A Concise Guide to the Certified in Governance, Risk, and Compliance (CGRC) Exam

Yusuf Purna
Chief Cyber Risk Officer | Advancing…
Published May 19, 2023

Introduction

The Certified in Governance, Risk, and Compliance (CGRC) certification from (ISC)² is a prestigious global credential demonstrating profound expertise in IT risk management and the implementation of a risk management framework. Anchored in the U.S. Government's Risk Management Framework (RMF), the CGRC extends beyond it, embracing broader Governance, Risk, and Compliance (GRC) principles that hold universal relevance. This certification elevates your professional standing, signifying your commitment to enhancing skills, reinforcing organizational security, and continuous professional development. Yet, due to the absence of an official (ISC)² guide to the CGRC CBK at this time, exam preparation may appear daunting. This article elucidates the resources and strategies I deployed in my exam preparation.

Exam Domains

The CGRC examination encompasses seven key domains, each corresponding to a distinct step in the Risk Management Framework (RMF) as outlined in NIST SP 800-37 Rev. 2. Understanding the RMF is paramount, as it forms the basis of the CGRC exam domains:

1. Information Security Risk Management Program (Prepare): This domain establishes the basis for an organization's information security risk management program, echoing the 'Prepare' phase in the RMF. Key elements include principles of information security, risk management frameworks, the System Development Life Cycle (SDLC), security controls and practices, and various roles and responsibilities. Refer to NIST SP 800-30 Rev. 1, SP 800-37 Rev. 2, SP 800-39, SP 800-160 Vol. 1, and SP 800-64 for a comprehensive understanding.

2. Scope of the Information System (Categorize): Aligned with the 'Categorize' step in the RMF, this domain focuses on defining the information system, determining its scope, describing its architecture and functionality, and categorizing the information system. References include FIPS 199 and SP 800-60 Vol. 1 Rev. 1.

3. Selection and Approval of Security and Privacy Controls (Select): Mirroring the 'Select' step in the RMF, this domain focuses on the selection and tailoring of controls, development of a continuous control monitoring strategy, and the review and approval of the security plan. Consult FIPS 200, SP 800-53 Rev. 5, and SP 800-53B for additional insights.

4. Implementation of Security and Privacy Controls (Implement): This domain, corresponding to the 'Implement' step in the RMF, involves the implementation and documentation of selected controls, and requires familiarity with various industry standards and guidelines. SP 800-70 Rev. 4 provides additional information.

5. Assessment/Audit of Security and Privacy Controls (Assess): Reflecting the 'Assess' step in the RMF, this domain covers preparing, conducting, and analyzing assessments or audits, and developing remediation plans. To delve into this domain, refer to SP 800-53A Rev. 5 and SP 800-115.

6. Authorization/Approval of the Information System (Authorize): Matching the 'Authorize' step in the RMF, this domain involves compiling security and privacy authorization documents, evaluating information system risk, and making decisions on the terms of authorization. Check out NIST SP 800-37 Rev. 2 for a comprehensive understanding.

7. Continuous Monitoring (Monitor): Corresponding to the 'Monitor' step in the RMF, this domain involves determining the impact of changes to the information system, performing ongoing assessments, reviewing supply chain risk, and responding to a cyber event. The NIST publications SP 800-37 Rev. 2, SP 800-53A Rev. 5, SP 800-137, SP 800-88, SP 800-100, and SP 800-128 will provide extensive knowledge for this domain.

The following infographic summarizes the NIST RMF (*):

[Infographic: NIST RMF]

* Courtesy: Aron Lange

Study Resources

Effectively preparing for the CGRC exam requires an understanding of a wide range of materials and resources. Key study resources include:

1. NIST Publications: The National Institute of Standards and Technology (NIST) publications are pivotal to understanding the CGRC exam content. They provide the foundational concepts and processes that underpin each domain of the exam. It's recommended to get a summary understanding of each relevant NIST publication mentioned in the Exam Domains section.

2. (ISC)² Resources: The Ultimate Guide to the CGRC, the CGRC exam outline, official CGRC flashcards, and CBK suggested references can be downloaded or further checked from the (ISC)² website. These resources provide essential information about the exam pattern and key topics.

3. ISO Documents: Summaries of ISO 27001 and ISO 27002 are also crucial for grasping the different terminology used in ISO documents and NIST publications. These standards provide international best practices for information security management.

Study Tips and Strategies

1. Understand the RMF Process: The RMF is the foundation of the CGRC domains. A crucial part of your preparation should be to understand each task, its inputs and outcomes, and the roles and responsibilities involved in each task within each step of the RMF. This understanding will give you deep insight into the interconnections among the CGRC domains.

2. Mapping RMF and SDLC: Mapping the respective steps of the NIST RMF and the NIST Basic SDLC (NIST SP 800-64 Rev. 2) can be very beneficial. Understanding this mapping can provide you with a more comprehensive perspective on how the various aspects of risk management come together in practice.

3. Focus on Key Topics: Each domain has key topics that carry more weight in the exam. It's important to understand these topics thoroughly. Refer back to the CGRC exam outline and guide for the key areas.

4. Understand the Key Concepts: Don't just memorize the terms and definitions; strive to understand them. Try to relate the theoretical concepts to real-world scenarios to better comprehend their application.

5. Practice: Practice makes perfect. As the official (ISC)² guide to the CGRC CBK is not yet available, utilizing resources such as the CISSP-ISSEP sample questions, especially those related to risk management, can be extremely helpful. Use the CGRC flashcards and other practice questions available to reinforce what you've learned. This not only aids in memorization but also helps you understand how to apply the knowledge in different scenarios.

Conclusion

Preparing for the CGRC exam is undoubtedly a rigorous process, but with the right resources and study strategies, success is within reach. Remember, your goal is not just to pass the exam but to truly understand and apply the principles of IT governance, risk, and compliance. With focused and dedicated preparation, you'll be well-equipped to ace the CGRC exam and enhance your professional standing in the field of IT governance.

Yusuf Purna 1w
Chief Cyber Risk Officer | Advancing Cybersecurity Th…

In addition to my guidelines, here's a free and excellent course to help you understand the NIST Risk Management Framework. Happy learning, everyone!

https://csrc.nist.gov/projects/risk-management/rmf-course


John Humphrey 2mo
(ISC)2 CISSP, SSCP | AWS CCP | Microsoft: MCSA:Sec…

Thank you for your contribution to the community. It will definitely help my learning process.


Yusuf Purna 2mo
Chief Cyber Risk Officer | Advancing Cybersecurity Th…

Grateful for your time spent on this CGRC exam guide. If you've embarked on this journey using these steps, please share your insights and experiences - every input helps us grow.


Vasanth K 2mo
Information Systems Auditor at YOGANANDH and RAM…

Very informative... Thank you so much sir...


Osama Ali 3mo
Cyber Security Analyst

I was just reading about this cert yesterday. Thanks for sharing.
