CGRC – Certified in Governance, Risk and Compliance


Are you preparing for the CGRC examination or want to demonstrate your expertise in risk management frameworks? Certified in Governance, Risk and Compliance (CGRC) online training by CCS Learning Academy helps you prove your skills and gain recognition from the community of cyber security leaders.

The CGRC Certification Training educates candidates on security risk management and information system authorization. Our course prepares you for the CGRC exam (formerly the Certified Authorization Professional exam) administered by (ISC)².

If you are looking forward to enrolling yourself in the next CGRC training, feel free to get in touch with us.

*Looking for a flexible schedule (after hours or weekends)?
Please call or email us: 858-208-4141 or

Student financing options are available.

Transitioning military and Veterans, please contact us to sign up for a free consultation on training and hiring options.


This official (ISC)² Certified in Governance, Risk and Compliance (CGRC) Training prepares you for the CGRC exam. The Certified Authorization Professional (CAP®) has changed its name to Certified in Governance, Risk and Compliance (CGRC). This is only a title change, so the course modules, prerequisites, and delivery remain the same.

An individual certified in Governance, Risk and Compliance (CGRC) is an information security practitioner who advocates for security risk management in pursuit of information system authorization. This is needed to support an organization’s mission and operations in accordance with legal and regulatory requirements.

Passing the CGRC Exam meets U.S. DoD Directive 8140/8570.01 Information Assurance Management (IAM) Level I and Level II requirements.

Course Objectives

The broad spectrum of topics included in the CGRC Common Body of Knowledge (CBK®) ensures its relevance across all disciplines in the field of information security. Successful candidates are competent in the following seven domains:

  • Information Security Risk Management Program.
  • Scope of the Information System.
  • Selection and Approval of Security and Privacy Controls.
  • Implementation of Security and Privacy Controls.
  • Assessment/Audit of Security and Privacy Controls.
  • Authorization/Approval of Information System.
  • Perform Continuous Monitoring.

Course Outline

  1. Domain 1: Information Security Risk Management Program
    1. Understand the foundation of an organization's information security risk management program
      • Principles of information security
      • Risk management frameworks (e.g., National Institute of Standards and Technology (NIST) Cybersecurity Framework, Control Objectives for Information and Related Technology (COBIT), International Organization for Standardization (ISO) 27001, International Organization for Standardization (ISO) 31000)
      • System Development Life Cycle (SDLC)
      • Information system boundary requirements
      • Security controls and practices
      • Roles and responsibilities in the authorization/approval process
    2. Understand risk management program processes
      • Select program management controls
      • Privacy requirements
      • Determine third-party hosted information systems
    3. Understand regulatory and legal requirements
      • Familiarize with governmental, organizational and international regulatory security and privacy requirements (e.g., International Organization for Standardization (ISO) 27001, Federal Information Security Modernization Act (FISMA), Federal Risk and Authorization Management Program (FedRAMP), General Data Protection Regulation (GDPR), Health Insurance Portability and Accountability Act (HIPAA))
      • Familiarize with other applicable security-related mandates
  2. Domain 2: Scope of the Information System
    1. Define the information system
      • Determine the scope of the information system
      • Describe the architecture (e.g., data flow, internal and external interconnections)
      • Describe information system purpose and functionality
    2. Determine categorization of the information system
      • Identify the information types processed, stored or transmitted by the information system
      • Determine the impact level on confidentiality, integrity, and availability for each information type (e.g., Federal Information Processing Standards (FIPS) 199, International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 27002, data protection impact assessment)
      • Determine information system categorization and document results
  3. Domain 3: Selection and Approval of Security and Privacy Controls
    1. Identify and document baseline and inherited controls
    2. Select and tailor controls to the system
      • Determine applicability of recommended baseline and inherited controls
      • Determine appropriate use of control enhancements (e.g., security practices, overlays, countermeasures)
      • Document control applicability
    3. Develop continuous control monitoring strategy (e.g., implementation, timeline, effectiveness)
    4. Review and approve security plan/Information Security Management System (ISMS)
  4. Domain 4: Implementation of Security and Privacy Controls
    1. Implement selected controls
      • Determine mandatory configuration settings and verify implementation in accordance with current industry standards (e.g., Information Technology Security Guidance ITSG-33 – Annex 3A, Technical Guideline for Minimum Security Measures, United States Government Configuration Baseline (USGCB), National Institute of Standards and Technology (NIST) checklists, Security Technical Implementation Guides (STIGs), Center for Internet Security (CIS) benchmarks, General Data Protection Regulation (GDPR))
      • Ensure that implementation of controls is consistent with the organizational architecture and associated security and privacy architecture
      • Coordinate implementation of inherited controls with control providers
      • Determine and implement compensating/alternate security controls
    2. Document control implementation
      • Document inputs to the planned controls, their expected behavior, and expected outputs or deviations
      • Verify the documented details of the controls meet the purpose, scope and risk profile of the information system
      • Obtain and document implementation details from appropriate organization entities (e.g., physical security, personnel security, privacy)
  5. Domain 5: Assessment/Audit of Security and Privacy Controls
    1. Prepare for assessment/audit
      • Determine assessor/auditor requirements
      • Establish objectives and scope
      • Determine methods and level of effort
      • Determine necessary resources and logistics
      • Collect and review artifacts (e.g., previous assessments/audits, system documentation, policies)
      • Finalize the assessment/audit plan
    2. Conduct assessment/audit
      • Collect and document assessment/audit evidence
      • Assess/audit implementation and validate compliance using approved assessment methods
    3. Prepare the initial assessment/audit report
      • Analyze assessment/audit results and identify vulnerabilities
      • Propose remediation actions
    4. Review initial assessment/audit report and perform remediation actions
      • Determine risk responses
      • Apply remediations
      • Reassess and validate the remediated controls
    5. Develop final assessment/audit report
    6. Develop remediation plan
      • Analyze identified residual vulnerabilities or deficiencies
      • Prioritize responses based on risk level
      • Identify resources (e.g., financial, personnel, and technical) and determine the appropriate timeframe/schedule required to remediate deficiencies
  6. Domain 6: Authorization/Approval of Information System
    1. Compile security and privacy authorization/approval documents
      • Compile required security and privacy documentation to support authorization/approval decision by the designated official
    2. Determine information system risk
      • Evaluate information system risk
      • Determine risk treatment options (i.e., accept, avoid, transfer, mitigate, share)
      • Determine residual risk
    3. Authorize/approve information system
      • Determine terms of authorization/approval
  7. Domain 7: Continuous Monitoring
    1. Determine impact of changes to information system and environment
      • Identify potential threat and impact to operation of information system and environment
      • Analyze risk due to proposed changes accounting for organizational risk tolerance
      • Approve and document proposed changes (e.g., Change Control Board (CCB), technical review board)
      • Implement proposed changes
      • Validate changes have been correctly implemented
      • Ensure change management tasks are performed
    2. Perform ongoing assessments/audits based on organizational requirements
      • Monitor network, physical and personnel activities (e.g., unauthorized assets, personnel and related activities)
      • Ensure vulnerability scanning activities are performed
      • Review automated logs and alerts for anomalies (e.g., security orchestration, automation and response)
    3. Review supply chain risk analysis monitoring activities (e.g., cyber threat reports, agency reports, news reports)
    4. Actively participate in response planning and communication of a cyber event
      • Ensure response activities are coordinated with internal and external stakeholders
      • Update documentation, strategies and tactics incorporating lessons learned
    5. Revise monitoring strategies based on changes to industry developments introduced through legal, regulatory, supplier, security and privacy updates
    6. Keep designated officials updated about the risk posture for continuous authorization/approval
      • Determine ongoing information system risk
      • Update risk register, risk treatment and remediation plan
    7. Decommission information system
      • Determine information system decommissioning requirements
      • Communicate decommissioning of information system
      • Remove information system from operations

