Skip to main content
Register for exam

CGRC Experience Requirements

Candidates must have a minimum of two years cumulative, full-time experience in one or more of the domains of the current CGRC Exam Outline. Part-time work and internships may also count towards the experience requirement.

If you do not have the required experience to earn the CGRC, you may become an Associate of ISC2 by successfully passing the CGRC examination. As an Associate of ISC2, you will then have three years to earn the two years of required, relevant experience.

Part-time work and internships may also count towards your experience.

Work Experience

Valid experience includes information systems security-related work performed in pursuit of information system authorization, or work that requires security risk management knowledge and involves direct application of that knowledge. Experience must fall within one or more of the seven domains of the ISC2 CGRC Exam Outline:

  • Domain 1: Security and Privacy Governance, Risk Management, and Compliance
  • Domain 2: Scope of the System
  • Domain 3: Selection and Approval of Framework, Security, and Privacy Controls
  • Domain 4: Implementation of Security and Privacy Controls
  • Domain 5: Assessment/Audit of Security and Privacy Controls
  • Domain 6: System Compliance
  • Domain 7: Compliance Maintenance

Full-Time Experience: Your work experience is accrued monthly. Thus, you must have worked a minimum of 35 hours/week for four weeks to accrue one month of work experience

Part-Time Experience: Your part-time experience cannot be less than 20 hours a week and no more than 34 hours a week.

  • 1040 hours of part-time = 6 months of full-time experience
  • 2080 hours of part-time = 12 months of full-time experience

Internship: Paid or unpaid internship is acceptable. You will need documentation on company/organization letterhead confirming your position as an intern. If you are interning at a school, the document can be on the registrar's stationery.