piezor
Viewer

CGRC vs CRISC

Hi all, looking for opinions and advice on this.

 

I'm looking for a risk management certification that will help me develop my risk assessment and risk reporting skills. I looked at the CGRC because I already hold some ISC2 certs (CISSP, SSCP, CISSP) and keeping things "in house" made sense from a CPE and membership fee perspective. However, from looking at the limited information on the domains, it looks like the CGRC will go through the steps to conduct a risk assessment of a system, select controls, implementation of remediations, and monitoring; but doesn't look at risk management as an overall function and, specifically, risk and control reporting techniques.

My role involves preparing risk dashboards for board presentations so this is something important to me.

 

The CRISC appears to tick the boxes I need but is another organisation, duplicating CPE and maintenance fees/efforts etc. 

 

So before I pull the trigger on either one I was hoping somebody who has sat the CGRC training and exam could give me some insight into the course content. Does it actually give you good knowledge of effective risk and control reporting techniques, or is it more the risk assessment and process of selecting and implementing controls?

 

Any and all input welcome.

12 Replies
MartinN
Newcomer I

I have not looked into this, but does ISC2 make accommodations to "co-term" multiple certs so members don't need to keep track of different CPE windows? Like for a 5 year lease of printers, if you add a new printer in the 2nd year it can be co-termed to the original 5 year term.

MartinN
Newcomer I

From talking to a seasoned CISO and my own thoughts, quantitative risk assessment is difficult without third party tools/data. How can you accurately value an asset or come up with a number for exposure factor, for each asset? A qualitative approach can be used first then from there you prioritize the risks and can then use a quantitative approach on those if needed. I think a tool like this may be helpful https://www.cybersaint.io/cybersecurity/cyberstrong/risk-hub (I have no affiliation with this company. I saw a webinar for this on BrightTalk and thought it was interesting).

MartinN
Newcomer I

Let me know if you find something decent for CGRC. The latest book on Amz (https://www.amazon.com/dp/B0DKJX4L16) does not seem to be good. I may ask my employer to send me to the course.