In the most recent ISC2 Cybersecurity Workforce Study, respondents ranked GRC second (35%), behind only cloud computing security, when it came to skills that are most in-demand for security professionals who are looking to advance their careers through new jobs and promotions.

Why get ISC2 CGRC certified?

  • Capitalize on the rising demand for Governance, Risk and Compliance (GRC) expertise by earning the CGRC certification by ISC2.
  • The CGRC is a proven way to demonstrate your knowledge and skills to integrate governance, performance management, risk management and regulatory compliance within your organization.
  • CGRC professionals utilize frameworks to integrate security and privacy within organizational objectives, better enabling stakeholders to make informed decisions regarding data security, compliance, supply chain risk management and more.

Earn your ISC2 CGRC Certification – Be a Governance, Risk and Compliance Leader.

Overview

Official ISC2 Certified in Governance, Risk and Compliance (CGRC) Training provides a comprehensive review of the knowledge required for authorizing and maintaining information systems within the NIST Risk Management Framework (RMF). This training course will help students review and refresh their knowledge and identify the areas they need to study for the CGRC exam.

Content aligns with and comprehensively covers the seven domains of the ISC2 CGRC Common Body of Knowledge (CBK®). Official courseware is developed by ISC2 – creator of the CGRC CBK – to ensure your training is relevant and up-to-date. Our instructors are verified security experts who hold the CGRC and have completed intensive training to teach ISC2 content.

Cybersecurity is not optional. It’s Operational. Don’t wait for a breach. Build the skills. Earn the badge. Lead the defense. Explore our Top Cybersecurity Skills for Malaysia’s Digital Future campaign.

Be the reason your organization survives the next cyberattack.

Skills Covered

  • Identify and describe the steps and tasks within the NIST Risk Management Framework (RMF).
  • Apply common elements of other risk management frameworks using the RMF as a guide.
  • Describe the roles associated with the RMF and how they are assigned to tasks within the RMF.
  • Execute tasks within the RMF process based on assignment to one or more RMF roles.
  • Explain organizational risk management and how it is supported by the RMF.

Prerequisites

To qualify for this cybersecurity certification, you must pass the exam and have at least two years of cumulative, paid work experience in one or more of the seven domains of the ISC2 CGRC Exam Outline.

Learn more about CGRC Experience Requirements.

Don’t have enough experience yet? You can still pass the CGRC exam and become an Associate of ISC2 while you earn the required work experience.

Target Audience

This course is for individuals planning to pursue the CGRC certification. The CGRC is ideal for IT, information security and information assurance practitioners and contractors who use the RMF in federal government, military, civilian roles, local governments and private sector organizations. Roles include:

  • ISSOs, ISSMs and other infosec/information assurance practitioners who are focused on security assessment and authorization (traditional certification and accreditation, C&A) and continuous monitoring issues.
  • Executives who must “sign off” on an Authorization to Operate (ATO).
  • Inspectors general (IGs) and auditors who perform independent reviews.
  • Program managers who develop or maintain IT systems.
  • IT professionals interested in improving cybersecurity and learning more about the importance of lifecycle cybersecurity risk management.

Course Curriculum

Module 1: Prepare

  • Explain the purpose and value of preparation.
  • Identify references associated with the Prepare step.
  • Identify other risk management frameworks and their relationship to RMF tasks.
  • Identify relevant security and privacy regulations.
  • Complete selected Prepare tasks for the example system.

Module 2: Categorize

  • Explain the purpose and value of categorization.
  • Identify references associated with the Categorize step.
  • List the references, processes, and outcomes that define Risk Management Framework (RMF) Task C-1: System Description.
  • Describe a system’s architecture.
  • Describe an information system’s purpose and functionality.
  • Describe and document a system’s characteristics.
  • List the references, processes and outcomes that define RMF Task C-2: Security Categorization.
  • Categorize an information system.
  • List the references, processes and outcomes that define RMF Task C-3: Security Categorization Review and Approval.
  • Describe the review and approval process for security categorization.
  • Categorize the example system.

