One certification is a step. A pathway is the career.

Most learners do not stop at one cert. They build a sequence: Foundation, then Lead Implementer, then Lead Auditor; or CISA, then CRISC, then ISO 27001 LA. Below are the canonical pathways we deliver, with the duration, audience and steps spelled out.

Pick the destination first. We map the route.

15 pathways

7 domains

6-18 months end-to-end

99.1% pass at first attempt

Why a pathway, not a course

The first certification opens the door. The next two earn the role.

Hiring managers in compliance-heavy industries do not just look at the credential. They look at the sequence: Foundation, then Lead, then Auditor. Or CISA, then CRISC, then a management-system audit credential. The pathway shows you went deep, not wide.

Each domain below carries the canonical pathways we deliver, the audience they fit, the typical duration and the steps in order. Pick a destination and we map the route from where you are today.

Pathways in information security.

The ISO/IEC 27001 family. Pathways for implementers, auditors and security leaders.

ISO 27001 Implementer

Security teams, CISOs, GRC analysts owning the ISMS.

Foundation gives you the language. Lead Implementer builds the ISMS, risk treatment and controls. Lead Auditor adds the audit angle for organisations expecting a certification review.

Duration: 2 + 5 + 5 days, over 6 to 12 months

Steps: 3 certifications

  1. ISO 27001 Foundation
     Vocabulary, structure of the standard, intro to controls.

  2. ISO 27001 Lead Implementer
     Build, deploy and maintain a working ISMS.

  3. ISO 27001 Lead Auditor
     Plan and run an ISO 27001 audit end to end.

ISO 27001 Auditor (fast track)

Internal auditors, audit and compliance consultants.

For internal auditors and Big Four practitioners who do not need to implement the ISMS but must audit one. Lead Auditor on top of Foundation, plus optional ISO 27005 for the risk lens.

Duration: 2 + 5 days

Steps: 2 certifications

  1. ISO 27001 Foundation
     Required to sit Lead Auditor.

  2. ISO 27001 Lead Auditor
     Audit methodology, evidence handling, reporting.

CISO leadership

Senior security leaders moving toward CISO.

ISO 27001 Lead Implementer for operational depth, Lead Cybersecurity Manager for programme governance, then the Certified CISO track for the board-level layer.

Duration: 5 + 5 + 5 days, over 12 to 18 months

Steps: 3 certifications

  1. ISO 27001 Lead Implementer
     Operational ISMS layer.

  2. Lead Cybersecurity Manager
     Programme governance and strategy.

  3. Certified CISO
     Board-level, third-party and supply-chain layer.

Pathways in risk management.

ISO 31000, ISO 27005 and CRISC. Different lenses on risk for different roles.

ISO 31000 risk practitioner

Risk officers, GRC analysts running enterprise risk.

Foundation, then Risk Manager, then Lead Risk Manager. The PECB risk management path. Note: ISO 31000 has no Lead Auditor; this is the only progression.

Duration: 2 + 5 + 5 days

Steps: 3 certifications

  1. ISO 31000 Foundation
     Risk vocabulary, principles, framework.

  2. ISO 31000 Risk Manager
     Apply ISO 31000 in your environment.

  3. ISO 31000 Lead Risk Manager
     Lead enterprise risk programmes.

ISO 27005 information-security risk

Information-security risk leads, ISMS owners.

ISO/IEC 27005 Foundation, then Risk Manager. The IS-specific risk lens that pairs with ISO 27001 implementation work. Often layered alongside ISO 31000.

Duration: 2 + 5 days

Steps: 2 certifications

  1. ISO 27005 Foundation
     IS risk vocabulary and approach.

  2. ISO 27005 Risk Manager
     Run an IS risk programme.

ISACA CRISC (IT risk)

IT risk practitioners, GRC analysts in regulated industries.

CRISC is the ISACA credential for risk practitioners working in and around information systems. Layered after CISA for auditors or after ISO 27001 LI for security teams adding the IT-specific risk layer.

Duration: Self-paced plus 5-day intensive

Steps: 2 certifications

  1. Prerequisite: CISA or ISO 27001 LI
     Foundational credential recommended.

  2. CRISC
     IT risk identification, assessment, response, monitoring.

Pathways in privacy and data protection.

GDPR, CDPO, ISO 27701 and CDPSE. Pathways for DPOs, privacy engineers and AI-act readiness.

GDPR to CDPO

DPOs, privacy officers, compliance leads.

GDPR Foundation for the vocabulary, then Certified Data Protection Officer for the official European DPO credential. ISO 27701 is a strong complement for the privacy ISMS angle.

Duration: 2 + 5 days

Steps: 3 certifications

  1. GDPR Foundation
     GDPR principles, lawful basis, accountability.

  2. Certified Data Protection Officer
     DPO role, accountability, supervisory authority engagement.

  3. ISO 27701 Lead Implementer (optional)
     Privacy ISMS bolted onto ISO 27001.

ISACA CDPSE (privacy engineer)

Privacy engineers, security teams owning privacy implementation.

The ISACA technical privacy credential. Pairs with GDPR and CDPO for organisations that need both the policy-side and the engineering-side privacy capability.

Duration: Self-paced plus intensive prep

Steps: 1 certification

  1. CDPSE
     Privacy governance, architecture and data lifecycle.

Pathways in AI governance and risk.

The brand-new ISO/IEC 42001 family plus AI risk and AI audit specialisations.

ISO 42001 AI management system

AI governance leads, security teams owning AI risk.

