Program Highlights
The CGRC (Certified in Governance, Risk, and Compliance) Training Course, formerly known as the Certified Authorization Professional (CAP), offered by InfosecTrain, is designed to build your expertise in security and privacy governance, risk management, and regulatory compliance. This updated program provides the tools and knowledge to align security and privacy practices with organizational goals and to support informed decision-making in areas such as data security, compliance management, and supply chain risk mitigation.
- 40-Hour LIVE Instructor-led Training
- Career-oriented Skill-based Course
- Immersive Learning
- Highly Interactive and Dynamic Sessions
- Learn with Real-world Scenarios
- Industry Experts with 18+ Years of Experience
- Career Guidance and Mentorship
- Extended Post Training Support
- Access Recorded Sessions
Learning Schedule
10 Feb - 10 Mar | Online | Weekday | 20:30 - 22:30 IST | BATCH OPEN
Why Choose Our Corporate Training Solution
- Upskill your team on the latest tech
- Highly customized solutions
- Free Training Needs Analysis
- Skill-specific training delivery
- Secure your organization inside-out
Why Choose 1-on-1 Training
- Get personalized attention
- Customized content
- Learn at your dedicated hour
- Instant clarification of doubt
- Guaranteed to run
InfosecTrain’s CGRC: Certified in Governance, Risk, and Compliance Training Course is a comprehensive program designed to enhance your expertise in aligning security and privacy with organizational goals through effective governance, risk management, and compliance practices. The updated course content delves into critical areas, including defining system boundaries, selecting appropriate frameworks and controls, implementing security and privacy measures, auditing and assessing their effectiveness, and ensuring ongoing compliance.
This course equips participants with practical skills and theoretical knowledge to address real-world challenges in governance, risk management, and regulatory compliance. By mastering these principles, you’ll be empowered to make informed decisions, safeguard sensitive data, and establish a robust compliance framework within your organization, making this training a key milestone in your professional journey.
CGRC Exam Domains
| Old CGRC Domains | New CGRC Domains |
| --- | --- |
| Domain 1: Information Security Risk Management Program (16%) | Domain 1: Security and Privacy Governance, Risk Management, and Compliance Program (16%) |
| Domain 2: Scope of the Information System (11%) | Domain 2: Scope of the System (10%) |
| Domain 3: Selection and Approval of Security and Privacy Controls (15%) | Domain 3: Selection and Approval of Framework, Security, and Privacy Controls (14%) |
| Domain 4: Implementation of Security and Privacy Controls (16%) | Domain 4: Implementation of Security and Privacy Controls (17%) |
| Domain 5: Assessment/Audit of Security and Privacy Controls (16%) | Domain 5: Assessment/Audit of Security and Privacy Controls (16%) |
| Domain 6: Authorization/Approval of Information Systems (10%) | Domain 6: System Compliance (14%) |
| Domain 7: Continuous Monitoring (16%) | Domain 7: Compliance Maintenance (13%) |
- Domain 1: Security and Privacy Governance, Risk Management, and Compliance Program (16%)
  - 1.1 – Demonstrate knowledge in security and privacy governance, risk management, and compliance program
    - Principles of governance, risk management, and compliance
    - Risk management and compliance frameworks using national and international standards and guidelines for security and privacy requirements (e.g., National Institute of Standards and Technology (NIST), Cybersecurity Framework, Control Objectives for Information and Related Technology (COBIT), International Organization for Standardization/International Electrotechnical Commission (ISO/IEC))
    - System Development Life Cycle (SDLC) (e.g., requirements gathering, design, development, testing, and operations/maintenance/disposal)
    - Information lifecycle for each data type processed, stored, or transmitted (e.g., retention, disposal/destruction, data flow, marking)
    - Confidentiality, integrity, availability, non-repudiation, and privacy concepts
    - System assets and boundary descriptions
    - Security and privacy controls and requirements
    - Roles and responsibilities for compliance activities and associated frameworks
  - 1.2 – Demonstrate knowledge in security and privacy governance, risk management, and compliance program processes
    - Establishment of a compliance program for the applicable framework
  - 1.3 – Demonstrate knowledge of compliance frameworks, regulations, privacy, and security requirements
    - Familiarity with compliance frameworks (e.g., International Organization for Standardization/International Electrotechnical Commission (ISO/IEC), Federal Risk and Authorization Management Program (FedRAMP), Payment Card Industry Data Security Standard (PCI DSS), Cybersecurity Maturity Model Certification (CMMC))
    - Familiarity with other national and international laws and requirements for security and privacy (e.g., Federal Information Security Modernization Act (FISMA), Health Insurance Portability and Accountability Act (HIPAA), executive orders, General Data Protection Regulation (GDPR))
- Domain 2: Scope of the System (10%)
  - 2.1 – Describe the system
    - System name and scope documented
    - System purpose and functionality
  - 2.2 – Determine security compliance required
    - Information types processed, stored, or transmitted
    - Security objectives outlined for each information type based on national and international security and privacy compliance requirements (e.g., Federal Information Processing Standards (FIPS), International Organization for Standardization/International Electrotechnical Commission (ISO/IEC), data protection impact assessment)
    - Risk impact level determined for the system based on the selected framework
- Domain 3: Selection and Approval of Framework, Security, and Privacy Controls (14%)
