In March 2019, I passed the ISACA CRISC exam and was certified the following month. The CRISC is a great certificate because it shifts your mindset and helps you establish standardized information risk management practices.
However, I decided not to stop there, but to search further for holistic and effective standards for cyber risk quantification. Through that search, I came across Factor Analysis of Information Risk (FAIR™), which I believe is complementary to CRISC.
Adham Etoom is a FAIR Institute member and project manager based in Jordan with expertise in information security program management, IT risk and incident management, satellite systems management and security, holding global certifications in project management, incident handling, and risk management, (PMP, GCIH, CRISC, FAIR).
FAIR is the only international standard Value at Risk model for cybersecurity and operational risk. It provides a model for understanding, analyzing and quantifying information risk in financial terms. I started to get obsessed with FAIR after I realized its beauty and importance in risk quantification – it indeed makes sense to me scientifically and practically. So I decided to get certified in such a solid standard and to expand my knowledge into this interesting domain for further opportunities internationally.
Socrates said almost 2,500 years ago, “The beginning of wisdom is the definition of terms.” This quote has stuck in my mind for a long time, and I can relate it here to risk taxonomy.
How I Prepared for the Open FAIR Exam
To gain a general understanding, I started by reading the following:
- An Executive's Guide to Cyber Risk Economics by Jack Jones
- An Adoption Guide for FAIR by Jack Jones
- The FAIR Open Course by Osama Salah on GitHub
For direct exam preparation, I strongly advise you to go to the Open Group official website and start reading about Open FAIR™ Certification.
I managed my preparation as self-study in the following order:
- Developed my study plan using an Excel sheet to go through all the available resources, with reference notes for later review and to track my progress.
- Joined the FAIR community.
- Downloaded the FAIR Model on a Page Infographic.
- Read this FAIR Institute blog post: How to Prepare for the Open FAIR Certification Exam.
- At the Open FAIR Certification Program website, I used these resources:
  - Certification Policy for Examination-Based Programs
  - FAIR Conformance Requirements
  - c13g Risk Analysis (O-RA) - The Risk Analysis Standard
  - c13k Risk Taxonomy (O-RT) - The Risk Taxonomy Standard
  - c103 FAIR - ISO 27K Cookbook
  - The Open FAIR Risk Analysis Tool (90-day beta, Excel sheet)
- The FAIR-U training tool powered by RiskLens for simulation
- Open FAIR Official Study Guide (The Open FAIR Body of Knowledge, Open FAIR Foundation Preparation for the Open FAIR Part 1 Examination), purchased from the Open Group.
- The book Measuring and Managing Information Risk: A FAIR Approach by Jack Freund and Jack Jones
For a guided learning experience led by instructors and including realistic analysis practice, many organizations choose to educate their teams on FAIR with the RiskLens Academy’s FAIR Analysis Fundamentals course, available online or in classroom settings at the annual FAIR Conference, through the SANS Institute and other venues. Students who complete the course receive a voucher to take the FAIR certification exam for free from the Open Group. Learn more about FAIR Analysis Fundamentals training.
Study Tips for the Open FAIR Exam
Study these very well and focus on understanding and comprehension rather than memorizing everything:
- c13g Risk Analysis O-RA
- c13k Risk Taxonomy O-RT
- FAIR Model on a Page Infographic (must be memorized and practiced daily)
I went through the official Open FAIR Study Guide and practiced the sample questions at the end of each chapter, and then took the Official Exam Paper – the results were reasonable with medium confidence, and I did a knowledge gap analysis. I decided to book the Open FAIR exam, then do a final review and fill the gaps I had.
NOTE: For me, one of the difficult aspects of the FAIR methodology was normalizing the terms for all the risk factors. I overcame this by reading each and every definition daily and relating each factor to a practical example from my daily life.
The Exam Experience
The exam itself was like any other exam: if you are well prepared, you will clear it through practice and self-confidence. And the journey should not stop here.
I personally was satisfied with this major milestone in my professional life, and that I passed it through self-study. I learned a lot of things that transformed my ability to apply critical thinking to risk, to understand the complex nature of risk and to optimize risk decision making – and most importantly, not to be deceived by the subjective nature of any qualitative assessment.
I strongly recommend that you go for the Open FAIR certification program, whether you have little or extensive experience.