ISC2 Governance, Risk and Compliance (CGRC)
Course facts
- Understanding the fundamentals of Governance, Risk and Compliance (GRC) and the integration of security, risk, and compliance requirements into business processes
- Knowledge of national and international security and privacy frameworks such as NIST, ISO/IEC, COBIT, PCI-DSS, FedRAMP, or GDPR and their application in a compliance context
- Defining and delineating systems, information assets, and security requirements while taking into account risk and data protection requirements
- Independently selecting, evaluating, and adapting security and data protection controls based on established frameworks and regulatory requirements
- Knowledge of the implementation of technical and organizational security measures within IT and compliance architectures
- Application of methods for auditing, evaluating, and verifying the effectiveness of security and data protection controls
- Understanding of how to handle risks, vulnerabilities, and non-conformities, as well as the definition of appropriate risk response strategies
- Knowledge of the creation, maintenance, and documentation of compliance documentation and audit reports
- Application of processes for continuous compliance, change management, monitoring, and security maintenance throughout the entire system lifecycle
- Knowledge of the importance of security governance, continuous monitoring, and resilience-oriented compliance strategies in a corporate context
1 Governance, Risk, and Compliance (GRC)
Fundamentals of governance, risk, and compliance programs in the areas of information security and data protection: regulatory requirements, risk management, security policies, and the organizational management of security and compliance initiatives.
2 Scope of the System
Definition and delineation of systems and their security scope: identification of critical assets, business processes, and data flows, as well as the classification of security and data protection requirements within the organizational context.
3 Selection and Approval of Framework, Security, and Privacy Controls
Selection and approval of security and privacy controls based on established frameworks and standards: evaluation of appropriate measures for risk mitigation and alignment with regulatory and business requirements.
4 Implementation of Security and Privacy Controls
Implementation of technical and organizational security and privacy measures: implementation of controls within processes, systems, and architectures to ensure protection, resilience, and compliance.
5 Assessment/Audit of Security and Privacy Controls
Assessment and auditing of security and privacy controls: Conducting assessments, audits, and effectiveness reviews to identify vulnerabilities, compliance gaps, and opportunities for optimization.
6 System Compliance
Ensuring system compliance with internal policies as well as external regulatory and legal requirements: monitoring, documenting, and reporting on compliance status and security measures.
7 Compliance Maintenance
Continuous maintenance of compliance and security levels: ongoing review, adaptation, and improvement of controls, processes, and governance structures in light of new risks, threats, and regulatory changes.
Consists of the following modules
- ISC2 Governance, Risk and Compliance (CGRC)
- Exam Voucher for CGRC (CGRCP)
The CGRC certification is ideal for you if you want to not only implement security, risk, and compliance requirements operationally, but also strategically manage governance, cyber risks, and regulatory requirements. It is particularly relevant for:
- Governance, Risk, and Compliance (GRC) professionals who want to systematically establish or further develop security and compliance programs
- IT security officers and security managers who need to align regulatory requirements with technical security measures
- Risk managers and internal auditors who assess cyber risks, conduct audits, and monitor compliance requirements
- IT and security consultants who advise clients on governance, risk, and compliance issues and prepare them for audits or certifications
- Compliance officers and data protection officers who need to integrate and demonstrate security, data protection, and regulatory requirements
- IT managers, system administrators, and project managers responsible for ensuring systems are operated securely and in compliance
- Professionals in regulated industries such as financial services, healthcare, public administration, or critical infrastructure who must implement security and compliance requirements
- CISSP®, CISM®, CISA®, or ISO 27001-certified professionals who wish to specifically expand their profile to include governance, risk, and compliance competencies
To obtain CGRC certification, you must have at least two years of cumulative, full-time professional experience in one or more of the areas covered by the current CGRC exam syllabus. A bachelor's or master's degree in computer science, information technology, or a related field, or an ISC2-recognized certification, can substitute for up to one year of the required professional experience. Part-time employment and internships can also be counted toward this requirement.
Don’t have enough experience yet? Become an «Associate of ISC2»
If you don’t yet have the necessary practical experience, that’s no obstacle to your career:
- You pass the CGRC exam
- You receive «Associate of ISC2» status
- You then have three years to gain the missing professional experience and finalize your CGRC certification
Exam Format
- Exam duration: 3 hours
- Number of questions: 125
- Format: Multiple choice & extended question types
- Passing score: 70% (700 out of 1,000 points)
- Language: English
- Exam content: The 7 domains
- Domain 1: Security and Privacy Governance, Risk Management, and Compliance Program - 16%
- Domain 2: Scope of the System - 10%
- Domain 3: Selection and Approval of Framework, Security, and Privacy Controls - 14%
- Domain 4: Implementation of Security and Privacy Controls - 17%
- Domain 5: Assessment/Audit of Security and Privacy Controls - 16%
- Domain 6: System Compliance - 14%
- Domain 7: Compliance Maintenance - 13%
Applying for certification
Once you have passed the CGRC® exam, you can apply for the official ISC2 certificate. To do so, you must sign the ISC2 Code of Ethics, and your professional experience must be endorsed by an actively certified ISC2 professional. The endorsement process must be completed within nine months of the exam date. If you are unable to find a suitable endorser, ISC2 will assist you in validating your application.
Recertification
The CGRC® certification is valid for three years. To maintain it, you must provide proof of continuing professional education (CPE) and pay the annual maintenance fee (AMF) to ISC2. This ensures that your expertise remains up to date and your status as a certified professional remains active.