The Certified Authorization Professional (CAP) is changing to Certified in Governance, Risk and Compliance (CGRC). Only the name is changing. 

This change better represents the knowledge, skills and abilities required to earn and maintain this certification. The subject matter is broader and more inclusive to frameworks used around the world. 

Certified in Governance, Risk and Compliance (CGRC) cybersecurity professionals have the knowledge and skills to integrate governance, performance management, risk management and regulatory compliance within the organization while helping the organization achieve objectives, address uncertainty and act with integrity. CGRC professionals align IT goals with organizational objectives as they manage cyber risks and achieve regulatory needs. They utilize frameworks to integrate security and privacy with the organization’s overall objectives, allowing stakeholders to make informed decisions regarding data security and privacy risks.

It will officially change on February 15, 2023.

Current Domains	Weight
Domain 1: Information Security Risk Management Program	16%
Domain 2: Scope of the Information System	11%
Domain 3: Selection and Approval of Security and Privacy Controls	15%
Domain 4: Implementation of Security and Privacy Controls	16%
Domain 5: Assessment/Audit of Security and Privacy Controls	16%
Domain 6: Authorization/Approval of Information System	10%
Domain 7: Continuous Monitoring	16%
	100%

Please refer to the Exam Outline for details.

The content of the exam last changed on August 15, 2021. More information about the previous content change can be found on the blog.

Your digital certificate will update in your account. You will be sent an email from Credly to accept a new version of the digital badge representing the change to CGRC.

The CGRC exam has the same format and language availability as the CAP has at this time. It is available in English in the linear fixed form format.

No. The name update will not impact the number of items on the CGRC exam, which is 125 items within a three-hour limit.

Yes, this change is to only the name of the exam. All (ISC)² exams are experiential and include experience-based items that cannot be learned by studying alone. If you already have the required experience in the domains and believe that you have sufficient proficiency in those domains, you should feel confident that you can pass the CGRC exam and meet the experience requirements for full certification.

No. For the CGRC, you are required to have a minimum of two years of cumulative work experience in one or more of the seven domains of the CGRC.

• Information Security Risk Management Program
• Scope of the Information System
• Selection and Approval of Security and Privacy Controls 
• Implementation of Security and Privacy Controls
• Assessment/Audit of Security and Privacy Controls
• Authorization/Approval of Information Systems
• Continuous Monitoring

The Official (ISC)² CGRC Training Course (online-instructor led) will be available in January 2023. The current CAP CBK book can still be used, and training content material is not changing aside from a name change. Student guides will be available with the purchase of an online instructor training course.

The CGRC is ideal for IT, information security and cybersecurity professionals responsible for governance, risk and compliance within an organization. Roles include:

Authorizing Official Cyber GRC Manager Cybersecurity Auditor Cybersecurity Compliance Officer GRC Architect GRC Information Technology Manager GRC Manager Cybersecurity Risk & Compliance Project Manager

Cybersecurity Risk & Controls Analyst Cybersecurity Third Party Risk Manager Enterprise Risk Manager GRC Analyst GRC Director GRC Security Analyst System Security Manager System Security Officer Information Assurance Manager

The AMF and CPE requirements will remain the same. To maintain CGRC, you must earn and submit 60 CPE credits during your three-year certification cycle and pay an AMF of U.S. $125 upon the anniversary of the original certification date.

You can still take the CAP exam on or before February 14, 2023. Should you pass, your certification will be changed to CGRC automatically on February 15, 2023.

You may access your profile to download a copy of your CGRC certificate to print after February 15, 2023. Candidates who pass the CGRC exam after February 15, 2023, will receive a certificate by mail. Yes, you may also order and purchase through the member support team at https://www.isc2.org/contact-us.

Connect and network with others who already hold the certification at: https://community.isc2.org/t5/CAP-Group/gh-p/CAP.

Connect and prepare with others for the certification at:  https://community.isc2.org/t5/CAP-Study-Group/gh-p/CAP_StudyGroup.

Trainings, seminars and courseware directly from (ISC)² or one of our many Official Training Providers help you get ready for the CGRC exam by reviewing relevant domains and topics. Visit www.isc2.org/Training to register for the course that best meets your needs. Private on-site and online instructor-led trainings are also available.

Beginning January 1, 2023, you can visit Pearson VUE home.pearsonvue.com/isc2 and click to register for CGRC at an exam location of your choice on or after February 15, 2023. Prior to 2023, the exam will remain listed under the CAP name.

The price of the exam is U.S. $599 (EUR 555, GBP 479). This cost does not include training.