CGRC – Governance, Risk and Compliance Certification

Become a CGRC – Be a Governance, Risk and Compliance Leader

Capitalize on the rising demand for Governance, Risk and Compliance (GRC) expertise by earning the CGRC certification. The CGRC is a proven way to demonstrate your knowledge and skills to integrate governance, performance management, risk management and regulatory compliance within your organization.

CGRC professionals utilize frameworks to integrate security and privacy within organizational objectives, better enabling stakeholders to make informed decisions regarding data security, compliance, supply chain risk management and more.



About CGRC

A professional earning the Certified in Governance, Risk and Compliance (CGRC®) is an information security practitioner who advocates for security risk management in pursuit of information system authorization to support an organization’s mission and operations in accordance with legal and regulatory requirements.

The broad spectrum of topics included in the CGRC Common Body of Knowledge (CBK®) ensures its relevance across all disciplines in the field of information security. Successful candidates are competent in the following seven domains:

  • Information Security Risk Management Program
  • Scope of the Information System
  • Selection and Approval of Security and Privacy Controls
  • Implementation of Security and Privacy Controls
  • Assessment/Audit of Security and Privacy Controls
  • Authorization/Approval of Information System
  • Continuous Monitoring

Experience Requirements

Candidates must have a minimum of two years of cumulative work experience in one or more of the seven domains of the CGRC CBK.

A candidate that doesn’t have the required experience to become a CGRC may become an Associate of ISC2 by successfully passing the CGRC examination. The Associate of ISC2 will then have three years to earn the two years of required, relevant experience. Learn more about CGRC experience requirements and how to account for part-time work and internships at


CGRC is in compliance with the stringent requirements of ANSI/ISO/IEC Standard 17024.

Job Task Analysis (JTA)

ISC2 has an obligation to its membership to maintain the relevancy of the CGRC. Conducted at regular intervals, the Job Task Analysis (JTA) is a methodical and critical process of determining the tasks that are performed by security professionals who are engaged in the profession defined by the CGRC. The results of the JTA are used to update the examination. This process ensures that candidates are tested on the topic areas relevant to the roles and responsibilities of today’s practicing information security professionals.

CGRC Examination Information

Length of exam: 3 hours
Number of items: 125
Item format: Multiple choice
Passing grade: 700 out of 1000 points
Exam language availability: English
Testing center: Pearson VUE Testing Center

CGRC Examination Weights

Domain                                                        Average Weight
1. Information Security Risk Management Program                   16%
2. Scope of the Information System                                11%
3. Selection and Approval of Security and Privacy Controls        15%
4. Implementation of Security and Privacy Controls                16%
5. Assessment/Audit of Security and Privacy Controls              16%
6. Authorization/Approval of Information System                   10%
7. Continuous Monitoring                                          16%
Total                                                            100%
