Fourth Industrial Revolution technologies like artificial intelligence, IoT, 5G networks, cloud and blockchain have the potential to increase operational efficiencies and boost economic growth, but they could also increase cyber risk, resulting in forecast losses of $6 trillion USD this year, according to The Global Risks Report 2020 from the World Economic Forum. As the needs in cyber risk management change, so must the credentials that support them. ISC2 is answering the call with an updated Certified in Governance, Risk and Compliance (CGRC) (formerly the CAP) certification exam.

CGRC information security practitioners champion system security commensurate with organizations’ missions and risk tolerance while meeting legal and regulatory requirements. The globally recognized credential confirms the knowledge, skill and experience required for using a broad range of frameworks to manage risk and to authorize and maintain information systems.

An Evolution of Expansion

CGRC was developed and launched in 2005 by ISC2 as a credential focused on the Certification & Authorization (C&A) process following the Department of Defense Information Assurance Certification and Accreditation Process (DIACAP). It was first updated when the U.S. government changed DIACAP to the Risk Management Framework and the terms C&A were replaced by Assessment & Authorization (A&A).

On August 15, 2021, the ISC2 certification exam for CGRC was updated again. The decision was made to expand CGRC to reflect the more diverse day-to-day work of professionals earning the credential. What started out as certification primarily for U.S. government professionals using the Risk Management Framework (RMF) is now also for professionals working in the private sector and organizations around the world.

CGRC’s content is refreshed to reflect the most pertinent issues authorization security professionals currently face, along with the best practices for mitigation. Some topics are updated, and others are realigned. The result is an exam that most accurately reflects the most current technical and practical knowledge required of cybersecurity professionals in pursuit of information system authorization.

As part of the CGRC expansion, RMF is no longer the sole framework referenced – many other frameworks are now covered, including NIST SP 800-37 (Rev 2), ISO 27001, ISO 31000, FedRAMP and COBIT. In addition, privacy is more prevalent in the updated exam outline, reflecting the convergence of privacy and security in cybersecurity.

A specific breakdown of the CGRC domains follows:

Domains

1. Information Security Risk Management Program
2. Scope of the Information System
3. Selection and Approval of Security and Privacy Controls
4. Implementation of Security and Privacy Controls
5. Assessment/Audit of Security and Privacy Controls
6. Authorization/Approval of Information System
7. Continuous Monitoring

Is CGRC accredited?

CGRC is ANSI-accredited under ISO/IEC Standard 17024. In addition, CGRC holders are DoD 8570.01 approved and listed in two categories: IAM Level I and IAM Level II.

What level of professional experience is required?

Candidates must have a minimum of two years’ cumulative work experience in one or more of the seven domains of the CGRC Common Body of Knowledge (CBK). Candidates without the required experience may become an Associate of ISC2 by successfully passing the CGRC examination. The Associate of ISC2 will then have three years to earn the two years of required experience.

What’s the earning potential?

Certification Magazine’s 2021 salary survey ranks CGRC at No. 27 on its list of most lucrative certifications with an average draw of $135,430 USD annually.

What continuing professional education is required to maintain certification?

CGRC-credentialed professionals must participate in continuing professional education (CPE) and submit a minimum of 20 CPEs each year, for a total of 60 CPEs by the end of the three-year recertification cycle.

CGRC Certification and Maintenance Details

Length of Exam: 3 hours / 125 multiple-choice questions

Passing Score: 700 out of 1,000

Exam Fee: $599 USD

Annual Maintenance: $135 USD

Testing Center: Pearson VUE

How CGRC Certification Can Help You Succeed

Earning the globally recognized CGRC certification is a proven way to build your career. The vendor-neutral credential shows you have the advanced knowledge and technical ability to formalize processes to assess risk and establish security documentation within a broad range of risk management frameworks.

Achieving CGRC certification provides the added benefit of membership in ISC2, the world’s largest nonprofit association of cybersecurity professionals, more than 150,000 members strong. ISC2 provides members with professional development courses through the Professional Development Institute (PDI); continuing professional education through industry events like Security Congress; technical webinars covering evolving cybersecurity trends; and benefits, such as the ISC2 Community.

Download your copy of The Ultimate Guide to the CGRC and start your journey toward certification today.