Foundation, then Lead Implementer, then Lead Auditor on the ISO/IEC 42001 standard published in 2023. The AI equivalent of the ISO 27001 ISMS journey, including AI Act readiness.

Duration: 2 + 5 + 5 days

Steps: 3 certifications

  1. ISO 42001 Foundation
     AIMS vocabulary, structure of the standard.

  2. ISO 42001 Lead Implementer
     Build and run the AIMS.

  3. ISO 42001 Lead Auditor
     Audit the AIMS end to end.

AI audit and risk specialisation

IT auditors and risk practitioners adding AI capability.

AI Risk Manager builds the operational risk layer. AAIA (ISACA Advanced in AI Audit) adds the audit credential. Pairs with ISO 42001 Lead Auditor for full AI governance coverage.

Duration: 5 days plus intensive prep

Steps: 2 certifications

  1. AI Risk Manager
     Operational AI risk programme.

  2. AAIA (ISACA)
     Advanced AI audit credential.

Pathways in resilience and continuity.

ISO 22301, operational resilience, DORA. The continuity stack for regulated organisations.

ISO 22301 BCM

BCM leads, resilience officers, security teams owning incident management.

Foundation, then Lead Implementer, then Lead Auditor on business continuity. Pairs with Lead Operational Resilience Manager for the EU-regulator angle (DORA, NIS 2 incident management).

Duration: 2 + 5 + 5 days

Steps: 3 certifications

  1. ISO 22301 Foundation
     BCM principles and ISO 22301 structure.

  2. ISO 22301 Lead Implementer
     Build the BCMS, BIA, recovery plans.

  3. ISO 22301 Lead Auditor
     Audit a BCMS.

DORA readiness

Financial entities and their critical third-party providers.

DORA Foundation for the regulation overview, then DORA Lead Implementer for the operational readiness work. Strong fit alongside Lead Operational Resilience Manager.

Duration: 1 + 5 days

Steps: 2 certifications

  1. DORA Foundation
     Scope, RTSs, ITSs, supervisory architecture.

  2. DORA Lead Implementer
     Build the DORA-compliance programme.

Pathways in IT audit and compliance.

CISA-led pathways for auditors moving into senior roles.

CISA, CRISC, ISO 27001 LA

IT auditors growing into senior audit roles.

The reference audit progression. CISA for the IT-audit credential, CRISC for the risk lens, ISO 27001 Lead Auditor for the management-system audit angle. Standard for Big Four and internal audit teams.

Duration: Self-paced plus 5 + 5 days

Steps: 3 certifications

  1. CISA (ISACA)
     IT and information systems audit credential.

  2. CRISC (ISACA)
     IT risk layer.

  3. ISO 27001 Lead Auditor
     Management-system audit credential.

Pathways in cybersecurity operations.

For SOC analysts, blue team and incident responders.

SOC analyst to security manager

SOC analysts, incident responders growing toward security management.

ISACA CCOA (Cybersecurity Operations Analyst) for the hands-on SOC credential, then CISM for the management progression. Optional Lead Cybersecurity Manager for the PECB programme governance layer.

Duration: Self-paced plus 5 days

Steps: 2 certifications

  1. CCOA (ISACA)
     Hands-on cybersecurity operations.

  2. CISM (ISACA)
     Security management credential.

Offensive security

Pen testers, red-team leads, security consultants.

PECB Lead Ethical Hacker for the methodology and reporting layer, then Lead Pen Test Professional for the engagement-management angle. Strong fit for red-team leads who need accreditation alongside their lab skills.

Duration: 5 + 5 days

Steps: 2 certifications

  1. Lead Ethical Hacker
     Methodology, reporting, ethics.

  2. Lead Penetration Testing Professional
     Engagement and project leadership.

Pathway questions buyers ask first.

01. Do I have to take the steps in order?

For most certifications, yes. Foundation is the prerequisite for Lead Implementer and Lead Auditor. Some senior credentials (CISO, CISM, CRISC) accept equivalent experience or other credentials in place of Foundation. The course pages list prerequisites explicitly.

02. How long does a full pathway take?

Most pathways run 6 to 12 months from Foundation to senior credential, including study time, exam preparation and the gap between cohorts. Senior pathways like CISO leadership run 12 to 18 months. We can compress for in-house cohorts on a defined audit deadline.

03. Can I claim equivalent experience to skip a step?

PECB and ISACA both have experience-credit rules. CISM, CISA, CRISC and CGEIT typically require 5 years of verified experience to award the final credential. Some Foundation prerequisites can be waived with prior credentials. We map your case on the discovery call.

04. Can I mix PECB and ISACA in a pathway?

Yes, and we recommend it. The audit pathway (CISA, then CRISC, then ISO 27001 LA) is the canonical example: ISACA at the start, PECB at the end. Senior security leadership often pairs PECB ISMS work with ISACA CISM. We help you sequence what is accredited where.

05. How is pricing structured across a pathway?

Each step is priced on its course page. Pathways do not auto-bundle; you book each cohort separately. For in-house or multi-seat scopes, we send a single proposal covering the full pathway and the recommended dates.

06. Can my employer commission a private pathway?

Yes. We run in-house pathway cohorts (4+ learners) with the PECB or ISACA syllabus adapted to your sector and audit calendar. Pricing and dates are on the in-house training page or via the quote form.

Not sure where to start?

Map your pathway in 20 minutes.

Free discovery call. Tell us your role, your audit calendar and your career step. We come back with the sequence that fits.