Best IT Governance Certifications 2018

Today's organizations must keep a careful eye on regulations governing financial accountability, data security and protection, and customer privacy. Add to that the need to minimize risk, maintain profitability, ensure efficiency and meet strategic goals, and there's a lot on your plate.

Because IT plays such a major role in all these areas, organizational governance extends to IT as well. In turn, this prompts a need for serious-minded people who understand these worlds, can meet overarching business goals and will realize mission statements.

IT governance adds structure to the process of aligning IT with business strategies. It seeks to produce measurable results, to meet regulatory and legal obligations, and to ensure that investments produce positive gains. Several governance frameworks are available to help reach these goals – COBIT, ISO/IEC 38500 and ITIL, to name just a few.

In this article, we look at five IT governance certifications that are well known and well regarded across a variety of industries and fields. We conducted a search of several popular job boards for the certifications featured here. We found no shortage of requests from employers seeking candidates holding these best-of-the-best credentials.

We limited our search to the U.S. (With its roots in Great Britain and Europe, ITIL is bound to be in higher demand across the pond.) Most of these certifications have hefty work experience requirements. Thus, it's safe to speculate that these certifications aim at experts who are leaders in their organizations.

[Table of job board search results by certification (columns: Simply Hired, LinkedIn Jobs; rows include ITIL Expert and CGRC): figures not recoverable from the page.]
As far as salaries go, Simply Hired reports an average salary of $67,172 for IT governance, risk and compliance jobs, topping out around $125,000. Risk manager salaries average $98,000, with some salaries as high as $167,000. Glassdoor reports a salary range for IT governance, risk and compliance from $115,000 to $178,000, with risk managers' pay ranging from $103,000 to $138,000.

Let's look at the top five IT governance certifications for 2018.

ITIL (formerly known as the Information Technology Infrastructure Library) is a well-defined set of best practices that organizations use to design, implement, manage and maintain IT service projects. ITIL's primary focus is service management, which aligns IT projects and services with the business goals of an organization. ITIL also meets quality standards set by ISO/IEC 20000, so an organization that consistently and closely follows ITIL practices is quite likely to offer high-quality products or services.

In 2013, ITIL was acquired by Axelos, which focuses on global best practices and standards. Axelos also offers certifications for Resilia, Prince2 (2009 and 2017), Prince2 Agile, P3O, MSP, M_o_R, P3M3, MoP and MoV. Axelos manages updates to the ITIL framework, and it also accredits ITIL exam institutes and licenses third-party organizations to use ITIL's intellectual property.

The ITIL certification tier offers several certifications to help employers find or groom employees with the right skills and knowledge to implement ITIL processes:

  • ITIL Foundation
  • ITIL Practitioner
  • ITIL Intermediate
  • ITIL Expert
  • ITIL Master

The ITIL Expert certification recognizes well-rounded and balanced knowledge across all areas of the ITIL service lifecycle.

The Foundation, Practitioner and Intermediate tiers require certification exams. To achieve the ITIL Expert credential, candidates must hold the ITIL Foundation certificate or a Bridge qualification equivalent, acquire at least 17 credits per the ITIL Credit System, and pass the Managing Across the Lifecycle (MALC) exam to amass a total of 22 credits.

Achieving the ITIL Expert level is a prerequisite for the ITIL Master Qualification, the pinnacle ITIL credential. The ITIL Master is also in high demand, primarily in large enterprises, government agencies and so forth.

Certification name: ITIL Expert

Prerequisites and required courses:

  • ITIL Foundation certificate or Bridge certificate equivalent
  • Minimum of 22 credits from ITIL qualifications or complementary certs: 17 credits from any selection of Foundation and Intermediate modules or complementary qualifications
  • 5 credits from the Managing Across the Lifecycle module

Number of exams: One: Managing Across the Lifecycle (MALC) exam (multiple choice, 120 minutes)

Cost per exam: Prices vary depending on training provider. Candidates can expect to pay approximately $3,095 for online and $3,095 to $4,995 for classroom MALC training and exam.

Self-study materials: Multiple resources are available from the official ITIL site, including blogs, whitepapers, case studies, mobile apps, skills assessment tools, videos, sample papers, webinars and course syllabi. Some training providers offer self-paced training courses for as little as $225.

