CGRC – Certified in Governance, Risk and Compliance
Are you preparing for the CGRC examination, or do you want to demonstrate your expertise in risk management frameworks? Certified in Governance, Risk and Compliance (CGRC) online training by CCS Learning Academy helps you prove your skills and gain recognition from the community of cybersecurity leaders.
The CGRC Certification Training educates candidates on security risk management and information system authorization, and prepares you for the (ISC)² CGRC exam (formerly the Certified Authorization Professional, CAP, exam).
If you are looking forward to enrolling yourself in the next CGRC training, feel free to get in touch with us.
*Looking for a flexible schedule (after hours or weekends)?
Please call or email us: 858-208-4141 or email@example.com.
This official (ISC)² Certified in Governance, Risk and Compliance (CGRC) Training prepares you for the CGRC exam. The Certified Authorization Professional (CAP®) has changed its name to Certified in Governance, Risk and Compliance (CGRC). This is only a title change, so the course modules, prerequisites, and delivery remain the same.
An individual certified in Governance, Risk and Compliance (CGRC) is an information security practitioner who advocates for security risk management in pursuit of information system authorization. This is needed to support an organization’s mission and operations in accordance with legal and regulatory requirements.
Passing the CGRC exam meets the U.S. DoD Directive 8140/8570.01 requirements for Information Assurance Management (IAM) Level I and Level II.
The broad spectrum of topics included in the CGRC Common Body of Knowledge (CBK®) ensures its relevance across all disciplines in the field of information security. Successful candidates are competent in the following seven domains:
Information Security Risk Management Program.
Scope of the Information System.
Selection and Approval of Security and Privacy Controls.
Implementation of Security and Privacy Controls.
Assessment/Audit of Security and Privacy Controls.
Authorization/Approval of Information System.
Perform Continuous Monitoring.
Domain 1: Information Security Risk Management Program
Understand the foundation of an organization's information security risk management program
Principles of information security
Risk management frameworks (e.g., National Institute of Standards and Technology (NIST) Cybersecurity Framework, Control Objectives for Information and Related Technology (COBIT), International Organization for Standardization (ISO) 27001, International Organization for Standardization (ISO) 31000)
System Development Life Cycle (SDLC)
Information system boundary requirements
Security controls and practices
Roles and responsibilities in the authorization/approval process
Understand risk management program processes
Select program management controls
Determine third-party hosted information systems
Understand regulatory and legal requirements
Familiarize with governmental, organizational and international regulatory security and privacy requirements (e.g., International Organization for Standardization (ISO) 27001, Federal Information Security Modernization Act (FISMA), Federal Risk and Authorization Management Program (FedRAMP), General Data Protection Regulation (GDPR), Health Insurance Portability and Accountability Act (HIPAA))
Familiarize with other applicable security-related mandates
Domain 2: Scope of the Information System
Define the information system
Determine the scope of the information system
Describe the architecture (e.g., data flow, internal and external interconnections)
Describe information system purpose and functionality
Determine categorization of the information system
Identify the information types processed, stored or transmitted by the information system
Determine the impact level on confidentiality, integrity, and availability for each information type (e.g., Federal Information Processing Standards (FIPS) 199, International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 27002, data protection impact assessment)
Determine information system categorization and document results
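The categorization steps above follow the FIPS 199 high-water-mark rule: every information type gets an impact level for confidentiality, integrity and availability, and the system inherits the highest level found for each objective. The Python below is an added example written for this page, not course material from (ISC)² or CCS Learning Academy. The information types, their provisional levels and the adjustment rationale are constructed sample data (not taken from NIST SP 800-60). It also encodes the two FIPS 199 constraints practitioners most often miss: "not applicable" may be assigned only to the confidentiality of an information type (public information), and a system can never be rated below LOW for any objective.

```python
"""FIPS 199 security categorization of an information system (added example).

Each information type gets a provisional impact level (LOW, MODERATE, HIGH, or
N/A for confidentiality of public information) per security objective; the
system's category for each objective is the high-water mark across all types,
floored at LOW because FIPS 199 does not permit N/A at the system level.
The information types below are constructed sample data.
"""
from dataclasses import dataclass, field
from enum import IntEnum


class Impact(IntEnum):
    NA = 0        # "not applicable": allowed only for confidentiality of an information type
    LOW = 1
    MODERATE = 2
    HIGH = 3


OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass
class InformationType:
    name: str
    provisional: dict                                 # objective -> Impact, as provisionally assigned
    adjustments: dict = field(default_factory=dict)   # objective -> (Impact, documented rationale)

    def impact(self, objective: str) -> Impact:
        """Final impact for one objective: the documented adjustment if present, else provisional."""
        if objective in self.adjustments:
            level, _rationale = self.adjustments[objective]
            return level
        return self.provisional[objective]

    def security_category(self) -> str:
        """FIPS 199 notation, e.g. SC x = {(confidentiality, LOW), (integrity, MODERATE), (availability, LOW)}."""
        parts = ", ".join(f"({obj}, {self.impact(obj).name})" for obj in OBJECTIVES)
        return f"SC {self.name} = {{{parts}}}"


def validate(info_type: InformationType) -> None:
    """FIPS 199: N/A may only be assigned to confidentiality, never to integrity or availability."""
    for obj in ("integrity", "availability"):
        if info_type.impact(obj) == Impact.NA:
            raise ValueError(f"{info_type.name}: N/A is not permitted for {obj}")


def categorize_system(info_types: list) -> dict:
    """High-water mark per objective across all information types, floored at LOW."""
    if not info_types:
        raise ValueError("a system must process at least one information type")
    category = {}
    for obj in OBJECTIVES:
        highest = max(t.impact(obj) for t in info_types)
        category[obj] = max(highest, Impact.LOW)   # a system is never rated N/A for any objective
    return category


def overall_impact(category: dict) -> Impact:
    """Overall system impact (used for FIPS 200 / SP 800-53 baseline selection) is the highest objective."""
    return max(category.values())


# Constructed sample data for this example (not from NIST SP 800-60).
SAMPLE_TYPES = [
    InformationType("Public web content",
                    {"confidentiality": Impact.NA, "integrity": Impact.LOW, "availability": Impact.LOW}),
    InformationType("Grant application records",
                    {"confidentiality": Impact.MODERATE, "integrity": Impact.MODERATE, "availability": Impact.LOW}),
    InformationType("Payment instructions",
                    {"confidentiality": Impact.LOW, "integrity": Impact.LOW, "availability": Impact.LOW},
                    adjustments={"integrity": (Impact.HIGH, "forged instructions cause unrecoverable financial loss")}),
]

if __name__ == "__main__":
    for t in SAMPLE_TYPES:
        validate(t)
        print(t.security_category())
    cat = categorize_system(SAMPLE_TYPES)
    print("System:", {k: v.name for k, v in cat.items()}, "->", overall_impact(cat).name)
```

Running it shows why the adjustment step matters: the provisional levels alone would make this a MODERATE system, but the documented integrity adjustment on one information type raises the high-water mark, and therefore the control baseline, to HIGH. A system holding only public information still comes out LOW/LOW/LOW rather than N/A for confidentiality.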
Domain 3: Selection and Approval of Security and Privacy Controls
Identify and document baseline and inherited controls
Select and tailor controls to the system
Determine applicability of recommended baseline and inherited controls
Determine appropriate use of control enhancements (e.g., security practices, overlays, countermeasures)
Document control applicability
Develop continuous control monitoring strategy (e.g., implementation, timeline, effectiveness)
Review and approve security plan/Information Security Management System (ISMS)
Domain 4: Implementation of Security and Privacy Controls
Implement selected controls
Determine mandatory configuration settings and verify implementation in accordance with current industry standards (e.g., Information Technology Security Guidance ITSG-33 – Annex 3A, Technical Guideline for Minimum Security Measures, United States Government Configuration Baseline (USGCB), National Institute of Standards and Technology (NIST) checklists, Security Technical Implementation Guides (STIGs), Center for Internet Security (CIS) benchmarks, General Data Protection Regulation (GDPR))
Ensure that implementation of controls is consistent with the organizational architecture and associated security and privacy architecture
Coordinate implementation of inherited controls with control providers
Determine and implement compensating/alternate security controls
Document control implementation
Document inputs to the planned controls, their expected behavior, and expected outputs or deviations
Verify the documented details of the controls meet the purpose, scope and risk profile of the information system
Obtain and document implementation details from appropriate organization entities (e.g., physical security, personnel security, privacy)
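The first task in this domain, determining mandatory configuration settings and verifying that they are implemented, is usually automated against a benchmark such as a STIG or CIS profile. The Python below is an added example written for this page, not an official (ISC)², STIG or CIS tool: it parses the global section of an OpenSSH sshd_config and compares it with a small, assumed baseline. The baseline keywords, their allowed values and the sample file are constructed for illustration. The point it demonstrates is that a check must model how the target actually interprets its configuration: sshd keywords are case-insensitive, and for each keyword the first occurrence in the file wins, so a compliant line appended at the bottom does not remediate a non-compliant line above it.

```python
"""Verify an sshd_config against a hardening baseline (added example).

Handles two details that naive grep-style checks miss: sshd_config keywords are
case-insensitive, and for each keyword the FIRST occurrence is the one sshd uses
(sshd_config(5)), so a "fix" appended later in the file changes nothing.
Only the global section is evaluated; Match blocks need their own evaluation.
The baseline and the sample file are constructed, not a published STIG or CIS rule set.
"""
import re

# Assumed baseline: keyword (lower-case) -> set of acceptable values.
# A missing keyword is a finding: this baseline requires explicit settings rather
# than relying on the compiled-in default.
BASELINE = {
    "permitrootlogin": {"no"},
    "passwordauthentication": {"no"},
    "x11forwarding": {"no"},
    "maxauthtries": {"1", "2", "3", "4"},
    "loglevel": {"verbose", "info"},
}

# Constructed sample: the second PermitRootLogin line looks like a fix but is ignored by sshd.
SAMPLE_SSHD_CONFIG = """\
# Managed by config management
Port 22
PermitRootLogin yes
passwordauthentication no
X11Forwarding no
MaxAuthTries 6
LogLevel VERBOSE
PermitRootLogin no

Match User backup
    PasswordAuthentication yes
"""


def parse_global_section(text: str) -> dict:
    """Return {keyword_lowercase: first_value} for directives before any Match block."""
    effective = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"([A-Za-z0-9]+)\s*[= ]\s*(.*)$", line)   # "Keyword value" or "Keyword=value"
        if not m:
            continue
        keyword, value = m.group(1).lower(), m.group(2).strip()
        if keyword == "match":
            break  # everything after the first Match is conditional; stop at the global section
        effective.setdefault(keyword, value)  # first occurrence wins, later duplicates are ignored
    return effective


def check_baseline(config_text: str, baseline: dict = BASELINE) -> list:
    """Compare effective settings to the baseline; return a list of (keyword, status, observed)."""
    effective = parse_global_section(config_text)
    findings = []
    for keyword, allowed in baseline.items():
        observed = effective.get(keyword)
        if observed is None:
            findings.append((keyword, "FAIL", "not set (default applies)"))
        elif observed.lower() in {a.lower() for a in allowed}:
            findings.append((keyword, "PASS", observed))
        else:
            findings.append((keyword, "FAIL", observed))
    return findings


def failed(findings: list) -> list:
    """Keywords that did not meet the baseline, i.e. the input to the remediation plan."""
    return [k for k, status, _ in findings if status == "FAIL"]


if __name__ == "__main__":
    results = check_baseline(SAMPLE_SSHD_CONFIG)
    for keyword, status, observed in results:
        print(f"{status:4} {keyword:24} observed={observed}")
    print("Open findings:", failed(results))
```

On the sample file the check reports PermitRootLogin as failing even though a compliant line exists further down, which is the evidence you want in the assessment record: the implemented control does not match the documented one until the first line is corrected or removed. The findings list maps directly onto the "document control implementation" and remediation tasks later in the outline.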
Domain 5: Assessment/Audit of Security and Privacy Controls
Prepare for assessment/audit
Determine assessor/auditor requirements
Establish objectives and scope
Determine methods and level of effort
Determine necessary resources and logistics
Collect and review artifacts (e.g., previous assessments/audits, system documentation, policies)
Finalize the assessment/audit plan
Collect and document assessment/audit evidence
Assess/audit implementation and validate compliance using approved assessment methods
Prepare the initial assessment/audit report
Analyze assessment/audit results and identify vulnerabilities
Propose remediation actions
Review initial assessment/audit report and perform remediation actions
Determine risk responses
Reassess and validate the remediated controls
Develop final assessment/audit report
Develop remediation plan
Analyze identified residual vulnerabilities or deficiencies
Prioritize responses based on risk level
Identify resources (e.g., financial, personnel, and technical) and determine the appropriate timeframe/schedule required to remediate deficiencies
Domain 6: Authorization/Approval of Information System
Compile security and privacy authorization/approval documents
Compile required security and privacy documentation to support authorization/approval decision by the designated official
Domain 7: Perform Continuous Monitoring
Actively participate in response planning and communication of a cyber event
Ensure response activities are coordinated with internal and external stakeholders
Update documentation, strategies and tactics incorporating lessons learned
Revise monitoring strategies based on changes to industry developments introduced through legal, regulatory, supplier, security and privacy updates
Keep designated officials updated about the risk posture for continuous authorization/approval
Determine ongoing information system risk
Update risk register, risk treatment and remediation plan
Decommission information system
Determine information system decommissioning requirements
Communicate decommissioning of information system
Remove information system from operations
The CGRC is ideal for IT, information security and cybersecurity professionals responsible for governance, risk and compliance within an organization. Roles include:
Cyber GRC Manager
Cybersecurity Compliance Officer
GRC Information Technology Manager
Cybersecurity Risk & Compliance Project Manager
Cybersecurity Risk & Controls Analyst
Cybersecurity Third Party Risk Manager
Enterprise Risk Manager
GRC Security Analyst
System Security Manager
System Security Officer
Information Assurance Manager
To qualify for the CGRC certification, you must have a minimum of two years of cumulative, paid, full-time work experience in one or more of the seven domains of the CGRC Common Body of Knowledge (CBK).
With CCS Learning Academy, you’ll receive:
5-day certified instructor-led training
Official (ISC)² CGRC CBK Training Seminar Student Handbook
Collaboration with classmates (not currently available for self-paced course)
Real-world learning activities and scenarios
Enjoy job placement assistance for the first 12 months after course completion.
This course is eligible for CCS Learning Academy’s Learn and Earn Program: get a tuition fee refund of up to 50% if you are placed in a job through CCS Global Tech’s Placement Division*
Q: Why is the CAP exam name changing and what is it changing to?
A: The Certified Authorization Professional (CAP) is changing to Certified in Governance, Risk and Compliance (CGRC). Only the name is changing.
This change better represents the knowledge, skills and abilities required to earn and maintain this certification. The subject matter is broader and more inclusive to frameworks used around the world.
Certified in Governance, Risk and Compliance (CGRC) cybersecurity professionals have the knowledge and skills to integrate governance, performance management, risk management and regulatory compliance within the organization while helping the organization achieve its objectives, address uncertainty and act with integrity. CGRC professionals align IT goals with organizational objectives as they manage cyber risks and meet regulatory requirements. They use frameworks to integrate security and privacy with the organization's overall objectives, allowing stakeholders to make informed decisions regarding data security and privacy risks.
Q: When will CAP change its name to CGRC?
A: It will officially change on February 15, 2023.
Q: If I already hold the CAP certification, what do I need to do?
A: Your digital certificate will update in your account. You will be sent an email from Credly to accept a new version of the digital badge representing the change to CGRC.
Q: If I have been studying for the CAP exam with material that focuses on the current domains, will I be sufficiently prepared to take the new exam without additional study?
A: Yes, this change is to only the name of the exam. All (ISC)² exams are experiential and include experience-based items that cannot be learned by studying alone. If you already have the required experience in the domains and believe that you have sufficient proficiency in those domains, you should feel confident that you can pass the CGRC exam and meet the experience requirements for full certification.