CGRC Certification Exam Outline

1.1 - Demonstrate knowledge in security and privacy governance, risk management, and compliance program

• Principles of governance, risk management, and compliance
• Risk management and compliance frameworks using national and international standards and guidelines for security and privacy requirements (e.g., National Institute of Standards and Technology (NIST), cybersecurity framework, Control Objectives for Information and Related Technology (COBIT), International Organization for Standardization/International Electrotechnical Commission (ISO/IEC))
• System Development Life Cycle (SDLC) (e.g., requirements gathering, design, development, testing, and operations/maintenance/disposal)
• Information lifecycle for each data type processed, stored, or transmitted (e.g., retaining, disposal/destruction, data flow, marking)
• Confidentiality, integrity, availability, non-repudiation, and privacy concepts
• System assets and boundary descriptions
• Security and privacy controls and requirements
• Roles and responsibilities for compliance activities and associated frameworks

1.2 - Demonstrate knowledge in security and privacy governance, risk management and compliance program processes

• Establishment of compliance program for the applicable framework 1.3 - Understand regulatory and legal requirements

1.3 - Demonstrate knowledge of compliance frameworks, regulations, privacy, and security requirements

• Familiarity with compliance frameworks (e.g., International Organization for Standardization/International Electrotechnical Commission (ISO/IEC), Federal Risk and Authorization Management Program (FedRAMP), Payment Card Industry Data Security Standard (PCI-DSS), Cybersecurity Maturity Model Certification)
• Familiarity with other national and international laws and requirements for security and privacy (e.g., Federal Information Security Modernization Act (FISMA), Health Insurance Portability and Accountability Act (HIPAA), executive orders, General Data Protection Regulation (GDPR))

2.1 - Describe the system

• System name and scope documented
• System purpose and functionality

2.2 - Determine security compliance required

• Information types processed, stored, or transmitted
• Security objectives outlined for each information type based on national and international security and privacy compliance requirements (e.g., Federal Information Processing Standards (FIPS), International Organization for Standardization/International Electrotechnical Commission (ISO/IEC), data protection impact assessment)
• Risk impact level determined for system based on the selected framework

3.1 - Identify and document baseline and inherited controls

3.2 - Select and tailor controls

• Determination of applicable baseline and/or inherited controls
• Determination of appropriate control enhancements (e.g., security practices, overlays, mitigating controls)
• Specific data handling/marking requirements identified
• Control selection documentation
• Continued compliance strategy (e.g., continuous monitoring, vulnerability management)
• Control allocation and stakeholder agreement

4.1 - Develop implementation strategy (e.g., resourcing, funding, timeline, effectiveness)

• Control implementation aligned with organizational expectations, national or international requirements, and compliance for security and privacy controls
• Identification of control types (e.g., management, technical, common, operational control)
• Frequency established for compliance documentation reviews and training

4.2 - Implement selected controls

• Control implementation consistent with compliance requirements
• Compensating or alternate security controls implemented

4.3 - Document control implementation

• Residual security risk or planned implementations documented (e.g., Plan of Action and Milestones (POA&M), risk register)
• Implemented controls documented consistent with the organization's purpose, scope, and risk profile (e.g., policies, procedures, plans)

5.1 - Prepare for assessment/audit

• Stakeholder roles and responsibilities established
• Objectives, scope, resources, schedule, deliverables, and logistics outlined
• Assets, methods, and level of effort scoped
• Evidence for demonstration of compliance audited (e.g., previous assessments/audits, system documentation, policies)
• Assessment/audit plan finalized

5.2 - Conduct assessment/audit

• Compliance capabilities verified using appropriate assessment methods: interview, examine, test (e.g., penetration, control, vulnerability scanning)
• Evidence verified and validated

5.3 - Prepare the initial assessment/audit report

• Risks identified during the assessment/audit provided
• Risk mitigation summaries outlined
• Preliminary findings recorded

