The BCS Practitioner Certificate in Information Risk Management (PCIRM) takes a practical approach to learning about information risk management in the context of current standards, including the ISO 27000 series. The PCIRM is an in-depth professional certification for information security and data protection professionals responsible for assessing the risks associated with their information assets. Award holders will develop an understanding of the benefits of implementing an information risk management governance structure and culture throughout the organisation. This course is based on the current version of the BCS syllabus (v7.1) from July 2022.
8 to 12 week programme
In the modern business environment, information is essential for the smooth functioning of operations. This information includes customer, service user, and employee details, as well as any non-personal information about the methods, plans, management systems, finances, procurement, research areas, intellectual property, and commercial activities relevant to the organisation's interests or statutory function.
Information, and the data it is derived from, is recorded or obtained from various internal and external activities or sources. This information is then analysed to gain valuable insights and to provide a comprehensive assessment of operational performance against a range of reporting metrics. The confidentiality, integrity, and availability of such information are therefore imperative, especially considering that it forms the basis for all decision-making processes at every level of the organisation.
In order to prevent inappropriate sharing or theft of information and data assets, organisations must actively monitor and minimise the risk of cyberattacks, information security incidents and privacy violations, which can cause significant harm to business operations and individuals. To accomplish this goal, organisations should ensure they have qualified employees in place to implement appropriate systems, policies, and procedures to identify and analyse potential vulnerabilities as part of a robust information risk management programme.
The BCS Practitioner Certificate in Information Risk Management (PCIRM) course provides a comprehensive understanding of the best practices, principles, and techniques used to safeguard critical information assets from a wide range of threats and vulnerabilities. The course addresses the fundamentals of information security and various international standards that apply to information risk management, including ISO 27001, 27005, and 31000. By attending this accredited BCS PCIRM course, attendees will develop practical skills in conducting risk assessments, evaluating risks against an organisation's risk appetite and developing risk treatment plans.
The current version of the BCS syllabus (v7.1) from July 2022 prepares delegates for the 90-minute scenario-based online BCS examination.
The BCS Practitioner Certificate in Information Risk Management (PCIRM) is conducted over 10 consecutive morning sessions (or 5 full days when delivered in-company).
The following schedule is intended as a guide:
Introductions, Learning outcomes
BCS Exam details & techniques
The concepts and framework of information risk management
• The lifecycle of information
• What information risk management is, and why and when it should be undertaken
• Which parts of an organisation may practice information risk management
• The general legal and regulatory framework that surrounds risks to information
Understanding the context of risk in organisations
• Why organisations must take account of information risk
• The benefits to organisations of undertaking information risk management
• The potential consequences to organisations of not undertaking information risk management
The fundamentals of information security
• Differences between information security, cyber security, information risk management and information assurance
Information risk terms and definitions
Information risk management standards
• ISO 27001:2022 - Information security management systems (ISMS)
• ISO 27005:2022 - Guidance on managing information security risks
• ISO 31000:2018 - Risk management guidelines
Understanding the UK legal and regulatory environment
• Data Protection Act 2018 & UK General Data Protection Regulation
• Official Secrets Act
• Freedom of Information Act
• PCI Data Security Standard
The process of information risk management
• The concept of information risk ownership
• The four stages of information risk management
• Conducting risk assessments (risk identification, risk analysis, risk evaluation and risk treatment)
• Risk management methodologies
Establishing an information risk management programme
• The Plan-Do-Check-Act model, also known as the Deming Cycle
• Leadership, responsibility and accountability
• Integrating information risk management into business-as-usual operations
• Resource allocation
Development of a strategic approach to information risk management
The principles of information classification
• The purpose of a classification scheme for information assets
• Identifying and documenting information assets and their owners
• Classification types
The process of identifying information assets
Conducting a business impact analysis
• The overall business impact analysis process and who should be involved
• Formulating business interruption costs
• Cost of failure analyses
• The concept of worst-case scenarios
• Direct and indirect impacts
• Primary and secondary impacts
• Quantifying impact levels
Conducting a threat and vulnerability assessment
• How threats and likelihood combine to create a risk
• Common threats and hazards
• Motivations for threats and threat actors
• Common vulnerabilities and their likelihood
How to undertake a risk analysis
• Qualitative, quantitative and semi-quantitative risk analysis
• Generic and specific risk analyses
• The construction and use of a risk matrix
• Impact, proximity and likelihood scales
• Risk as an opportunity
• How to quantify the results of a risk assessment
• Comparing risk analysis results against organisational risk criteria
• Risk registers
Risk treatment options, controls and processes
• Four strategic risk treatment options
- Risk avoidance or termination
- Risk reduction or modification
- Risk transference or sharing
- Risk acceptance or toleration and risk retention
• Tactical and operational risk treatment controls
• Importance of using a combination of strategic, tactical and operational approaches to risk treatment
• Resilience, business continuity and disaster recovery
Information risk monitoring
• Monitoring of risks after treatment
• Monitoring methods
Undertaking an information risk review
• The need to conduct risk reviews at regular intervals, and whenever the impact or likelihood of a risk may have changed
• Identifying new threats and risks
• Ongoing reporting of the information risk management status
Report and present the progress of a risk management programme
• Requirements for reporting on an information risk management programme
• Contents of a risk report
Presenting a business case (to the board)
• The need for a business case
• Business case preparation process and format
• Presentation of an outline business case
Questions & Answers
Individual 1-2-1 tutorials
BCS Practitioner Certificate in Information Risk Management (PCIRM) award holders will be able to demonstrate:
The BCS Practitioner Certificate in Information Risk Management (PCIRM) will benefit most those individuals working in the following areas or roles:
BCS Practitioner Certificate in Information Risk Management (PCIRM)
Extracted from syllabus version 7.1
This is a UK government-regulated qualification administered and approved by one or more of the following: Ofqual, Qualifications Wales, CCEA Regulation and SQA.
The topics covered in this session include:
Following the examination preparation day, the instructor will evaluate each student's mock paper and provide individual feedback, including direct comments on the answers and guidance on areas for further study.
The BCS Practitioner Certificate in Information Risk Management (PCIRM) exam is a 90-minute multiple-choice examination. It is closed book, i.e. no materials can be taken into the examination room.
Type: 60 Multiple Choice Questions
Open Book: No (no materials can be taken into the examination room)
Pass Mark: 39/60 (65%)
Delivery: Digital or paper-based
Adjustments and/or additional time can be requested in line with the BCS reasonable adjustments policy for candidates with a disability or other special considerations, including English as a second language.
In addition to the above course dates, you also need to select the dates for your examination events. Choose a date for your exam preparation day 3-6 weeks after the training course. Then book your BCS exam 2-6 weeks after the exam preparation day.
Duration: 90 minutes
Freevacy has been shortlisted in the Best Educator category. The PICCASO Privacy Awards recognise the people making an outstanding contribution to this dynamic and fast-growing sector.