CGRC
Certified in Governance, Risk and Compliance (formerly CAP, by (ISC)²)
Advanced certification with a comprehensive focus on cybersecurity, risk management, policy, auditing, and governance.
1. Certification Name and Issuing Body
Full name: Certified in Governance, Risk and Compliance (CGRC)
Issuing organization: (ISC)²
Reputation and global recognition: Highly respected certification for professionals managing system authorization, governance, and regulatory compliance within the Risk Management Framework (RMF). Especially recognized in the U.S. federal government and defense sectors.
2. Curriculum and Skills Covered
Covered domains:
Information Security Risk Management Program
Scope of the Information System
Selection and Approval of Security and Privacy Controls
Implementation of Security and Privacy Controls
Assessment/Audit of Security and Privacy Controls
Authorization/Approval of Information System
Continuous Monitoring
Depth of content: Highly theoretical and compliance-focused, covering the full lifecycle of the NIST RMF and FISMA requirements
Technologies and tools included: Not tool-specific, but exposure to tools like eMASS, XACTA, and automated GRC platforms may be implied
Relevance in the current job market: Crucial for GRC, ISSO, and compliance roles in regulated environments
Mapping to frameworks: NIST SP 800-37, SP 800-53, FISMA, DoD 8140, FedRAMP, NICE Framework (Governance, Risk Management, and Compliance specialty areas)
3. Prerequisites and Recommended Level
Prior certifications or experience required?: 1 year of cumulative paid experience in one or more of the CGRC domains
Expected skill level: Intermediate to advanced
Required knowledge: Governance models, system authorization processes, regulatory frameworks (e.g., NIST, FISMA), security control selection
4. Cost
Total cost: $599 USD (exam only)
Study materials or lab access included?: No; official materials are sold separately
Discounts: Available for (ISC)² members, students, and veterans through special programs
5. Estimated Preparation Time
Recommended study hours: 80–100 hours
Self-paced or instructor-led: Both available
Learning modes: Official self-paced course, instructor-led training, or third-party providers (e.g., InfoSec Institute, Cybrary)
6. Target Roles and Career Path
Job roles: Information Systems Security Officer (ISSO), GRC Analyst, Risk Manager, Security Control Assessor (SCA), Compliance Analyst
Career goals: Perfect for professionals managing system lifecycle authorization and compliance in federal and enterprise systems
Type: Managerial, compliance-focused
7. Exam Format and Difficulty
Is the exam online or in-person?: In-person at Pearson VUE centers
Theoretical, hands-on, or both?: 100% theoretical
Proctored exam or testing center?: Proctored, computer-based
Length and number of questions: 3 hours, 125 multiple-choice questions
Difficulty level or average pass rate: Moderate; pass rate around 60–70%
8. Validity and Renewal
Does it expire?: Yes, valid for 3 years
Renewal process: 60 CPEs over 3 years + annual maintenance fee (~$125 USD/year)
9. Study Resources Available
Official documentation: (ISC)² CGRC Official Study Guide, CBK
Recommended books: NIST SP 800-37, 800-53, RMF Handbook by Stephen D. Gantz
Online labs or platforms: No hands-on labs, but policy and compliance case studies available in training
YouTube channels, community guides: Some walkthroughs available; best supplemented by community forums and study groups
Online communities: (ISC)² Community, Reddit r/cybersecurity, LinkedIn GRC groups, Discord study servers
10. Industry Value and Demand
Is it frequently mentioned in job postings?: Yes, especially for jobs in federal agencies, DoD contractors, and regulated sectors
Does it boost your profile with recruiters?: Definitely; critical for compliance-focused positions and RMF roles
Is it recognized by top companies or certain countries?: Strongly recognized in the U.S. government, defense, and critical infrastructure sectors
What's the average salary?: $95,000–125,000 USD/year, depending on clearance, region, and responsibilities
11. Related Certifications and Progression
Is it part of a larger learning path?: Yes; often taken alongside or after Security+, CISM, or CRISC
What can you study after completing it?: CISA, CRISC (for audit/risk), CISSP (for broader leadership path)
How does it compare or complement other certs?: CGRC is more focused on U.S. RMF than CISSP; complements audit-heavy certs like CISA and risk certs like CRISC