Certification Rules and Policies

1. Professional References

For each application, two professional references are required. Professional references shall be individuals who have worked with you in a professional environment and can validate your expertise in the respective field, current, and previous work history. You cannot use as a referee the persons who fall under your supervision or are a relative of yours.

Note: References do not apply for Foundation, Transition, and Provisional certificates.

2. Professional Experience

Candidates shall provide complete information regarding their professional experience, including job titles, commencement and end dates, job descriptions, and more. Candidates are advised to summarize their previous and current assignments, providing sufficient details to describe the nature of the responsibilities that they have had. More detailed information can be included in the résumé.

A pre-evaluation step will be done, before the certification process is implemented for all candidates that will apply for ISO/IEC 27005:2022 Risk Manager/Lead Risk Manager and DPO Certification Schemes. This will be carried out to confirm if the candidate meets the work experience specified within the certification scheme.

Work experience does not apply for Foundation, Transition and Provisional certificates.

Note: ISO/IEC 27005:2022 Risk Manager/Lead Risk Manager and DPO-CNIL certification schemes do not have Provisional credentials.

3. Audit Experience

The candidate’s audit log will be checked to ensure that the candidate has the required number of audit hours. The following audit types constitute valid audit experience: pre-audit, gap analysis, internal audits, second-party audits, third-party audits, or opinion audits.

Note: Audit experience is required only for Lead Auditor certification schemes.

4. Project Experience

The candidate’s project log will be checked to ensure that the candidate has the required number of implementation hours.

Note: Project experience is required only for Lead Implementer, Lead Manager, Lead Risk Manager, Risk Manager and DPO certification schemes.

5. Evaluation of Applications

The Certification Department will evaluate each application to validate the candidate’s eligibility for certification or certificate program. A candidate whose application is being reviewed will be notified in writing and given a reasonable time frame to provide any additional documentation if necessary. If a candidate does not respond by the deadline, or does not provide the required documentation within the given time frame, the Certification Department will validate the application based on the initial information provided, which can eventually lead to the downgrade of it to a lower credential or it can be declared ineligible. At the end of the evaluation of the application, if all requirements are met, a certificate and a digital badge are issued to the candidate.

Note 1: Downgrade is not applicable for Foundation, Transition, and Provisional certificates.

Note 2: For ISO/IEC 27005:2022 Risk Manager/Lead Risk Manager and CNIL downgrade is not applicable.

6. Denial of Certification/Certificate Program

PECB can deny certification/certificate program if candidates:

• Falsify the application
• Violate the exam procedures
• Violate the PECB Code of Ethics
• Fail the exam

Any concerns regarding the denial of certification/certificate program can be appealed in writing to the Certification Board.

The application payment for the certification/certificate program is nonrefundable. This is because of the process of verifying the application, the evidence submitted by the candidates, and the engagement of the relevant departments in this process.

7. Suspension of Certification

PECB can temporarily suspend certification if the candidate fails to satisfy the requirements of PECB. Additional reasons for suspension can be if:

• PECB receives excessive or serious complaints by interested parties (Suspension will be applied until the investigation has been completed.).
• The logos of PECB or accreditation bodies are willfully misused.
• The candidate fails to correct the misuse of a certification mark within the determined time by PECB.
• The certified individual has voluntarily requested a suspension.
• PECB deems appropriate other conditions for suspension of certification/certificate program.

Note 1: For ISO/IEC 27005:2022 Risk Manager/Lead Risk Manager, failure to submit the CPD and AMF payment during the cycle will result in a 12-month suspension period, during which you can address any outstanding AMFs and CPDs. If no action is taken during the suspension period, the certification will be revoked.

Note 2: For CNIL, failure to comply with the recertification requirements (work experience in data protection and passing the CNIL recertification exam) will result in a 12-month suspension period. If no action is taken during the suspension period, the certification will be revoked

8. Revocation of Certification

PECB can revoke (that is, to withdraw) certification if the candidate fails to satisfy the requirements of PECB. Candidates are then no longer allowed to represent themselves as PECB certified professionals. Additional reasons can be if candidates:

• Violate the PECB Code of Ethics
• Misrepresent and provide false information of the scope of the certification/certificate program
• Break any other PECB rules
• Any other reasons that PECB deems appropriate

Individuals whose certification has been revoked, are not authorized to use any references to a certified status.

Note 1: For ISO/IEC 27005:2022 Risk Manager/Lead Risk Manager, failure to submit the CPD and AMF payment during the cycle will result in a 12-month suspension period, during which you can address any outstanding AMFs and CPDs. If no action is taken during the suspension period, the certification will be revoked.

Note 2: For CNIL, failure to comply with the recertification requirements (work experience in data protection and passing the CNIL recertification exam) will result in a 12-month suspension period. If no action is taken during the suspension period, the certification will be revoked

9. Invalidation of Certificate

PECB shall invalidate a certificate if the person it was issued to is found to have not fulfilled the certificate program requisites.

10. Non-discrimination and Special Accommodations

All candidate applications shall be evaluated objectively without regard to age, sex, race, religion, national origin, or marital status. PECB will allow for reasonable accommodations (1) as required by the Americans with Disabilities Act (ADA) (2) or an equivalent national law. A candidate who needs special accommodations must make the request in writing and allow an extra two weeks for processing of the application. Click here to download the  Special Accommodations for Candidates with Disabilities Form.

11. Complaint and Appeal

Any complaint that a candidate has must be made no later than 30 days after their certification/certificate program has been denied. Within 30 working days after receiving the complaint, PECB will provide a written response to the candidate. Should the response from PECB not be satisfactory, the candidate has the right to file an appeal. For more detailed information, please refer to the  PECB Complaint and Appeal Policy.