The Practitioner Certificate in Information Risk Management (PCIRM) course is designed to give candidates a solid foundation in information risk management: its core principles and terminology. It is intended for anyone who works in IT security or is looking to break into the field, whether you want to increase your value to your employer or build a long and successful career in cybersecurity. In this post we take a look at the syllabus you can expect to encounter when you take one of these IT security courses.
What is PCIRM?
Before offering some top tips on PCIRM, it is worth establishing what this certification is and what it aims to achieve. It is an information risk management qualification, and by achieving it you should be able to do the following:
- Evaluate risks
- Present risks in a way that will form the basis of a risk treatment plan
- Explain why control selection and risk treatment are vital
- Explain and use information risk management terminology
- Explain the business benefits that flow from managing information risk
- Conduct a risk analysis
- Know how to carry out threat and vulnerability assessments
- Conduct business impact analysis
When taking this type of IT security training, whether independently or alongside one of the available IT apprenticeships, you can expect to cover the following topics: the framework and concepts of information risk management, the fundamentals of information risk management, how to establish an information risk management programme, the identification of risks, the assessment of risks, the treatment of risks, how to present risks and the business case, and finally monitoring and reviewing information risk. Each of these domains contains several sub-topics. Let's take a look at each section in more detail.
- The framework and concepts of information risk management – This is the first module you will cover when training for PCIRM. You will learn about the need for information risk management and the context of risk within a business or organisation. Essentially, you will look at why, when and how information risk management should be used.
- Fundamentals of information risk management – You will look at the core concepts of information security, such as confidentiality, integrity, availability, authenticity, reliability, identification and accountability. Terms and definitions make up a large part of this module, and you will also cover the uses and the process of information risk management.
- How to establish an information risk management programme – It's all in the name with this module. It begins with the requirements for an information risk management programme, then moves on to developing a strategic approach that takes into account the organisation's legal and regulatory obligations, its information assurance requirements and much more.
- Identification of risks – This begins with identifying tangible and intangible information assets, which gives you the platform to conduct a business impact analysis and threat and vulnerability assessments.
- Assessment of risks – This module covers risk analysis, including the concept of risk as an opportunity as well as a threat, and how to define likelihood and proximity scales; and risk evaluation, including the contents of a risk register and how to quantify the results of your assessment.
- Treatment of risks – You will look at the options, controls and processes available to you when dealing with risks, including the four strategic risk treatment options (avoid, reduce, transfer and accept). You will then learn how to put a risk treatment plan in place.
- Presenting risks and the business case – This module is all about reporting and presentation, so that you can build a convincing case for the treatment you are recommending.
- Monitor and review – Finally, you will round off the course by learning why monitoring and reviewing information risk is so important, and how to implement those procedures.
Advice for anyone considering PCIRM
- Gain prior experience – It is important to recognise that this is not a starter course. It is designed for people who already have some experience in the industry. While there are no formal prerequisites in terms of qualifications, ideally you will have a minimum of two years' experience in information security and risk management. Knowledge of the relevant security standards, such as ISO/IEC 27001, 27002 and 27005, will also help.
- Formal training – It is strongly advisable to have formal training before you sit the exam. The syllabus is broad, and if you do not attend a training course there is a real risk that something will be left out. Topics range from risk monitoring to information risk management terminology, risk management controls, typical classification schemes and a review of information security fundamentals. Choosing a course with care is therefore imperative.
- The exam – The exam is split into two sections. The first consists of six short-answer questions and ten multiple-choice questions. The second consists of three scenario-based essay questions. To pass, you need an overall mark of at least 65 per cent.
To conclude, achieving the Practitioner Certificate in Information Risk Management comes highly recommended. It puts you in a good position for career growth, and for finding a new role in the future. Bear in mind the advice above when preparing for the certification.