Governance, Risk, and Compliance Certification (CGRC)

In today’s dynamic landscape of cybersecurity laws and regulations, organizations face a critical skills gap that can expose them to increased liability. The Cybersecurity Specialization: Governance, Risk, and Compliance course equips individuals with the knowledge needed to navigate these complexities. It covers the creation of governance systems, risk management strategies, policy enforcement, and compliance measures. Through a challenge-based approach, participants gain practical skills that mirror real-world scenarios, enabling them to strengthen their organization’s cybersecurity posture and minimize legal risk.


In-depth coverage of the seven domains required to pass the CGRC exam:

  1. Develop a compliance risk mitigation strategy.
  2. Contribute to a risk management framework.
  3. Create policies with controls.
  4. Enhance risk maturity.
  5. Promote enterprise security.
  6. Prioritize business processes in continuity planning.
  7. Select eGRC tools based on needs and capabilities.

  • Candidates must have a minimum of two years of cumulative work experience in one or more of the seven domains of the CGRC CBK.
  • A candidate who doesn’t have the required experience to become a CGRC may become an Associate of ISC2 by successfully passing the CGRC examination. The Associate of ISC2 will then have three years to earn the two years of required, relevant experience.

The CGRC is ideal for IT, information security, and information assurance practitioners who work in Governance, Risk, and Compliance (GRC) roles and have a need to understand, apply and/or implement a risk management program for IT systems within an organization, including positions like:

  • Cybersecurity Auditor
  • Cybersecurity Compliance Officer
  • GRC Architect
  • GRC Manager
  • Cybersecurity Risk & Compliance Project Manager
  • Cybersecurity Risk & Controls Analyst
  • Cybersecurity Third Party Risk Manager
  • Enterprise Risk Manager
  • GRC Analyst
  • GRC Director
  • Information Assurance Manager


i. Understand the foundation of an organization’s information security risk management program
ii. Understand the risk management program process
iii. Understand regulatory and legal requirements

i. Define the information system
ii. Determine the categorization of the information system

i. Identify and document baseline and inherited controls
ii. Select and tailor controls to the system
iii. Develop a continuous control monitoring strategy (e.g., implementation, timeline, effectiveness)
iv. Review and approve the security plan/Information Security Management System (ISMS)

i. Implement selected controls
ii. Document control implementation

i. Prepare for assessment/audit
ii. Conduct assessment/audit
iii. Prepare the initial assessment/audit report
iv. Review the initial assessment/audit report and perform remediation actions
v. Develop the final assessment/audit report
vi. Develop a remediation plan

i. Compile security and privacy authorization/approval documents
ii. Determine information system risk
iii. Authorize/approve the information system

i. Determine the impact of changes to the information system and its environment
ii. Perform ongoing assessments/audits based on organizational requirements
iii. Review supply chain risk analysis monitoring activities (e.g., cyber threat reports, agency reports, news reports)
iv. Actively participate in response planning and communication of a cyber event
v. Revise monitoring strategies based on changes to industry developments introduced through legal, regulatory, supplier, security, and privacy updates
vi. Keep designated officials updated about the risk posture for continuous authorization/approval
vii. Decommission the information system
Length of exam: 3 hours
Number of questions: 125
Question format: Multiple choice
Passing grade: 700 out of 1000 points
Exam availability: English
Testing center: Pearson VUE Testing Center