CGRC (formerly CAP) exam objectives
The CAP certification was officially renamed Certified in Governance, Risk and Compliance (CGRC) on February 15, 2023. However, the seven exam domains, also known as objectives, did not change. The domains were last updated by (ISC)² August 2021.
-
Information security risk management program (16%)
Covers the basics of security risk management programs, processes and international legal requirements. Also includes the pertinent risk management frameworks, such as NIST, COBIT, ISO 27001 and ISO 31000.
-
Scope of the information system (11%)
Covers the scope, architecture and purpose of an information system. Also includes the type of information processed and transmitted and its impact level on confidentiality, integrity and availability (FIPS 199 and ISO/IEC 27002).
-
Selection and approval of security and privacy controls (15%)
Covers selecting and tailoring security and privacy controls, developing a continuous control monitoring strategy, and reviewing and approving a security plan/information security management system.
-
Implementation of security and privacy controls (16%)
Covers implementing selected controls in accordance with current industry standards (TSSIT, USGCB, NIST, STIGs, CIS, GDPR and others).
-
Assessment/audit of security and privacy controls (16%)
Covers audits, their preparation and how to move from initial assessment and auditing to executing remediation action plans, policies and final reports.
-
Authorization/approval of information system (10%)
Covers compiling security and privacy approval documents, determining system risk and treatment options, and authorizing and approving an information system.
-
Continuous monitoring (16%)
Covers determining the impact of changes to an information system, including supply chain risk analysis and cyber event response planning, revising monitoring strategies based on change and decommissioning a system.
Learn more about the CGRC domains.
Is CGRC (formerly CAP) a good certification?
The CGRC certification from (ISC)² isn’t suited for every cybersecurity professional, but it’s ideal for information security and information assurance practitioners who work in governance, risk and compliance (GRC) roles.
Anyone who needs to understand, apply and/or implement a risk management program for IT systems will benefit from the certification, but government employees, in particular, will find that it demonstrates the skills that are highly in demand within public sector IT.
Watch the video to learn how the newly named CGRC certification has changed — and where it’s headed in the future.
What are the CGRC (formerly CAP) requirements?
To qualify for the (ISC)² CGRC certification, you must pass the exam (700 out of 1,000 points) and have at least two years of cumulative paid work experience in one or more of the seven domains.
A candidate who doesn’t have the required work experience to become a CGRC may become an associate of (ISC)² by successfully passing the CGRC examination. The associate of (ISC)² will then have three years to earn the two years of required experience.
CGRC (formerly CAP) exam FAQs
The (ISC)² CGRC certification is for security practitioners whose role includes advocating for security risk management while pursuing information system authorization to support an organization’s mission and operations.
-
Is the CGRC the same as the CAP certification?
Yes, (ISC)² changed the name of the CAP certification to Certified in Governance, Risk and Compliance (CGRC) on February 15, 2013. Per the update from (ISC)²:
- Only the exam name is changing
- Those studying for the CAP exam should continue studying as all exam content remains the same
- Other requirements, such as experience, are not changing
- Those who earned CAP certification before the name change will receive a notification to update their digital credential to CGRC
-
What is the CGRC (formerly CAP) exam outline and structure?
The CGRC exam consists of 125 multiple-choice questions. Test-takers have three hours to complete the exam.
Read (ISC)² CGRC exam details and process to learn more.
-
How hard is the CGRC (formerly CAP) exam?
The (ISC)² CGRC certification is primarily an intermediate-level certification. To become CGRC certified, individuals must have at least two years of paid work experience in at least one of the exam’s seven domains. Passing the exam requires scoring 700 out of 1,000 points.
CGRC pass rates vary depending on an individual’s experience, study habits and test-taking strategies. Infosec’s CGRC (formerly CAP) Training Boot Camp comes with an Exam Pass Guarantee.
-
Is CGRC (formerly CAP) harder than CISSP?
The (ISC)² CISSP exam tests a broad range of skills required for designing, implementing and maintaining a cybersecurity program. The CGRC is a good-fit certification for those tasked with authorizing and maintaining information systems.
