A new qualification is available for experts in IT governance. It's so hard that you can't revise for it, only take it and hope you are good enough to pass, as Gary Flood reports.

Sorry if the above seems off-putting, but the organisation behind the certification is adamant that becoming Certified in the Governance of Enterprise IT (CGEIT) can never be seen as something achieved by any kind of brain dump.

However, practitioners of the disciplines around effective IT governance are unlikely to be offended - and in fact are probably not that surprised at this high barrier, given that the new exam is from the same body that twice a year whittles down 250 proposed questions for another of its exams to a mere 23, which in turn get heavily rewritten.

I am referring to the new qualification coming out of Information Systems Audit and Control Association (ISACA), the body behind the control objectives for information and related Technology (COBIT) IT governance standard.

December 2008 saw the first delegates sit the CGEIT, which becomes the third qualification available from this group, complementing its 20-year-old Certified Information Systems Auditor (CISA) and seven year old Certified Information Security Manager (CISM).

'We see a clear emergence of what might be called a new class of professional, the IT governance specialist, and this qualification is a reflection of that trend and a way to recognise that unique skill set,' says Howard Nicholson, business analyst for the City of Salisbury in Southern Australia and chair of ISACA's CGEIT Certification Board.

Like its two stable mates, CGEIT now becomes a biannual exam event, with the next round set for June 2009. Not surprisingly, given its tender age, CGEIT is a minority sport in terms of uptake at the moment, with just around 1,000 holders as of the start of 2009. Note that the holders didn't all physically sit the exams, which are offered globally, last December - only 300 or so candidates so did, and the 1,000 only represents half of all those who applied in the first place. The others who hold the certificate are 'grand fathered' - see below.

The exam is a stiff test of whichever candidate makes it through to sitting it, as it seeks to examine the six identified relevant domains of IT governance and a number of related sub-domains and tasks. 'We don't expect candidates to know all of this but they do need to demonstrate a high level of base competency. We also expect them to be able to write a clear narrative of what they are doing in their day jobs so as to demonstrate their suitability.'

Just sitting the exam isn't even the end of this process; each paper is examined blind by up to three assessors and a work reference from a peer also needs to be considered. Plus, the qualification needs to be scrutinised on a rolling three-year basis to ensure the holder is still up to the mark.

Multiple choice / pass by regurgitating the supplier's book type of exam this just is not, or as Nicholson puts it: 'Don't even bother sitting this if you don't work in this area.'

ISACA, in a process it calls 'grandfathering', invited applications from IT governance professionals to be considered for being granted the qualification based on experience alone, with the median amount of such real-world exposure to governance issue of the successful candidates being around eight years.

One such 'grandfathered' new CGEIT holder is Jo Stewart-Rattray, director of information security at the Australian arm of chartered accountants RSM Bird Cameron, who thus now holds all three ISACA qualifications. Was it worth it?

'Having these qualifications has absolutely helped me,' she told IT Training. 'The Federal Government here in Australia did some research into market credentials in audit and IT security some years back and identified these as having very strong value. In my job I have also found that clients recognise their worth and I think have a higher level of confidence in the consultant assigned to them if they see them, as they have such a high "experiential" component, not just showing you've acquired a body of knowledge.'

ISACA may not be massively well known outside the audit, assurance and IT security domains - but has undeniable credibility in the areas its 86,000 members operate in. Indeed, in 2009 the body is celebrating its 40th anniversary, no less; some 18,000 professionals annually undergo the CISA process, for example, with a global tally of 60,000 such exam holders now in the market, while CISM is up to about the 10,000 level.

Those involved with the ISACA certification family see the addition of CGEIT as underlining a growing global interest in compliance, set, they believe, for even more focus in light of the ongoing credit crunch.

ISACA certifications not only have this very determined focus on real-world experience, they don't have the traditional tertiary (apprentice/beginner, mid-level and master) structure of, say, the traditional MCSE et al: one just passes, or doesn't. The body claims a CISM or CISA is roughly equivalent to a postgraduate diploma (and presumably values the new CGEIT at an equivalent level).

We said 'just passes'; and we weren't joking. Derek Oliver, CEO of UK audit specialists Ravenswood Consultants, founding chairman of ISACA's CISM Test Enhancement Committee and a former member of the group's CISA Certification Board, is both a CISA holder and a developer of both it and the CISM exams; as far as can be done, he provides the nearest thing to third party training one can get for ISACA qualifications - though he is 'still thinking' about whether or not to take on CGEIT work as well, he says.

He told IT Training he'd hate to sit the CIS again as it is so tough - and that CISA has a quite remarkable 55 per cent failure rate first time round. 'These aren't exams you have reading lists for, and we will never ask you a question you can get from just reading a book, there are no "definitional" questions at all - this is all about practical experience,’ he warns. 'I tell people that the best way they can prepare for an ISACA exam is to sit one.' Oliver is convinced that the chance is worth taking: 'In the UK and US, basically for a junior audit job it's "CISA preferred" and for senior jobs - "CISA required".'

This exam machismo must be slightly tempered by the fact that there at least a few ISACA-sponsored guides and 'candidate manuals' available. But there is no denying that ISACA and the group of highly expert professionals it represents (note that non-members are welcome to sit the exams - though they may pay a bit more than their enrolled colleagues) do feel that having these letters after your name really does mean that you have earned them.

Where will CGEIT go next? We suspect that it forms the first attempt by ISACA to start framing a COBIT professional qualification itself. In the meantime, we can only point any IT governance practitioner who thinks they have the grey hairs to prove they truly know what they are talking about to the CGEIT door to see if they can pass the exam you can't revise for.

To find out more:
ISACA homepage