ProfessionalVendor-neutralISC2· issued from US

CGRC

(ISC)2 Certified in Governance, Risk and Compliance

Official page at ISC2 ↔ Compare with another cert

Exam fee

$599

Ongoing

$125/yr AMF · 20 CPE/yr

Study time

60–120 hrs

Delivery

Test center

Validity

3 yrs (renewal cycle)

› Quality score

22.0 / 40

Four-axis SecProve rubric, each 0–10. SecProve editorial assessment — each axis carries a written justification so you can push back on any single call without dismissing the whole score.

Blueprint rigor

How well-defined and rigorous the exam blueprint is.

ISC2 GRC ECO covers risk frameworks, RMF, control assessment.

7.5/10

Practical evidence

Hands-on labs / written reports vs pure MCQ.

Pure MCQ. No control-design artefact.

1.5/10

Currency & upkeep

How aggressively content is kept current with the field.

Refreshed in 2023 (renamed from CAP); content tracks NIST RMF rev2.

7.0/10

Market recognition

How often this signal actually moves a hiring decision.

Recognised in US-federal GRC tracks; modest broader pull.

6.0/10

› Exam format

CAT-based, 100–150 questions, 3 hours, proctored via Pearson VUE. Passing score: 700/1000.

Passing score

700/1000 (scaled)

Retake policy

Fee: $599 per attempt

Wait: 30d between attempts

Cap: 4 attempts/year

30/60/90 day waits for retakes 1/2/3 in a rolling 12-month window.

› Recertification

Valid for 3 years. 30 CPE credits/year + annual AMF (125 USD, shared across all ISC2 certs).

› 3-year cost of ownership

Exam (1×)

$599

AMF (3×)

$375@$125/yr

Total

$974

Excludes study materials, training, retake risk, and lost-wage opportunity. Use as a floor estimate.

› NICE Framework work roles

The NIST NICE work-role IDs this cert maps to. NICCS lookup.

OG-WRL-014OG-WRL-012DD-WRL-001DD-WRL-002DD-WRL-008DD-WRL-009IO-WRL-001IO-WRL-002IO-WRL-003IO-WRL-004

Recognition

Global

Exam languages

› Core domains covered

The 1 domain this cert is centrally about. Passing the exam demonstrates working knowledge of each.

A1Governance, Risk & Compliance

Risk frameworks (NIST RMF, ISO 31000, FAIR), policy development, audit, regulatory compliance, third-party risk.

› Prerequisites

Experience

2 years experience in min. 1 of 7 CGRC domains. Without experience: Associate of ISC2.

› Progression

requiredrecommended

Where this cert fits in the typical learning path. Required edges are vendor-gated; recommended edges reflect de facto industry progression.

Required prereqs (0)

No vendor-gated prereqs.

Recommended priors (1)

Security+CompTIA

CGRC

ISC2

Required by (0)

No certs require this one.

Recommended next (0)

No follow-on certs reference this one yet.

› Study materials

Curated starting points. Not exhaustive — vet each against your learning style and the current exam version.

Official guides

Official (ISC)² CGRC CBK Reference, 3rd Ed. — Wiley/ISC2

Training providers

ISC2 Official CGRC Training

Practice tests

Boson ExSim-Max for CGRC

Free / community

NIST SP 800-37 (free)

› Version & lifecycle

Current version

2024 CBK refresh

Released

2024-04

Renamed from CAP (Certified Authorization Professional) in 2022. Federal RMF / authorization-package focus.

› Salary signal

Federal/regulated GRC analyst, US, 4-7 years.

$105K–$160K

median $130K

Robert Half Salary Guide + Glassdoor 'GRC Analyst' aggregations · 2024 · US base only · p25–p75 range

› How it compares

CISA

CGRC is RMF/authorization-package execution; CISA is broader IS audit.

↔ Compare side-by-side

CRISC

CGRC is operational compliance + RMF; CRISC is risk-program management.

↔ Compare side-by-side

› Careers that commonly pursue this cert

GRC / Compliance Analyst

Manage risk, ensure regulatory compliance, and build governance frameworks. Where security meets business strategy.

See this cert’s domains highlighted on the interactive map, or compare it against the rest of the catalog.

Highlight on the domain map Browse all certifications