As those interested in or preparing for the CAP certification, we are informing you that effective February 15, 2023, the certification will be known as the Certified in Governance, Risk and Compliance or CGRC. This name change better represents the knowledge, skills and abilities required to earn and maintain this certification as the content reaches beyond authorization. The exam and course content will not change, nor will the experience requirements for the certification.
You can learn more about the last exam refresh, which occurred in 2021, on our blog.
If you plan to sit for the exam on or before February 14, 2023, you will register for the CAP exam. Starting January 1, 2023, you can register to take the CGRC exam on or after February 15, 2023.
You can take the next step to launch your cybersecurity career by logging into your Pearson VUE account to register for your exam.
If you have further questions, refer to our CAP to CGRC FAQ page.
I'm curious about the removal of the word "Professional" from the new name.
Prior to the CC certification, all ISC2 certification abbreviations ended with a P either denoting a Professional or a Practitioner level certification.
e.g. CAP - Certified Authorization Professional or SSCP - Systems Security Certified Practitioner.
I understand the CC not having a P being entry-level, but how will CGRC holders show they hold a Professional level certification to people who don't know it's just the new name for the CAP, or those who don't know what the CAP is to begin with?
I'd imagine the new, more international, target audience for the CGRC would include many people / employers who would be in that latter group.
Is (ISC)2 working with DoD to have the new name added to the DoD 8570 Workforce Program tables, so that DoD entities will recognize both the CAP and CGRC certificates?
It would be messy to replace CAP with CGRC, creating difficulties for current CAP holders until they renew and get the new name certificate.
Thank you for your questions.
Regarding the "professional" term in the certification name, all (ISC)² certifications act as a professional mark of distinction recognizing the skills, knowledge and abilities required to earn and maintain them. The new certification name, CGRC, better represents the breadth of the subject matter covered within the exam and aligned with the growing field of Governance, Risk and Compliance.
Regarding the DoD question, the DoD will not reference both names at the same time. The CAP name will change to CGRC when the name becomes active on February 15, 2023. At that time, all active certification holders will then have CGRC.
Thanks for the response, Andrea, and that's a nice sentiment, but it begs the question why the SSCP and the HCISPP are named as Practitioner certifications and all the others, CC excepted, are named as Professional?
Naming conventions tie into GRC policies so it's a topical question at least!
I always viewed the hierarchy (rightly or wrongly) as Professional > Practitioner > No designation, and that was largely reflected in the respective experience requirements for ISC2's various certifications - based on that, is the CAP being devalued?
Admittedly, the CAP was always the outlier being a Professional certification only requiring 2 years of experience, the same as the HCISPP which as mentioned above is Practitioner level, so perhaps it's not being devalued as much as I first thought.
The reason why I am curious about all of this is, the CAP is the only Professional level ISC2 certification I don't hold - it never interested me as a non-US member, given its scope is US Federal / RMF centric.
However, with the change in the scope, which is said to now be more international, it started to pique my interest, but there are a few things which are telling me to hold off going for this, the new name choice included - just some feedback for the team.
Regarding the "professional" term in the certification name, all (ISC)² certifications act as a professional mark of distinction recognizing the skills, knowledge and abilities required to earn and maintain them.
The flaw in this line of reasoning becomes obvious when taken to the extreme. All of the certifications are "certifications", so the "C" is redundant. They are all IT related, so "I" is redundant. They are also in the "security" realm, so the "S" is redundant. And, as earlier mentioned, the "P" is redundant. Taken together, that would imply that the "CISSP" would more aptly be named "S".
The bit that appears to be missing here is that "C.... P" identifies to the world-writ-large that the certs "belong" to the (ISC)² family. Names are more than just identification. They also communicate pedigree. I see this quite often having an atypical last name (for the country I live in). I am regularly asked "Are you related to the teacher?" or "Do you know the doctor with the same last name?".
My vote (which has zero weight) would be to rename "CC" to "CCP", "CGRC" to "CGRCP", etc., so that the pedigree is reinforced.
Is there a potential conflict with this organization that also has a CGRC?
The other suggestion that it be called CGRCP for alignment with other ISC2 certifications seems to make sense but that’s a mouthful of acronyms and the above organization also issues CGRCP certificates.