  - 3.1 – Identify and document baseline and inherited controls
  - 3.2 – Select and tailor controls
    - Determination of applicable baseline and/or inherited controls
    - Determination of appropriate control enhancements (e.g., security practices, overlays, mitigating controls)
    - Specific data handling/marking requirements identified
    - Control selection documentation
    - Continued compliance strategy (e.g., continuous monitoring, vulnerability management)
    - Control allocation and stakeholder agreement
- Domain 4: Implementation of Security and Privacy Controls (17%)
  - 4.1 – Develop implementation strategy (e.g., resourcing, funding, timeline, effectiveness)
    - Control implementation aligned with organizational expectations, national or international requirements, and compliance for security and privacy controls
    - Identification of control types (e.g., management, technical, common, operational control)
    - Frequency established for compliance documentation reviews and training
  - 4.2 – Implement selected controls
    - Control implementation consistent with compliance requirements
    - Compensating or alternate security controls implemented
  - 4.3 – Document control implementation
    - Residual security risk or planned implementations documented (e.g., Plan of Action and Milestones (POA&M), risk register)
    - Implemented controls documented consistent with the organization’s purpose, scope, and risk profile (e.g., policies, procedures, plans)
- Domain 5: Assessment/Audit of Security and Privacy Controls (16%)
  - 5.1 – Prepare for assessment/audit
    - Stakeholder roles and responsibilities established
    - Objectives, scope, resources, schedule, deliverables, and logistics outlined
    - Assets, methods, and level of effort scoped
    - Evidence for demonstration of compliance audited (e.g., previous assessments/audits, system documentation, policies)
    - Assessment/audit plan finalized
  - 5.2 – Conduct assessment/audit
    - Compliance capabilities verified using appropriate assessment methods: interview, examine, test (e.g., penetration, control, vulnerability scanning)
    - Evidence verified and validated
  - 5.3 – Prepare the initial assessment/audit report
    - Risks identified during the assessment/audit provided
    - Risk mitigation summaries outlined
    - Preliminary findings recorded
  - 5.4 – Review initial assessment/audit report and plan risk response actions
    - Risk response assigned (e.g., avoid, accept, share, mitigate, transfer) based on identified vulnerabilities or deficiencies
    - Risk response coordinated with stakeholders
    - Non-compliant findings with newly applied corrective actions reassessed and validated
  - 5.5 – Develop final assessment/audit report
    - Final compliance documented (e.g., compliant, non-compliant, not applicable)
    - Recommendations documented when appropriate
    - Assessment report finalized
  - 5.6 – Develop risk response plan
    - Residual risks and deficiencies identified
    - Risks prioritized
    - Required resources identified (e.g., financial, personnel, and technical) to determine the time required to mitigate risk
- Domain 6: System Compliance (14%)
  - 6.1 – Review and submit security/privacy documents
    - Security and privacy documentation required to support a compliance decision by the appropriate party (e.g., authorizing official, third-party assessment organizations, agency) compiled, reviewed, and submitted
  - 6.2 – Determine system risk posture
    - System risk acceptance criteria
    - Residual risk determination
    - Stakeholder concurrence for risk treatment options
    - Residual risks defined in formal documentation
  - 6.3 – Document system compliance
    - Formal notification of compliance decision
    - Formal notification shared with stakeholders
- Domain 7: Compliance Maintenance (13%)
  - 7.1 – Perform system change management
    - Changes weighed for their impact on organizational risk, operations, and/or compliance requirements (e.g., revisions to baselines)
    - Proposed changes documented and approved by authorized personnel (e.g., Change Control Board (CCB), technical review board)
    - Deployed to the environment (e.g., test, development, production) with a rollback plan
    - Changes to the system tracked and compliance enforced
  - 7.2 – Perform ongoing compliance activities based on requirements
    - Frequency established for ongoing compliance activities review with stakeholders
    - System and assets monitored (e.g., physical and logical assets, personnel, change control)
    - Incident response and contingency activities performed
    - Security updates performed and risks remediated/tracked
    - Evidence collected, testing performed, documentation updated (e.g., service level agreements, third-party contracts, policies, procedures), and submission/communication to stakeholders when applicable
    - Awareness and training performed, documented, and retained (e.g., contingency, incident response, annual security, and privacy)
    - Monitoring strategies revised based on updates to legal, regulatory, supplier, security, and privacy requirements
  - 7.3 – Engage in audit activities based on compliance requirements
    - Required testing and vulnerability scanning performed
    - Personnel interviews conducted
    - Documentation reviewed and updated
  - 7.4 – Decommission system when applicable
    - Requirements for system decommissioning reviewed with stakeholders
    - System removed from operations and decommissioned
    - Documentation of the decommissioned system retained and shared with stakeholders
Target Audience
- Cybersecurity Auditors
- Cybersecurity Compliance Officers
- GRC Architects
- GRC Managers
- Cybersecurity Risk and Compliance Project Managers
- Cybersecurity Risk and Controls Analysts
- Cybersecurity Third-Party Risk Managers
- Enterprise Risk Managers
- GRC Analysts
- GRC Directors
- Information Assurance Managers
Prerequisites
- Minimum Requirement: Two years of full-time experience in one or more domains of the CGRC exam outline.
