Hi all, looking for opinions and advice on this.
I'm looking for a risk management certification that will help me develop my risk assessment and risk reporting skills. I looked at the CGRC because I already hold some ISC2 certs (CISSP, SSCP, CISSP) and keeping things "in house" made sense from a CPE and membership fee perspective. However, from looking at the limited information on the domains, it looks like the CGRC goes through the steps to conduct a risk assessment of a system, select controls, implement remediations, and monitor; but it doesn't look at risk management as an overall function and, specifically, risk and control reporting techniques.
My role involves preparing risk dashboards for board presentations so this is something important to me.
The CRISC appears to tick the boxes I need but is another organisation, duplicating CPE and maintenance fees/efforts etc.
So before I pull the trigger on either one I was hoping somebody who has sat the CGRC training and exam could give me some insight into the course content. Does it actually give you good knowledge of effective risk and control reporting techniques, or is it more the risk assessment and process of selecting and implementing controls?
Any and all input welcome.
If risk management is what you are after, then the choice is clear and that is CRISC. The CGRC is centered solely around the NIST RMF framework. So, if you work for a federal agency in the US, or a contractor with them, and need to be well versed in the NIST RMF, then you have a reason to do CGRC. You can also do it if you merely want the CGRC on your resume just because it has the letters "GRC". But apart from these two reasons, I don't see any other valid reason to do it. CGRC covers risk management, but only as part of the overall RMF.
Thanks @dips0502. That is helpful and confirms what I thought. Many thanks for the reply.
@piezor keep in mind that effective June 15, 2024, the CGRC exam will be based on an updated exam outline.
Take a look at the updated CGRC Exam Outline:
Hi All
Has anyone considered FAIR and the Open Group certification for Quantitative Risk approach?
https://www.opengroup.org/certifications/openfair
Professionally I am seeing a shift toward FAIR and a quantitative risk approach, rather than the qualitative risk approach that many governments and standards, including ISO 31000, take, which makes it somewhat subjective.
https://www.fairinstitute.org/
Regards
Caute_Cautim
CPEs overlap, so you don't need to double the effort. You should be cautious in choosing the right moment for your education, though, due to the different CPE windows.
Now I see why it used to be called the Certified Authorization Professional (CAP) since authorize is one of the RMF steps. CGRC seems like a more marketable name than CAP.
I need help on the best textbook for CGRC. I would appreciate suggestions on the best book that can help me pass the exam.
I received my CGRC earlier this year. The "best" textbook is probably NIST SP 800-37. It's the primary reference that the CGRC is based on. ISC2 published a study guide (back when CGRC was still called CAP). It's okay, but it's over 10 years old now. See my review here: https://www.goodreads.com/review/show/5971773506.
I read two other books as well, and my reviews for them are:
There are also some self-study aids here: https://www.isc2.org/certifications/cgrc/cgrc-self-study-resources. The practice exam is new since I took my exam in March. The flash cards are helpful for definitions.
Good luck!
Mike