Certified in Governance, Risk and Compliance (CGRC) (formerly CAP)

What is the CGRC certification?

The (ISC)² Certified in Governance, Risk and Compliance credential — formerly known as the Certified Authorization Professional (CAP) — validates your understanding and skills within the field of GRC. It confirms that you know how to assess risk, establish security requirements and create documentation using a broad range of security frameworks. It is ideal for U.S. government officials who manage information system security for the Department of Defense (DoD), and it meets the requirements of DoD Directive 8570. Private-sector individuals who manage risk will also find the credential valuable because it shows a firm grasp of aligning business objectives with risk management and regulatory compliance.

Get your free Cybersecurity development playbook to learn more about how the certification may fit into various cybersecurity careers.

CGRC (formerly CAP) exam objectives

The CAP certification was officially renamed Certified in Governance, Risk and Compliance (CGRC) on February 15, 2023. However, the seven exam domains, also known as objectives, did not change. The domains were last updated by (ISC)² August 2021.

Learn more about the CGRC domains.

Is CGRC (formerly CAP) a good certification?

The CGRC certification from (ISC)² isn’t suited for every cybersecurity professional, but it’s ideal for information security and information assurance practitioners who work in governance, risk and compliance (GRC) roles.

Anyone who needs to understand, apply and/or implement a risk management program for IT systems will benefit from the certification, but government employees, in particular, will find that it demonstrates the skills that are highly in demand within public sector IT.


What are the CGRC (formerly CAP) requirements?

To qualify for the (ISC)² CGRC certification, you must pass the exam (700 out of 1,000 points) and have at least two years of cumulative paid work experience in one or more of the seven domains.

A candidate who doesn’t have the required work experience to become a CGRC may become an associate of (ISC)² by successfully passing the CGRC examination. The associate of (ISC)² will then have three years to earn the two years of required experience.


CGRC (formerly CAP) exam FAQs

The (ISC)² CGRC certification is for security practitioners whose role includes advocating for security risk management while pursuing information system authorization to support an organization’s mission and operations.

  • Is the CGRC the same as the CAP certification?
    • Yes, (ISC)² changed the name of the CAP certification to Certified in Governance, Risk and Compliance (CGRC) on February 15, 2013. Per the update from (ISC)²:

      • Only the exam name is changing
      • Those studying for the CAP exam should continue studying as all exam content remains the same
      • Other requirements, such as experience, are not changing
      • Those who earned CAP certification before the name change will receive a notification to update their digital credential to CGRC
  • What is the CGRC (formerly CAP) exam outline and structure?
  • How hard is the CGRC (formerly CAP) exam?
    • The (ISC)² CGRC certification is primarily an intermediate-level certification. To become CGRC certified, individuals must have at least two years of paid work experience in at least one of the exam’s seven domains. Passing the exam requires scoring 700 out of 1,000 points.

      CGRC pass rates vary depending on an individual’s experience, study habits and test-taking strategies. Infosec’s CGRC (formerly CAP) Training Boot Camp comes with an Exam Pass Guarantee.


  • Is CGRC (formerly CAP) harder than CISSP?
    • The (ISC)² CISSP exam tests a broad range of skills required for designing, implementing and maintaining a cybersecurity program. The CGRC is a good-fit certification for those tasked with authorizing and maintaining information systems.

      While the CISSP requires broad, how-to security knowledge, the CGRC certification is specifically for security practitioners who advocate for security risk management in pursuit of information system authorization.

      For more on the CISSP, read Seven top security certifications you should have in 2022.

  • How do you take the CGRC (formerly CAP) exam?
    • Pearson VUE is the global administrator of all (ISC)² exams, and all CGRC exams must be taken in person at a Pearson Vue test center. To take your CGRC exam, create a Pearson VUE account, find a test location near you and schedule your exam.

  • How much does the CGRC (formerly CAP) exam cost?
    • The cost of the CGRC (formerly CAP) exam varies by location.

      • U.S. and all other regions not listed below, $599
      • Asia Pacific, $599
      • EMEA, EUR 555
      • United Kingdom, GBP 479
      • Middle East, $599
      • Africa, $599

      Your organization may purchase vouchers for seminars and exams in bulk, which are transferable to anyone in the organization.

      You can find the most up-to-date pricing on the (ISC)² website.

  • How do I earn CPEs and renew my CGRC (formerly CAP)?
    • The CGRC has an annual maintenance fee (AMF): A $125 fee is due upon certification and every year afterward (by the anniversary date of getting certified). If you hold more than one (ISC)² certification, only one fee is required to maintain all your (ISC)² certs.

