This course is in active development. Preview the scope below and create a free account to be notified the moment it goes live.
CGRC
The CGRC training equips practitioners with the knowledge to manage information security risk, define system scope, and select, implement, and assess security and privacy controls in support of the RMF lifecycle.
Who Should Take This
Security analysts, risk managers, and compliance professionals with at least two years of experience in authorization or audit processes benefit from this certification. It prepares them to apply, analyze, and evaluate controls across the RMF, advancing their ability to ensure organizational resilience and regulatory adherence.
What's Covered
All five domains of the ISC2 Certified in Governance, Risk, and Compliance (CGRC) exam: Domain 1 Information Security Risk Management, Domain 2 Scope of the Information System, Domain 3 Selection and Approval of Security and Privacy Controls, Domain 4 Implementation of Security and Privacy Controls, and Domain 5 Assessment/Audit of Security and Privacy Controls
What's Included in AccelaStudy® AI
Course Outline
66 learning goals
Domain 1: Information Security Risk Management
3 topics
Risk Management Foundations
- Define information security risk management terminology including threat, vulnerability, likelihood, impact, risk appetite, risk tolerance, residual risk, and inherent risk within organizational governance contexts.
- Identify risk management frameworks including NIST SP 800-37, ISO 27005, NIST CSF, COBIT, and COSO ERM and describe how each supports organizational risk governance.
- Describe the NIST Risk Management Framework seven-step lifecycle: prepare, categorize, select, implement, assess, authorize, and monitor as defined in NIST SP 800-37 Revision 2.
- Apply the NIST RMF Prepare step to establish organizational risk context including risk management strategy, organizational risk tolerance levels, and common control identification.
Risk Assessment Processes
- Apply qualitative risk assessment methodologies using likelihood-impact matrices, risk heat maps, and risk scoring to prioritize identified threats against organizational information systems.
- Describe quantitative risk analysis techniques including single loss expectancy, annualized rate of occurrence, annualized loss expectancy, and Monte Carlo simulation for financial risk modeling.
- Evaluate risk assessment results to recommend risk treatment strategies — avoidance, mitigation, transfer, or acceptance — aligned with organizational risk appetite and compliance requirements.
- Apply threat modeling methodologies including STRIDE, PASTA, and attack trees to identify and document threats to information systems during the risk assessment process.
Legal and Regulatory Compliance
- Identify federal information security laws and directives including FISMA, OMB Circular A-130, FIPS 199, FIPS 200, and Executive Orders governing cybersecurity requirements for federal agencies.
- Describe industry-specific compliance requirements including HIPAA, PCI DSS, SOX, GLBA, and GDPR and identify how they impose security and privacy control requirements on organizations.
- Analyze organizational compliance obligations to determine which regulatory frameworks apply, identify overlapping control requirements, and recommend a unified compliance strategy.
Domain 2: Scope of the Information System
3 topics
System Categorization
- Describe the FIPS 199 security categorization process and apply confidentiality, integrity, and availability impact levels (low, moderate, high) to information types processed by an information system.
- Apply NIST SP 800-60 guidance to map organizational information types to provisional impact levels and adjust categorization based on mission criticality and data sensitivity.
- Evaluate system categorization decisions by reviewing information type mappings, impact level justifications, and high-water mark calculations for overall system security categorization.
Authorization Boundary Definition
- Define authorization boundary concepts and describe how system boundaries delineate the scope of security control responsibility, including subsystems, interconnections, and shared services.
- Apply authorization boundary definition principles to identify system components, external interfaces, data flows, and interconnected systems that fall within or outside the boundary.
- Analyze system architecture diagrams and data flow documentation to validate authorization boundary completeness and identify missing components or undocumented interconnections.
System Documentation
- Describe the components of a system security plan (SSP) including system description, security categorization, control implementation statements, interconnection details, and responsible personnel.
- Apply SSP development procedures to document system architecture, data flows, control implementation details, and planned remediation actions in accordance with NIST SP 800-18 guidance.
- Identify interconnection security agreement (ISA) and memorandum of understanding (MOU) requirements for systems that share data or services across organizational authorization boundaries.
Domain 3: Selection and Approval of Security and Privacy Controls
4 topics
Control Baseline Selection
- Describe the NIST SP 800-53 security and privacy control catalog structure including control families, base controls, control enhancements, and the relationship between controls and requirements.
