RECMGMT-L Archives

Records Management

RECMGMT-L@LISTSERV.IGGURU.US

Subject:
From: Patrick Cunningham <[log in to unmask]>
Reply To: Patrick Cunningham <[log in to unmask]>
Date: Thu, 3 May 2012 23:51:26 -0700
Content-Type: text/plain

I have several staff who grandfathered into the CRISC certification. It is new, but considered a more specific certification than a CISA (which a couple of them have as well). CGEIT has been around for a couple more years than CRISC. ISACA is a pretty good size organization (95,000 members). You can get the numbers on the various certifications that ISACA offers at http://www.isaca.org/About-ISACA/Press-room/Pages/ISACA-Fact-Sheet.aspx. I am also an ISACA member. I'm going to attend a CISSP boot camp later this year.


Julie, I'm afraid that ISACA has a very firm foundation in COBIT. GARP is a shadow of COBIT (and I am one of the folks who helped put GARP together). 


My concern about the CIP and the upcoming ARMA Information Governance certification is that neither has a sufficiently formal body of knowledge behind the certification. As you note, information governance is very nebulous today. I am quite concerned that yet another certification is being designed before a formal governance framework has been developed along the lines of COBIT. ARMA would do well to study the COBIT framework and look to begin to flesh out something similar for records management, and, ultimately, for related elements of information governance.

ARMA has a very good foundation in GARP and the Competencies. This is a start. ISO 15489 is an additional element, but desperately needs updating. Throw into the mix some of the other standards that exist around the world, and again, there is a nice batch of stuff to build upon. But coming up with something on the order of COBIT is going to be hard -- and expensive. But in order for ARMA to lead, it has to develop more than a basic foundation. It has to develop the towers of competencies, standards, and controls upon which certifications can be built.

I'm going to disagree with you in your assessments of some of the certifications that you mention. The CISSP is one of the gold standards of the information security profession (the other is the CISM). It is narrowly focused for the profession and thorough. Boot camp for the CISSP is seven full days. CRISC is much narrower and focused on risk and risk assessments. But it also addresses a broader area of risk than we in records management would generally consider. CGEIT is also broader in that it speaks to governing IT as a whole. The CIP has no substantive foundation, although it tries to maintain a focus on information and information management processes.

As I build my Information Governance organization, I am putting together a team that holds a wide variety of certifications including the CRM, CIP, CIPP/IT, CISSP, CISM, CISA, CRISC, and EnCE, among others. I have staff with MBAs and MAs. This team is well-educated, certified across a number of information disciplines, and looking at how our organization maintains information and ensures the integrity of process to create and store that information. We own control standards for information security and will likely incorporate records management policy into those control standards. Retention is ultimately a focused control standard dealing with determining the end of the lifecycle. We focus on risk and understand the organization's appetite for risk and the current risk trigger points. This means that we have exceptions to policies and control standards from time to time, when the organization understands, accepts and mitigates the risk in a fashion that is acceptable to the business.

One of the things that we in records management have to get beyond is the sense that IT is nothing but a bunch of geeks writing code and buying hardware. For most large organizations, IT processes are quite formal. Many IT organizations are closely woven into SOx controls and audits. As IT outsources more and more work and moves business processes and technology into the cloud (also a form of outsourcing), the core IT organization changes radically. Controls and process governance become much more visible and important. Controlling risk as well as cost is critical. IT organizations are becoming more about managing and governing the information rather than buying or building the technology associated with information.


This approach has taken me a while to embrace. But it is something that I feel strongly about. 


ARMA cannot afford half measures; it cannot shoot from the hip. If it is going to play with the big dogs, it better understand what the big dogs do and how they play the game. AIIM would be well-advised to do the same. Both organizations (ARMA and AIIM) need to focus on their cores and develop depth and discipline and a formidable body of knowledge that stays within information management. There is nothing wrong with that. It is limiting, but it is focused and it is well within our collective competencies. I have been through this rodeo before when ARMA tried to grow beyond its means without 1) building the foundation well, and 2) without engaging in well-designed and delivered change management. Build your core and you grow. Alienate your core and never attract the right new constituency and you shrink. In my opinion, the worst thing that ARMA can do is be seen as running off chasing the latest buzzword or flavor of the month. ARMA should build its body of knowledge and competencies within the focus of retention and disposition. It should complement and engage related professional organizations like IAPP and ISACA. ARMA has a good niche and an important role to play. That needs to be built upon in a complementary manner. It can certainly help develop a better understanding of what is encompassed by information governance, but it is not going to own the concept.

My two cents' worth...

 
Patrick Cunningham, CRM, CIP, FAI
[log in to unmask]

"Perpetual optimism is a force multiplier." 
-- Colin Powell
