cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
piezor
Viewer

CGRC vs CRISC

Hi all, looking for opinions and advice on this.

 

I'm looking for a risk management certification that will help me develop my risk assessment and risk reporting skills. I looked at the CGRC because I already hold some ISC2 certs (CISSP, SSCP, CISSP) and keeping things "in house" made sense from a CPE and membership fee perspective. However, from looking at the limited information on the domains, it looks like the CGRC will go through the steps to conduct a risk assessment of a system, select controls, implementation of remediations, and monitoring; but doesn't look at risk management as an overall function and, specifically, risk and control reporting techniques.

My role involves preparing risk dashboards for board presentations so this is something important to me.

 

The CRISC appears to tick the boxes I need but is another organisation, duplicating CPE and maintenance fees/efforts etc. 

 

So before I pull the trigger on either one I was hoping somebody who has sat the CGRC training and exam could give me some insight into the course content. Does it actually give you good knowledge of effective risk and control reporting techniques, or is it more the risk assessment and process of selecting and implementing controls?

 

Any and all input welcome.

7 Replies
Early_Adopter
Community Champion

I’m afraid that there are probably more questions to answer here.

I can say for sure in Banking, In Singapore the guys I knew were going to technical risk via ISACA - the other one they looked at was these guys https://www.rims.org/certification.

Knowledge wise I think you probably know the answer in that you buy/borrow the latest book from each and see which one looks better. The only other potentially helpful thing you might try is to search for jobs like yours or jobs you want to do and see what the cert counts are like - at least you get something quantifiable.

It also looks like there is a fair bit of sectoral breakdown/rallying around certain orgs qualifications.

https://www.indeed.com/career-advice/career-development/risk-management-certification

https://www.techtarget.com/searchcio/feature/Top-enterprise-risk-management-certifications-to-consid...

Good luck and would be nice to learn what you discover.
dips0502
Newcomer I

If risk management is what you are after, then the choice is clear and that is CRISC. The CGRC is centered solely around the NIST RMF framework. So, if you work for a federal agency in the US, or a contractor with them, and need to be well versed with the NIST RMF, then you have a reason to do CGRC. You can also do it, if you merely want the CGRC in your resume just because it has the the letters "GRC". But apart from these two reasons, I don't see any other valid reason to do it. CGRC covers risk management, but only as part of the overall RMF.

piezor
Viewer

thanks @dips0502. that is helpful and confirms what i thought. many thanks for the reply

tldutton
ISC2 Team

@piezor keep in mind that effective June 15, 2024, the CGRC exam will be based on an updated exam outline.

 

Take a look at the updated CGRC Exam Outline:

https://www.isc2.org/-/media/Project/ISC2/Main/Media/documents/domain-refresh/CGRC-Detailed-Content-...

 

 

Caute_cautim
Community Champion

Hi All

 

Has anyone considered FAIR and the Open Group certification for Quantitative Risk approach? 

 

https://www.opengroup.org/certifications/openfair

 

Professionally I am seeing a shift toward FAIR and Quantitative risk approach, rather than a Qualitative risk approach, which many Government, including ISO 31000 standards etc take, which make it some what subjective.

 

https://www.fairinstitute.org/

 

Regards

 

Caute_Cautim

SaskiaKaaks
Viewer III

CPEs overlap, you don't need to double the effort. You should be cautious in choosing the right moment for your education due to different CPE windows. 

MartinN
Viewer II

Now I see why it used to be called the Certified Authorization Professional (CAP) since authorize is one of the RMF steps. CGRC seems like a more marketable name than CAP.