Infosec Assessment Methodology Certificate Program


I’ve been surveying and following information security certifications closely for more than three years now, but it’s a big and booming area subject to lots of change and ferment. That’s why I’m always glad to hear from readers who occasionally clue me into programs I’ve not yet come across myself. Hence, I give my thanks to Mike Gregg, Certified Information Systems Security Professional (CISSP), for e-mailing me about this month’s featured credential.

The Infosec Assessment Methodology (IAM) program originated within the U.S. National Security Agency (NSA), in large part to help organizations within the Department of Defense (DoD)—particularly those concerned with intelligence or national security matters—make sure their staff were properly trained to conduct information security assessments.


Basically, the IAM is based around an information assessment methodology that the NSA developed to meet its own needs in conducting such assessments for the DoD, but then realized could be adapted for other users as well. After conducting the program on a government-only basis from 1999 to 2001, the organization decided to share its knowledge and experience, and opened the program up to the public under the IAM label. It’s handled under the aegis of the Information Assessment Training and Rating Program (IATRP,


Details about information assessments and what’s involved in conducting one are covered on the organization’s Infosec Assessments Web page, at IAM certification candidates learn how to plan, conduct and report on information security assessments in a two-day, NSA-sponsored IAM certification class ( Requirements to obtain the certification include mandatory class attendance, participation in class activities and discussions, and a score of 70 percent or better on the IAM test that follows the course. Vendors Security Horizon ( and EDS ( currently offer the class for $995 and $695, respectively. Prerequisites for attending the class include the following:



  • U.S. citizenship.
  • Five years of experience in the field of information security, communications security or computer security.
  • Two to five years of experience directly related to analyzing computer system/network vulnerabilities and security matters.


Candidates who meet prerequisite, classroom and exam requirements are granted an NSA IAM certificate of completion. Because of the pedigree behind this program, it’s highly recommended for information security professionals who may wish to conduct information security assessments in the future or demonstrate their ability to do so.


Ed Tittel is a full-time free-lance writer and trainer, and is technology editor and a regular contributor for Certification Magazine. E-mail Ed at