5.4 - Review initial assessment/audit report and plan risk response actions

• Risk response assigned (e.g., avoid, accept, share, mitigate, transfer) based on identified vulnerabilities or deficiencies
• Risk response collaborated with stakeholders
• Non-compliant findings with newly applied corrective actions reassessed and validated

5.5 - Develop final assessment/audit report

• Final compliance documented (e.g., compliant, non-compliant, not applicable)
• Recommendations documented when appropriate
• Assessment report finalized

5.6 - Develop risk response plan

• Residual risks and deficiencies identified
• Risk prioritized
• Required resources identified (e.g., financial, personnel, and technical) to determine time required to mitigate risk

6.1 - Review and submit security/privacy documents

• Security and privacy documentation required to support a compliance decision by the appropriate party (e.g., authorizing official, third-party assessment organizations, agency) compiled, reviewed, and submitted

6.2 - Determine system risk posture

• System risk acceptance criteria
• Residual risk determination
• Stakeholder concurrence for risk treatment options
• Residual risks defined in formal documentation

6.3 - Document system compliance

• Formal notification of compliance decision
• Formal notification shared with stakeholders

7.1 - Perform system change management

• Changes weigh the impact to organizational risk, operations, and/or compliance requirements (e.g., revisions to baselines)
• Proposed changes documented and approved by authorized personnel (e.g., Change Control Board (CCB), technical review board)
• Deploy to the environment (e.g., test, development, production) with rollback plan
• Changes to the system tracked and compliance enforced

7.2 - Perform ongoing compliance activities based on requirements

• Frequency established for ongoing compliance activities review with stakeholders
• System and assets monitored (e.g., physical and logical assets, personnel, change control)
• Incident response and contingency activities performed
• Security updates performed and risks remediated/tracked
• Evidence collected, testing performed, documentation updated (e.g., service level agreements, third party contracts, policies, procedures), and submission/communication to stakeholders when applicable
• Awareness and training performed, documented, and retained (e.g., contingency, incident response, annual security and privacy)
• Revising monitoring strategies based on updates to legal, regulatory, supplier, security and privacy requirements

7.3 - Engage in audits activities based on compliance requirements

• Required testing and vulnerability scanning performed
• Personnel interviews conducted
• Documentation reviewed and updated

7.4 - Decommission system when applicable

• Requirements for system decommissioning reviewed with stakeholders
• System removed from operations and decommissioned
• Documentation of the decommissioned system retained and shared with stakeholders

Governance in the age of AI requires establishing dedicated oversight boards to manage algorithmic transparency and the ethical use of autonomous agents. Within this domain, we integrate AI by adapting traditional risk management principles to account for the unique, non-deterministic decision-making of machine learning models. This involves mapping complex, overlapping global requirements—such as the NIST AI Risk Management Framework (AI RMF) and ISO/IEC 42001—into existing corporate compliance tracking tools to ensure a unified and ethical approach to AI adoption. 

Furthermore, this domain addresses the information lifecycle specifically for AI, focusing on the technical challenge of “machine unlearning” when sensitive data must be purged from trained models. By utilizing AI-driven analytics to define strict privacy guardrails for LLM training, CGRC professionals ensure that the organization’s governance program protects intellectual property and data confidentiality while enabling responsible innovation. 

Traditional scoping methodologies have been expanded to capture the sprawling and continuous nature of modern machine learning data pipelines. In Domain 2, the CGRC Exam Outline integrates AI by requiring professionals to identify all embedded algorithms, including those hidden within commercial-off-the-shelf (COTS) software. This involves documenting the probabilistic nature of AI subsystems and utilizing AI-driven automated mapping tools to maintain dynamic system descriptions that keep pace with rapidly evolving cloud-native infrastructures. 

Accurate scoping also requires a clear delineation between the foundational AI model training environment and the active inference endpoints. By using Natural Language Processing (NLP) tools to extract and verify scoping boundaries from technical documentation, CGRC practitioners ensure that the assessment boundary is precisely defined. This prevents “scope creep” and ensures that the security and privacy obligations of the AI system are clearly understood by all stakeholders. 