ISACA is a highly respected, global nonprofit association that provides education, conferences, publications and certification for IT governance professionals. Four certifications are available from ISACA that address information systems auditing, information security management, enterprise IT governance, and risk and information systems control:

  • Certified Information Systems Auditor (CISA)
  • Certified Information Security Manager (CISM)
  • Certified in the Governance of Enterprise IT (CGEIT)
  • Certified in Risk and Information Systems Control (CRISC)

ISACA also offers the Cybersecurity Nexus (CSX) program. Candidates can achieve the CSX Practitioner (CSX-P) certification by passing a performance-based exam.

The CGEIT credential is geared toward professionals who play a significant role in managing, advising and/or assuring IT governance. Typical job roles include senior security analyst and chief information security officer – the upper echelon of the organization chart.

Professionals at this level align IT with business strategies and goals, manage IT investments to maximize return on investment, strive for excellence in IT operations and governance, and promote greater efficiency and effectiveness in IT while minimizing risk.

ISACA's CGEIT exam covers five domains that address various aspects of governance and risk management:

ISACA's work experience requirements for the CGEIT qualification are demanding. To meet the five-year minimum requirement, one year must be directly related to enterprise IT governance frameworks. For the other four years, you must demonstrate experience in at least two of these domains: strategic management, benefits realization, risk optimization and resource optimization.

If you teach an accredited IT governance curriculum at an approved institution, every two full-time years of teaching count as one year toward the CGEIT work requirement. Candidates with certain types of management experience and advanced degrees or certifications may substitute up to two years to meet the experience requirement.

Certification name: Certified in the Governance of Enterprise IT (CGEIT)

Prerequisites and required courses:

  • A minimum of five years of professional-level enterprise management experience, or experience serving in an advisory or governance support role (including a minimum of one year defining, managing and establishing a framework for governance of IT), with evidence required as defined by the CGEIT Job Practice
  • Agree to adhere to the ISACA Code of Professional Ethics
  • Agree to comply with the CGEIT Continuing Education Policy

Number of exams: One (150 questions, 4 hours)

Cost per exam: $575 (member)/$760 (nonmember)

Self-study materials: Candidate's Guide to the CGEIT Exam, job practice, study materials and review courses are available on the certification webpage.


Making its first appearance on our top-five list is the Certified in Governance, Risk and Compliance (CGRC) credential from the GRC Group. A globally recognized leader in governance, risk and compliance, the GRC Group consists of two institutions:

  • The SOX Institute, which focuses on Sarbanes-Oxley (SOX) certifications
  • The GRC Institute, which targets certification and training in the areas of governance, risk and compliance (including GRC for information security and information technology)

The GRC Institute offers two certification tiers – Base-Level and Pro-Level – with four certifications at each level.

Base-Level certifications:

  • Certified in Corporate Governance (CGOV)
  • Certified in Integrated Risk Management (CIRM)
  • Certified in Internal Control Management (CICM)
  • Certified in Governance, Risk, and Compliance (CGRC)

Pro-Level certifications:

  • Certified Corporate Governance Professional (CGOVP)
  • Certified Integrated Risk Management Professional (CIRMP)
  • Certified Internal Control Management Professional (CICMP)
  • Certified Governance Risk Compliance Professional (CGRCP)/Certified Governance Risk Compliance Manager (CGRCM)

Certification requirements for the CGRC are stringent. To earn the credential, candidates must possess the CGOV, CIRM and CICM certifications. Current membership in the GRC Group is required, plus a minimum of three years of professional experience. Exams are required for the lower-level certifications but not for the CGRC. To maintain the credential, candidates must earn 12 hours of training and keep their GRC Group membership current.

Certification name: Certified in Governance, Risk, and Compliance (CGRC)

Prerequisites and required courses:

  • Current GRC Group membership
  • Three years of professional experience
  • Certified in Corporate Governance (CGOV)
  • Certified in Integrated Risk Management (CIRM)
  • Certified in Internal Control Management (CICM)

Number of exams: None; exams are required for the prerequisite credentials

Cost per exam:

Self-study materials: Self-study via recorded online courses; classroom and live online training are also available


Another certification from ISACA, Certified in Risk and Information Systems Control (CRISC), recognizes IT professionals who are responsible for an organization's risk management program.

