Two globally recognized choices in the ISC2 certification catalog are the Certified in Governance, Risk and Compliance (CGRC) and Certified Information Systems Security Professional (CISSP) credentials. Both certifications are held by experts deeply skilled and experienced in cybersecurity. But what are the key distinctions you should consider if you’re weighing which one to pursue?

CGRC’s Evolution

CGRC (formerly known as the CAP) was developed and launched in 2005 by ISC2 as a credential focused on the Certification & Accreditation (C&A) process following the Department of Defense Information Assurance Certification and Accreditation Process (DIACAP). It was first updated when the U.S. government replaced DIACAP with the Risk Management Framework and the term C&A was replaced by Assessment & Authorization (A&A).

The decision was made to expand CGRC in 2021 to reflect the more diverse day-to-day work of professionals earning the credential. What started out as a certification primarily for U.S. government professionals using the Risk Management Framework (RMF) is now also for professionals working in the private sector and in organizations around the world.

CISSP Gets It Started

Today’s broad portfolio of ISC2 cybersecurity certifications started with CISSP. It launched in 1994 and is now considered the global gold standard. In 2005, CISSP became the first credential in the field of information security to meet the requirements of the ISO/IEC Standard 17024. More recently, CISSP has fulfilled the requirement for U.S. Department of Defense (DoD) workers (Directive 8570.1) to obtain a commercial certification credential accredited by the American National Standards Institute (ANSI).

Comparing Each of Their Roles

CGRC-certified security professionals have proven their skills in effectively advocating for risk management solutions to authorize systems that will support an organization’s mission within regulatory-mandated requirements.

CISSP-certified professionals have been evaluated on their knowledge, skills, and ability to design, engineer and manage an organization’s security posture.

While a CISSP-credentialed professional has strong general knowledge of regulatory requirements, the CGRC professional has a more in-depth understanding of each requirement and of how to meet or exceed it for an organization’s compliance. In a real-world scenario, based on a cost-benefit analysis and risk appetite, a CISSP professional may understand different methods to achieve an organization’s acceptable level of security; however, some of those methods may not be considered adequate in regulated environments from a CGRC expert’s point of view.

Comparing the Domains

CGRC Domains

Information Security Risk Management Program

Scope of the Information System

Selection and Approval of Security and Privacy Controls

Implementation of Security and Privacy Controls

Assessment/Audit of Security and Privacy Controls

Authorization/Approval of Information System

Continuous Monitoring

CISSP Domains

Security and Risk Management

Asset Security

Security Architecture and Engineering

Communication and Network Security

Identity and Access Management

Security Assessment and Testing

Security Operations

Software Development Security

What are examples of roles for each credential?

The CGRC is ideal for IT, information security and information assurance practitioners who work in Governance, Risk and Compliance roles and have a need to understand, apply and/or implement a risk management program for IT systems within an organization. CGRC roles include information security officer, information security engineer, information security manager, risk manager/analyst, information assurance practitioner, and governance, risk, and compliance engineer.

The CISSP is ideal for information security professionals seeking to prove their understanding of cybersecurity strategy and hands-on implementation. It shows you have the advanced knowledge and technical skills to design, develop and manage an organization’s overall security posture. CISSP roles include CIO/CISO, security or IT director, security or network architect/engineer, security manager, security analyst/auditor, systems engineer, and security consultant.

Are they accredited?

CGRC is ANSI-accredited for the ISO/IEC Standard 17024. In addition, CGRCs are DoD 8570.01 approved and listed in two categories: IAM Level I and IAM Level II.

CISSP is ANSI-accredited for the ISO/IEC Standard 17024. In addition, CISSPs are DoD 8570.01 approved and listed in five categories: IAT Level III, IAM Level II, IAM Level III, IASAE I and IASAE II.

What level of professional experience is required?

CGRC candidates must have a minimum of two years’ cumulative work experience in one or more of the seven domains of the CGRC Common Body of Knowledge (CBK®). Candidates without the required experience may become an Associate of ISC2 by successfully passing the CGRC examination. The Associate of ISC2 will then have three years to earn the two years of required experience.

CISSP candidates must have a minimum of five years’ cumulative paid work experience in two or more of the eight domains of the CISSP Common Body of Knowledge (CBK®). Earning a four-year college degree or regional equivalent, or an additional credential from the ISC2 approved list, will satisfy one year of the required experience. Education credit will only satisfy one year of experience. A candidate without the required experience may become an Associate of ISC2 by successfully passing the CISSP examination. The Associate of ISC2 will then have six years to earn the five years of required experience.

Certification and Maintenance Details

Length of Exam

CGRC: 3 hours/125 multiple-choice questions

CISSP: 3 hours/100-150 multiple-choice and advanced innovative questions

Passing Score

CGRC: 700 out of 1,000

CISSP: 700 out of 1,000

Exam Fee

CGRC: $599 USD

CISSP: $749 USD

Annual Maintenance

CGRC: $135 USD

CISSP: $135 USD

Credits Required

CGRC: 60 credits over 3 years

CISSP: 120 credits over 3 years

What’s the earning potential of each?

Certification Magazine’s 2021 salary survey ranks CGRC at No. 27 on its list of most lucrative certifications, with an average salary of $135,430 USD annually. CISSP ranks No. 11, with an average annual salary of $149,690 USD.

What about SSCP? How is the certification different from CGRC and CISSP?

The Systems Security Certified Practitioner (SSCP) certification provides confirmation of a practitioner’s ability to implement, monitor and administer IT infrastructure in accordance with cybersecurity policies and procedures that ensure data confidentiality, integrity, and availability. It is ideal for IT administrators, managers, and network security professionals responsible for the hands-on operational security of their organization’s critical assets.

SSCP requires less experience in the field than CGRC and CISSP. To qualify, candidates need only one year of cumulative, paid work experience in one or more of the seven domains of the ISC2 SSCP Common Body of Knowledge (CBK®).

How CGRC Certification Can Help You Succeed

Earning the globally recognized CGRC certification is a proven way to build your career. The vendor-neutral credential shows you have the advanced knowledge and technical ability to formalize processes to assess risk and establish security documentation within a broad range of risk management frameworks.

Achieving CGRC certification provides the added benefit of membership in ISC2, the world’s largest nonprofit association of cybersecurity professionals, more than 160,000 members strong. ISC2 provides members with professional development courses through the Professional Development Institute (PDI); continuing professional education through industry events like Security Congress; technical webinars covering evolving cybersecurity trends; and benefits, such as the ISC2 Community.

Download your copy of The Ultimate Guide to the CGRC and start your journey toward certification today.