Before I embark on the CISSP, I was wondering if getting the CGRC would make sense or is even recommended. I mainly work in the GRC area (doing policy work), and would like to get a more solid understanding of the different frameworks etc. I am thinking that getting a CGRC certification could help me here.
Does it make sense to attempt this certification without the knowledge & experience required for a CISSP?
Thanks for any guidance you may have.
I've done a self-study of the CGRC. I still may take the exam next year for the wisdom of the frameworks, as you mentioned. But CISSP is a completely different depth than CGRC.
I would pick up a CGRC study guide (if one exists?!) and give it a read-through. The material rarely changes, as you may expect. If you find that you're already well-placed in your knowledge, then maybe the CGRC will be an easy win for you.
But it likely won't lend much toward your CISSP study.
Hi @ericgeater ! Thank you for your views on this. There is no dedicated study guide for this certification, as far as I know. So, I will have to resort to what's available for the CISSP. But good to know that the CGRC doesn't go into the same great depth as the CISSP (I assume that that is what you meant 😉).
I have done one ISC2 exam already (the CC), so I am somewhat familiar with the format.
@SalzburgGirl Sadly, it's hard to understand what the revamped CGRC cert covers as there is no review guide.
Have you looked at ISACA's CGEIT or CRISC certs? I found these two helped me in my GRC career.
Further, both CGEIT and CRISC are fairly well known certs. CGRC is just too new.
Hello @SalzburgGirl, and someone once said that the best study guides are the frameworks themselves. 800-37, 800-53, etc. etc. In fact, somewhere on this forum is a thread where an exhaustive roster of frameworks is listed!
Also, someone shared a document with me, which they call the Mango Document (for some reason). It's on their Google Drive, and it expressly deals with CGRC. I am placing the link below:
https://drive.google.com/file/d/1MqdckHhLnVT3CZC5BCL_NovNYf1wYU5O/view?usp=sharing
Definitely, you should look in the forum for the thread I just mentioned.
The CGRC is very different from the other exams. It was the first one that I did (it was CAP at the time). It was more difficult for me because it was non-technical. If you are asking for a progression, I would recommend the CC first while it is no cost for most (self-study training and exam voucher). I think it relieves a lot of the stress of taking an ISC2 exam and is the general knowledge needed for the CISSP (no analytical questions). If your goal is the CISSP, you might consider doing the SSCP after the CC and then the CISSP. The CGRC does not exactly fit in a sequence, and you could do it after the CC as well, as long as you remember that everything that you need is in the NIST documents, but it is definitely different than the others except maybe the ISSEP. CGRC and the CISM also complement each other well because they deal with frameworks and GRC. I do hold all of these mentioned if you have any additional questions. Best wishes.
The CBK for the CGRC really adds zero to study; I waited for its release and learned nothing from it. I used the NIST documents and questions by Jim Litchko who I consider the #1 expert in the World on the CGRC (formerly CAP) and RMF.
The NIST documents are what I used and passed with those, self-study. The CGRC is not new. It was only renamed. I took it as the CAP in 2012. It had just changed from DIACAP to RMF. So I am not sure even how long it was an exam before I took it (I just did an internet search and it said 2005). CAP just happened to work out as an acronym, as it was Certification and Accreditation Professional before I took it. When I tested, it was Certified Authorization Professional. One of the reasons that I took it when I did and not another was that it was the first exam to be offered online at an exam center. The rest were still paper and pencil (question sheet and answer book) as a group at a hotel or some other large meeting place.
I have taken and passed both exams, with the CGRC being the more recent. I don't necessarily think it makes much of a difference which one you attempt first. The CBK for both exams is mostly different, with perhaps a 10 percent overlap. The CGRC heavily revolves around the NIST RMF and other NIST references, with COBIT, GDPR, and ISO only mentioned in passing. You can find the NIST references in the suggested CBK references for the exam. If you work with the NIST RMF and are already comfortable with it, then you should be fine starting with it. If you want to start with a certification that caters to a more global audience, then consider the CISSP.