While the CISSP requires broad, how-to security knowledge, the CGRC certification is specifically for security practitioners who advocate for security risk management in pursuit of information system authorization.
For more on the CISSP, read Seven top security certifications you should have in 2022.
-
How do you take the CGRC (formerly CAP) exam?
Pearson VUE is the global administrator of all (ISC)² exams, and all CGRC exams must be taken in person at a Pearson Vue test center. To take your CGRC exam, create a Pearson VUE account, find a test location near you and schedule your exam.
-
How much does the CGRC (formerly CAP) exam cost?
The cost of the CGRC (formerly CAP) exam varies by location.
- U.S. and all other regions not listed below, $599
- Asia Pacific, $599
- EMEA, EUR 555
- United Kingdom, GBP 479
- Middle East, $599
- Africa, $599
Your organization may purchase vouchers for seminars and exams in bulk, which are transferable to anyone in the organization.
You can find the most up-to-date pricing on the (ISC)² website.
-
How do I earn CPEs and renew my CGRC (formerly CAP)?
The CGRC has an annual maintenance fee (AMF): A $125 fee is due upon certification and every year afterward (by the anniversary date of getting certified). If you hold more than one (ISC)² certification, only one fee is required to maintain all your (ISC)² certs.
CGRC CPEs can be earned through (ISC)² events, unique work experience, contributions to the profession, education and/or other professional development opportunities.
Get more information on how to earn CGRC CPE credits by downloading the (ISC)² CPE handbook.
-
How long does the CGRC (formerly CAP) certification last?
(ISC)² requires continuing professional education (CPE) credits over a three-year period for your CGRC certification to remain current, with a recommended 20 CPEs each year.
For more details on earning CPEs and renewal requirements, read the (ISC)² CPE handbook.
Free and self-study CGRC (formerly CAP) materials
Studying for the CGRC exam is the best way to prepare yourself to earn a passing grade. Luckily, there are tons of helpful CGRC resources. Before you start scouting out the best training resources, we recommend looking at the official CGRC/CAP exam outline since it will shed light on what topics you’ll need to study.
CGRC study guides and CGRC books
A number of study guides and books can help you prepare for the CGRC. Since only the exam name was updated in February 2023, you may need to search for books under the CAP exam name. A few of the most popular are:
- The free Ultimate Guide to the CAP from (ISC)²
- Official (ISC)² Guide to the CAP CBK, Second Edition
The (ISC)² training website also offers an online study group, interactive flashcards and a study app. (ISC)² members receive 50% off official (ISC)² textbooks as a member benefit.
Read our CGRC study resources article for more on CGRC study books and tools.
CGRC practice exams and simulations
Practice exams are a great way to gauge your exam readiness. There are even free CGRC dumps that can be found, although it’s against (ISC)² policy to disclose the actual exam questions being used. A few of the most popular CGRC practice question options are under the former cert name, CAP:
- CAP Exam Questions and Annotated Answers: Job Interview Prep and Possible Interview Questions, by Valintine Tata DrPH
- (ISC)² CAP actual Exam Questions and Answers: CAP Certified Authorization Professional 245 Practice Exam Questions by Exam Boost
In addition, many CGRC training courses and content include practice questions. For example, Infosec Skills CGRC (formerly CAP) certification training includes a customizable practice exam with more than 160 questions.
Other free CGRC training resources
There are a number of other free CGRC training materials being produced and shared by the community:
- Forums like TechExams and Reddit allow you to connect directly with others who are studying for or have already taken the CAP.
- YouTube is another great place to connect with cybersecurity practitioners and learn about the CGRC exam. Although most CGRC courses cost money, there are numerous free videos under the old CAP exam name
- Podcasts may not help you directly study for your CGRC exam, but those like the Cyber Work Podcast are a great way to hear about the career and training journeys of fellow IT and cybersecurity professionals.
CGRC (formerly CAP) exam FAQs
The CGRC is an ideal certification for information security practitioners who need to understand, apply and/or implement an information security system. Those who work in the public sector setting find the certification particularly advantageous because CGRC (formerly CAP) meets the U.S. Department of Defense Directive 8570.
