Re: CGRC vs CRISC

piezor · ‎01-29-2024

Hi all, looking for opinions and advice on this.

I'm looking for a risk management certification that will help me develop my risk assessment and risk reporting skills. I looked at the CGRC because I already hold some ISC2 certs (CISSP, SSCP, CISSP) and keeping things "in house" made sense from a CPE and membership fee perspective. However, from looking at the limited information on the domains, it looks like the CGRC will go through the steps to conduct a risk assessment of a system, select controls, implementation of remediations, and monitoring; but doesn't look at risk management as an overall function and, specifically, risk and control reporting techniques.

My role involves preparing risk dashboards for board presentations so this is something important to me.

The CRISC appears to tick the boxes I need but is another organisation, duplicating CPE and maintenance fees/efforts etc.

So before I pull the trigger on either one I was hoping somebody who has sat the CGRC training and exam could give me some insight into the course content. Does it actually give you good knowledge of effective risk and control reporting techniques, or is it more the risk assessment and process of selecting and implementing controls?

Any and all input welcome.

Early_Adopter · ‎01-29-2024

I’m afraid that there are probably more questions to answer here.

I can say for sure in Banking, In Singapore the guys I knew were going to technical risk via ISACA - the other one they looked at was these guys https://www.rims.org/certification.

Knowledge wise I think you probably know the answer in that you buy/borrow the latest book from each and see which one looks better. The only other potentially helpful thing you might try is to search for jobs like yours or jobs you want to do and see what the cert counts are like - at least you get something quantifiable.

It also looks like there is a fair bit of sectoral breakdown/rallying around certain orgs qualifications.

https://www.indeed.com/career-advice/career-development/risk-management-certification

https://www.techtarget.com/searchcio/feature/Top-enterprise-risk-management-certifications-to-consid...

Good luck and would be nice to learn what you discover.

dips0502 · ‎01-29-2024

If risk management is what you are after, then the choice is clear and that is CRISC. The CGRC is centered solely around the NIST RMF framework. So, if you work for a federal agency in the US, or a contractor with them, and need to be well versed with the NIST RMF, then you have a reason to do CGRC. You can also do it, if you merely want the CGRC in your resume just because it has the the letters "GRC". But apart from these two reasons, I don't see any other valid reason to do it. CGRC covers risk management, but only as part of the overall RMF.

piezor · ‎01-30-2024

thanks @dips0502. that is helpful and confirms what i thought. many thanks for the reply

tldutton · ‎02-07-2024

@piezor keep in mind that effective June 15, 2024, the CGRC exam will be based on an updated exam outline.

Take a look at the updated CGRC Exam Outline:

https://www.isc2.org/-/media/Project/ISC2/Main/Media/documents/domain-refresh/CGRC-Detailed-Content-...

Caute_cautim · ‎02-15-2024

Hi All

Has anyone considered FAIR and the Open Group certification for Quantitative Risk approach?

https://www.opengroup.org/certifications/openfair

Professionally I am seeing a shift toward FAIR and Quantitative risk approach, rather than a Qualitative risk approach, which many Government, including ISO 31000 standards etc take, which make it some what subjective.

https://www.fairinstitute.org/

Regards

Caute_Cautim

SaskiaKaaks · ‎02-23-2024

CPEs overlap, you don't need to double the effort. You should be cautious in choosing the right moment for your education due to different CPE windows.