SecProve
ProfessionalVendor-neutralGIAC· issued from US

GCCC

GIAC Critical Controls Certification

GIAC Critical Controls Certification

Official page at GIAC↔ Compare with another cert
Exam fee
$979
Ongoing
$0/yr AMF · 9 CPE/yr
Study time
100–200 hrs
Delivery
Hybrid
Validity
4 yrs (renewal cycle)

› Quality score

24.5 / 40

Four-axis SecProve rubric, each 0–10. SecProve editorial assessment — each axis carries a written justification so you can push back on any single call without dismissing the whole score.

Blueprint rigor
How well-defined and rigorous the exam blueprint is.
Critical Controls Certification — maps CIS controls to operational tasks.
7.5/10
Practical evidence
Hands-on labs / written reports vs pure MCQ.
Open-book MCQ.
4.5/10
Currency & upkeep
How aggressively content is kept current with the field.
Refreshed alongside CIS Controls v8 publication.
7.0/10
Market recognition
How often this signal actually moves a hiring decision.
Recognised in CIS-aligned defence shops.
5.5/10

› Exam format

75 questions + CyberLive, 3 hours, open-book, proctored via Pearson VUE. Passing score: ~70%.

Passing score
71% (scaled per attempt)
Retake policy
Fee: $999 per attempt
Wait: 30d between attempts

30-day wait between attempts. SANS course bundles typically include 2 attempts.

› Recertification

Valid for 4 years. Renewal via 36 CPE credits or renewal exam (479 USD). Each GIAC cert separately.

› NICE Framework work roles

The NIST NICE work-role IDs this cert maps to. NICCS lookup.

OG-WRL-016OG-WRL-012
Recognition
Global
Exam languages
en

› Core domains covered

The 2 domains this cert is centrally about. Passing the exam demonstrates working knowledge of each.

A1Governance, Risk & Compliance

Risk frameworks (NIST RMF, ISO 31000, FAIR), policy development, audit, regulatory compliance, third-party risk.

A25Security Architecture & Engineering

Reference architectures, control frameworks (NIST SP 800-53, CIS Controls), secure-by-design patterns, threat modeling, trust-boundary design, technology standards.

› Prerequisites

Experience

No formal prerequisites. Associated SANS course strongly recommended.

› Progression

requiredrecommended

Where this cert fits in the typical learning path. Required edges are vendor-gated; recommended edges reflect de facto industry progression.

Required prereqs (0)

No vendor-gated prereqs.

Recommended priors (1)
GSECGIAC / SANS
GCCC
GIAC
Required by (0)

No certs require this one.

Recommended next (0)

No follow-on certs reference this one yet.

› Study materials

Curated starting points. Not exhaustive — vet each against your learning style and the current exam version.

Official guides
  • CIS Controls + SANS SEC566 Course MaterialsSANS
Practice tests
  • GIAC Practice Tests (2 included with exam)

› Version & lifecycle

Current version
Aligned to CIS Controls v8
Released
2023-06

› Salary signal

Security control implementer / GRC engineer, US, 3-5 years.

$100K$150K
median $120K

Robert Half Salary Guide · 2024 · US base only · p25–p75 range

› How it compares

vs
CISA

GCCC is hands-on CIS Controls implementation; CISA is broader IS audit.

↔ Compare side-by-side

› Careers that commonly pursue this cert

Vulnerability Management Lead

Owns the end-to-end find → prioritize → fix → verify loop at scale, now increasingly AI-driven.

Threat Exposure Management / Attack Surface Analyst

External-first role: inventories what an attacker can see, tracks what's new, and drives closure through the org. The outside-in counterpart to vuln management.

See this cert’s domains highlighted on the interactive map, or compare it against the rest of the catalog.

Highlight on the domain mapBrowse all certifications