CTPRP Experience Eligibility Policy
In addition to attending the Shared Assessments Program Certification Workshop and successfully passing the Shared Assessments CTPRP examination, to earn the CTPRP certification, individuals must hold a minimum of five (5) years experience as a risk management professional, in a position(s) which demonstrates proficiency in assessment, management, and remediation of third party risk issues. (See “Experience Requirement Defined” below).
Upon receiving notice of the successful completion of the CTPRP examination, individuals must present the Shared Assessments CTPRP Proof of Experience form signed by a current manager. This form is received upon notification of passing the Shared Assessments CTPRP examination.
Experience Requirement Defined
CTPRP applicants must have a thorough working knowledge of third party risk management concepts and principles, including:
- Managing the vendor lifecycle
- Vendor risk identification and rating
- Determining monitoring frequency
- The fundamentals of vendor risk assessment, monitoring and management
- Effective utilization of third party questionnaires (trust)
- Conducting onsite assessments (verify)
- Developing an effective remediation plan and remediation reporting
Among the areas of expertise that qualify for CTPRP experience include some or all of the following areas:
- Third party risk management/assessment (either generally or IT specific)
- Audit and/or compliance
- Experience with determining whether organizations are executing risk controls against specific standards
- The risk control areas assessed as part of the third party assessment process
- Business continuity planning (BCP), access control, privacy, etc.
- Knowledge in the importance of risk controls and determining if controls are adequate.
Work Experience Substitutions and Waivers
A maximum of 2 years’ work experience may be waived as follows:
- One year waiver: The applicant holds a bachelor’s or master’s in information security or information technology from an accredited university.
- One year waiver: The applicant holds an IT or IS certification (i.e., CISA, CISSP, CIPP, CIPM, etc.).
NOTE: The acceptance of a certification in lieu of one year’s work experience is subject to the approval of the CTPRP Certification Committee.
Less Than Five (5) Years Experience
If an exam taker successfully passes the CTPRP exam but holds less than the minimum required years of experience, they have the option of submitting the Proof of Experience form within three (3) years from the start of the certification period. The certification period begins the subsequent quarter succeeding the exam date. No annual maintenance fee is required until the CTPRP has been awarded.
A manager at the applicant’s current place of employment must sign the CTPRP Proof of Experience form and attest to holding the minimum required experience.
For those who are self-employed or unemployed, the CTPRP Certification Committee will make a determination based on a review of documentation provided to show the necessary experience. Supporting documentation should be provided with Proof of Experience form to show the length and level of experience, including, but not limited to, items such as a current resume or CV, agendas from speaking engagements, letters of recommendation from past employers or consulting clients.
For more information, please contact The Santa Fe Group at 505-466-6434 or firstname.lastname@example.org.