Goodbye (ISC)² CAP, hello new CGRC certification

Infosec instructor and returning guest Leighton Johnson talks about the recent (ISC)² CAP certification change: the Certified Authorization Professional (CAP) is now Certified in Governance, Risk and Compliance (CGRC). Why are they changing the name of the CAP certification? Is the CAP content going to change as well? What does this mean for the future? Let’s figure this out together.

0:00 – CAP vs. CGRC certification
1:40 – What jobs require a CGRC certification?
2:50 – Why change the CAP name to CGRC?
4:17 – Is CAP exam content different from CGRC?
6:00 – Should I upgrade CAP to CGRC?
7:35 – Study tips for the CGRC exam
9:13 – Learn more about CGRC
9:53 – Outro

  • Transcript
    • [00:00:00] Chris Sienko: Today we’ve got a cap in the hack. And no, I’m not Dr. Seuss and that is not a spoonerism. Cyber Work Hack welcomes instructor Leighton Johnson to discuss the (ISC)2 certification, formerly known as the CAP or the Certified Authorization Professional, and which as of yesterday, is now the Certified in Governance, Risk and Compliance Certification or the CGRC. So what’s changed? Well, not much now, but like the weather in the Midwest, big changes could be coming sooner than you think. So do your due diligence today and join me for this Cyber Work Hack.

      [00:00:36] CS: Welcome to a new episode of Cyber Work Hacks. Purpose of the spinoff of our popular Cyber Work podcast is to take a single fundamental question and give you a quick, clear and actionable solution. Today’s guest is InfoSec instructor and returning guest, Leighton Johnson. Leighton has been on Cyber Work several times, and he was one of our first Cyber Work Hack’s guest, back before we even knew what it was going to be called, talking about the changes to the CISM certification.

      Today, we’re talking certs yet again. This time, it’s all about (ISC)2’s very recent announcement that, to quote (ISC)2’s homepage, “(ISC)2 will be changing the name of the Certified Authorization Professional certification to Certified in Government, Risk and Compliance. That’s CAP changing to CGRC.” But as the bard said, “What’s in a name?” And in this case, is there anything to this name? Is there more to the name change that will affect present and future aspirants to the GCRC and what will they need to study?” I don’t know. Let’s figure this out together. Thanks for joining me today, Leighton.

      [00:01:39] Leighton Johnson: I’m glad to be here, Chris.

      [00:01:41] CS: So anyone currently studying for the CAP should hopefully know what the CAP is for. But for listeners who are currently window shopping for their future careers, what type of jobs or careers require the CAP certification? Can you break down the work of Government, Risk and Compliance previously known as Authorization?

      [00:01:59] LJ: Okay. This particular certification is about ensuring that you know how to make sure that systems are going to be set up, working and meet their compliance requirements for the organization from a regulatory standpoint. Initially, CAP was designed around handling the risk management framework, construct that the US government utilizes for its own systems across all the federal government. They’re looking at – there are, of course, other organizations doing that nowadays and around the world, not just in the US. Given that the first (ISC)2 is international, they have to pay attention to that. Part of this is about the fact that they’re shifting it to be more and more purposeful for outside US government.

      [00:02:50] CS: Okay. The name changed to CGRC takes it out of the realm of just being specifically sort of US federal government type certification.

      [00:03:01] LJ: Right. They’re doing it in stages. Ten years ago, they updated CAP’s contents. They started including in that point some international efforts around ISO 27000, information security management system guidance that most of the European organizations utilize and started bringing in some other areas. This time, actually, what they’re doing is they are literally changing the name, leaving the rest of the material alone for right now. I would expect that next year, which is about the right cycle, they update them about every two to three years. The last time being done was in the spring of 2021. I would expect that next year when they do their update, they’ll bring in more flavors from other organizations and other activities around ensuring that the governance guidance, the performance guidance, as well as the risk guidance is a little bit more generic than being particularly focused on just 837 risk management framework guidance, which is what it’s been since it came out.

      [00:04:18] CS: Got it. Apart from the change of name, nothing’s really changing with the cert this year specifically, but it did change in 2021, right?

      [00:04:26] LJ: I mean, they’re changing it next week. It’s February 15th when it goes into effect. They really haven’t changed anything. They’d left the domain structures. They’d left the weights the same. They left the information relatively the same. They’re expanding it out a little bit as they go along, given that there are obviously more than just six or seven steps like there is in the risk management framework that you have to deal with governance and risk management.
      As part of this effort, they’re leaving it as it is right now. So people who are studying for the CAP, you don’t have to worry, it’s the same material, that type of thing. They actually just sent me a new book, I literally got it yesterday. It’s the same material, because I had the old one beforehand, because I’ve had the CAP since it came out and that type of thing, because that’s my background.