Module 3: Select

  • Explain the purpose and value of control selection and allocation.
  • Identify references associated with the Select step.
  • Relate the ISO 27001 Statement of Applicability to the NIST RMF.
  • List the references, processes and outcomes that define RMF Task S-1: Control Selection.
  • List the references, processes and outcomes that define RMF Task S-2: Control Tailoring.
  • Select appropriate security control baselines based on organizational guidance.
  • Tailor controls for a system within a specified operational environment.
  • List the references, processes and outcomes that define RMF Task S-3: Control Allocation.
  • List the references, processes and outcomes that define RMF Task S-4: Documentation of Planned Control Implementations.
  • Allocate security and privacy controls to the system and to the environment of operation.
  • Document the controls for the system and environment of operation in security and privacy plans.
  • List the references, processes and outcomes that define RMF Task S-5: Continuous Monitoring Strategy – System.
  • Develop and implement a system-level strategy for monitoring control effectiveness that is consistent with and supplements the organizational continuous monitoring strategy.
  • List the references, processes and outcomes that define RMF Task S-6: Plan Review and Approval.
  • Review and approve the security and privacy plans for the system and the environment of operation.
  • Allocate security controls for the example system.
  • Tailor security controls for the example system.
  • Draft a continuous monitoring plan for the example system.

Module 4: Implement

  • Explain the purpose and value of implementation.
  • Identify references associated with the Implement step.
  • List the references, processes and outcomes that define RMF Task I-1: Control Implementation.
  • Identify appropriate implementation guidance for control frameworks.
  • Integrate privacy requirements with system implementation.
  • List the references, processes and outcomes that define RMF Task I-2: Update Control Implementation Information.
  • Update a continuous monitoring strategy.
  • Update a control implementation plan.

Module 5: Assess

  • Explain the purpose and value of assessment.
  • Identify references associated with the Assess step.
  • Understand and identify common elements of the NIST process that are included in other frameworks and processes.
  • List the references, processes and outcomes that define RMF Task A-1: Assessor Selection.
  • List the references, processes and outcomes that define RMF Task A-2: Assessment Plan.
  • List the references, processes and outcomes that define RMF Task A-3: Control Assessment.
  • List the references, processes and outcomes that define RMF Task A-4: Assessment Reports.
  • List the references, processes and outcomes that define RMF Task A-5: Remediation Actions.
  • List the references, processes and outcomes that define RMF Task A-6: Plan of Action and Milestones.
  • Develop an assessment plan for identified controls in the example system.
  • Develop a remediation plan for unsatisfied controls in the example system.

Module 6: Authorize

  • Explain the purpose and value of authorization.
  • Identify references associated with the Authorize step.
  • Relate system approvals under organizational processes to the concepts applied in the NIST RMF.
  • List the references, processes and outcomes that define RMF Task R-1: Authorization Package.
  • List the references, processes and outcomes that define RMF Task R-2: Risk Analysis and Determination.
  • List the references, processes and outcomes that define RMF Task R-3: Risk Response.
  • List the references, processes and outcomes that define RMF Task R-4: Authorization Decision.
  • List the references, processes and outcomes that define RMF Task R-5: Authorization Reporting.
  • Develop a system-level risk determination for the example system.
  • Authorize the system for operation.
  • Determine appropriate elements for the Authorization decision document for the example system.

Module 7: Monitor

  • Explain the purpose and value of monitoring.
  • Identify references associated with the Monitor step.
  • List the references, processes and outcomes that define RMF Task M-1: System and Environment Changes.
  • Coordinate and integrate cybersecurity risk management with organizational change management.
  • List the references, processes and outcomes that define RMF Task M-2: Ongoing Assessments.
  • Monitor risks associated with the supply chain.
  • List the references, processes and outcomes that define RMF Task M-3: Ongoing Risk Response.
  • Understand the elements of communication surrounding a cyber event.
  • List the references, processes and outcomes that define RMF Task M-4: Authorization Package Updates.
  • List the references, processes and outcomes that define RMF Task M-5: Security and Privacy Reporting.
  • List the references, processes and outcomes that define RMF Task M-6: Ongoing Authorization.
  • List the references, processes and outcomes that define RMF Task M-7: System Disposal.
  • Discuss Monitor step activities in the example system.

Module 8: CGRC Certification Information

This chapter covers important information about the experience requirements for the Certified in Governance, Risk and Compliance (CGRC) certification and ISC2 exam policies and procedures. Details were based on information as of August 2021. It is recommended that learners go to the ISC2 website www.isc2.org for the most up-to-date information on certification requirements and the exam process.

Dates & Locations

Let’s make it work for you

Can’t find a date that fits? Need to train your whole team? Looking for a discount?
Speak to one of our learning experts today.

