The CGRC is a unique credential in the ISC2 portfolio. Launched in 2005 as the Certified Authorization Professional (CAP) certification, the original credential was built with a focus on the authorization processes within governance, risk and compliance for U.S. government professionals and contractors. In 2023, the certification was updated to its current name, Certified in Governance, Risk and Compliance (CGRC), to better represent the knowledge, skills and abilities required to earn and maintain it.

Holding the CGRC demonstrates that a professional has the knowledge and skills to integrate governance, performance management, risk management and regulatory compliance within their organization while helping that organization achieve objectives, address uncertainty and act with integrity.

This credential has recently hit an important milestone, with more than 5,000 professionals globally holding it. Holders have demonstrated that they can align IT goals with organizational objectives as they manage cyber risks and meet regulatory needs. They use frameworks to integrate security and privacy with their organization’s overall objectives, allowing stakeholders to make informed decisions regarding data security and privacy risks.

About the CGRC

To earn the CGRC, professionals must pass the exam, demonstrate at least two years of work experience in one or more of the seven domains, and pledge to uphold the ISC2 Code of Ethics.

  • Domain 1: Security and Privacy Governance, Risk Management, and Compliance Program
  • Domain 2: Scope of the System
  • Domain 3: Selection and Approval of Framework, Security, and Privacy Controls
  • Domain 4: Implementation of Security and Privacy Controls
  • Domain 5: Assessment/Audit of Security and Privacy Controls
  • Domain 6: System Compliance
  • Domain 7: Compliance Maintenance

The CGRC credential is ideal for professionals in the following roles:

  • Cybersecurity Auditor
  • Cybersecurity Compliance Officer
  • GRC Architect or Manager
  • Cybersecurity Risk & Compliance Project Manager or Analyst
  • Third-Party or Enterprise Risk Manager
  • GRC Analyst or Director
  • System Security Manager or Officer
  • Information Assurance Manager

Why GRC Matters More Than Ever

In the 2024 ISC2 Cybersecurity Workforce Study, GRC ranked among the top technical skills in demand at 13%, just behind risk assessment, analysis, and management (14%). In the 2025 edition, a staggering 95% of respondents reported at least one skills gap, with 59% affirming they faced critical or significant skills needs, a notable increase from 44% in 2024. GRC was again explicitly identified in the 2025 study as among the most needed skills areas by more than a quarter (27%) of respondents, alongside AI and cloud security.

“Governance in the context of cyber security is about defining who is responsible for what, how decisions are made, and what data informs those decisions. Most importantly, it creates accountability by setting out clear roles and responsibilities.” - Business Tech Weekly

“Well-run GRC delivers reliable outcomes, better decision-making, and risk reduction—89% of mature programs report benefit.” - GRCmana.io.

Building GRC Skills

Earning the CGRC credential – and joining the 5,000 professionals already certified worldwide – is a strong way to demonstrate competency and skill in the GRC arena. However, if you’re just starting to explore the area, we invite you to join our upcoming ISC2 Spotlight on Governance, Risk and Compliance on January 21-22, 2026. This virtual event is free for ISC2 Members, Associates and Candidates to attend.

For the fourth year in a row, ISC2 will gather experts to discuss ways to navigate the mounting regulatory demands impacting organizations globally. The event will examine cutting-edge trends impacting GRC, like risk quantification and AI, while covering the fundamentals that companies need to ensure their GRC program is in order.