      CGRC CPEs can be earned through (ISC)² events, unique work experience, contributions to the profession, education and/or other professional development opportunities.

      Get more information on how to earn CGRC CPE credits by downloading the (ISC)² CPE handbook.



  • How long does the CGRC (formerly CAP) certification last?

Free and self-study CGRC (formerly CAP) materials

Studying for the CGRC exam is the best way to prepare yourself to earn a passing grade. Luckily, there are tons of helpful CGRC resources. Before you start scouting out the best training resources, we recommend looking at the official CGRC/CAP exam outline since it will shed light on what topics you’ll need to study.

CGRC study guides and CGRC books

A number of study guides and books can help you prepare for the CGRC. Since only the exam name was updated in February 2023, you may need to search for books under the CAP exam name. A few of the most popular are:

The (ISC)² training website also offers an online study group, interactive flashcards and a study app. (ISC)² members receive 50% off official (ISC)² textbooks as a member benefit.

Read our CGRC study resources article for more on CGRC study books and tools.

CGRC practice exams and simulations

Practice exams are a great way to gauge your exam readiness. There are even free CGRC dumps that can be found, although it’s against (ISC)² policy to disclose the actual exam questions being used. A few of the most popular CGRC practice question options are under the former cert name, CAP:

  • CAP Exam Questions and Annotated Answers: Job Interview Prep and Possible Interview Questions, by Valintine Tata DrPH
  • (ISC)² CAP actual Exam Questions and Answers: CAP Certified Authorization Professional 245 Practice Exam Questions by Exam Boost

In addition, many CGRC training courses and content include practice questions. For example, Infosec Skills CGRC (formerly CAP) certification training includes a customizable practice exam with more than 160 questions.

Other free CGRC training resources

There are a number of other free CGRC training materials being produced and shared by the community:

  • Forums like TechExams and Reddit allow you to connect directly with others who are studying for or have already taken the CAP.
  • YouTube is another great place to connect with cybersecurity practitioners and learn about the CGRC exam. Although most CGRC courses cost money, there are numerous free videos under the old CAP exam name
  • Podcasts may not help you directly study for your CGRC exam, but those like the Cyber Work Podcast are a great way to hear about the career and training journeys of fellow IT and cybersecurity professionals.

CGRC (formerly CAP) exam FAQs

The CGRC is an ideal certification for information security practitioners who need to understand, apply and/or implement an information security system. Those who work in the public sector setting find the certification particularly advantageous because CGRC (formerly CAP) meets the U.S. Department of Defense Directive 8570.

  • What does a CGRC (formerly CAP) holder do?
    • The CGRC certification is best suited for information security or information assurance professionals who work within governance, risk and compliance (GRC) roles. CGRC position titles vary widely; searching for IT GRC roles will help you discover plenty of options. A few of the more common include:

      • IT GRC analyst
      • IT GRC manager
      • Compliance analyst
      • Risk management manager
  • Is CGRC (formerly CAP) worth it?
    • Because the CGRC certification confirms that you know how to assess risk, establish security requirements and create documentation while using a broad range of security frameworks, government agency and private sector employees find it helpful.

      For public-sector employees, it’s particularly important because it meets the U.S. Department of Defense (DoD) directive 8570.1, which requires DoD information assurance and cybersecurity personnel to obtain one of a few pre-approved certifications.

  • What is the CGRC (formerly CAP) average salary?
  • How many people have CGRC (formerly CAP)?
    • As of July 1, 2022, 4,157 professionals have acquired this certification. Of these, 4,100 are in the U.S.

  • Where can I find CGRC (formerly CAP) jobs?
    • The old name for CGRC, CAP, is often listed in job descriptions, and general job boards like IndeedMonsterGlassdoorLinkedIn and CareerBuilder all allow you to search by keywords like “CAP” for CAP jobs. As the new name takes hold, consider searching for CGRC for the new certification or just GRC for general roles covering governance, risk and compliance.

      There are also cybersecurity-specific job boards, such as ClearedJobsinfosec-jobs.com and others. Another great way to find CAP job openings is by joining local, national or government-focused cybersecurity groups — such as ISSA or Women in Cybersecurity — joining local meetups or engaging in other cybersecurity forums and websites.

      To prepare for your job interview, download our free ebook of cybersecurity interview tips, “How to stand out, get hired and advance your career.”

CGRC comparisons and alternatives

Is the CGRC the best certification for you, or would something else be a better fit? Which certification is easier? Which certification should you take first? Which one is better for your career? That all depends on you and your career goals. Check out these articles to learn more: