ISACA, which is approaching 90,000 members world-wide, has always been centered on qualifications, so the change to an experience plus qualification is an interesting move for the 43-year-old group, Infosecurity notes.

The new qualification – CRISC (pronounced 'see-risk' ),  which stands for being Certified in Risk and Information Systems Control – relies on IT security professionals with at least eight years of experience in the industry and being able to prove they have spent at least six years operating in five key fields.

The key fields identified by ISACA are risk identification, assessment and evaluation; risk response; risk monitoring, information security control, design and implementation; and information security control monitoring and maintenance.

In addition, candidates must also prove at least three years of experience in risk identification, assessment, evaluation, response and monitoring.

Plans call for the first CRISC examination to be administered in 2011.

Announcing the new qualification, Urs Fletcher, the chairperson of the ISACA CRISC task force, said that enterprises around the world are rapidly realising the importance of monitoring, controlling and benefiting from risk-related activities.

"The CRISC designation helps provide assurance to employers that professionals who earn it are experienced in identifying and evaluating the risks unique to their specific organisation", he said.

"Earning CRISC also helps risk and control professionals demonstrate that they have the proven ability to design, implement, monitor and maintain effective risk-based information systems controls", he added.