Selecting the right defenses for an AI system requires integrating specialized overlays, such as the CSA AI Controls Matrix, into traditional framework baselines. This domain emphasizes the use of AI to automate the dynamic mapping and selection of controls across complex, hybrid architectures. Practitioners understand how to identify inherited AI security controls from major Cloud Service Providers (CSPs), ensuring that foundational models like those in AWS Bedrock or Azure OpenAI are properly accounted for in the system’s security plan. 

Moreover, the integration focuses on tailoring controls to mitigate AI-specific threats, including prompt injection and adversarial data poisoning. By leveraging AI algorithms to recommend optimal control selections based on a model’s unique risk profile, CGRC professionals can rapidly document complex control inheritance hierarchies. This ensures that the selected safeguards are not only compliant with international standards but are also technically effective against modern algorithmic attacks. 

The implementation phase addresses the deployment of AI-native security controls seamlessly into distributed machine learning pipelines. This domain focuses on the use of intelligent Infrastructure as Code (IaC) to automate the provisioning and configuration of these controls, ensuring consistency across hyper-scaled environments. Practitioners are tasked with developing strategies that implement these safeguards without introducing unacceptable latency into real-time AI inference endpoints, balancing security with operational performance. 

Compliance is further strengthened by aligning implementation with emerging international requirements, such as the EU AI Act. CGRC professionals ensure that privacy controls are technically robust enough to prevent unauthorized model retraining on protected tenant data. By utilizing predictive analytics to model implementation timelines and funding requirements, they ensure that the organization’s AI infrastructure is deployed in a way that is both fiscally responsible and fundamentally secure. 

Auditing in an AI-driven environment shifts from manual inspections to the use of AI-powered audit tools that can correlate compliance evidence across vast cloud landscapes. This domain integrates the assessment of “black-box” machine learning models for risks like algorithmic bias, data poisoning and hallucinations. Practitioners understand how to use predictive AI to accurately scope the boundaries of auto-scaling ML infrastructure, ensuring that the audit reflects the actual operational state of the system.

Accountability is a cornerstone of this domain, specifically regarding the autonomous decisions made by an AI system during an audit period. The exam outline aligns specific responsibilities to AI Ethics Officers and ML Engineers, ensuring that the audit process captures the technical and ethical dimensions of AI performance. By automating the scheduling and resource allocation for these complex audits, CGRC professionals can provide authorizing officials with high-fidelity data regarding the system’s true compliance posture.

The authorization of an AI system involves navigating the inherent uncertainties of generative AI through formal risk acceptance criteria. In Domain 6, the CGRC Exam Outline integrates the use of AI governance tools to automate the generation and submission of massive compliance authorization packages, such as System Security Plans (SSPs). Utilizing NLP to cross-reference thousands of pages of privacy documentation, practitioners can identify inconsistencies and streamline the review process for authorizing officials.

Furthermore, this domain addresses the specialized documentation required for intelligent systems, including algorithmic bias audits and training data provenance logs. By using AI orchestration to route these documents through complex, multi-tier stakeholder approval workflows, CGRC professionals ensure that the final authorization is based on a transparent and comprehensive understanding of the system’s risks. This ensures that even the most advanced AI deployments satisfy the rigorous standards for organizational risk acceptance. 

Maintaining compliance for an AI system requires a transition to AI-driven Continuous Control Monitoring (CCM) that can handle the rapid change lifecycle of MLOps. This domain integrates the governance of continuous deployments, treating the update of ML weights as formal system changes. Practitioners understand how to use AI to predict the “blast radius” and compliance impact of a proposed architectural change before it is approved, preventing unauthorized drift from the authorized security baseline.

Finally, the CGRC Exam Outline addresses the role of AI in autonomously assessing how updates to foundational models might alter the system’s compliance posture or introduce new biases. By evaluating how shifts in training data demographics impact regulatory requirements, CGRC professionals ensure that the system remains compliant throughout its operational life. This proactive approach to maintenance ensures that the organization can leverage the latest AI innovations without compromising its long-term security and compliance goals.