Governance, Risk & Compliance

CGRC

Learn how governance, risk management, and security controls work together across enterprise and regulated environments.

Level
Intermediate
Duration
5 Days
Exam Included
Yes
Certification
ISC2 CGRC
Partner Brochure ↓
ISC2 Official Training Premier Partner
Why It Matters

Why this course matters

Every regulated organization — federal agencies, banks, hospitals, insurers, cloud providers — runs on the same backbone: governance, risk, and compliance. CGRC is the ISC2 credential that proves you can authorize systems, manage risk, and operate inside frameworks like NIST RMF.

It's the certification that opens doors into federal contracting, FedRAMP, HIPAA, and enterprise security program roles.

Is This Course Right For Me?

Could this be a good fit for you?

This course is a good fit if you are:

  • Working in or moving into cybersecurity, compliance, or risk management.
  • Supporting federal, defense, healthcare, or financial services systems.
  • Responsible for authorization packages, ATOs, or continuous monitoring.
  • Looking for an ISC2 credential that focuses on governance rather than hands-on engineering.
What You'll Learn

What's covered in the curriculum

  • Governance and enterprise risk management
  • Risk assessment methodology
  • Security controls (NIST SP 800-53)
  • The NIST Risk Management Framework
  • Authorization processes and ATO packages
  • Continuous monitoring
  • Compliance management
  • Security documentation
  • Control assessments and POA&Ms
What You'll Be Able To Do

What you'll be able to do after this course

When you finish this course, you won't just be able to recite a framework — you'll be able to contribute to real governance work. Specifically, you'll be able to:

01

Run a system through the full Risk Management Framework

Take an information system from categorization through control selection, implementation, assessment, authorization, and continuous monitoring.

02

Build and defend an authorization package

Assemble the System Security Plan, risk assessment, security assessment report, and POA&M that an Authorizing Official needs to make a risk-based decision.

03

Assess security controls in practice

Plan and execute control assessments, gather evidence, document findings, and recommend corrective actions.

04

Translate compliance requirements into operating procedures

Take FISMA, FedRAMP, HIPAA, PCI, or internal policy requirements and turn them into controls, evidence, and monitoring routines the business can actually run.

05

Operate confidently inside a regulated GRC function

Speak the same language as auditors, ISSOs, ISSMs, AOs, and program management offices, and contribute to enterprise risk decisions.

Real-World Scenarios

Scenarios you'll recognize after this course

These are the kinds of situations graduates step into on the job — not theoretical exercises.

  • 01Preparing a system for an Authority to Operate decision
  • 02Closing out findings from an annual security control assessment
  • 03Updating a POA&M and tracking remediation across teams
  • 04Mapping a new regulatory requirement to existing security controls
  • 05Reviewing a vendor's FedRAMP package as part of a procurement
Career Pathways

Where you'll use these skills

You don't need to work for an AI or tech company. Organizations across nearly every industry are implementing governance programs and need professionals who can support them.

Industries hiring

  • Federal Government
  • Defense and Intelligence
  • Healthcare
  • Financial Services
  • Cloud Service Providers
  • Consulting
  • Insurance
  • Energy and Utilities

Common job titles

  • GRC Analyst
  • Cyber Risk Manager
  • Compliance Manager
  • Information Security Manager
  • Security Control Assessor
  • ISSO / ISSM
  • Authorization Analyst
  • Governance Lead

A day in the life

  • Reviewing a System Security Plan ahead of an ATO decision
  • Coordinating a control assessment with system owners
  • Documenting risk acceptance memos for the Authorizing Official
  • Updating continuous monitoring metrics for executive reporting
  • Walking an auditor through evidence for a sampled control family
Why organizations need these skills

Regulated organizations cannot operate without people who understand how governance, risk, and compliance intersect. CGRC-credentialed professionals are the connective tissue between security engineering, executive risk decisions, and the auditors and regulators who hold organizations accountable.

Estimated Salary Outlook
$95,000 – $160,000+

Compensation varies based on location, experience, industry, employer, and existing credentials. CACE does not guarantee employment, promotion, or salary outcomes.

Certification & Exam

The credential and how you'll earn it

Certification awarded

ISC2 CGRC

Upon passing the exam and meeting ISC2's experience requirements (or earning Associate of ISC2 status), you receive the official ISC2 CGRC credential.

Prerequisites

There are no prerequisites to attend the course. While professional experience is recommended before pursuing the full CGRC certification, anyone can take the training and sit for the exam if they meet ISC2's eligibility requirements.

Exam information

Format
125 multiple choice questions
Duration
3 hours
Passing score
700 / 1000
Delivery
Pearson VUE testing centers
Voucher
Included
FAQs

Frequently asked questions

  • No. This program is designed for professionals from business, legal, audit, risk, compliance, and security backgrounds. Technical experience is helpful but not required.

Develop the governance, risk, and compliance skills used across enterprise security programs.

Request information

Interested in CGRC?

Share your details and a member of our team will follow up with cohort dates, tuition, and enrollment guidance.

Programs or topics of interest

Select one or more — and more programs are available on request. Tell us in the details below.

Talk to a human first

Not sure which program fits? Chat live with Avery, our enrollment advisor, for a quick consult on certifications, cohorts, payment plans, and group pricing.