Dear community
How are you? I hope you are fine. I am opening this thread to ask you for an honest opinion, and hopefully obtain some empiric data, about the now-called CGRC. I would like to enter the business of GRC and I need some orientation. I saw that ISC2 has this certification at disposal and I would like to know how it helps to perform in the job and how it is perceived by Senior Officers and HR.
Many thanks in advance
Juan José
Keep in mind that it is a renaming of a certification, the CAP, that was really only aimed at US government folks, not corporate. I've been involved with GRC for some time and had zero interest in the CAP, and never saw it mentioned by anyone in the GRC field.
To be honest, this would be viewed as a new cert in the realm. So it will take some time to be noticed in the field and be asked for on job descriptions.
Most of the GRC folks are more likely to be members of ISACA and have their CGEIT cert. Which I happen to have myself. GRC only overlaps a little with infosec, tho many like myself have to straddle both areas.
Thanks a lot emb021! Could you, please, tell me how this certification is perceived in comparison to CISM and CGEIT? Many thanks in advance.
If you mean the CGRC cert, again, keep in mind that many consider it a brand new cert. The prior CAP was NOT viewed as a 'GRC cert'. So it will take some time before CGRC has any recognition in the GRC community. As it comes from ISC2, that will come. But am thinking it will be a couple of years before we really start seeing it listed on job descriptions.
The CISM is *highly* respected for security managers (most of whom will also have a CISSP), and CGEIT is also highly respected in GRC. Both require 5 years experience whereas the CGRC only requires 2.
Am thinking of getting it, but it's not a high priority for me as I'm focusing on some privacy certs first.
@emb021 wrote: Keep in mind that it is a renaming of a certification, the CAP, that was really only aimed at US government folks, not corporate.
I think this is very true. My two cents is that governance, risk, and compliance can mean very different things depending on context, and all of them can be something different from "GRC." I look at the CGRC/CAP as maybe useful to someone transitioning from an information security operational role to a strategic one, who, for one reason or another, hasn't built up other credentials.