MEHARI Certification


The "Certified MEHARI" credential is a professional certification for professionals needing to demonstrate the competence to implement, maintain and manage an ongoing risk management program according to MEHARI.

The principal competencies and knowledge skills needed by the market are the ability to support an organization in implementing and managing a risk management framework as specified in MEHARI implementation of a risk management program, risk identification, risk analysis, risk evaluation, risk treatment, acceptance of risk, and management of residual risks, communicating, monitoring and reviewing risk.

Various professions may apply for this certification:

  • Information security 
  • Persons responsible for information security or conformity within an organization
  • Member of the information security team
  • IT security consultants
  • Staff implementing or seeking to comply with MEHARI or involved in an information security program
  • Internal implementation and/or management of a risk management program


For certification purposes, the following risk management activities constitute valid experience:

  • External/consulting implementation and/or management of a risk management program
  • Partial implementation and/or management of a risk management program as risk identification, 
  • Risk analysis, risk evaluation, risk treatment, acceptance of risk, and management of residual risks, communicating, monitoring and reviewing risk.

To be considered valid, the risk assessment activities should follow best implementation practices and include significant part of the following activities:

  1. Understanding an organization and its context
  2. Defining a risk management approach
  3. Selecting of risk analysis methodologies
  4. Defining risk evaluation criteria
  5. Identification of assets, threats, existing controls, vulnerabilities and consequences (impacts)
  6. Assessing of consequences and incident likelihood
  7. Determining the level of risk
  8. Evaluating risk scenarios
  9. Evaluating risk treatment options
  10. Selecting and implementing controls
  11. Performing a risk management review

Professional references

Professional references must be from individuals who have professionally worked with you and can validate your risk management expertise, current and previous work history, as well as your job performance. You cannot use anyone as a reference who falls under your supervision or is a relative. At least three professional references are required (candidates can input up to a maximum of five references).

Professional experience

Complete information is required: including job title, begin dates, end dates, responsibilities and more. Summarize each assignment, providing sufficient detail to describe the nature of the responsibilities that you had. This information can be detailed in your resume.

Risk assessment experience

The candidate's risk assessment log will be checked to ensure that the applicant has the minimal required number of risk assessment-hours. The following risk assessment activities constitute valid experience: understanding an organization and its context, defining a risk management approach, selecting of risk analysis methodologies, defining risk evaluation criteria, identification of risk (assets, threats, existing controls, vulnerabilities and consequences), assessing of consequences and incident likelihood, determining the level of risk, evaluating risk scenarios, evaluating risk treatment options, selecting and implementing information security controls and performing a risk management review. This information can be detailed in your resume.

Denial and Revocation of Certification

Certification will be denied or revoked for any of the following reasons:

  • Falsification of application
  • Violation of testing procedures
  • Misrepresentation
  • Failure to pass the examination

Denials or revocations of certification may be appealed to the Certification Board in writing.

Annual Renewal Certification Fee

To maintain your credentials active, there is an annual renewal fee for each calendar year. Registrants who pay their annual renewal fee will appear online in the PECB Directory of Certified Professional.

Maintain your Certification (Recertification)

The PECB designations are valid for three years. To maintain your certification, you must have accumulated the necessary 90 Continuing Professional Development credits (CPD) by the end of that three-year period and pay the recertification fee. CPD hours need to be inputted in your online PECB profile. PECB certified professionals who fail to provide the required CPD hours will have their PECB credentials revoked and will no longer be allowed to present themselves as certified PECB professionals.


Contact Us

PECB is ready to help you.

Contact our Customer Service Center



Scroll to Top