      As part of that, they’re still staying, they’re still working through these efforts. I mean, it was last changed in August 2021, so I would expect that 2023, late 2023, early 2024, the (ISC)2 cycle will kick in, and they’ll start going back, and talking to subject matter experts and updating it based on job task analysis like they typically do.

      [00:06:00] CS: Now, if you’re currently CAP certified, and recently CAP certified, will you need to upgrade your cert specifically for CGRC anytime soon?

      [00:06:11] LJ: They’re going to do it for you. They’re doing everything for you. Literally, come the 15th of February, we’ll be able to download the new certificate that shows that we have this new one, it will go into the records and get automatically updated, those types of things. It won’t take any of the differences involved in this. And so, they’re doing all that for you. So anybody who already has one, (ISC)2 will let you know what you need to do, which is literally probably just sign in and download the new certificate.

      [00:06:47] CS: Okay. Now, but speaking to that, when the new changes do come, and I know I’m speaking in the future here. Will you have to simply re up the way you do now, where your certification period expires, and then you’ll be studying GCRC, but you’re not going to have to do like a catchup thing between then and when you need to recertify?

      [00:07:09] LJ: No, they won’t do any catchup in this one. They’re going to leave it all pretty much the same. As part of these efforts, you still got to have your two years minimum experience in one or more of the seven areas and all that kinds of stuff. But, and you know, all the rest of it for redoing and renewing your certification will all stay the same as it normally does.

      [00:07:34] CS: Great. Finally, do you have any study or strategy tips for anyone in the governance, risk and compliance sector who’s considering working towards the CGRC or is maybe studying right now?

      [00:07:48] LJ: Understand compliance and the legal scenario, sitting behind compliance for where you work for yourself, and then understand what they’re talking about when they start talking about compliance from an enterprise perspective. Because they are two different pictures, honestly. I’ve worked in this field for over 20 years, since the GRC term came into existence after Sarbanes Oxley came out in 2002. I will tell you, what you see written down, what they tell you it is, is different than what the viewpoint is for governance, risk and compliance when you’re working it. So understand there are two different views. One is probably a superset of the other, so always pay attention to making sure you cover all the areas around risk, cover all the areas around security controls that monitor and manage your risk, and do risk responses. If you have a security background, that helps, but that’s not required. Okay? You can do it doing compliance, you can do it doing auditing, you can do it doing various if you’re in risk management. All of those areas count. All of those areas work with this as part of those efforts.

      [00:09:13] CS: Awesome. If our listeners want to check out the CGRC and its requirements in more detail, where should they look online?

      [00:09:21] LJ: Go to isc2.org, number one. There’s a banner across the top that says certifications and then you just pull it down. Before next Wednesday, you can see the one that says CAP. After next Wednesday, it will say CGRC. It tells you then all the requirements you have to do about meeting the two-year mechanism, so you can take it and all that kind of stuff as far as that goes. So from that point forward, you’ll be fine.

      [00:09:53] CS: I have amazing news for you, Leighton. We’re in future right now and the CAP change over happened yesterday. So everybody can go check it out right now. Leighton Johnson, thank you as always for walking me through this –

      [00:10:06] LJ: Okay. Oh, yeah. Right. The change happened yesterday, I got it.

      [00:10:08] CS: Yeah, absolutely. Man, the future is now.

      [00:10:10] LJ: Yes, indeed.

      [00:10:11] CS: All right. Thank you again for your time and thanks to everyone who’s watching this episode. If this video helped you out, please share it with colleagues on forums or on your social media accounts and definitely subscribe to our podcast feed and YouTube page. Just type in Cyber Work in any of them and you’re on your way. I got plenty more of these hacks to come, so if you have any topics that you want us to cover, drop them in the comments. And until then, we’ll see you next time. Take care.

      [00:10:35] CS: Hey, if you’re worried about choosing the right cybersecurity career, click here to see the 12 most in-demand cybersecurity roles. I asked experts working in the field how to get hired and how to do the work of the security roles so you can choose your study with confidence. I’ll see you there.

Free cybersecurity training resources!

Infosec recently developed 12 role-guided training plans — all backed by research into skills requested by employers and a panel of cybersecurity subject matter experts. Cyber Work listeners can get all 12 for free — plus free training courses and other resources.

Weekly career advice

Learn how to break into cybersecurity, build new skills and move up the career ladder. Each week on the Cyber Work Podcast, host Chris Sienko sits down with thought leaders from Booz Allen Hamilton, CompTIA, Google, IBM, Veracode and others to discuss the latest cybersecurity workforce trends.

Q&As with industry pros

Have a question about your cybersecurity career? Join our special Cyber Work Live episodes for a Q&A with industry leaders. Get your career questions answered, connect with other industry professionals and take your career to the next level.

Level up your skills

Hack your way to success with career tips from cybersecurity experts. Get concise, actionable advice in each episode — from acing your first certification exam to building a world-class enterprise cybersecurity culture.