The demand for governance, risk, and compliance (GRC) professionals is on the rise due to increasing regulatory requirements, the constantly evolving cybersecurity landscape, and the significant financial and reputational risks associated with non-compliance or security breaches. To safeguard their assets, maintain legal and regulatory compliance, and mitigate operational, financial, and reputational risks, organizations must establish robust governance, risk, and compliance strategies and employ certified professionals.

The ISC2 Certified in Governance, Risk, and Compliance (CGRC) certification is a comprehensive program specifically designed to empower IT and information security practitioners in effectively managing risk and ensuring the security of information systems. In this in-depth review, we explore the distinctive features, benefits, and the process of acquiring this valuable credential.

Which part of the compliance process is the most challenging?

The top challenge faced by organizations in maintaining compliance is the lack of staff expertise and knowledge (55%). Organizations struggle to find qualified personnel who can effectively manage and ensure compliance in cloud environments.


The CGRC is a vendor-neutral cybersecurity credential designed to certify that CGRC professionals possess the expertise to integrate governance, risk management, and regulatory compliance within an organization. By aligning IT goals with organizational objectives, CGRC professionals effectively manage cyber risks and achieve regulatory needs. They also use frameworks to integrate security and privacy with an organization’s overall objectives, enabling stakeholders to make informed decisions regarding data security and privacy risks.

“The CGRC not only helps to explain how the federal government operates but lays the foundation for how you work and what to expect in the way of security and privacy controls and countermeasures.” – Larry Wlosinski, Senior Associate at Veris Group


  • Vendor-Neutral Certification: The CGRC certification ensures that professionals have advanced technical security skills and knowledge, applicable across various technologies and methodologies, to authorize and maintain information systems.
  • Accreditation and Recognition: The CGRC certification is accredited by ANAB/ANSI and IAS under the ISO/IEC 17024 standard for personnel certification programs.
  • DoD-Approved: CGRC-certified professionals are listed in two categories under the DoD 8570.01 mandate: IAM Level I and IAM Level II. The certification is the only one under the DoD 8570.01 mandate that aligns with each step of the Risk Management Framework (RMF).
  • Continuing Professional Education: CGRC-certified professionals must participate in continuing professional education to stay current on emerging threats, technologies, regulations, standards, and practices.

Certification requires passing the exam and at least two years of cumulative, paid work experience in one or more of the seven domains of the ISC2 CGRC Common Body of Knowledge (CBK®), listed in the steps below. By obtaining the CGRC certification, professionals demonstrate their commitment to upholding high standards in governance, risk, and compliance, making them valuable assets in a constantly changing cybersecurity landscape.


Professionals are encouraged to navigate their journey towards CGRC certification in a way that best suits their unique learning styles and experiences.

BECOMING AN ISC2 CANDIDATE: Joining ISC2 as a candidate is an excellent starting point in the pursuit of the CGRC certification. Candidates can access numerous benefits enjoyed by certified members, including a 20% discount on training and 30-50% off textbooks, to aid their progress.

OBTAINING THE REQUIRED EXPERIENCE: To qualify for the CGRC certification, participants must pass the exam and have at least two years of cumulative, paid work experience in one or more of the seven domains of the ISC2 CGRC Common Body of Knowledge (CBK®).

The domains are:
• Information Security Risk Management Program
• Scope of the Information System
• Selection and Approval of Security and Privacy Controls
• Implementation of Security and Privacy Controls
• Assessment/Audit of Security and Privacy Controls
• Authorization/Approval of Information System
• Continuous Monitoring

STUDYING FOR THE EXAM: Various self-study resources are provided by ISC2, the creator and custodian of the CGRC CBK, to help participants prepare confidently for the exam. While some candidates prefer to pass the exam through self-study, others opt to attend an Official ISC2 Training to review and reinforce their knowledge before attempting the exam.

PASSING THE EXAM: The CGRC exam consists of 125 items and must be completed within a maximum of three hours. Candidates can schedule their exams by creating an account with Pearson VUE, a leading provider of global, computer-based testing for certification and licensure exams.

GETTING ENDORSED: Once participants pass the exam, they have nine months from the exam date to complete the ISC2 endorsement process. This step is crucial in ensuring the integrity and value of the CGRC certification.

