Welcome to the CGRC Certification Study Group.
This is an open discussion forum for those studying for the CGRC certification. This forum provides an opportunity to connect with others preparing for the exam. Please follow all Community Guidelines regarding usage of this group, including adhering to the exam confidentiality policy.
View our Community Usage Policies and Guidelines.
Adhere to (ISC)² Exam Confidentiality
Discussing (ISC)² examination items, answers and responses with other individuals is a violation of the (ISC)² Examination Non-Disclosure Agreement that is signed prior to taking an (ISC)² examination. Any posts related to this will be removed, and users found to be in violation may face penalties.
General discussions about exams that do not share specific exam items are permissible. We encourage Community members to help candidates prepare themselves for success and share their own experiences without disclosing any information that could compromise the integrity of the exam process.
Join us for this live Q&A where our panel of experts will answer all of your questions about CGRC certification before you sit for the exam. We’ll go over certification requirements, the domains, self-study resources, training options and more to help you build confidence so you’re ready on exam day.
Friday, July 21 at 1 p.m. ET
You’ll learn:
• How CGRC prepares you to use frameworks to manage risk
• Why vendor-neutral certification is in demand
• What training tools are available
• And much more
Save your spot now.
Hello all! I was hoping to get some input/clarification on the two terms I’ve seen some people use interchangeably, but I’m pretty sure they mean two different things. Risk Mitigation is putting controls in place to reduce or limit the adverse effects of risks, identified or likely to occur. Risk treatment is after the risk assessment, where you look at the identified risks and create controls to…treat them. So basically Mitigation is a proactive approach that can basically be done anytime, while risk treatment is reactive, something that is done only during the risk assessment and after a risk has been identified. Thanks in advance!