BCS Practitioner Certificate in
Information Risk Management


BCS Accredited Training Organisation

Acquire the skills and knowledge to manage information risks,
from conducting assessments to developing risk treatment plans


The BCS Practitioner Certificate in Information Risk Management (PCIRM) takes a practical approach to learning about information risk management in the context of current standards, including the ISO 27000 series. The PCIRM is an in-depth professional certification for information security and data protection professionals responsible for assessing the risks associated with their information assets. Award holders will develop an understanding of the benefits of implementing an information risk management governance structure and culture throughout the organisation. This course is based on the current version of the BCS syllabus (v7.1) from July 2022.



Online sessions: 40+ hours

Flexible live interactive training

90-minute online BCS examination

8 to 12 week programme


Code    Course                                                        Start      Duration              Location
PC-IRM  BCS Practitioner Certificate in Information Risk Management   03 Jun 24  10 x 3.5hr sessions   Online
PC-IRM  BCS Practitioner Certificate in Information Risk Management   07 Oct 24  10 x 3.5hr sessions   Online


Course Overview

In the modern business environment, information is essential for the smooth functioning of operations. This information includes customer, service user, and employee details, as well as any non-personal information about the methods, plans, management systems, finances, procurement, research areas, intellectual property, and commercial activities relevant to the organisation's interests or statutory function. 

Information and the data it derives from is recorded or obtained from various internal and external activities or sources. This information is then analysed to gain valuable insights as well as being used to provide a comprehensive assessment of operational performance against a range of reporting metrics. The confidentiality, integrity, and availability of such information is therefore imperative, especially considering that it forms the basis for all decision-making processes across every level of the organisation.

In order to prevent inappropriate sharing or theft of information and data assets, organisations must actively monitor and minimise the risk of cyberattacks, information security incidents and privacy violations, which can cause significant harm to business operations and individuals. To accomplish this goal, organisations should ensure they have qualified employees in place to implement appropriate systems, policies, and procedures to identify and analyse potential vulnerabilities as part of a robust information risk management programme.

The BCS Practitioner Certificate in Information Risk Management (PCIRM) course provides a comprehensive understanding of the best practices, principles, and techniques used to safeguard critical information assets from a wide range of threats and vulnerabilities. The course addresses the fundamentals of information security and various international standards that apply to information risk management, including ISO 27001, 27005, and 31000. By attending this accredited BCS PCIRM course, attendees will develop practical skills in conducting risk assessments, evaluating risks against an organisation's risk appetite and developing risk treatment plans. 

The current version of the BCS syllabus (v7.1) from July 2022 prepares delegates for the 90-minute scenario-based online BCS examination.


The BCS Practitioner Certificate in Information Risk Management (PCIRM) is conducted over 10 consecutive morning sessions (or 5 full days when delivered in-company). 

The following schedule is intended as a guide:

Module 1
Introductions, Learning outcomes
BCS Exam details & techniques
The concepts and framework of information risk management
   • The lifecycle of information
   • What information risk management is, and why and when it should be undertaken
   • Which parts of an organisation may practice information risk management
   • The general legal and regulatory framework that surrounds risks to information
Understanding the context of risk in organisations
   • Why organisations must take account of information risk
   • The benefits to organisations of undertaking information risk management
   • The potential consequences to organisations of not undertaking information risk management
Module 2
The fundamentals of information security
   • Differences between information security, cyber security, information risk management and information assurance
Information risk terms and definitions
Information risk management standards
   • ISO 27001:2022 - Information security management systems (ISMS)
   • ISO 27005:2022 - Guidance on managing information security risks
   • ISO 31000:2018 - Risk management guidelines
Understanding the UK legal and regulatory environment
   • Data Protection Act 2018 & UK General Data Protection Regulation
   • Official Secrets Act
   • Freedom of Information Act
   • PCI Data Security Standard
The process of information risk management
   • The concept of information risk ownership
   • The four stages of information risk management
   • Conducting risk assessments (risk identification, risk analysis, risk evaluation and risk treatment)
   • Risk management methodologies
Module 3
Establishing an information risk management programme
   • The Plan-Do-Check-Act model, also known as the Deming Cycle
   • Leadership, responsibility and accountability
   • Integrating information risk management into business-as-usual operations
   • Resource allocation
   • Reporting
Development of a strategic approach to information risk management
The principles of information classification
   • The purpose of a classification scheme for information assets
   • Identifying and documenting information assets and their owners
   • Classification types
Module 4
Risk identification
The process of identifying information assets
Conducting a business impact analysis
   • The overall business impact analysis process and who should be involved
   • Formulating business interruption costs
   • Cost of failure analyses
   • The concept of worst-case scenarios
   • Direct and indirect impacts
   • Primary and secondary impacts
   • Quantifying impact levels
Conducting a threat and vulnerability assessment
   • How threats and likelihood combine to create a risk
   • Common threats and hazards
   • Motivations for threats and threat actors
   • Common vulnerabilities and their likelihood
Module 5
Risk assessments
How to undertake a risk analysis
   • Qualitative, quantitative and semi-quantitative risk analysis
   • Generic and specific risk analyses
   • The construction and use of a risk matrix
   • Impact, proximity and likelihood scales
   • Risk as an opportunity
Risk evaluation
   • How to quantify the results of a risk assessment
   • Comparing risk analysis results against organisational risk criteria
   • Risk registers
Module 6
Risk treatment options, controls and processes
   • Four strategic risk treatment options
      - Risk avoidance or termination
      - Risk reduction or modification
      - Risk transference or sharing
      - Risk acceptance or toleration and risk retention
   • Tactical and operational risk treatment controls
   • Importance of using a combination of strategic, tactical and operational approaches to risk treatment
   • Resilience, business continuity and disaster recovery
Module 7
Information risk monitoring
   • Monitoring of risks after treatment
   • Monitoring methods
Undertaking an information risk review
   • The need to conduct risk reviews at regular intervals and when their impact or likelihood may have changed 
   • Identifying new threats and risks
   • Ongoing reporting of the information risk management status
Module 8
Report and present the progress of a risk management programme
   • Requirements for reporting on an information risk management programme
   • Contents of a risk report
Presenting a business case (to the board)
   • The need for a business case
   • Business case preparation process and format
   • Presentation of an outline business case
Module 9
Questions & Answers
Individual 1-2-1 tutorials