July 20, 2026 - July 24, 2026
Location: Online | Mode: VILT (virtual instructor-led) | Availability: TBC | Exam: Included

July 20, 2026 - July 24, 2026
Location: Kuala Lumpur | Mode: ILT (instructor-led, in person) | Availability: TBC | Exam: Included

September 7, 2026 - September 11, 2026
Location: Online | Mode: VILT (virtual instructor-led) | Availability: TBC | Exam: Included

September 7, 2026 - September 11, 2026
Location: Kuala Lumpur | Mode: ILT (instructor-led, in person) | Availability: TBC | Exam: Included

November 23, 2026 - November 27, 2026
Location: Online | Mode: VILT (virtual instructor-led) | Availability: TBC | Exam: Included

November 23, 2026 - November 27, 2026
Location: Kuala Lumpur | Mode: ILT (instructor-led, in person) | Availability: TBC | Exam: Included

Exam & Certification

CGRC: Certified in Governance, Risk and Compliance.

CGRC, a vendor-neutral cybersecurity credential, recognizes your knowledge, skills and abilities to authorize and maintain information systems within the RMF. It proves you know how to formalize processes to assess risk and establish security documentation.

Training & Certification Guide

The CGRC exam evaluates expertise across seven domains. (Think of domains as topics you need to master based on your professional experience and education.) Passing the exam demonstrates that you have the advanced technical skills and knowledge to understand governance, risk and compliance, and can authorize and maintain information systems utilizing various risk management frameworks, as well as best practices, policies and procedures. The domains and their weights on the exam are:

  • Domain 1. Security and Privacy Governance, Risk Management and Compliance Program: 16%
  • Domain 2. Scope of the System: 10%
  • Domain 3. Selection and Approval of Framework, Security and Privacy Controls: 14%
  • Domain 4. Implementation of Security and Privacy Controls: 17%
  • Domain 5. Assessment/Audit of Security and Privacy Controls: 16%
  • Domain 6. System Compliance: 14%
  • Domain 7. Compliance Maintenance: 13%

The Continuing Professional Education (CPE) credit requirement helps you maintain your competencies following initial certification. By developing and enhancing skills through CPE activities, you make an important investment in yourself while increasing value to customers and employers:

Join webinars

  • Think Tanks
  • Security Briefings
  • Knowledge Vault
  • Security Congress

Read and write

  • Read a book directly related to CGRC and submit a 150-word review
  • Author an information security article published in a journal or magazine
  • Review an educational white paper related to the CGRC

Attend trainings and events

  • ISC2 Chapter meetings
  • Prepare or attend an educational presentation related to the CGRC exam outline domains
  • ISC2 Certificates – Grow your skills with quick learning averaging 3.5 hours per certificate that focuses on high demand subject matter.
  • ISC2 Courses – Dive deeper into learning with actionable strategies you can apply immediately to strengthen your organization’s security.
  • ISC2 Express Courses – Grow your cybersecurity knowledge at home or on the go with fast, flexible learning that delivers real-world results.
  • Discount pricing for ISC2 events and industry events, including ISC2 Security Congress

Volunteer

  • Become a Safe and Secure Online Ambassador and spread your knowledge about cyber safety in your community
  • Volunteer to help develop ISC2 certification exams

Benefits of CGRC certification

  • Career opportunities and advancement: Raise visibility and credibility and create new career opportunities.
  • Credibility: Demonstrate a solid foundation to mitigate and respond to cyberthreats.
  • Versatile skills: Build vendor-neutral skills that can be applied to different technologies and methodologies.
  • Solid foundation: Be better prepared to stem cyberattacks and inspire a safe and secure cyber world.
  • Membership in a strong peer network: Become an ISC2 member, unlocking exclusive resources, educational tools and peer-to-peer networking opportunities.
  • Higher salaries: Earn more. In 2023, Certification Magazine’s annual survey lists an average salary of $118,980 (in the U.S.) and $114,150 (globally).
  • Expanded knowledge: Reach a deeper, better and broader understanding of the exam outline.
  • Stronger skill set: Expand the skills and knowledge needed to fulfill organizational duties.

Frequently Asked Questions

A Certified in Governance, Risk and Compliance (CGRC) holder is an information security practitioner who champions system security commensurate with an organization’s mission and risk tolerance, while meeting legal and regulatory requirements.

CGRC, a vendor-neutral cybersecurity credential, recognizes your knowledge, skills and abilities to authorize and maintain information systems within the RMF. It proves you know how to formalize processes to assess risk and establish security documentation. CGRC is particularly well-suited for IT, information security and cybersecurity practitioners who manage risk in information systems. It is also recommended for any practitioner involved in authorizing and maintaining information systems.

Speak to a Training Consultant

All courses are HRD Claimable.
Get in touch with our team via the form or WhatsApp us on +6011-5119 6631