- Apply FIPS 200 and NIST SP 800-53B to select initial control baselines (low, moderate, high) based on the system's FIPS 199 security categorization and organizational requirements.
- Identify the NIST SP 800-53 control families including Access Control (AC), Audit and Accountability (AU), Configuration Management (CM), Incident Response (IR), and Risk Assessment (RA) and describe their primary security objectives.
Control Tailoring and Supplementation
- Apply control tailoring activities including scoping, parameterization, compensating controls, and organization-defined parameters to adapt baseline controls to system-specific requirements.
- Evaluate the adequacy of tailored control sets by comparing selected controls against threat assessments, risk tolerance, and compliance requirements to identify gaps requiring supplemental controls.
- Describe the concept of common controls, system-specific controls, and hybrid controls and explain how common control providers share security responsibilities across organizational systems.
- Apply control allocation decisions to assign controls as common, system-specific, or hybrid based on organizational infrastructure, shared services, and system authorization boundaries.
Privacy Controls
- Identify NIST SP 800-53 privacy control families and describe how privacy controls address personally identifiable information (PII) processing, consent management, and data minimization requirements.
- Apply privacy impact assessment (PIA) procedures to evaluate how information systems collect, use, store, and share PII and determine whether additional privacy controls are required.
- Analyze the adequacy of privacy control implementations by reviewing PII data flows, retention policies, and third-party sharing agreements against privacy regulatory requirements.
FedRAMP Control Requirements
- Describe the FedRAMP authorization process including initial authorization, agency authorization, and JAB provisional authorization pathways for cloud service providers.
- Apply FedRAMP control baseline requirements (Low, Moderate, High) to identify additional controls and parameters beyond standard NIST baselines required for cloud service authorization.
Domain 4: Implementation of Security and Privacy Controls
3 topics
Control Implementation Planning
- Apply control implementation strategies to translate selected NIST SP 800-53 controls into technical, operational, and management security measures within the system architecture.
- Describe how to document control implementation details in the SSP including implementation status, responsible entities, implementation descriptions, and planned completion dates for partially implemented controls.
- Evaluate control implementation evidence to verify that documented implementations accurately reflect the operational state of security and privacy controls in the production environment.
Technical Control Implementation
- Apply access control implementation requirements (AC family) including account management, access enforcement, information flow enforcement, and session management controls.
- Apply audit and accountability control requirements (AU family) including audit event generation, audit record content, audit storage, and audit review and analysis.
- Apply system and communications protection controls (SC family) including boundary protection, transmission confidentiality, cryptographic protection, and denial-of-service protection.
- Apply identification and authentication control requirements (IA family) including multi-factor authentication, identifier management, authenticator management, and cryptographic module authentication.
Operational and Management Control Implementation
- Apply configuration management control requirements (CM family) including baseline configuration, configuration change control, security impact analysis, and least functionality enforcement.
- Apply contingency planning control requirements (CP family) including contingency plan development, testing, alternate storage and processing sites, and system recovery procedures.
- Apply incident response control requirements (IR family) including incident response training, testing, handling, monitoring, and reporting procedures.
- Apply personnel security control requirements (PS family) including position risk designation, personnel screening, termination procedures, and access agreements.
- Analyze control implementation gaps to identify deficiencies, determine compensating controls, and document remediation requirements in the plan of action and milestones (POA&M).
Domain 5: Assessment/Audit of Security and Privacy Controls
4 topics
Security Assessment Planning
- Describe the NIST SP 800-53A assessment methodology including assessment objectives, assessment methods (examine, interview, test), and the depth and coverage attributes for each method.
- Apply security assessment plan development procedures to define assessment scope, methodology, team composition, rules of engagement, and deliverable requirements.
- Determine appropriate assessment methods and depth for each control based on system categorization, control criticality, and organizational assessment requirements.
Assessment Execution
- Execute control assessments using the examine method to review documentation including SSPs, policies, procedures, configuration settings, and system architecture diagrams.
- Execute control assessments using the interview method to gather information from system owners, administrators, security personnel, and end users about control implementation and operation.
- Execute control assessments using the test method to validate technical controls through vulnerability scanning, configuration auditing, and functional testing of security mechanisms.
