topic Re: CGRC vs CRISC in Governance, Risk, Compliance

CGRC vs CRISC

piezor — Mon, 29 Jan 2024 14:02:58 GMT

Hi all, looking for opinions and advice on this.

I'm looking for a risk management certification that will help me develop my risk assessment and risk reporting skills. I looked at the CGRC because I already hold some ISC2 certs (CISSP, SSCP, CISSP) and keeping things "in house" made sense from a CPE and membership fee perspective. However, from looking at the limited information on the domains, it looks like the CGRC will go through the steps to conduct a risk assessment of a system, select controls, implementation of remediations, and monitoring; but doesn't look at risk management as an overall function and, specifically, risk and control reporting techniques.

My role involves preparing risk dashboards for board presentations so this is something important to me.

The CRISC appears to tick the boxes I need but is another organisation, duplicating CPE and maintenance fees/efforts etc.

So before I pull the trigger on either one I was hoping somebody who has sat the CGRC training and exam could give me some insight into the course content. Does it actually give you good knowledge of effective risk and control reporting techniques, or is it more the risk assessment and process of selecting and implementing controls?

Any and all input welcome.

Re: CGRC vs CRISC

Early_Adopter — Mon, 29 Jan 2024 16:53:26 GMT

I’m afraid that there are probably more questions to answer here.

I can say for sure in Banking, In Singapore the guys I knew were going to technical risk via ISACA - the other one they looked at was these guys https://www.rims.org/certification.

Knowledge wise I think you probably know the answer in that you buy/borrow the latest book from each and see which one looks better. The only other potentially helpful thing you might try is to search for jobs like yours or jobs you want to do and see what the cert counts are like - at least you get something quantifiable.

It also looks like there is a fair bit of sectoral breakdown/rallying around certain orgs qualifications.

https://www.indeed.com/career-advice/career-development/risk-management-certification

https://www.techtarget.com/searchcio/feature/Top-enterprise-risk-management-certifications-to-consider

Good luck and would be nice to learn what you discover.

Re: CGRC vs CRISC

dips0502 — Tue, 30 Jan 2024 03:50:50 GMT

If risk management is what you are after, then the choice is clear and that is CRISC. The CGRC is centered solely around the NIST RMF framework. So, if you work for a federal agency in the US, or a contractor with them, and need to be well versed with the NIST RMF, then you have a reason to do CGRC. You can also do it, if you merely want the CGRC in your resume just because it has the the letters "GRC". But apart from these two reasons, I don't see any other valid reason to do it. CGRC covers risk management, but only as part of the overall RMF.

Re: CGRC vs CRISC

piezor — Tue, 30 Jan 2024 09:27:27 GMT

thanks @dips0502. that is helpful and confirms what i thought. many thanks for the reply

Re: CGRC vs CRISC

tldutton — Wed, 07 Feb 2024 16:37:48 GMT

@piezor keep in mind that effective June 15, 2024, the CGRC exam will be based on an updated exam outline.

Take a look at the updated CGRC Exam Outline:

https://www.isc2.org/-/media/Project/ISC2/Main/Media/documents/domain-refresh/CGRC-Detailed-Content-Outline-with-Weights-2024.pdf

Re: CGRC vs CRISC

Caute_cautim — Fri, 16 Feb 2024 04:47:21 GMT

Hi All

Has anyone considered FAIR and the Open Group certification for Quantitative Risk approach?

https://www.opengroup.org/certifications/openfair

Professionally I am seeing a shift toward FAIR and Quantitative risk approach, rather than a Qualitative risk approach, which many Government, including ISO 31000 standards etc take, which make it some what subjective.

https://www.fairinstitute.org/

Regards

Caute_Cautim

Re: CGRC vs CRISC

SaskiaKaaks — Fri, 23 Feb 2024 20:09:36 GMT

CPEs overlap, you don't need to double the effort. You should be cautious in choosing the right moment for your education due to different CPE windows.

Re: CGRC vs CRISC

MartinN — Sat, 09 Nov 2024 20:44:05 GMT

Now I see why it used to be called the Certified Authorization Professional (CAP) since authorize is one of the RMF steps. CGRC seems like a more marketable name than CAP.

Re: CGRC vs CRISC

GABSONSOHO — Fri, 29 Nov 2024 02:35:25 GMT

i need help on the best textbook for CGRC. i will appreciate suggestion on the best book that can help me to pass the exam

Re: CGRC vs CRISC

jmikesmith — Fri, 29 Nov 2024 14:51:16 GMT

I received my CGRC earlier this year. The "best" textbook is probably NIST SP 800-37. It's the primary reference that the CGRC is based on. ISC2 published a study guide (back when CGRC was still called CAP). It's okay, but it's over 10 years old now. See my review here: https://www.goodreads.com/review/show/5971773506.

I read two other books as well, and my reviews for them are:

ISO 27001/ISO 27002: A guide to information security management systems: https://www.goodreads.com/review/show/6300405669
Information Security Risk Management for ISO 27001/ISO 27002: https://www.goodreads.com/review/show/6297499126

There are also some self-study aids here: https://www.isc2.org/certifications/cgrc/cgrc-self-study-resources. The practice exam is new since I took my exam in March. The flash cards are helpful for definitions.

Good luck!

Mike

Re: CGRC vs CRISC

MartinN — Fri, 29 Nov 2024 16:52:47 GMT

I have not looked into this, but does ISC2 make accommodations to "co-term" multiple certs so members don't need to keep track of different CPE windows? Like for a 5 year lease of printers, if you add a new printer in the 2nd year it can be co-termed to the original 5 year term.

Re: CGRC vs CRISC

MartinN — Fri, 29 Nov 2024 17:03:16 GMT

From talking to a seasoned CISO and my own thoughts, quantitative risk assessment is difficult without third party tools/data. How can you accurately value an asset or come up with a number for exposure factor, for each asset? A qualitative approach can be used first then from there you prioritize the risks and can then use a quantitative approach on those if needed. I think a tool like this may be helpful https://www.cybersaint.io/cybersecurity/cyberstrong/risk-hub (I have no affiliation with this company. I saw a webinar for this on BrightTalk and thought it was interesting).

Re: CGRC vs CRISC

MartinN — Fri, 29 Nov 2024 17:08:51 GMT

Let me know if you find something decent for CGRC. The latest book on Amz (https://www.amazon.com/dp/B0DKJX4L16) does not seem to be good. I may ask my employer to send me to the course.