The ISC2 Certified in Governance, Risk and Compliance (CGRC) — formerly known as the Certified Authorization Professional (CAP) — is a globally recognized certification that validates advanced knowledge and skills in integrating governance, risk management, and regulatory compliance within an organization’s information security program. The CGRC demonstrates that a professional can advocate for security risk management, authorize and maintain information systems, and align security strategies with organizational objectives using established frameworks such as the NIST Risk Management Framework (RMF), ISO 31000, and COBIT. Accredited to ISO/IEC 17024 by ANAB and recognized under the U.S. Department of Defense DoD 8140 workforce framework, the CGRC is particularly valued across government, federal, defense, and commercial sectors, where GRC expertise is in high and growing demand.
Audience Profile
- Cybersecurity Auditors and Compliance Officers
- GRC Architects, GRC Managers, and GRC Directors
- GRC Analysts responsible for risk assessments and control frameworks
- Cybersecurity Risk & Compliance Project Managers
- Cybersecurity Risk & Controls Analysts
- Cybersecurity Third Party Risk Managers
- Enterprise Risk Managers
- Information Assurance Managers
- IT and security professionals working within risk management and compliance functions
What will you learn?
The CGRC covers seven core domains:
- Security and Privacy Governance, Risk Management, and Compliance Program — Establishing and managing a GRC program aligned to organizational and regulatory requirements
- Scope of the System — Defining and documenting the boundaries and environment of information systems under assessment
- Selection and Approval of Framework, Security, and Privacy Controls — Choosing appropriate controls from frameworks such as NIST SP 800-53, ISO/IEC 27001, and others
- Implementation of Security and Privacy Controls — Applying selected controls to protect information systems and ensure compliance
- Assessment/Audit of Security and Privacy Controls — Evaluating the effectiveness of implemented controls through audits and assessments
- System Compliance — Achieving and documenting formal authorization for information systems to operate
- Compliance Maintenance — Continuously monitoring, reviewing, and updating controls to maintain ongoing compliance and authorization
Why Get Certified?
- Demonstrates expertise across the full GRC lifecycle — from governance design through to ongoing compliance maintenance
- Recognized under the U.S. DoD 8140 workforce framework, making it highly valuable for government and defense sector roles
- Accredited to ISO/IEC 17024 — the global benchmark for personnel certification bodies
- Directly aligned to the NIST Risk Management Framework (RMF), the most widely used GRC framework in the public and private sectors
- Capitalizes on rapidly growing demand for GRC professionals as organizations face increasing regulatory complexity and cybersecurity risk
- Opens access to senior roles in risk management, security authorization, compliance leadership, and information assurance
Prerequisites
- Minimum of 2 years of cumulative, paid, full-time work experience in one or more of the seven CGRC domains
- No experience yet? Pass the exam to become an Associate of ISC2, then complete the required work experience within 3 years to achieve full CGRC certification