Capitalize on the rising demand for Governance, Risk and Compliance (GRC) expertise by earning the CGRC certification. The CGRC is a proven way to demonstrate your knowledge and skills to integrate governance, performance management, risk management and regulatory compliance within your organization.
CGRC professionals utilize frameworks to integrate security and privacy within organizational objectives, better enabling stakeholders to make informed decisions regarding data security, compliance, supply chain risk management and more.
Shows advanced technical skills and knowledge to protect, authorize and maintain information systems within various risk management frameworks.
Domain 1: Security and Privacy Governance, Risk Management, and Compliance Program
Domain 2: Scope of the System
Domain 3: Selection and Approval of Framework, Security, and Privacy Controls
Domain 4: Implementation of Security and Privacy Controls
Domain 5: Assessment/Audit of Security and Privacy Controls
Domain 6: System Compliance
Domain 7: Compliance Maintenance
The CGRC is ideal for IT, information security and information assurance practitioners who work in Governance, Risk and Compliance (GRC) roles and have a need to understand, apply and/or implement a risk management program for IT systems within an organization, including positions like:
Cybersecurity Auditor
Cybersecurity Compliance Officer
GRC Architect
GRC Manager
Cybersecurity Risk & Compliance Project Manager
Cybersecurity Risk & Controls Analyst
Cybersecurity Third Party Risk Manager
Enterprise Risk Manager
GRC Analyst
GRC Director
Information Assurance Manager
Candidates must have a minimum of two years of cumulative work experience in one or more of the seven domains of the CGRC CBK.
A candidate that doesn’t have the required experience to become a CGRC may become an Associate of ISC2 by successfully passing the CGRC examination. The Associate of ISC2 will then have three years to earn the two years of required, relevant experience. Learn more about CGRC experience requirements and how to account for part-time work and internships at www.isc2.org/Certifications/CGRC/CGRC-Experience-Requirements.
CGRC is in compliance with the stringent requirements of ANSI/ISO/IEC Standard 17024.
ISC2 has an obligation to its membership to maintain the relevancy of the CGRC. Conducted at regular intervals, the Job Task Analysis (JTA) is a methodical and critical process of determining the tasks that are performed by security professionals who are engaged in the profession defined by the CGRC. The results of the JTA are used to update the examination. This process ensures that candidates are tested on the topic areas relevant to the roles and responsibilities of today’s practicing information security professionals.
Length of exam: 3 hours
Number of items: 125
Item format: Multiple choice
Passing grade: 700 out of 1000 points
Exam language availability: English
Testing center: Pearson VUE Testing Center
Domains and average weight:
Security and Privacy Governance, Risk Management, and Compliance Program: 16%
Scope of the System: 10%
Selection and Approval of Framework, Security, and Privacy Controls: 14%
Implementation of Security and Privacy Controls: 17%
Assessment/Audit of Security and Privacy Controls: 16%
System Compliance: 14%
Compliance Maintenance: 13%
Total: 100%
With self-paced or Online Instructor-Led and Classroom training, ISC2 has a training option to fit your schedule and learning style. Trainings, seminars, courseware and self-study aids from ISC2 or one of our many Official Training Providers help you get ready for the rigorous CGRC exam by reviewing relevant domains and topics.
Studying on your own or looking for a supplement to your seminar courseware? Check out our official self-study tools:
Official textbooks: What you need to know to be successful and review relevant domains.
Official study guides: Strengthen your knowledge in a specific domain and get in more exam practice time.
Official practice tests: Take full practice tests.
Once you receive notification that you have successfully passed the exam, you can start the online certification application process. This process attests that your assertions regarding professional experience are true and that you are in good standing within the cybersecurity industry. It also contains the agreements to abide by the ISC2 Code of Ethics and privacy policy.
All information security professionals who are certified by ISC2 recognize that such certification is a privilege that must be both earned and maintained. All ISC2 members are required to commit to fully support ISC2 Code of Ethics Canons:
Protect society, the common good, necessary public trust and confidence, and the infrastructure.
Act honorably, honestly, justly, responsibly, and legally.
Provide diligent and competent service to principals.
Advance and protect the profession.