ISC2 Certified in Governance, Risk and Compliance (CGRC) Cert Prep
3h 16mIntermediate2026-03-13
Authors

Infosec Institute
Course details
The ISC2 Certified in Governance, Risk, and Compliance (CGRC) certification vets the skills of an information security practitioner who champions security risk management to secure the necessary information system authorization. This authorization is crucial for supporting an organization's operations and mission while ensuring strict adherence to all legal and regulatory requirements. A CGRC professional acts as a key advocate, bridging security practice with organizational and legal necessities. In this course, learn how to prepare for topics covered in the core domains of the exam: Security and Privacy Governance, Risk Management, and Compliance Program; Scope of the System; Selection, Approval, and Implementation of Controls; Assessment/Audit of Controls; and System Compliance. This CGRC is an ideal fit for IT, information security, and information assurance practitioners currently working in or aspiring to land a GRC role.
Learning objectives
Evaluate and apply the governance, risk management, and compliance (GRC) program structure across an enterprise, including the establishment of security and privacy policies and procedures.
Determine and scope the authorization boundary and system categorization to accurately define the security and privacy requirements for an information system.
Select and implement the appropriate security and privacy controls from established frameworks (for example, NIST RMF/CSF) and document their implementation details.
Perform or interpret assessments/audits of implemented security and privacy controls to determine their effectiveness and compliance with regulatory mandates, organizational policies, and the system's security plan.
Develop and execute strategies for system compliance and compliance maintenance throughout the system's lifecycle, including continuous monitoring, authorization, and managing control changes and updates.
Learning objectives
Evaluate and apply the governance, risk management, and compliance (GRC) program structure across an enterprise, including the establishment of security and privacy policies and procedures.
Determine and scope the authorization boundary and system categorization to accurately define the security and privacy requirements for an information system.
Select and implement the appropriate security and privacy controls from established frameworks (for example, NIST RMF/CSF) and document their implementation details.
Perform or interpret assessments/audits of implemented security and privacy controls to determine their effectiveness and compliance with regulatory mandates, organizational policies, and the system's security plan.
Develop and execute strategies for system compliance and compliance maintenance throughout the system's lifecycle, including continuous monitoring, authorization, and managing control changes and updates.
Concepts
Certified Governance Risk Management and Compliance Overview
- Course overview
Security and Privacy Governance, Risk Management, and Compliance Program
- Security and privacy governance, risk management, and compliance program introduction
- Principles of information security
- Risk
- Risk response
- Security authorization process
- NIST risk management framework
- CGRC government documentation
Scope of the System
- Prepare phase overview
- Organization-level tasks - P-1 to P-3
- Organization-level tasks - P-4 to P-7
- Organization-level tasks review
- System-level tasks
- System-level tasks - P-8 to P-9
- System-level tasks P-10 to P-11
- Review the seven system-level data governance roles
- System-level tasks - P-12 to P-13
- System-level tasks - P-14 to P-17
- System-level task - P-18
- Review prepare tasks at system level
Categorization of a System
- Phase 1 - Categorize overview
- Security categorization organization and guidance
- Security categorization process
- Define and categorize a system
- National security systems (NSS)
- Security categorization review and approval
- RMF to SDLC mapping
Selection of Security and Privacy Controls
- Phase 2 - Select overview
- Select phase guiding documentation
- Baseline selection approach vs organization-generated selection approach
- Control tailoring
- Control allocation
- Control documentation and continuous monitoring
- Security and privacy plan approval process
- Select phase document review
Implementation of Security and Privacy Controls
- Implementation guides and other resources
- Unofficial POA&M
- Implementation phase review
- Phase 3 - Implement overview
- Control implementation, responsibility, and compliance
Assessment and Audit of Security and Privacy Controls
- Phase 4 - Assess overview
- Assessor selection
- Develop, review, and approve assessment plans
- Control assessment
- SDLC phases to RMF steps mapping
- SAR and PAR report preparation
- Remediation options
- POA&M preparation
- Assessment phase review
System Compliance and Authorization
- Phase 5 - Authorization overview
- Authorization package assembly
- Risk analysis and risk response
- Authorization decision types
- Authorization decisions drills
- Authorization reporting
- Phase 5 - Authorization review
Compliance Maintenance
- Phase 6 - Monitor overview
- Monitor and assess controls
- Ongoing assessments and risk response
- Authorization package updates and security and privacy reporting
- Ongoing authorization and system disposal
- Monitor review
CGRC Layout and Testing
- CGRC layout and testing, certification process, exam and study prep, and post-exam
Related courses
- SSCP Cert Prep: The Basics
- SSCP Cert Prep: 2 Access Controls
- ISC2 Certified in Cybersecurity (CC) Cert Prep
- ISC2 Certified Cloud Security Professional (CCSP) Cert Prep
- ISC2 Systems Security Certified Practitioner (SSCP) (2024) Cert Prep
- ISC2 Information Systems Security Engineering Professional (ISSEP) Cert Prep by Infosec
- CSSLP Cert Prep: 7 Software Deployment, Operations, and Maintenance
- CSSLP Cert Prep: 1 Secure Software Concepts
Related learn paths
- Prepare for the ISC2 Information Systems Security Professional (CISSP) Certification Exam (2021)
- Prepare for the ISC2 Certified Cloud Security Professional (CCSP) Certification Exam (2022)
- Prepare for the ISC2 Certified Secure Software Lifecycle Professional (CSSLP) Certification
- Prepare for the ISC2 Systems Security Certified Practitioner (SSCP) Exam
- Prepare for the AWS Certified Cloud Practitioner (CLF-C01) Certification Exam