As many of you have reached out to me asking about the resources I used to prepare for the Certified in Governance, Risk, and Compliance (CGRC) exam, and given the noticeable lack of resources or guidance in this area, I've decided to put together a concise guideline to assist you in your journey towards CGRC certification.
https://www.linkedin.com/pulse/concise-guide-certified-governance-risk-compliance-cgrc-yusuf-purna
It is my sincere hope that you will find this guide useful and insightful, and it will serve as a roadmap to ease your preparation process.
I was hoping and expecting a downloadable PDF file, but I guess not? Thanks for your page on this pertinent information anyway.
Gilbert
CySA+, SSCP, MCP, IT
Excellent writeup Yusuf!
Thanks, Yusuf! I appreciate your submission. Also, congratulations on passing the CGRC! I saw that in your LI profile.
Thanks for the information
This is great information. I have been working with the federal government as an ISSO for 15+ years working with policy & compliance. I would suggest adding NIST 800-171 for non-government systems to this list. Now that we are doing more cloud systems at my agency, when the vendors do not have FedRAMP authorization we ask them to provide a self-assessment based on NIST 800-171. This gives us somewhere to start because for some of them this whole security control thing is new, and it provides at least some guidance for them as to what we expect. NIST 800-53, 53A (Assessment), and 53B (Baselines) are great and there is a ton of good information there, but federal agencies do require more than the private sector and that deep of an understanding may or may not be needed for the exam. However, if you have that level of understanding the test would/will be easier to pass. Just my 2 cents. Oh, and you should definitely know the regulations/references by name and number.
There is probably a ton of information and .pdf type stuff for the CAP certification and that would serve as a good base for this information. You could start with that and build from there. The best way to learn the information is to work with it so if you could get an internship or a detail to a position that deals with Governance, Risk and Compliance you could learn on the job.