Effective Date: August 15, 2021
CGRC Certification Exam Outline
View and download the latest PDF version of the CGRC Certification Exam Outline (Effective August 15, 2021):
About CGRC
A professional earning the Certified in Governance, Risk and Compliance (CGRC®) is an information security practitioner who advocates for security risk management in pursuit of information system authorization to support an organization’s mission and operations in accordance with legal and regulatory requirements.
The broad spectrum of topics included in the CGRC Common Body of Knowledge (CBK®) ensure its relevancy across all disciplines in the field of information security. Successful candidates are competent in the following seven domains:
- Information Security Risk Management Program
- Scope of the Information System
- Selection and Approval of Security and Privacy Controls
- Implementation of Security and Privacy Controls
- Assessment/Audit of Security and Privacy Controls
- Authorization/Approval of Information System
- Continuous Monitoring
Experience Requirements
Candidates must have a minimum of two years cumulative work experience in one or more of the seven domains of the CGRC CBK.
A candidate that doesn’t have the required experience to become a CGRC may become an Associate of (ISC)² by successfully passing the CGRC examination. The Associate of (ISC)² will then have three years to earn the two years of required, relevant experience. Learn more about CGRC experience requirements and how to account for part-time work and internships at www.isc2.org/Certifications/CGRC/experience-requirements.
Accreditation
CGRC is in compliance with the stringent requirements of ANSI/ISO/IEC Standard 17024.
Job Task Analysis (JTA)
(ISC)² has an obligation to its membership to maintain the relevancy of the CGRC. Conducted at regular intervals, the Job Task Analysis (JTA) is a methodical and critical process of determining the tasks that are performed by security professionals who are engaged in the profession defined by the CGRC. The results of the JTA are used to update the examination. This process ensures that candidates are tested on the topic areas relevant to the roles and responsibilities of today’s practicing information security professionals.