CGRC Certification 2026: Ultimate Guide to Governance, Risk & Compliance (Exam Cost, Domains, Salary & Career Path)

If you want a career that blends strategy, security, and real business impact, the ISC2 CGRC certification is a powerful move. CGRC—Certified in Governance, Risk and Compliance—validates that you can build and run practical GRC programs across global frameworks, from NIST RMF and ISO 27001 to sector regulations. In this ultimate guide, you’ll learn exactly what CGRC covers, how to qualify, what the exam looks like today, how to prepare smart in 6–10 weeks, and how to turn it into real career ROI.

Note: All facts and figures are current as of February 16, 2026, with links to official sources where it matters.

What Is CGRC and Why It Matters

CGRC is an ISC2 certification that proves you can design, implement, and maintain governance, risk, and compliance programs that align with both security and privacy requirements across industries and regions. It replaced the legacy CAP title when ISC2 rebranded the certification as CGRC on February 15, 2023.

What makes CGRC stand out:

  • It’s aligned to multiple frameworks and regulations (not just U.S. RMF).

  • It’s recognized by U.S. DoDM 8140.03 (DoD cyber workforce), and the program is ANAB‑accredited to ISO/IEC 17024—important signals for employers in regulated and government spaces.

  • In June 2024, ISC2 refreshed the exam and training to emphasize global relevance, terms, and frameworks, improving its fit for non‑U.S. environments too.

  • Adoption is growing: ISC2 reported CGRC surpassed 5,000 holders worldwide by January 14, 2026.

Actionable takeaway:

  • If you work (or want to work) in risk, assurance, or compliance—especially in regulated or government settings—CGRC gives you a credible, globally informed way to prove hands‑on GRC capability.

Who CGRC Is For (And Who Might Choose Another Cert)

CGRC is great for:

  • GRC analysts and managers

  • Information assurance managers

  • Security/compliance officers and program leads

  • Auditors and assessors

  • Third‑party/vendor risk analysts

  • Privacy or data protection roles that intersect with security governance

These roles map directly to what ISC2 describes on the CGRC page (including DoDM 8140.03 alignment and ISO/IEC 17024 accreditation).

When another cert might fit better:

  • If you want a broad, senior security leadership credential covering 8 deep technical/management domains, CISSP could be more appropriate.

  • If your focus is IT risk and controls design aligned to business value and governance, ISACA’s CRISC is a strong complement or alternative.

  • If your role is centered on security management leadership and governance strategy, consider ISACA’s CISM.

Actionable takeaway:

  • Look at job descriptions you want (titles and frameworks mentioned). If they emphasize RMF/ATO, ISO 27001 audits/ISMS, POA&Ms, risk registers, vendor risk, or evidence management, CGRC is likely the best immediate fit.

Eligibility and Prerequisites

To earn CGRC after passing the exam, ISC2 requires:

  • 2 years of cumulative, paid work experience in one or more of the 7 CGRC domains (details in the exam outline).

  • No experience yet? You can pass the CGRC exam first and become an Associate of ISC2. You’ll then have 3 years to accumulate the required 2 years of experience to obtain the full certification.

Endorsement and ethics:

  • After you pass, you have 9 months to submit your endorsement application. You can be endorsed by an ISC2 member or request ISC2 to endorse you (provide documentation).

  • You must agree to the ISC2 Code of Ethics; applications may be audited.

  • Some experience can be waived with certain degrees or approved certifications (see the endorsement page for current details).

Actionable takeaway:

  • If you’re early in your career, take the “Associate of ISC2” route: pass the exam first to strengthen your job hunt, then complete the 2 years while employed.

Exam Structure and What’s New (June 15, 2024 update)

Current exam facts (global):

  • 125 items

  • 3 hours

  • Multiple‑choice plus advanced item types

  • Passing scaled score: 700/1000

  • English only

  • Delivered via Pearson VUE test centers

Source: ISC2 CGRC Certification Exam Outline (effective June 15, 2024).

Domains and weights:

  • Security and Privacy Governance, Risk Management, and Compliance Program – 16%

  • Scope of the System – 10%

  • Selection and Approval of Framework, Security, and Privacy Controls – 14%

  • Implementation of Security and Privacy Controls – 17%

  • Assessment/Audit of Security and Privacy Controls – 16%

  • System Compliance – 14%

  • Compliance Maintenance – 13%

What changed in 2024:

  • ISC2 broadened the global scope of the exam and training, updated domain weights/titles, and emphasized international frameworks and regulations.

Retakes and attempts:

  • Wait periods: 30 days after the first attempt, 60 after the second, 90 after the third and beyond. Up to four attempts in a 12‑month period (fees apply each time).

Actionable takeaway:

  • Focus most of your study time on the heaviest domains (Implementation; Governance/Risk/Compliance Program; Assessment/Audit; System Compliance). Treat each as a scenario you must execute end‑to‑end.

Costs, Fees, and Budgeting Smart

Exam fee (typical, region varies):

  • U.S. exam fee: $599; reschedule $50; cancel $100 (U.S. pricing shown on ISC2 site—check your region’s currency).

Annual maintenance and CPEs:

  • AMF: $135 per year for ISC2 members (covers all your ISC2 certs)

  • CPEs: 60 over a 3‑year cycle (suggested 20 per year)

  • Associates of ISC2 pay a lower annual fee (U.S. $50) until they certify. Sources: ISC2 AMF Overview and Member Policies.

Promotions:

  • ISC2 occasionally offers “Peace of Mind” vouchers that include retake protection—always confirm current terms before purchase.

Budgeting tips:

  • Start with free/official materials (exam outline, NIST, ISO, FedRAMP docs). Add paid training if your practice results plateau.

  • Plan for exam + AMF + optional training/practice tools. Time costs matter too—protect 6–10 weeks of focused study.

Actionable takeaway:

  • Book the exam date first (6–10 weeks out). Deadlines create momentum and make it easier to say “no” to distractions.

What You’ll Be Tested On (And How to Think Like the Exam)

CGRC tests whether you can apply frameworks and drive outcomes—not just recite definitions. Expect scenario‑based items about:

  • Governance setup: charters, policies/standards, risk appetite, roles and responsibilities, metrics

  • Risk management lifecycle: identification, analysis, treatment, acceptance/escalation

  • Control selection and tailoring across frameworks (e.g., NIST SP 800‑53; ISO/IEC 27001 Annex A)

  • Implementation and evidence: procedures, configurations, change control, training and awareness, logs

  • Assessment/audit methods: sampling, interviews, artifact review, continuous monitoring

  • Authorization or attestation decisions: criteria, residual risk, POA&M tracking, risk acceptance

  • Maintenance: vulnerability and patch cadence, issue management, metrics, improvement cycles

Primary references that sharpen your judgment:

  • NIST RMF (SP 800‑37 Rev. 2) for lifecycle and authorization/ongoing monitoring flow.

  • NIST SP 800‑53 Rev. 5 for control families and baselines/tailoring (with SP 800‑53B).

  • ISO/IEC 27001:2022 high‑level ISMS approach and control linkage.

  • FedRAMP Rev 5 ATO pathways and continuous monitoring if working with U.S. federal cloud.

  • Sector rules like HIPAA Security Rule for healthcare contexts.

Actionable takeaway:

  • Practice mapping a requirement to a control to an evidence artifact. For every domain, ask: “What would I show an auditor?”

A Practical 6–10 Week CGRC Study Plan

Week 0: Book the exam, gather materials

  • Pick a test date 6–10 weeks out.

  • Download the Exam Outline and create a simple study tracker by domain.

  • Create a reference folder: NIST SP 800‑37r2, SP 800‑53r5 (and 53B), ISO/IEC 27001 overview, FedRAMP Rev 5, your sector regs.

Weeks 1–2: Foundations and artifacts

  • Read NIST SP 800‑37r2 end‑to‑end (understand each RMF step and artifacts like SSP, SAR, POA&M, continuous monitoring strategy).

  • Skim ISO/IEC 27001: scope, context, leadership, planning, operation, performance evaluation, improvement; get familiar with Annex A structure.

  • Create templates or annotated outlines for SSP, risk register, POA&M, and policy/standard.

Weeks 3–5: Controls and implementation

  • Study SP 800‑53 Rev. 5. Don’t memorize every control—learn families, common enhancements, and tailoring logic. Practice mapping requirements to controls to evidence.

  • If you’re in federal cloud, read FedRAMP Rev 5 agency authorization playbooks; learn P‑ATO vs agency ATO, continuous monitoring cadence.

  • Do 2–3 short, timed question sets per week. After each set, rewrite your weakest topic in your own words.

Weeks 6–7: Assessment, audit, and compliance

  • Build a mini “assessment plan”: scope, sampling, evidence list, interview plan, testing procedures.

  • Practice compliance workflows: change control, exception handling/acceptance, issue remediation, POA&M updates, metrics, and reporting.

  • Do a full mixed‑domain timed set; review misses by domain weight.

Week 8–9 (optional, if time permits): Final pass and exam drills

  • Revisit the heaviest domains: Implementation (17%), Governance/Risk/Compliance Program (16%), Assessment/Audit (16%), System Compliance (14%).

  • Two days before: do a half‑length timed set and stop studying early the night before.

Exam‑day prep

  • Verify Pearson VUE ID requirements and check‑in policies; confirm testing location and arrival time; know reschedule/cancel rules.

  • Plan your time: 125 questions in 180 minutes (~1.4 minutes per item). Flag time‑sinks and return later.

Actionable takeaway:

  • Keep a single “one‑page brain” sheet per domain: key steps, who’s responsible, top artifacts, key metrics, and a sample scenario.

The CGRC Exam Domains, Explained with Real‑World Scenarios

  1. Security and Privacy Governance, Risk Management, and Compliance Program (16%)

  • What it tests: Can you build and oversee a GRC program that aligns with organizational goals, risk appetite, and legal/regulatory drivers?

  • You should know: Policy hierarchy, charters, RACI, risk appetite vs tolerance, oversight bodies, KPIs/KRIs, escalation paths.

  • Scenario example: A fast‑growing fintech expands into new regions. Which program updates are needed to stay compliant? Which roles own which decisions?

  2. Scope of the System (10%)

  • What it tests: Your ability to define system boundaries, data flows, assets, and stakeholders, including privacy data classifications.

  • You should know: Asset inventories, data catalogs, privacy data mapping, trust boundaries, third‑party/system interfaces.

  • Scenario example: A SaaS app adds a new analytics microservice. What changes to data flows and system boundary documents are required?

  3. Selection and Approval of Framework, Security, and Privacy Controls (14%)

  • What it tests: Tailoring and selecting controls across frameworks (e.g., SP 800‑53 families, ISO 27001 Annex A), aligning to risk assessment results.

  • You should know: Control scoping, overlays/baselines, compensating controls, tailoring, risk treatment decisions.

  • Scenario example: A healthcare org must meet HIPAA Security Rule and ISO 27001. How do you harmonize controls and avoid duplication?

  4. Implementation of Security and Privacy Controls (17%)

  • What it tests: Operationalizing controls—procedures, technical configs, training, logging, change control, rollout plans.

  • You should know: Implementation evidence, change management, configuration standards, awareness training, roles for execution.

  • Scenario example: Rolling out MFA to all privileged admin accounts—what artifacts show correct implementation and ongoing enforcement?

  5. Assessment/Audit of Security and Privacy Controls (16%)

  • What it tests: Planning and performing assessments, sampling evidence, interviewing staff, documenting results, linking to authorization/attestation.

  • You should know: Assessment plans, test procedures, objective evidence, artifact handling, sampling strategies, reporting (SAR), issues and POA&Ms.

  • Scenario example: A cloud workload seeks ATO under NIST RMF. Which evidence is sufficient for the AO to make a risk decision?

  6. System Compliance (14%)

  • What it tests: Attaining and demonstrating compliance (authorization, attestation, certification), and integrating outcomes with business and risk management.

  • You should know: ATO/attestation mechanics, risk acceptance statements, compliance dashboards, stakeholder reporting.

  • Scenario example: Management asks whether to accept a medium risk for a critical system to meet a product launch date. What’s your process?

  7. Compliance Maintenance (13%)

  • What it tests: Continuous monitoring, vulnerability/patch cycles, periodic re‑assessments, exceptions, supplier monitoring, improvement loops.

  • You should know: ConMon plans, cadence, triggers, KPI/KRI drift, configuration drift, risk re‑evaluation.

  • Scenario example: A new zero‑day impacts your baseline. Which processes kick in? How fast do you update controls, artifacts, and dashboards?

Actionable takeaway:

  • For each domain, create one work example you could explain to a peer. If you can walk through steps, roles, artifacts, and decisions, you’re exam‑ready.

Career Outcomes and ROI

Why CGRC can boost your trajectory:

  • Market demand is real: In the 2025 ISC2 Cybersecurity Workforce Study, GRC ranked among the top technical skills needed (27% of respondents), and risk assessment at 29%—consistent with organizations maturing their governance and compliance practices.

  • Government and regulated‑industry signal: DoDM 8140.03 approval plus ISO/IEC 17024 accreditation makes CGRC easy to interpret for hiring panels in defense, healthcare, finance, and critical infrastructure.

  • Roles that commonly cite CGRC skills: GRC analyst/manager, IA manager, compliance officer, auditor/assessor, third‑party risk analyst.

Compensation snapshot (varies widely by sector, region, and experience):

  • U.S. GRC Analyst roles commonly fall from the high‑$70Ks to low‑$100Ks; senior roles scale higher with scope and compliance exposure.

Actionable takeaway:

  • In interviews, translate CGRC knowledge to measurable outcomes: audit cycles shortened, control exceptions reduced, evidence management improved, ATO/attestation timelines met, or vendor risk issues resolved faster.

Real‑World Use Cases: Turning Frameworks into Results

CGRC is not just about passing a test—it’s the toolkit for practical change. Here’s how it shows up at work:

  • Launch or level‑up a GRC program

    • Write/refresh your governance charter; align policies/standards with regulatory drivers; set KPIs/KRIs; define roles and escalation. This is core to Domain 1.

  • Select and tailor controls across frameworks

    • Harmonize SP 800‑53 with ISO 27001 Annex A to avoid redundancy; define compensating controls with clear risk justifications.

  • Ensure smooth authorizations and attestations

    • For RMF/ATO: produce an SSP, run assessments, create a SAR, and maintain a POA&M; ensure continuous monitoring is real, not just paperwork.

    • For FedRAMP: understand agency ATO vs JAB P‑ATO, Rev 5 control mappings, and ConMon obligations.

  • Maintain compliance as systems change

    • Tie change management to control impacts; update artifacts automatically where possible; track exceptions and risk acceptance; report trends and improvements to leadership.

  • Coordinate sector regulations

    • In healthcare, align HIPAA Security Rule with your ISMS and RMF practices; build data classification and privacy mapping into your scope and evidence strategy.

Actionable takeaway:

  • Build a simple “control‑to‑evidence matrix” that shows each control, its owner, the specific artifact, and review cadence. This wins hearts during audits and keeps teams aligned.
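One way to turn that takeaway, and the earlier "requirement to control to evidence artifact" mapping exercise, into a check you can actually run before an audit. This is an added example, not code from the article or from ISC2: the control IDs follow the SP 800-53 naming the article references, while the owners, artifact names, cadences and dates are constructed sample data.

```python
"""Control-to-evidence matrix with the pre-audit checks an assessor runs.

Added example (hypothetical data): each row records a control, who owns it,
the specific artifact an auditor would be shown, how often that artifact must
be refreshed, and when it was last reviewed. The checks flag unowned controls,
controls with no evidence at all, and evidence that has gone stale against
its review cadence.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple


@dataclass
class MatrixRow:
    control_id: str             # e.g. an SP 800-53 identifier such as "AC-2"
    owner: str                  # accountable person or team ("" if unassigned)
    artifact: str               # the evidence artifact shown to an auditor
    cadence_days: int           # required refresh/review interval in days
    last_reviewed: Optional[date]  # None = evidence has never been collected


# Constructed sample matrix (not real program data).
SAMPLE_MATRIX: List[MatrixRow] = [
    MatrixRow("AC-2", "IAM team", "Quarterly account recertification export", 90, date(2026, 1, 20)),
    MatrixRow("AU-6", "SOC", "Weekly log review sign-off", 7, date(2026, 1, 25)),
    MatrixRow("CM-3", "", "Change advisory board minutes", 30, date(2026, 2, 1)),
    MatrixRow("IA-2(1)", "IAM team", "MFA enforcement report for privileged accounts", 30, None),
]

# Reference date for the checks; the article's own "as of" date is used here.
AS_OF = date(2026, 2, 16)


def find_gaps(rows: List[MatrixRow], as_of: date) -> List[Tuple[str, str]]:
    """Return (control_id, finding) pairs for every gap an auditor would flag."""
    findings: List[Tuple[str, str]] = []
    for row in rows:
        if not row.owner:
            findings.append((row.control_id, "no owner assigned"))
        if not row.artifact:
            findings.append((row.control_id, "no evidence artifact named"))
        if row.last_reviewed is None:
            findings.append((row.control_id, "no evidence ever collected"))
            continue
        # Evidence is stale once the cadence window has elapsed since the last review.
        due = row.last_reviewed + timedelta(days=row.cadence_days)
        if as_of > due:
            overdue = (as_of - due).days
            findings.append(
                (row.control_id, f"evidence stale: due {due.isoformat()}, {overdue} days overdue")
            )
    return findings


def coverage_summary(rows: List[MatrixRow], as_of: date) -> dict:
    """Count how many controls are clean versus carrying at least one finding."""
    flagged = {control for control, _ in find_gaps(rows, as_of)}
    return {"controls": len(rows), "with_findings": len(flagged), "clean": len(rows) - len(flagged)}


if __name__ == "__main__":
    for control, finding in find_gaps(SAMPLE_MATRIX, AS_OF):
        print(f"{control}: {finding}")
    print(coverage_summary(SAMPLE_MATRIX, AS_OF))
```

Run it against the sample data and it reports the weekly log review as stale, the change-control row as unowned, and the MFA control as having no evidence at all; the quarterly recertification row is the only clean one. The same structure extends naturally to a CSV export of a real matrix, and the "overdue" finding is what feeds a POA&M entry or a continuous-monitoring dashboard.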

Step‑by‑Step: Your 60‑Day CGRC Action Plan

Day 1–3: Commit and collect

  • Register your exam date (6–10 weeks out).

  • Download the Exam Outline; highlight domain weights and objectives.

  • Gather primary references (SP 800‑37r2, SP 800‑53r5/53B, ISO 27001, FedRAMP Rev 5).

Week 1:

  • Read SP 800‑37r2 once through; sketch the RMF lifecycle with key artifacts.

  • Create 1‑page templates for SSP, risk register, POA&M.

Week 2:

  • Skim ISO 27001; note alignment points with your policies and controls.

  • Do 30–40 mixed practice items to baseline your timing and gaps.

Weeks 3–4:

  • Deep dive SP 800‑53r5 control families and tailoring logic.

  • Build your control‑to‑evidence matrix and populate with 10–15 controls.

Weeks 5–6:

  • Draft a short assessment/audit plan and test a sample control (interview questions, artifact list, sampling approach).

  • Do two timed sets this week; analyze misses by domain.

Week 7:

  • Revisit the top‑weight domains (1, 4, 5, 6). Summarize each with steps, roles, artifacts, metrics, and a 60‑second scenario pitch.

Week 8 (final):

  • One half‑length timed set early in the week; light review only after that.

  • Confirm Pearson VUE logistics and ID; sleep well before test day.

Post‑pass:

  • Submit endorsement within 9 months; line up an endorser or use ISC2 endorsement. Add CGRC to your resume and LinkedIn, with 3–5 bullets naming frameworks and outcomes (e.g., led ISO 27001 surveillance audit with zero major NCs).

Actionable takeaway:

  • Keep all your notes in one living doc with headings by domain. If you can teach each domain back in 3–5 minutes, you’re ready.

FAQs

How difficult is CGRC? What’s the pass rate?

  • ISC2 does not publish pass rates. Expect scenario‑based items that test application of frameworks, evidence, and judgment across the lifecycle.

Can I take CGRC without experience?

  • Yes. Pass the exam to become an Associate of ISC2; you then have 3 years to accrue 2 years of relevant experience to earn the full certification.

What are the maintenance requirements?

  • 60 CPEs over 3 years (suggested 20/year) and an annual AMF of $135 for members.

How much does it cost to take the exam?

  • U.S. exam fee is $599; reschedule $50; cancel $100 (check your regional pricing/currency).

How does CGRC compare to CISSP/CRISC/CISM?

  • CGRC focuses on GRC execution and authorizations across frameworks. CISSP is broader technical/managerial leadership. CRISC emphasizes IT risk and control; CISM focuses on security management leadership.

Conclusion

CGRC is a career‑builder if you want to turn policy into practice—governance into metrics, risk into decisions, and controls into evidence. With a globally updated exam, DoDM 8140.03 approval, and ANAB accreditation, it signals that you can run real GRC programs, not just talk about them. Book your date, follow the 60‑day plan, and focus on scenarios, artifacts, and outcomes. Then bring those wins into your next interview—and your next role.
