To gain your full CTPRP designation, you must pass the CTPRP exam and have a minimum of 5 years of experience as a risk management professional, in a position(s) that demonstrates proficiency in assessment, management, and remediation of Third Party risk issues.
The CTPRP examination is a time-based, closed book exam, completed within 3 hours that is administered through a third party vendor, Examity. The exam is taken online from your own computer and remote proctoring is required to monitor examination compliance. The CTPRP examination contains 125 questions worth up to 140 points. Examination questions include testing the domain knowledge and application of knowledge using Third Party risk situations. Multiple choice questions are presented using Third Party risk management scenarios from the Outsourcer or the Service Provider point of view. A score of 70% or higher must be achieved to pass the exam. We do not offer stand-alone practice tests currently; however, the class materials provide Knowledge Check sample questions for each module.
The exam must be taken within 15 weeks of starting the class. Failure to meet the 15- week deadline may result in retaking the class and the exam at your own expense.
We recommend scheduling your exam at least 24 hours in advance of your preferred exam date/time to avoid a nominal $5.00 “on demand” testing fee from the testing company. Any cancellation or modification within 24 hours of an existing exam appointment will result in a $5.00 on-demand fee.
If you need reasonable accommodations to take the exam, please contact us at firstname.lastname@example.org.
If you do not pass the exam on the first try, you may retake the exam a second time. There is a $150 fee to retake the exam. You may re-take the exam up to three (3) times. After the third attempt, you must retake the class at your own expense. Individuals who wish to retake the class will receive a 50% discount.
Instant results through the testing platform are not available at this time. Results are sent out from Shared Assessments via email within 2-3 weeks of taking the exam.
CTPRP applicants must have a thorough working knowledge of IT risk management concepts and principles, including but not limited to:
- Risk assessment techniques and administrative controls
- Knowledge of various assessment frameworks and standards
- Regulatory drivers
- Organizational security structure
- Risk assessment technical controls, including but not limited to:
- Operations Management and Business Resiliency
- Access control and Network Security
- Application and Server Security
- The fundamentals of vendor risk assessment, monitoring, and management:
- Effective utilization of Third Party questionnaires (Trust)
- Controls evaluation using onsite and/or virtual assessments (Verify)
- Risk identification and analysis, including definition of corrective action plan and remediation reporting
Among the expertise that qualifies for CTPRP experience:
- Third Party risk management/assessment
- Audit and/or compliance
- Experience with determining whether organizations are executing risk controls against specific standards
- Risk control areas assessed as part of the Third Party assessment process
- Knowledge in the importance of risk controls and determining if controls are adequate
Work Experience Substitutions and Waivers
A maximum of two years of work experience may be waived for the following:
One (1) year of work experience may be waived if the applicant holds an active IT or IS certification (i.e., CISA, CISSP, CIPP, CIPM).
One (1) year of work experience may be waived if the applicant holds a bachelor’s or master’s in information security or information technology from an accredited university.
NOTE: The acceptance of a certification and/or education in lieu of one (1) year of work experience is subject to the approval of the Shared Assessments Certification Advisory Council.
If You Have Less Than Five (5) Years of Experience
If an applicant successfully passes the CTPRP exam but holds less than the minimum required years of experience, the individual will be awarded the Associate CTPRP designation. The Associate CTPRP certification can be changed to a full CTPRP designation if the certification is kept active and the five (5) year professional experience requirement is achieved. Upon request, we will send the Associate designation holder the necessary form to apply for full designation. Similar to the initial application, the applicant will enter all work experience since receiving the Associate Certification and have their current manager sign a verification form. Please contact email@example.com to request information on making the transition from the associate to full designation.
On the application, you are required to enter the name of a person who can verify your employment. This is usually an applicant’s current manager but can be anyone who can verify that the employment information entered on your application is accurate. For those who are unemployed, Shared Assessments will make a determination based on a review of the documentation provided to show the necessary experience.
Applying for Certification
Once the class is completed and the exam is passed, an applicant will receive more information on applying for certification which includes providing a signed Proof of Experience form to show the length and level of experience. Once the completed forms are received, the application is approved for full or associate certification status, or the applicant is notified that more information is needed before a decision can be made.
Maintaining Your Certification
Qualifying Continuing Professional Education
The goal of attaining Continuing Professional Education (CPE) credits is to ensure the certification holders maintain the latest knowledge in the TPRM industry. The Shared Assessments Certification Advisory Council is responsible for defining the CPE requirements.
It is the responsibility of the certification holder to earn and track CPE credits and earn sixty (60) total CPE credits within the 3-year certification term. It is recommended, but not required, that designees earn twenty (20) CPE credits per year during the 3-year term.
Shared Assessments CPEs. All CPEs earned by attending Shared Assessments events or participating in Shared Assessments member-related meetings can be found and downloaded from your account in the Shared Assessments Certification and Events portal (education.sharedassessments.org). Please note, any CPEs issued before January 1, 2020 are not available in the portal but are available upon request. It can take up to thirty (30) days for a CPE certificate to be issued. Shared Assessments does not issue CPEs for partial attendance or for viewing recordings of our events currently.
