You may upload any non-Shared Assessments CPEs to your account in our Shared Assessments Academy portal at any time. Once you’ve logged into your account, go to the Certificate tab, and click on the Add Non-Shared Assessments CPEs button. Follow the instructions on the page to upload the information. The required information to upload is:
- Event Name
- Sponsoring Organization Name
- Event Date
- Number of CPEs earned
Documentation proof of the agenda and attendance must be available in case of an audit, but is optional for upload to your account. Documentation must take the form of one of the following:
- Email notice from the issuing organization stating CPEs earned
- Electronic form or communication from the issuing organization stating the agenda and attendance
- Certificate of completion from the issuing organization with a description of the event content
Certification holders are solely responsible for the legitimacy of their documentation and accurate recordkeeping. Certification holders may be required to participate in an audit of CPE credits for up to two years after the submission date.
Upon the 3-year term renewal date, the certification holder must have the minimum required CPEs in their account and the annual payment fee to renew their certification status.
Audit of CPE Hours
A random sample of Certification holders is selected each year for audit. Those certification holders must provide written evidence of previously reported activities that meet the criteria described in the Qualifying Continuing Professional Education section above. Please send copies of supporting documentation because the documents will not be returned. Shared Assessments will determine the acceptance of hours for professional educational activities. Those individuals who do not comply with the audit will have their certification revoked.
Annual payment of the CTPRA Maintenance Fee
The CTPRA certification is valid for three (3) years from the date of official designation. This date marks the start of the three-year certification cycle and can be found on the certification certificate, in the designation notification email, and the Shared Assessments Academy portal.
All certification holders are required to pay an annual maintenance fee for each year of the three-year term. As of January 1, 2021, the annual maintenance fee is $100 USD. Fees are subject to change at the discretion of Shared Assessments.
To maintain certification and be eligible for renewal at the end of the three-year term, certification holders must:
- Pay all annual maintenance fees in full
- Report a minimum of thirty-six (36) Continuing Professional Education (CPE) credits earned during the certification period.
Non-compliance with these requirements may result in certification expiration.
Non-payment of Annual Maintenance Fee
If the annual maintenance fee is not received within 30 days of the certification anniversary date, the certification will be suspended. If payment is not received within 60 days, the certification will be terminated.
At the end of the three-year certification term, if the required annual maintenance fee and/or Continuing Professional Education (CPE) credits are not submitted within 30 days of the renewal date, the certification will be suspended. If the outstanding requirements are not fulfilled within 60 days, the certification will be terminated.
Comply with the Code of Ethics
Certification holders must abide by the Shared Assessments Code of Ethics to maintain their certification.
Certification Termination and Re-instatement
If any of the requirements for maintaining certification are not met, certification will be terminated. It can be reinstated if requirements are met within two years of lapse. After two years, the certification holder must retake the class and the exam at their own expense. If certification is terminated because of a Code of Ethics violation, Shared Assessments will review any request for reinstatement on a case-by-case basis.
Materials and Data Sharing Policy
Class Materials
Distribution of the materials to any party other than the intended recipient is strictly prohibited. Sharing materials without permission by Shared Assessments may result in the termination of the certification designation attained.
Exam and Certificant Data
Exam performance and detailed certification information are considered confidential and will only be shared with the individual to whom the information pertains.
Certification-related information may be disclosed to a third party only under the following conditions:
- The individual has provided written consent to release their exam results or other detailed certification information. Acceptable forms of consent include a signed authorization or documentation within an employment agreement (e.g., employment contract, offer letter, or employee handbook).
- It is the sole responsibility of the requesting party to obtain and provide written proof of consent when submitting a request. Shared Assessments is not responsible for securing consent on behalf of the requester.
Without written consent, Shared Assessments will confirm whether an individual currently holds a certification but will not disclose exam scores, certification dates, term duration, or application details.
Use of the CTPRA Acronym and Logo
Individuals who have earned the CTPRA designation will receive a digital credential badge through Credly. Certified professionals may use the CTPRA acronym following their name on business cards, email signatures, résumés, websites, and other professional materials (e.g., Jane Doe, CTPRA). Use of the CTPRA or Shared Assessments logos is not permitted for individual use.
Contact Us
If you have any questions or need support, please email us at education@sharedassessments.org or call us at 505-466-6434.