Module 0 - Lesson 4 - PolicyWizard Qualifications & Certifications
In this lesson, we will look at some of the qualifications and certifications that will help a PolicyWizard attain some career progression.
Every route through the industry will be unique and there's no set path. Using certifications as a guide, these are some of the different ones and the level you'll be expected to be at when holding the certification.
I'll start with higher education. College or university. You can 100% get a job in the industry without this type of education. It does however tick a box for many employers. A degree or relevant experience is a common requirement within job descriptions, especially if you're starting to progress to more senior positions.
If you do not hold some form of higher education, a sound understanding of the knowledge can be gained by passing the CompTIA triad of certifications. These courses are available free on YouTube and the barriers to entry are just the cost of the examination attempts. The prices are attainable for someone determined on this career path. Be prepared to learn a vast number of subjects at a very, very low level for these courses. You'll be expected to have some hands-on experience using this knowledge.
If you have higher education, for example, a computer science or cybersecurity degree, you can skip getting the A+ and Network+ exams, but you should still know the curriculum to a level where you could pass the exam. Security+ is often seen as the minimum requirement for entry into the cyber or information security industries.
So, once you have the Security+ under your belt, start adding basic certifications in security frameworks. This is required knowledge for the vast majority of GRC jobs and the minimum required knowledge for senior levels of most career paths within the industry.
In the UK or Europe, focus your energy on ISO 27001 and GDPR. In the USA, NIST CSF and SOC2 are far more common and you'll do well by learning those. Some understanding of CCPA and CRPA would certainly impress hiring managers of American companies. However, some large companies are aligning themselves with GDPR as a catch-all for global privacy regulations.
After a year or two in the industry, you should be looking to upskill and gain more knowledge within the focus area of your chosen career path. Governance, risk management and compliance are the three areas and you can specialize in all three. Choose your route and then build on those skills. A strong route is shown in this diagram.
ISO 27001 Implementer will give you the knowledge required to work as a consultant helping businesses attain that certification. It is transferable to other frameworks as the skills are not unique.
Certified Information Security Risk Management (CIS RM) is a mid-level risk course that will give you a thorough understanding of the risk management process.
NIST CSF professional will give you the knowledge to implement that framework and GDPR practitioner will give you expert knowledge about European privacy regulations. This is often required by companies internationally that do business in Europe.
Moving to the senior level, ISO 27001 lead auditor and CISA, Certified Information Security Auditor, focus on compliance requirements. CRISC is an advanced level qualification in risk management. CISM, Certified Information Security Manager, is often a requirement for any manager role within the industry. And CISSP is a qualification required for most senior roles.
I hope this short lesson helps you focus on the route you want to take as a PolicyWizard. You'll be well placed to move through these courses, as the experience gained writing policies exposes the developer to all areas of the company, business, and technology.