Having a certification does not qualify you as a member of Shared Assessments. Your current employer must be an active member of Shared Assessments for you to participate in Member-only events and activities such as committee meetings and monthly Member Forum Calls. Shared Assessments does offer CPE-earning activities for non-members such as our annual Summit, webinars, workshops, and training. To learn more about membership for your organization and non-member CPE-earning events, visit our website, SharedAssessments.org.
CPE Hours Calculation. One CPE hour is earned for each fifty (50) minutes of active participation (excluding lunches and breaks) for qualifying educational activities and meetings. Shared Assessments does not issue CPE credits for partial attendance. Attendance duration is verified via teleconference records or staff verification. Shared Assessments does recognize partial credits from other organizations’ qualifying events.
Non-Shared Assessments CPEs. Non-Shared Assessments CPE credits are recognized and accepted by Shared Assessments and may be earned from attending industry conferences or webinars, authoring published materials, course instruction, or from speaking engagements pertaining to the topics that fall under the vendor risk management umbrella, such as security, privacy, and business continuity. Your everyday work in risk management does not count towards earning CPEs.
Examples of acceptable non-Shared Assessments include but are not limited to:
- ISACA, IAPP, ISC2, and AICPA education activities and meetings
- In-house corporate training, professional conferences, workshops, webinars, and university courses related to vendor risk management
- Vendor management-related self-study classes
- Teaching or presenting at industry conferences and events
You may upload any non-Shared Assessments CPEs to your account in our Education portal at any time. Once you’ve logged into your account, go to the Certificate tab, and click on the Add Non-Shared Assessments CPEs button. Follow the instructions on the page to upload the information. The required information to upload is:
- Event Name
- Sponsoring Organization Name
- Event Date
- Number of CPEs earned
Documentation proof of the agenda and attendance must be available in case of audit but is optional for upload to your account. Documentation must take the form of one of the following:
- Email notice from the issuing organization stating CPEs earned
- Electronic form or communication from the issuing organization stating agenda and attendance
- Certificate of completion from the issuing organization with a description of the event content
Certification holders are solely responsible for the legitimacy of their documentation and accurate recordkeeping. Certification holders may be required to participate in an audit of CPE credits for up to two years after the submission date.
Upon the 3-year term renewal date, the certification holder must have the minimum required CPEs in their account and the annual payment fee to renew their certification status. Uploading document proof is voluntary.
Audit of CPE Hours
A random sample of Certification holders is selected each year for audit. Those certification holders must provide written evidence of previously reported activities that meet the criteria described in the Qualifying Continuing Professional Education section above. Please send copies of supporting documentation because the documents will not be returned. The Shared Assessments Certification Advisory Council will determine the acceptance of hours for professional educational activities. Those individuals who do not comply with the audit will have their certification revoked.
Annual payment of the CTPRP Maintenance Fee
Certification expires at the end of three (3) years. For new CTPRP holders, the annual and three- year certification terms begin the date you are approved for your designation. This date can be found on your Certification certificate, in the email notifying you of your designation, and in your account in the Shared Assessments Education and Events portal. Associate and full CTPRP holders are required to pay an annual maintenance fee. As of January 1, 2021, the annual maintenance fee is US $100.00. This amount is subject to change. To renew the certification at the end of the 3-year term, holders must have paid the annual maintenance fees and report the required amount of CPE credits earned during the 3-year certification period.
Non-payment of Annual Maintenance Fee
If your annual maintenance fee payment is not received within 30 days of the anniversary of the certification date, the certification is suspended. If payment is not received within 60 days, the certification is termed.
If your annual maintenance fee and/or CPE requirements are not submitted within 30 days of your 3-year renewal date, the certification is suspended. If payment and/or CPEs are not received within 60 days, the certification is termed.
Comply with the Code of Ethics
Certification holders must abide by the Shared Assessments Code of Ethics to maintain their certification.
Certification Termination and Re-instatement
If any of the requirements for maintaining certification are not met, certification will be termed. It can be reinstated if requirements are met within two years of lapse. After two years, the certification holder must retake the class and the exam at their own expense. If certification is termed because of a Code of Ethics violation, the Shared Assessments Certification Advisory Council will review any request for reinstatement on a case-by-case basis.
Materials and Data Sharing Policy
Distribution of the materials to any party other than the intended recipient is strictly prohibited. Sharing materials without permission by Shared Assessments may result in the termination of the certification designation attained.
Exam and Certificant Data
Information about an individual’s performance on a certification exam and other detailed information will only be shared with that individual. Certification information will only be shared with someone other than the individual under the following circumstances:
- Individual gives written consent to share exam results and other detailed certification information. Such consent may be evidenced by a written authorization from the individual or by terms of employment (employment contract, Employee Handbook, etc.). It is not the responsibility of Shared Assessments to obtain consent. It is the requestor’s responsibility to obtain consent and provide the written documentation showing consent when submitting the request for information.
- Shared Assessments will confirm if an individual is currently certified without written consent but will not provide detailed information on certification date, term date, or exam or application data.
Use of the CTPRP Acronym and Logo
Upon successfully earning the CTPRP credential, individuals will receive a digital credential badge. CTPRP holders may use the CTPRP acronym following their name in signatures, business cards, websites, resumes, and other materials (example: John Q. Public, CTPRP). Shared Assessments does not provide individual use of the Shared Assessments or CTPRP logo.
If you have any questions or need support, please email us at firstname.lastname@example.org or call us at 505-466-6434.