CRISC professionals manage risk, design and oversee response measures, monitor systems for risk, and ensure the organization's risk management strategies are met. Organizations look for employees with the CRISC credential for jobs such as IT security analyst, security engineer or architect, information assurance program manager, and senior IT auditor.

The CRISC exam covers four domains that are periodically updated to reflect the changing needs of the profession:

ISACA requires CRISC candidates to have a minimum of three years of cumulative, professional-level risk management and control experience, and to perform tasks in at least two CRISC domains, one of which must be Domain 1 or 2. Work experience must fall within the 10 years preceding the application date. Alternatively, candidates for CRISC certification have up to five years after passing the exam to fulfill the work experience requirement.

Since the inception of the CRISC certification program in 2010, more than 18,000 professionals have acquired this certification. Such a strong response says a lot about the program and the need for this type of credential in the enterprise workforce.

Certification name: Certified in Risk and Information Systems Control (CRISC)

Prerequisites and required courses:

  • A minimum of three years of cumulative, professional-level risk management and control experience
  • Perform the tasks of at least two CRISC domains, one of which must be Domain 1 or 2
  • Agree to adhere to the ISACA Code of Professional Ethics
  • Agree to comply with the CRISC Continuing Education Policy

Number of exams: One (150 questions, 4 hours)

Cost per exam: $575 (member)/$760 (nonmember)

Self-study materials: Candidate's Guide to the CRISC Exam, job practice, study materials and review courses are available on the certification webpage.

The highly regarded Project Management Institute (PMI) is perhaps best known for its Project Management Professional (PMP) credential, but it also offers the PMI Risk Management Professional (PMI-RMP) for governance, risk and compliance professionals.

The PMI-RMP recognizes individuals who have a combination of top-notch project management skills and the ability to identify and accurately assess project risks and then mitigate identified threats to organizations.

Candidates must pass one exam and meet considerable education and experience requirements. The exam focuses on the following domains:

  • Domain 1: Risk Strategy and Planning
  • Domain 2: Stakeholder Engagement
  • Domain 3: Risk Process Facilitation
  • Domain 4: Risk Monitoring and Reporting
  • Domain 5: Perform Specialized Risk Analyses

Once you achieve the PMI-RMP, you may maintain the credential by earning 30 professional development units (PDUs) in one or more risk management topics every three years.

Certification name: Project Management Institute – Risk Management Professional (PMI-RMP)

Prerequisites and required courses (one of two paths):

  • Secondary degree (high school diploma, associate's degree or the global equivalent), 4,500 hours of project risk management experience and 40 hours of project risk management education
  • Four-year degree (bachelor's degree or the global equivalent), 3,000 hours of project risk management experience and 30 hours of project risk management education

Number of exams: One (170 questions, 3.5 hours)

Cost per exam: $520 (member)/$670 (nonmember)

Self-study materials: Exam guidance and a reference list of recommended study resources are available on the PMI website.

Beyond the top five IT governance certifications covered in this article, other certification programs can further the careers and professional development of IT professionals working in governance, risk management and compliance.

For example, interested parties should check out the Governance, Risk Management and Compliance Professional (GRCP) certification by GRC Certify. Another credential worth noting is the Leadership Professional in Ethics & Compliance (LPEC) certification from the Ethics and Compliance Initiative (ECI). ECI bills itself as the oldest ethics and compliance research organization in the U.S. Currently, ECI has 1,500 members with slightly more than half (800-825) certified.

One credential absent from our list of the top five this year is the BCS Information Security Management Principles Foundation Certificate. BCS is based in the U.K., and, while popular overseas, its credentials just haven't gained enough popularity in the U.S. to maintain a slot in the top five. The BCS certifications are still excellent and worth consideration if you're working overseas in the U.K. or EMEA.

Finally, the Institute of Internal Auditors (IIA) has a well-established certification program aimed at auditors in the government and financial sectors. Within the IIA lineup is the Certification in Risk Management Assurance (CRMA) credential, which identifies professionals who provide risk management assurance and advice to senior management and audit committees.

Be sure to investigate these certs on your own. One of them might prove even more valuable to your career path than the ones we've featured here.