- Alternative Experience: Part-time work and internships can contribute to the experience requirement.
- Associate Path: Without the required experience, pass the CGRC exam to become an Associate of (ISC)².
- Timeframe for Associates: Associates must gain two years of experience within three years.
Note:
- CGRC® is a registered mark of The International Information Systems Security Certification Consortium (ISC)².
- We are not an authorized training partner of (ISC)².
Exam Information
| Exam Detail | Value |
| --- | --- |
| Exam Format | Multiple-choice |
| Number of Questions | 125 |
| Exam Duration | 180 minutes |
| Passing Score | 700 out of 1000 |
| Exam Language | English |
| Testing Center | Pearson VUE Testing Center |
You will be able to:
- Grasp the principles of security and privacy governance, risk management, and compliance to align organizational objectives with regulatory standards.
- Identify and establish clear system boundaries and objectives to meet organizational and regulatory requirements.
- Analyze, select, and gain approval for appropriate security and privacy frameworks and controls tailored to mitigate organizational risks.
- Apply practical skills to implement and integrate effective security and privacy controls within organizational operations.
- Develop the expertise to evaluate and audit the effectiveness of implemented security and privacy controls to ensure compliance and operational integrity.
Words Have Power
The training was awesome. Helped me clear my concepts and also reduced my preparation time to 1/3rd. Thank you, trainer, for all your dedication to bring your gladiators to pace.
I loved the training. Coming for more soon. The trainer is easily reachable and helpful. I loved the staggered payment option given.
I must say the admin team is excellent and punctual. The trainers are actually the nerve of the team and know how to engage with the students across all the topics.
Thoroughly enjoyed the course and the continuous support from the entire team.
It was a good experience. Looking forward to career growth with InfosecTrain. Thank you.
Really interesting courses are delivered by really knowledgeable instructors. Worth the fees.
Frequently Asked Questions
What is the CGRC certification, and how is it different from CAP?
CGRC (Certified in Governance, Risk, and Compliance) is the updated version of the Certified Authorization Professional (CAP). It focuses on security and privacy governance, risk management, and compliance practices, aligning with modern organizational needs.
Who is the target audience for the CGRC certification?
The target audience for the CGRC certification includes:
- Cybersecurity Auditor
- Cybersecurity Compliance Officer
- GRC Architect
- GRC Manager
- Cybersecurity Risk & Compliance Project Manager
- Cybersecurity Risk & Controls Analyst
- Cybersecurity Third-party Risk Manager
- Enterprise Risk Manager
- GRC Analyst
- GRC Director
- Information Assurance Manager
What are the prerequisites for enrolling in the CGRC training course?
The prerequisites for enrolling in the CGRC training course are:
- Minimum Requirement: Two years of full-time experience in one or more domains of the CGRC exam outline.
- Alternative Experience: Part-time work and internships can contribute to the experience requirement.
- Associate Path: Without the required experience, pass the CGRC exam to become an Associate of ISC2.
- Timeframe for Associates: Associates must gain two years of experience within three years.
What are the domains covered in the latest CGRC course?
The latest course includes the following domains:
- Domain 1: Security and Privacy Governance, Risk Management, and Compliance Program (16%)
- Domain 2: Scope of the System (10%)
- Domain 3: Selection and Approval of Framework, Security, and Privacy Controls (14%)
- Domain 4: Implementation of Security and Privacy Controls (17%)
- Domain 5: Assessment/Audit of Security and Privacy Controls (16%)
- Domain 6: System Compliance (14%)
- Domain 7: Compliance Maintenance (13%)
Is the CGRC certification program accredited or recognized by industry associations or organizations?
The CGRC certification program is recognized and follows standards such as ANAB accreditation and ISO/IEC 17024.
Are there any exams or assessments associated with the CGRC certification program?
The CGRC exam is a 180-minute test with 125 multiple-choice questions. The passing score is 700 out of 1000 points, and the exam is conducted in English at Pearson VUE Testing Centers.
What is the pass score for the CGRC certification exam?
The passing score is 700 out of 1000 points.
Can I access course materials and resources after completing the CGRC certification program?
Yes, you can access course materials and resources after completing the CGRC certification training.
Is there a renewal or recertification process for the CGRC certification, and how often is it required?
The CGRC certification is valid for three years. Holders must comply with Continuing Professional Education (CPE) policies and pay a yearly maintenance fee. The renewal process involves satisfying the CGRC (formerly CAP) CPE requirement and paying the annual maintenance fee (AMF), which is $125 for members and $50 for associates.
How can I contact the course administrators or instructors for further questions or assistance?
For further questions or assistance regarding the CGRC certification program, you can contact the service and support team of InfosecTrain.