Learning Objectives

BCS Practitioner Certificate in Information Risk Management (PCIRM) award holders will be able to demonstrate: 

  • An in-depth understanding of terminology, principles and techniques used to manage information risks effectively 
  • The necessary skills to conduct information security risk assessments, including business impact analyses, threat assessments, and vulnerability assessments
  • Detailed knowledge about how information classification schemes are used to categorise information based on its level of sensitivity and establish appropriate controls for each category
  • An ability to assess the level of risk and implement a treatment plan containing appropriate controls and measures to reduce the likelihood or impact of the risk
  • The practical skills and a recognised risk management qualification to make a valuable contribution to the protection of key information assets within your organisation

Who should attend this course?

The BCS Practitioner Certificate in Information Risk Management (PCIRM) will benefit most those working in the following areas or roles:

  • Information & Cyber Security
  • Business Continuity
  • Information Risk
  • Privacy & Data Protection Professionals
  • Data Protection Officers
  • Information Governance
  • Information Assurance
  • Digital transformation
  • IT and Information systems
  • Software Engineering
  • Test Managers & QA Engineers
  • AI Governance
  • Project Managers

BCS Syllabus

BCS Practitioner Certificate in Information Risk Management (PCIRM)
Extracted from syllabus version 7.1
July 2022

Download the new syllabus (PDF)

This is a UK government-regulated qualification administered and approved by one or more of the following: Ofqual, Qualifications Wales, CCEA Regulation and SQA.

Exam Preparation

The exam preparation day covers the following topics:

Part 1. Online discussion and presentation
  • Exam technique
  • Timing
  • Completing the exam paperwork
  • How to read and answer BCS exam questions properly
  • Exercises
  • Group discussion, 3 example questions
Part 2. Mock exam
  • 45-minute mock exam (50% of the exam paper)
Part 3. Discussion, Q&A, review of the mock exam
  • Group discussion, mock exam answers

Following the examination prep day, the instructor will evaluate each student’s mock paper and provide individual feedback. This will include direct comments on the answers and offer guidance for further study areas.


Duration and Format of the BCS Examination

The BCS Practitioner Certificate in Information Risk Management (PCIRM) exam format is a 90-minute multiple-choice examination. The exam is a closed book, i.e. no materials can be taken into the examination room.

Format of the Examination

Type: 60 multiple-choice questions

Duration: 90 minutes

Supervised: Yes

Open book: No (no materials can be taken into the examination room)

Pass mark: 39/60 (65%)

Delivery: Digital or paper-based

Reasonable adjustments: Adjustments and/or additional time can be requested in line with the BCS reasonable adjustments policy for candidates with a disability or other special considerations, including English as a second language.

Course Cost

Get this BCS Practitioner Certificate in Information Risk Management (PCIRM) for:


  • Receive a 15% online discount for multiple bookings onto public courses
  • Onsite courses can be delivered for teams of 6 or more
BCS Accredited PCIRM training package includes:
  • 10 x 3.5-hour live online sessions across 2 weeks, or
  • 5 days in a traditional classroom setting
  • 1-day exam preparation online training course
  • Entrance to the 90-minute, multiple-choice online BCS Examination
  • 1-2-1 coaching and support
  • 1st year BCS Associate membership
Courseware: a complete practitioner-level information risk management manual
  • Detailed training manual comes in an A4 bound folder + an editable electronic version
  • Includes free lifetime updates (electronic version), which means it will never go out of date
  • Electronic copy of the full course PowerPoint
  • Exercises & revision materials
  • Sample exam questions
  • Prep day course materials with sample exam questions

10% OFF


Sign up for our Privacy Newsfeed weekly newsletter to get your discount code. Receive additional offers by selecting the training announcements option.




In addition to the above course dates, you also need to select the dates for your examination events. Choose a date for your exam preparation day 3-6 weeks after the training course. Then book your BCS exam 2-6 weeks after the exam preparation day.

Exam preparation day

Duration: 1-day

Format: Online

  • 22 Mar 24
  • 10 Jul 24
BCS Exam

Duration: 90 minutes

Location: Online

  • 29 Mar 24
  • 17 Jul 24

Freevacy has been shortlisted in the Best Educator category.
The PICCASO Privacy Awards recognise the people making an outstanding contribution to this dynamic and fast-growing sector.