- Analyze assessment evidence to determine control effectiveness, identify findings as satisfied or other-than-satisfied, and document the rationale for each determination.
Assessment Reporting and Authorization
- Describe the components of a security assessment report (SAR) including executive summary, assessment methodology, findings, risk determinations, and recommendations for remediation.
- Apply SAR development procedures to compile assessment findings, risk ratings, and remediation recommendations into a structured report that supports the authorizing official's risk-based decision.
- Describe the authorization decision types including Authorization to Operate (ATO), Denial of Authorization, and Interim Authorization and identify the conditions under which each is appropriate.
- Evaluate authorization package completeness by reviewing the SSP, SAR, and POA&M to determine whether the package provides sufficient information for an authorizing official's risk acceptance decision.
- Apply plan of action and milestones (POA&M) management procedures to track findings, assign remediation responsibilities, set completion dates, and update status as deficiencies are resolved.
Continuous Monitoring
- Describe the NIST SP 800-137 continuous monitoring framework including monitoring strategy development, metrics selection, frequency determination, and ongoing authorization support.
- Implement continuous monitoring activities including automated vulnerability scanning, configuration compliance checks, control reassessment scheduling, and security status reporting.
- Evaluate continuous monitoring data to identify security posture changes, assess risk impact of newly discovered vulnerabilities, and determine whether reauthorization is required.
- Apply ongoing authorization procedures to maintain system ATO status through continuous monitoring evidence, periodic control reassessment, and timely POA&M updates.
Domain 6: Supply Chain Risk Management
2 topics
Supply Chain Risk Fundamentals
- Define supply chain risk management (SCRM) concepts including supply chain threats, counterfeit component risks, vendor dependencies, and the relationship between SCRM and organizational risk management.
- Identify NIST SP 800-161 supply chain risk management practices and describe how the SR (Supply Chain Risk Management) control family in NIST SP 800-53 addresses supply chain threats.
- Describe software supply chain security concepts including software bill of materials (SBOM), code signing, dependency analysis, and secure software development attestation (NIST SSDF).
Third-Party Risk Assessment
- Apply third-party risk assessment procedures including vendor security questionnaires, SOC 2 report review, penetration test result analysis, and compliance certification verification.
- Evaluate third-party service provider security posture by analyzing assessment results, identifying residual risks, and recommending contractual security requirements and monitoring obligations.
- Apply vendor management lifecycle procedures including due diligence, contract negotiation with security clauses, ongoing monitoring, and vendor offboarding with data disposition verification.
Scope
Included Topics
- All five domains of the ISC2 Certified in Governance, Risk, and Compliance (CGRC) exam: Domain 1 Information Security Risk Management (16%), Domain 2 Scope of the Information System (11%), Domain 3 Selection and Approval of Security and Privacy Controls (15%), Domain 4 Implementation of Security and Privacy Controls (21%), and Domain 5 Assessment/Audit of Security and Privacy Controls (16%), plus ongoing authorization activities and supply chain risk management.
- Associate-level governance, risk, and compliance knowledge including NIST Risk Management Framework (RMF), NIST SP 800-37, NIST SP 800-53, NIST SP 800-53A, FedRAMP, FISMA, security categorization (FIPS 199), control baselines, continuous monitoring, authorization to operate (ATO), and plan of action and milestones (POA&M) management.
- Practical GRC topics including system security plans (SSP), security assessment reports (SAR), authorization packages, risk assessments, control implementation, evidence collection, supply chain risk management (SCRM), third-party risk assessment, privacy impact assessments, and organizational risk governance structures.
- Scenario-based reasoning requiring application of the RMF lifecycle, selection and tailoring of security controls, assessment methodology planning, authorization decision support, and continuous monitoring program implementation.
Not Covered
- Deep technical implementation of security controls at the engineering level beyond what is needed for GRC assessment and authorization activities.
- Advanced penetration testing techniques, exploit development, and offensive security operations not required for CGRC assessment activities.
- Vendor-specific GRC tool administration (e.g., Archer, ServiceNow GRC, Xacta) beyond conceptual understanding of GRC automation capabilities.
- Legal practice, contract law, and detailed procurement procedures beyond security and privacy compliance requirements in supply chain contexts.
- Advanced cryptographic engineering, key management system design, and cryptanalysis beyond awareness needed for control assessment.
Official Exam Page
Learn more at ISC2