On June 15, 2024, ISC2 will update the CGRC exam. This exam update is the result of the Job Task Analysis (JTA), which is an analysis of the knowledge, skills and abilities of the credential evaluated by ISC2 members on a triennial cycle. The exam domain weights for the CGRC will change as follows:
|
Current (Effective August 15, 2021) |
New (Effective June 15, 2024) |
||
1 |
Information Security Risk Management Program |
16% |
Security and Privacy Governance, Risk Management, and Compliance Program |
16% |
2 |
Scope of the Information System |
11% |
Scope of the System |
10% |
3 |
Selection and Approval of Security and Privacy Controls |
15% |
Selection and Approval of Framework, Security, and Privacy Controls |
14% |
4 |
Implementation of Security and Privacy Controls |
16% |
Implementation of Security and Privacy Controls |
17% |
5 |
Assessment/Audit of Security and Privacy Controls |
16% |
Assessment/Audit of Security and Privacy Controls |
16% |
6 |
Authorization/Approval of Information System |
10% |
System Compliance |
14% |
7 |
Continuous Monitoring |
16% |
Compliance Maintenance |
13% |
|
Total: |
100% |
Total: |
100% |
For more information, please review our CGRC Exam Update FAQs or the CGRC Exam Outline.
Hi, Do you think when the new exam changes go in place there will be a update to the self study material needed? Will there be an updated CBK?
Hi there
I am an authorized ISC2 instructor for CGRC. From my point of view, there are only minor tweaks to the distribution of questions (see the original posting). You do not need to wait for updated CBK materials.
The exam questions are primarily based on your knowledge of Information Security/cybersecurity and important NIST standards. The current material is very good. See my earlier posting on common standards such NIST, ISO etc for you to review as part of the curriculum.
https://community.isc2.org/t5/CGRC-Study-Group/Self-Study-or-Enroll-in-ISC2-Course/m-p/65306
Best wishes,
Dr K
As a fellow instructor, I concur with Dr. K's post. From what I've read and been told, the subject matter and material that you'll be tested on is not changing, rather it is a reorganization of what's covered in each domain (hence, the new domain titles).
Thus, the relative weight of each domain has shifted. For most domains that shift is only 1%; the exceptions are in domains 6 and 7. Domain 6 goes up from 10% of the total to 14%, while domain 7 goes down from 16% to 13%. Collectively, the weight of those two domains goes up only 1% from 26% to 27%.
Previously, earning this certification required having a good understanding of the Risk Management Framework, the activities performed in each step (including the largest step: Preparation), knowing the roles with primary responsibility for performing each of those activities, and an understanding of what's in the relevant NIST & ISO standards and documentation. If you have that information in your head, you'd have what it takes to pass the exam.
Unless ISC2 has decided to do something else that's not in the material they're providing instructors like me and Dr. K, that will still be true when the updated exam rolls out.
I hope this information helps.
I have to agree, there is a new program out with a 2nd test (if needed). I have read the NIST SP's and used them for years, yet I believe I will need the retest as there is little to no available actual prep in the area. I've been in security for 35 years - I am hoping that the GRC refresher (look under continuing education for skill builders) content from ISC2 is a little bit helpful but so far I've been burning through it.
Like so many others, I sure wish there was more out there.
Hello Dr K,
This is Abdulnazeer, i was your last student for last batch(meant before exam change). I could not attend actively your training due to time zone difference. I used to watch recording . Will it sufficient for exam, i booked my exam next week. Need you input ,if required i can reschedule it still required to go through more.