By Dwayne Natwick, CISSP, CCSP, CGRC, CC, ISC2 Authorized Trainer, author, and product manager with 30+ years of experience in the IT industry

You want to take the CGRC exam with the hopes of getting ISC2 Certified in Governance, Risk, and Compliance. So, what are the best ways to prepare for this exam? People prepare and learn differently. You may prefer a study guidebook, you may test your skills through on-demand courses and quizzes, or maybe you prefer preparation through a full instructor-led training course. Whatever your preference, this article will provide you with some of the tools and materials that you can use for your exam preparation.

Who should take the CGRC exam?

The CGRC exam is based primarily on the NIST Risk Management Framework (RMF) 800-37. Within the RMF are many other standards, regulations, and guides that the United States Federal Government utilizes to maintain compliance and reduce risks through properly analyzing the risk tolerance of an agency, and then categorizing, selecting, and implementing security and privacy controls.

Though this exam references mainly a U.S. government framework, the methods and guidance are reference. The knowledge gained through preparing for this exam is transferable to other country governments and within private industry.

The requirement for obtaining the certification is two years of experience working within one or more of the CGRC domains. If you do not have this experience, you will be named an ISC2 Associate for the credential until you can attest to the required experience. Even if you do not have the required experience, the CGRC exam is worth taking for anyone that is involved in risk and compliance within an organization. If you are involved in security and privacy controls, the knowledge gained through preparing for this exam is transferable to your profession.

How do you prepare for the CGRC?

There are options that you can consider when preparing for the CGRC exam. Since ISC2 exam success does carry a considerable amount of respect within the industry, you want to do your best to ensure success. You should take your preparation seriously and utilize the resources that are available. The NIST 800-37 RMF document is available online and is a great place to start your preparation. Lists to these free resources are listed at the end of this article. >While preparing for your exam, you can connect with others in the ISC2 Study Group on Community. ISC2 has provided some great tools that are fiscally responsible for you as the candidate. These are outlined below.

GRC Skill Builders

Skill Builders are a new method for accelerating your skills. ISC2 has the Skill Builder Supply Chain Risk Management through Governance, Risk and Compliance to build GRC skills. Anyone can access the Skill Builder courses and ISC2 Members can complete these courses at no charge. The Skill Builder courses are new and are continuing to be added to the ISC2 training catalog.

The Skill Builder courses provide a helpful start to your exam preparation. They are a great path to begin and then move to the certificate path of Risk Management Practitioner.

Certificate course for Risk Management Practitioner

ISC2 launched the professional certificate programs in early 2023. These courses provide CPE credits for completion and are an on-demand method for preparing for exams. The Risk Management Practitioner certificate program covers information that you will find on the CGRC exam while also gaining additional practical knowledge and understanding through the modules on Risk Analysis, Risk Standards, and Risk Methods.

Existing credential holders will receive CPE credit for completing these courses, and everyone that completes the courses and passes the final quiz with a 70% or higher will receive a Credly badge for each course.

The Risk Management Practitioner courses provide NIST documentation that can be reviewed for your CGRC preparation. Finishing the Risk Management Practitioner certificate path helps you prepare for the CGRC exam while also allowing you to earn badges and certificates to increase your credibility.

ISC2 authorized instructor-led and on-demand training

You may be someone that prefers to hear an instructor’s perspective on the material with their real-world examples and experience. Interaction that is part of an instructor-led course is an invaluable way to prepare for an exam and to learn the application of the concepts. ISC2 has developed an in-depth course for the CGRC exam with exercises, flashcards, and a helpful student guide. ISC2 Authorized Instructors deliver the material with a focus on what is needed to pass the exam, while also preparing you for the use of the framework and guides. The assessment questions at the end of each domain and the final assessment provide a simulated test scenario that prepares you for what to expect when taking the exam.

You may not have the time or ability to attend a live or virtual training. ISC2 has an on-demand course that is delivered by ISC2 Authorized Instructors. This on-demand course is the same material that you would receive with a live course, but you can take it at your own pace. The same student guide, exercises, flashcards, and assessments are included in the on-demand course.

Attending a training course of any kind with an Authorized Instructor will help you with your preparation and understanding for the exam. Do not get too focused on the practice assessments. Take them to test your knowledge and identify areas that you need to improve your level of understanding. Be cautious that taking a practice assessment multiple times may lead to you memorizing the responses rather than learning the concepts. The CGRC exam requires an expert level of understanding for the RMF and supporting tasks. The relationship between steps, tasks, and roles are necessary to pass the exam.

Taking the exam and what you do after you pass

ISC2 has not adopted at-home proctoring of your exams. You are still required to go to a testing facility for these exams. You should choose an exam location that is comfortable for you to travel to and leave early enough to find parking and get checked in. Follow the directions that are provided by the testing facility, take the exam, and then find out your results. After you pass the exam, you will need to have an ISC2 credential holder to endorse your experience. If you do not have an endorser, you can request that ISC2 assigns an endorser. After your experience has been endorsed, your application will be reviewed by ISC2. It is exciting to pass the exam but understand that it may take 4-6 weeks for the application to be approved and you receive the official certification.

Use these tips and you should be successful in your CGRC exam. Good luck! Once you pass the exam and become fully certified after the endorsement period, you can join your fellow certification holders in the CGRC Certification Group on the ISC2 Community.


SP 800-37 Rev. 2, RMF: A System Life Cycle Approach for Security and Privacy | CSRC (