Target Audience

The CGRC is ideal for IT, information security and cybersecurity professionals responsible for governance, risk and compliance within an organization. Roles include:

  • Authorizing Official
  • Cyber GRC Manager
  • Cybersecurity Auditor
  • Cybersecurity Compliance Officer
  • GRC Architect
  • GRC Information Technology Manager
  • GRC Manager
  • Cybersecurity Risk & Compliance Project Manager
  • Cybersecurity Risk & Controls Analyst
  • Cybersecurity Third Party Risk Manager
  • Enterprise Risk Manager
  • GRC Analyst
  • GRC Director
  • GRC Security Analyst
  • System Security Manager
  • System Security Officer
  • Information Assurance Manager

To qualify for the CGRC certification, you must have a minimum of two years of cumulative, paid, full-time work experience in one or more of the seven domains of the CGRC Common Body of Knowledge (CBK).

With CCS Learning Academy, you’ll receive:

  • 5-day certified instructor-led training
  • Official (ISC)² CGRC CBK Training Seminar Student Handbook
  • Collaboration with classmates (not currently available for self-paced course)
  • Real-world learning activities and scenarios
  • Enjoy job placement assistance for the first 12 months after course completion.
  • This course is eligible for CCS Learning Academy’s Learn and Earn Program: get a tuition fee refund of up to 50% if you are placed in a job through CCS Global Tech’s Placement Division*
  • Government and Private pricing available.*

*For more details call: 858-208-4141 or email:

Q: Why is the CAP exam name changing and what is it changing to?
A: The Certified Authorization Professional (CAP) is changing to Certified in Governance, Risk and Compliance (CGRC). Only the name is changing.
This change better represents the knowledge, skills and abilities required to earn and maintain this certification. The subject matter is broader and more inclusive of frameworks used around the world.
Certified in Governance, Risk and Compliance (CGRC) cybersecurity professionals have the knowledge and skills to integrate governance, performance management, risk management and regulatory compliance within the organization while helping the organization achieve objectives, address uncertainty and act with integrity. CGRC professionals align IT goals with organizational objectives as they manage cyber risks and achieve regulatory needs. They utilize frameworks to integrate security and privacy with the organization's overall objectives, allowing stakeholders to make informed decisions regarding data security and privacy risks.

Q: When will CAP change its name to CGRC?
A: It will officially change on February 15, 2023.

Q: If I already hold the CAP certification, what do I need to do?
A: Your digital certificate will update in your account. You will be sent an email from Credly to accept a new version of the digital badge representing the change to CGRC.

Q: If I have been studying for the CAP exam with material that focuses on the current domains, will I be sufficiently prepared to take the new exam without additional study?
A: Yes, this change is to only the name of the exam. All (ISC)² exams are experiential and include experience-based items that cannot be learned by studying alone. If you already have the required experience in the domains and believe that you have sufficient proficiency in those domains, you should feel confident that you can pass the CGRC exam and meet the experience requirements for full certification.