CGRC: (ISC)² CGRC
Browse certifications
Exam Resources
Official learning paths, exam details, skills measured, and community resources to supplement your study.
About the CGRC Exam
Master the governance, risk, and compliance lifecycle
The (ISC)² Certified in Governance, Risk and Compliance (CGRC) certification — formerly CAP — validates the ability to integrate governance, risk management, and compliance within an organisation using the NIST Risk Management Framework, FIPS 199/200, and SP 800-53 controls.
Who Should Take This Exam?
The CGRC is designed for IT professionals with some hands-on experience. 6-12 months of hands-on experience recommended.
Typical study time: 4-8 weeks of focused study
Exam Quick Facts
| Detail | Value |
|---|---|
| Exam Code | CGRC |
| Title | (ISC)² CGRC |
| Duration | 180 minutes |
| Questions | 125 |
| Pass Score | 700 / 1000 |
| Cost | $599 USD |
| Provider | Pearson VUE |
| Validity | 3 years (CPE required) |
| Question Types | Multiple choice, Advanced innovative |
Exam Domains & Weights
The CGRC exam covers 7 domains. Focus your study time based on the weights below — higher-weighted domains have more exam questions.
| Domain | Weight | Practice Qs |
|---|---|---|
| Security and Privacy Governance, Risk Management, and Compliance Program | 16% | 32 |
| Scope of the System | 10% | 20 |
| Selection and Approval of Framework, Security, and Privacy Controls | 14% | 28 |
| Implementation of Security and Privacy Controls | 17% | 34 |
| Assessment/Audit of Security and Privacy Controls | 16% | 32 |
| System Compliance | 14% | 28 |
| Compliance Maintenance | 13% | 26 |
| Total | 100% | 200 |
💡 Study tip: Implementation of Security and Privacy Controls carries the most weight (17%) — start there. Scope of the System has the least (10%), but don’t skip it — exam questions can come from any domain.
Practice Exam — 200 Questions
Prepare for the CGRC with our 200-question practice exam covering all 7 exam domains. Every question includes detailed explanations and maps to official exam objectives.
What you get:
- ✅ Exam simulation mode with timer
- ✅ Spaced repetition for weak areas
- ✅ Detailed explanations for every question
- ✅ Progress tracking across domains
- ✅ 20 free questions — no account needed
ISC² Certification Path
Start with CC (Certified in Cybersecurity) for entry-level, then SSCP for technical security, then CISSP for management. CISSP concentrations (ISSAP, ISSEP, ISSMP) come after CISSP.
Related ISC² Certifications
If you’re studying for the CGRC, you might also be interested in these ISC² certifications:
- CC: (ISC)² Certified in Cybersecurity — 200 practice questions
- CCSP: (ISC)² CCSP — 200 practice questions
- CISSP-ISSAP: (ISC)² CISSP-ISSAP — 200 practice questions
- CISSP-ISSEP: (ISC)² CISSP-ISSEP — 200 practice questions
- CISSP-ISSMP: (ISC)² CISSP-ISSMP — 200 practice questions
Study Tips
- Start with the heaviest domain — focus your time where the exam focuses its questions
- Use our practice exam — try the 20 free questions first to gauge your readiness
- Review explanations — don’t just check if you got it right; read why each answer is correct
- Simulate exam conditions — use the timed exam mode to practice under pressure
Frequently asked questions
The CGRC questions I hear most often — usually ‘is this still the CAP cert?’ and ‘do I need a GRC role to take it?’
Is CGRC the same as CAP? #
Do I need GRC work experience to take CGRC? #
How is CGRC different from CISSP? #
How long does CGRC take to prepare for? #
Is CGRC worth $599 for a private-sector role? #
Frequently Asked Questions
1. Is CGRC the same as CAP?
Yes — ISC² renamed CAP (Certified Authorization Professional) to CGRC (Certified in Governance, Risk and Compliance) in 2023. Same body of knowledge, updated to align with current NIST Risk Management Framework, FIPS 199 / 200, and SP 800-53 controls. Older study materials labelled as CAP still cover roughly the right scope — just check they reference the current NIST RMF cycle (Categorize, Select, Implement, Assess, Authorize, Monitor). If your study guide pre-dates NIST RMF 7-step (2018+), get newer material.
2. Do I need GRC work experience to take CGRC?
Yes — 2 years of cumulative paid work experience in at least 2 of the 7 CGRC domains. If you don't yet have the experience, you can sit the exam and become an Associate of ISC² — you have 3 years from passing to gain the experience and convert to full CGRC status. Common qualifying roles: GRC analyst, risk manager, compliance officer, internal auditor, security control assessor, government contractor handling FedRAMP / FISMA workloads.
3. How is CGRC different from CISSP?
CGRC is narrower and deeper — focused entirely on the risk management framework, control selection, assessment, and ongoing compliance lifecycle. CISSP is broader and shallower — covers 8 domains across all of cybersecurity (architecture, asset security, comms, IAM, ops, etc.) at a manager level. GRC roles typically value CGRC more than CISSP. Pure security architecture roles value CISSP more. Many senior compliance professionals carry both.
4. How long does CGRC take to prepare for?
Four to eight weeks of focused study for candidates already working in GRC. Longer (12-16 weeks) if you're transitioning from a different security speciality. The exam covers 7 domains heavily based on NIST RMF — start with Implementation of Security and Privacy Controls (17%, the largest weight) and Security and Privacy Governance (16%). The [official ISC² Study Guide](https://www.isc2.org/certifications/cgrc) is the canonical resource — pair it with practice questions for the multiple-choice exam format.
5. Is CGRC worth $599 for a private-sector role?
Depends on your target. CGRC is especially valuable for: US government contractors (FedRAMP, FISMA, DoD work), healthcare (HIPAA program managers), financial services (SOX, GLBA compliance), and any role tied to NIST 800-53 controls. For pure private-sector security engineering or generic IT, the $599 fee plus annual maintenance ($135) might be better spent on CISSP or a cloud security cert. CGRC pays off where NIST RMF or FedRAMP appears in the job description.