EARNING CPE CREDITS: Upon certification, professionals become ISC2 members and are required to recertify every three years. Recertification is achieved by earning Continuing Professional Education (CPE) credits and paying an Annual Maintenance Fee (AMF) to support ongoing development.


ISC2 offers various training options to cater to individual learning styles. These include online instructor-led training and classroom-based training. By offering flexibility in training formats, ISC2 ensures that professionals can engage in a learning experience best suited to their needs. Once professionals pass the exam and become ISC2 members, they must recertify every three years by earning 60 CPE credits and paying a $125 AMF. Numerous opportunities exist for earning free CPEs, such as attending webinars, participating in think tanks and security briefings, and volunteering.

When you join as a candidate, you can enjoy member benefits before obtaining certification. As a candidate, there is a $50 AMF, but the first year is free.


The CGRC certification offers numerous benefits to professionals in the cybersecurity field, ranging from career advancement to a stronger skill set. This section delves into the key advantages of obtaining the CGRC certification and the exclusive resources available to certified professionals.

Career Opportunities and Advancement: CGRC certification raises a professional’s visibility and credibility, opening doors to new career opportunities and helping them stand out in the competitive cybersecurity landscape.

Versatile Skills: The vendor-neutral nature of the CGRC certification enables professionals to apply their skills across various technologies and methodologies, making them valuable assets to organizations across industries.

Credibility: By obtaining the CGRC certification, professionals demonstrate a solid foundation in mitigating and responding to cyber threats, thereby establishing trust and confidence in their abilities.

Solid Foundation for Protection: Certified professionals are better prepared to counter cyberattacks and contribute to a safe and secure cyber world, thanks to the comprehensive knowledge acquired through the CGRC certification process, standards, and practices.

Membership in a Strong Peer Network: Becoming an ISC2 member unlocks exclusive resources, educational tools, and peer-to-peer networking opportunities, facilitating continuous professional development and collaboration.

Higher Compensation: CGRC-certified professionals can expect higher salaries, with Certification Magazine’s annual survey reporting an average salary of $118,980 in the U.S. and $114,150 globally in 2023.

Expanded Knowledge: The CGRC certification provides professionals with a deeper, broader understanding of the cybersecurity Common Body of Knowledge (CBK®), helping them excel in their roles and stay ahead in the ever-evolving field.

Stronger Skill Set: CGRC certification equips professionals with the skills and knowledge needed to effectively fulfill their organizational duties and tackle the diverse challenges in cybersecurity.

In the words of Brian Braxton, an Information Security Risk Management Lead from Rockville, MD, “CGRC is a great certification to earn and have on your resume. It shows you understand what is required to secure IT systems. Also, understanding the Risk Management Framework will help you during the interview process.”

After earning the CGRC certification and becoming an ISC2 member, professionals gain access to a full suite of benefits and resources for continuing education and development.

These include free online ISC2 Professional Development courses, discounts on CBK books, Wiley publications, and ISC2 events, free access to webinars and pre-recorded webcasts, invitations to join or start local ISC2 chapters, volunteer opportunities, and professional recognition through ISC2 Global Achievement Awards.

Through these resources, CGRC-certified professionals can further develop their skills, expand their knowledge, and stay connected with the global cybersecurity community.


The ISC2 CGRC certification is a comprehensive and valuable credential for IT, information security, and cybersecurity professionals who aim to excel in the field of governance, risk, and compliance. By obtaining this certification, professionals can demonstrate their expertise in managing risk and authorizing information systems, while staying ahead of the curve in the ever-evolving cybersecurity landscape.

The CGRC certification provides opportunities for career advancement, skill development, and higher compensation, making it an excellent choice for professionals seeking to advance their careers in the GRC field.


ISC2 is an international nonprofit membership association focused on inspiring a safe and secure cyber world. Best known for the acclaimed Certified Information Systems Security Professional (CISSP®) certification, ISC2 offers a portfolio of credentials that are part of a holistic, pragmatic approach to security. Our association of candidates, associates and members, nearly 365,000 strong, is made up of certified cyber, information, software and infrastructure security professionals who are making a difference and helping to advance the industry. Our vision is supported by our commitment to educate and reach the general public through our charitable foundation – The Center for Cyber Safety and Education™.



No posts to display