CGRC: Certified in Governance, Risk and Compliance

Earn Your GRC Certification – Be a Governance, Risk and Compliance Leader! Capitalize on the rising demand for Governance, Risk and Compliance (GRC) expertise by earning the CGRC certification. The CGRC is a proven way to demonstrate your knowledge and skills to integrate governance, performance management, risk management and regulatory compliance within your organization. CGRC professionals utilize frameworks to integrate security and privacy within organizational objectives, better enabling stakeholders to make informed decisions regarding data security, compliance, supply chain risk management and more.


The CGRC is ideal for IT, information security and information assurance practitioners who work in Governance, Risk and Compliance (GRC) roles and have a need to understand, apply and/or implement a risk management program for IT systems within an organization, including positions like:

  • Cybersecurity Auditor, Cybersecurity Compliance Officer
  • GRC Architect, GRC Manager
  • Cybersecurity Risk & Compliance Project Manager, Cybersecurity Risk & Controls Analyst, Cybersecurity Third Party Risk Manager
  • Enterprise Risk Manager
  • GRC Analyst, GRC Director
  • Information Assurance Manager


To qualify for the ISC2 CGRC certification, you must:

  • pass the exam and
  • have at least two years of cumulative, paid work experience in one or more of the seven domains of the ISC2 CGRC Exam Outline. 

Don’t have enough experience yet? You can still pass the CGRC exam and become an Associate of ISC2 while you earn the required work experience. 

Course goals

In this CGRC Certification and Training, you will learn how to:

  • Create an information security risk management programme.
  • Scope the information system.
  • Select and approve security and privacy controls.
  • Implement security and privacy controls.
  • Assess/audit security and privacy controls.
  • Authorise/approve the information system.
  • Perform continuous monitoring.


Course content

Domain 1: Information Security Risk Management Programme

1.1 Understand the foundation of an organisation's information security risk management programme
  • Principles of information security

1.2 Understand risk management programme processes

Domain 2: Scope of the Information System

2.1 Define the information system

2.2 Determine categorisation of the information system

Domain 3: Selection and Approval of Security and Privacy Controls

3.1 Identify and document baseline and inherited controls

3.2 Select and tailor controls to the system

3.3 Develop a continuous control monitoring strategy (e.g., implementation, timeline, effectiveness)

3.4 Review and approve security plan/Information Security Management System (ISMS)

Domain 4: Implementation of Security and Privacy Controls

4.1 Implement selected controls

Domain 5: Assessment/Audit of Security and Privacy Controls

5.1 Prepare for assessment/audit

5.2 Conduct assessment/audit

5.3 Prepare the initial assessment/audit report

5.4 Review initial assessment/audit report and perform remediation actions

5.5 Develop final assessment/audit report

5.6 Develop a remediation plan

Domain 6: Authorisation/Approval of Information System

6.1 Compile security and privacy authorisation/approval documents

6.2 Determine information system risk

6.3 Authorise/approve information system

Domain 7: Continuous Monitoring

7.1 Determine the impact of changes to information systems and the environment

7.2 Perform ongoing assessments/audits based on organisational requirements

7.3 Review supply chain risk analysis monitoring activities (e.g., cyber threat reports, agency reports, news reports)

7.4 Actively participate in response planning and communication of a cyber event

7.5 Revise monitoring strategies based on changes to industry developments introduced through legal, regulatory, supplier, security, and privacy updates

7.6 Keep designated officials updated about the risk posture for continuous authorisation/approval

7.7 Decommission information system


This course and its materials will help prepare you to take the CGRC (Certified in Governance, Risk and Compliance) certification exam.

IMPORTANT! The CGRC exam voucher is NOT included in this CGRC training.

Schedule: 23 September, 5 days, Classroom / Virtual