CGRC – Governance, Risk and Compliance Certification
🧭 Overview
CGRC – Governance, Risk and Compliance Certification (formerly CAP) is an ISC2 credential focused on authorizing and maintaining information systems within risk management and regulatory frameworks. It validates expertise in assessing risk, implementing controls, and ensuring compliance with standards such as NIST RMF.
CGRC holders support organizations in regulated sectors, government agencies, and enterprises that require formalized risk and compliance oversight.
📚 Requirements
- Two years cumulative paid work experience in one or more CGRC domains
- Pass the CGRC exam covering seven domains:
  - Information Security Risk Management Program
  - Scope of the Information System
  - Select Security and Privacy Controls
  - Implement Security and Privacy Controls
  - Assess Security and Privacy Controls
  - Authorize Information System
  - Continuous Monitoring
- Agree to the ISC2 Code of Ethics
- Maintain the certification through CPE (continuing professional education) credits
🤝 Community & Recognition
CGRC is widely respected in government, defense, and regulated industries where compliance and risk governance are essential. It is especially valued by professionals working with NIST frameworks, RMF processes, and system authorization roles.
📜 Quick Facts
Issuing Organization: ISC2
Website: https://www.isc2.org/
Credential Focus: Risk management, compliance, system authorization
Audience: GRC analysts, compliance officers, system assessors
Continuing Education: Required via CPE credits
Related Designations: CISSP, CISA, CRISC