About This Course:

The Certified in Governance, Risk and Compliance (CGRC) course, offered by (ISC)², is designed for professionals who manage and authorize information systems within a risk management framework. Formerly known as the Certified Authorization Professional (CAP), CGRC focuses on applying the NIST Risk Management Framework (RMF) to ensure the confidentiality, integrity, and availability of information systems.

Course Objectives:

• Purpose and importance of a risk management program

• Roles and responsibilities

• Risk tolerance and appetite

• Integrating security and risk management into system development lifecycle

• Regulatory and legal requirements

• Security categorization of information systems

• System boundaries and environment of operation

• Types of information processed, stored, or transmitted

• Impact levels (Confidentiality, Integrity, Availability)

• Baseline control selection (NIST SP 800-53)

• Tailoring and documenting controls

• Risk-based decision-making

• System-specific, common, and hybrid controls

• Implementing technical, administrative, and physical controls

• Configuration and deployment

• Documentation and evidence of control implementation

• Tools and technologies used in control implementation

• Assessment planning and preparation

• Conducting assessments (manual, automated, hybrid)

• Documenting assessment results

• Risk analysis and impact determination

• Risk determination and acceptance

• Developing the authorization package

• Communicating risks to authorizing officials

• Authorization decision and documentation

• Ongoing assessment of security and privacy controls

• Configuration management and change control

• Incident response and reporting

• Updates to risk management documentation

• Metrics and reporting for continuous improvement

Audience:

• Information Security Officers

• Risk and Compliance Managers

• IT Security Auditors

• Security Control Assessors

Prerequisites:

• At least two years of cumulative, paid work experience in one or more of the seven domains of the CGRC Common Body of Knowledge (CBK).

• A solid understanding of security and privacy frameworks such as NIST RMF, FISMA, and related compliance requirements is highly recommended.

• Candidates who do not yet meet the experience requirement can still take the exam and become an (ISC)² Associate, gaining full certification once they meet the work experience requirement.