On June 15, 2024, ISC2 will update the CGRC exam. This exam update is the result of the Job Task Analysis (JTA), which is an analysis of the knowledge, skills and abilities of the credential evaluated by ISC2 members on a triennial cycle. The exam domain weights for the CGRC will change as follows:       Current (Effective August 15, 2021)  New (Effective June 15, 2024)  1  Information Security Risk Management Program  16%  Security and Privacy Governance, Risk Management, and Compliance Program  16%  2  Scope of the Information System  11%  Scope of the System  10%  3  Selection and Approval of Security and Privacy Controls  15%  Selection and Approval of Framework, Security, and Privacy Controls  14%  4  Implementation of Security and Privacy Controls  16%  Implementation of Security and Privacy Controls  17%  5  Assessment/Audit of Security and Privacy Controls  16%  Assessment/Audit of Security and Privacy Controls  16%  6  Authorization/Approval of Information System  10%  System Compliance  14%  7  Continuous Monitoring  16%  Compliance Maintenance  13%     Total:  100%  Total:  100%     For more information, please review our CGRC Exam Update FAQs or the CGRC Exam Outline.  View More

Welcome to the CGRC Certification Study Group.    This is an open discussion forum for those studying for the CGRC certification.This forum provides an opportunity to connect with others preparing for the exam. Please follow all Community Guidelines regarding usage of this group, including adhering to the exam confidentiality policy.    View our Community Usage Policies and Guidelines.   Adhere to (ISC)² Exam Confidentiality Discussing (ISC)² examination items, answers and responses with other individuals is a violation of the (ISC)² Examination Non-Disclosure Agreement that is signed prior to taking an (ISC)² examination. Any posts related to this will be removed, and users found to be in violation may face penalties. General discussions about exams that do not share specific exam items are permissible. We encourage Community members to help candidates prepare themselves for success and share their own experiences without disclosing any information that could compromise the integrity of the exam process. View More

Looking for self study options for CGRC. I see a lot of folks asking for this, but very little action on the part of ICS2 to facilitate. Other than reading old CAP books and/or publicly available NIST documents, are there any other options? I am not interested in any form of instructor led "live" class. I'd be open to something similar to the CCSP online course. When, ISC2, will you provide more options for those of us who prefer to self study? View More

Hi there I am an ISC2 Instructor, an adjunct Professor in cybersecurity and I received my CGRC certificate last year. Many of my students ask me if they should enroll in an ISC2 course or study on their own. I always answer that it is a trick question and the answer is both! You should enroll in a good ISC2 course and study on your own.  Here are some thumb rules about certification that I got from my mentors, mentees and other students 1. This is a technical certification. Make sure that you have 2-3 years of experience in Governance/Risk/Compliance before you start working on this certification. You will get much more if you have the experience. While there an option to get this certificate with the required experience, most students got more from preparation for this exam because they could learn at work 2.  If you like a structured approach - use the self learning modules by ISC2, it is very interactive and it gives a great overview 3. If you like interacting with your instructor, with your classmates and would like your training to be spread over 8 weeks, I recommend the 8 week instructor led courses. You get access to the course material for 6 months. 4. If you are prepared well, enroll in the 5 day workshop as a great review before you go for the exam. 5. The bottom line is that you have to read the standards and be very familiar with them. Start with this standard. NIST SP 800-37 Rev 2, Guide for Applying the Risk Management Framework to Federal Information Systems   Many of my students and I benefited from the Free flashcards that ISC2 makes available. Check out the graphics and links below. Dr K Sudesh Kannan, CISSP, CGRC PhD Cyber Security  Professional  https://www.linkedin.com/in/sudeshkannan/   Self-Study Resources can be found here: https://www.isc2.org/Training/Self-Study-Resources   Here is a link to the Online Instructor Led Course as well:  https://enroll.isc2.org/catalog?pagename=cgrc-training   https://csrc.nist.gov/projects/risk-management/about-rmf     NIST SP 800-18 - development of system security plans  NIST SP 800-30 - supports the development of system and organizational risk assessments  NIST SP 800-30 Rev 1, Guide for Conducting Risk Assessments SP 800-171 Rev. 2 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations 800-53 and 800-171 provide actual security controls NIST SP 800-53A Rev 4 (Rev 5 when released), Assessing Security and Privacy Controls in Federal Information Systems and Organizations* NIST SP 800-53 Rev 5, Security and Privacy Controls for Federal Systems and Organizations* NIST SP 800-53B, Control Baselines for Information Systems and Organizations NIST SP 800-37 Rev 2, Guide for Applying the Risk Management Framework to Federal Information Systems   NIST SP 800-39, Organizational Wide Risk Management NIST SP 800-160, Volume I, Systems Security Engineering FIPS 200 addresses the specification of minimum security requirements for federal information and information systems. FIPS 199 addresses the classification divides systems. It divides the systems into high, moderate, and low impact systems based on their impact on individuals and organizations. View More

Join us for our second ISC2 Spotlight on Governance, Risk and Compliance. This virtual event for cybersecurity professionals is focused on providing a solid foundation in governance, risk and compliance (GRC) best practices. You’ll learn the latest developments in GRC and interact with experts in the field.   Cybersecurity professionals in every stage of their career are encouraged to participate. ISC2 Members, Candidates and Associates attend for free. Earn 5.5 CPE credits   February 27-28 (10am-1pm ET each day)   Register now: https://events.isc2.org/live/63/page/653    View More