-
What does a CGRC (formerly CAP) holder do?
The CGRC certification is best suited for information security or information assurance professionals who work within governance, risk and compliance (GRC) roles. CGRC position titles vary widely; searching for IT GRC roles will help you discover plenty of options. A few of the more common include:
- IT GRC analyst
- IT GRC manager
- Compliance analyst
- Risk management manager
-
Is CGRC (formerly CAP) worth it?
Because the CGRC certification confirms that you know how to assess risk, establish security requirements and create documentation while using a broad range of security frameworks, government agency and private sector employees find it helpful.
For public-sector employees, it’s particularly important because it meets the U.S. Department of Defense (DoD) directive 8570.1, which requires DoD information assurance and cybersecurity personnel to obtain one of a few pre-approved certifications.
-
What is the CGRC (formerly CAP) average salary?
The national average salary for popular CGRC jobs will naturally vary based on your experience, location and other factors.
National average salary by job role in July 2022, according to Glassdoor:
- IT GRC analyst $95,644
- IT GRC manager $109,960
- Compliance analyst $81,944
- Risk management manager $105,556
Salary.com also has a similar average salary of $112,729 for these positions. Other sources report an average CGRC (formerly CAP) salary of 124,610.
-
How many people have CGRC (formerly CAP)?
As of July 1, 2022, 4,157 professionals have acquired this certification. Of these, 4,100 are in the U.S.
-
Where can I find CGRC (formerly CAP) jobs?
The old name for CGRC, CAP, is often listed in job descriptions, and general job boards like Indeed, Monster, Glassdoor, LinkedIn and CareerBuilder all allow you to search by keywords like “CAP” for CAP jobs. As the new name takes hold, consider searching for CGRC for the new certification or just GRC for general roles covering governance, risk and compliance.
There are also cybersecurity-specific job boards, such as ClearedJobs, infosec-jobs.com and others. Another great way to find CAP job openings is by joining local, national or government-focused cybersecurity groups — such as ISSA or Women in Cybersecurity — joining local meetups or engaging in other cybersecurity forums and websites.
To prepare for your job interview, download our free ebook of cybersecurity interview tips, “How to stand out, get hired and advance your career.”
Paid CGRC (formerly CAP) training and exam prep
How long you need to study for the CGRC exam depends on your existing knowledge and experience — and your method of training.
Live CGRC boot camps
For those looking to get certified quickly, a live online or in-person CGRC boot camp may be the best option. For example, the Infosec five-day CGRC (formerly CAP) Boot Camp allows you to train for and take your CGRC exam in less than one week.
The benefits of a live boot camp include:
- Live interaction with your instructor and peers: This can be especially useful for advanced or industry-specific certifications where fellow students have real-world experience and situations to share.
- Complete training package: Most boot camps include everything you need to succeed — from live instruction to exam vouchers to books and practice exams. Infosec’s boot camp also provides extended access to related training courses and hands-on labs to keep your skills sharp after you get certified.
- Improved pass rates: Boot camp providers like Infosec stand by their training with an Exam Pass Guarantee. That means if you fail your exam on your first attempt, you’ll get a second attempt to pass — for free.
Self-paced CGRC training
For those with more time — and self-discipline — a number of training providers offer paid CGRC courses you can complete at your own pace, including companies like Infosec, Cybrary, Udemy and (ISC)².
The benefits of on-demand CAP training include:
- Train at your own pace: Train when it’s convenient for you — whether that’s 30 minutes over your lunch or a few hours on the weekend. There’s no need to set aside 40-60 hours for a week of intense, live instruction.
- Build an individual training plan: Since you’ll be training by yourself and not with a group, target your training around the domains and objectives you need to learn the most. Consider joining a study group or connecting with peers if you’d like further insights from your peers.
- Take the exam when you feel ready: With more time to study, you’ll have more time to prepare without feeling like you’ll lose the benefits of the boot camp “exam cram.”
CGRC comparisons and alternatives
Is the CGRC the best certification for you, or would something else be a better fit? Which certification is easier? Which certification should you take first? Which one is better for your career? That all depends on you and your career goals. Check out these articles to learn more:
