Certified in Governance, Risk and Compliance (CGRC) (formerly CAP)

The ISC2 Certified in Governance, Risk and Compliance credential — formerly known as the Certified Authorization Professional (CAP) — validates your understanding and skills within the field of GRC. It confirms that you know how to assess risk, establish security requirements and create documentation using a broad range of security frameworks. It is ideal for U.S. government officials who manage information system security for the Department of Defense (DoD), and it meets the requirements of DoD Directive 8570. Private-sector individuals who manage risk will also find the credential valuable because it shows a firm grasp of aligning business objectives with risk management and regulatory compliance.

Get your free Cybersecurity development playbook to learn more about how the certification may fit into various cybersecurity careers.

CGRC (formerly CAP) exam objectives

The CAP certification was officially renamed Certified in Governance, Risk and Compliance (CGRC) on February 15, 2023. However, the seven exam domains, also known as objectives, did not change. The domains were last updated by ISC2 in August 2021.

Learn more about the CGRC domains.

Is CGRC (formerly CAP) a good certification?

The CGRC certification from ISC2 isn’t suited for every cybersecurity professional, but it’s ideal for information security and information assurance practitioners who work in governance, risk and compliance (GRC) roles.

Anyone who needs to understand, apply and/or implement a risk management program for IT systems will benefit from the certification, but government employees, in particular, will find that it demonstrates the skills that are highly in demand within public sector IT.

Watch the video to learn how the newly named CGRC certification has changed — and where it's headed in the future.


What are the CGRC (formerly CAP) requirements?

To qualify for the ISC2 CGRC certification, you must pass the exam (700 out of 1,000 points) and have at least two years of cumulative paid work experience in one or more of the seven domains.

A candidate who doesn’t have the required work experience to become a CGRC may become an associate of ISC2 by successfully passing the CGRC examination. The associate of ISC2 will then have three years to earn the two years of required experience.


CGRC (formerly CAP) exam FAQs

The ISC2 CGRC certification is for security practitioners whose role includes advocating for security risk management while pursuing information system authorization to support an organization’s mission and operations.

Is the CGRC the same as the CAP certification?

Yes, ISC2 changed the name of the CAP certification to Certified in Governance, Risk and Compliance (CGRC) on February 15, 2023. Per the update from ISC2:

  • Only the exam name is changing
  • Those studying for the CAP exam should continue studying as all exam content remains the same
  • Other requirements, such as experience, are not changing
  • Those who earned CAP certification before the name change will receive a notification to update their digital credential to CGRC

What is the CGRC (formerly CAP) exam outline and structure?

The CGRC exam consists of 125 multiple-choice questions. Test-takers have three hours to complete the exam.

Read ISC2 CGRC exam details and process to learn more.

How hard is the CGRC (formerly CAP) exam?

The ISC2 CGRC certification is primarily an intermediate-level certification. To become CGRC certified, individuals must have at least two years of paid work experience in at least one of the exam’s seven domains. Passing the exam requires scoring 700 out of 1,000 points.

CGRC pass rates vary depending on an individual’s experience, study habits and test-taking strategies. Infosec’s CGRC (formerly CAP) Training Boot Camp comes with an Exam Pass Guarantee.

Is CGRC (formerly CAP) harder than CISSP?

The ISC2 CISSP exam tests a broad range of skills required for designing, implementing and maintaining a cybersecurity program. The CGRC is a good-fit certification for those tasked with authorizing and maintaining information systems.

While the CISSP requires broad, how-to security knowledge, the CGRC certification is specifically for security practitioners who advocate for security risk management in pursuit of information system authorization.

For more on the CISSP, read Seven top security certifications you should have in 2023.

How do you take the CGRC (formerly CAP) exam?

Pearson VUE is the global administrator of all ISC2 exams, and all CGRC exams must be taken in person at a Pearson VUE test center. To take your CGRC exam, create a Pearson VUE account, find a test location near you and schedule your exam.

How much does the CGRC (formerly CAP) exam cost?

The cost of the CGRC (formerly CAP) exam varies by location.

  • U.S. and all other regions not listed below, $599
  • Asia Pacific, $599
  • EMEA, EUR 555
  • United Kingdom, GBP 479
  • Middle East, $599
  • Africa, $599

Your organization may purchase vouchers for seminars and exams in bulk, which are transferable to anyone in the organization.

You can find the most up-to-date pricing on the ISC2 website.

How do I earn CPEs and renew my CGRC (formerly CAP)?

The CGRC has an annual maintenance fee (AMF): A $125 fee is due upon certification and every year afterward (by the anniversary date of getting certified). If you hold more than one ISC2 certification, only one fee is required to maintain all your ISC2 certs.

CGRC CPEs can be earned through ISC2 events, unique work experience, contributions to the profession, education and/or other professional development opportunities.

Get more information on how to earn CGRC CPE credits by downloading the ISC2 CPE handbook.
How long does the CGRC (formerly CAP) certification last?

ISC2 requires continuing professional education (CPE) credits over a three-year period for your CGRC certification to remain current, with a recommended 20 CPEs each year.

For more details on earning CPEs and renewal requirements, read the ISC2 CPE handbook.


Free and self-study CGRC (formerly CAP) materials

Studying for the CGRC exam is the best way to prepare yourself to earn a passing grade. Luckily, there are tons of helpful CGRC resources. Before you start scouting out the best training resources, we recommend looking at the official CGRC/CAP exam outline since it will shed light on what topics you’ll need to study.

CGRC study guides and CGRC books

A number of study guides and books can help you prepare for the CGRC. Since only the exam name was updated in February 2023, you may need to search for books under the CAP exam name. A few of the most popular are:

The ISC2 training website also offers an online study group, interactive flashcards and a study app. ISC2 members receive 50% off official ISC2 textbooks as a member benefit.

Read our CGRC study resources article for more on CGRC study books and tools.

CGRC practice exams and simulations

Practice exams are a great way to gauge your exam readiness. There are even free CGRC dumps that can be found, although it’s against ISC2 policy to disclose the actual exam questions being used. A few of the most popular CGRC practice question options are under the former cert name, CAP:

  • CAP Exam Questions and Annotated Answers: Job Interview Prep and Possible Interview Questions, by Valintine Tata DrPH
  • ISC2 CAP Actual Exam Questions and Answers: CAP Certified Authorization Professional 245 Practice Exam Questions by Exam Boost

In addition, many CGRC training courses and content include practice questions. For example, Infosec Skills CGRC (formerly CAP) certification training includes a customizable practice exam with more than 160 questions.

Other free CGRC training resources

There are a number of other free CGRC training materials being produced and shared by the community:

  • Forums like TechExams and Reddit allow you to connect directly with others who are studying for or have already taken the CAP.
  • YouTube is another great place to connect with cybersecurity practitioners and learn about the CGRC exam. Although most CGRC courses cost money, there are numerous free videos under the old CAP exam name.
  • Podcasts may not help you directly study for your CGRC exam, but those like the Cyber Work Podcast are a great way to hear about the career and training journeys of fellow IT and cybersecurity professionals.

CGRC (formerly CAP) exam FAQs

The CGRC is an ideal certification for information security practitioners who need to understand, apply and/or implement an information security system. Those who work in the public sector setting find the certification particularly advantageous because CGRC (formerly CAP) meets the U.S. Department of Defense Directive 8570.

What does a CGRC (formerly CAP) holder do?

The CGRC certification is best suited for information security or information assurance professionals who work within governance, risk and compliance (GRC) roles. CGRC position titles vary widely; searching for IT GRC roles will help you discover plenty of options. A few of the more common include:

  • IT GRC analyst
  • IT GRC manager
  • Compliance analyst
  • Risk management manager

Is CGRC (formerly CAP) worth it?

Because the CGRC certification confirms that you know how to assess risk, establish security requirements and create documentation while using a broad range of security frameworks, government agency and private sector employees find it helpful.

For public-sector employees, it’s particularly important because it meets the U.S. Department of Defense (DoD) directive 8570.1, which requires DoD information assurance and cybersecurity personnel to obtain one of a few pre-approved certifications.

What is the CGRC (formerly CAP) average salary?

The national average salary for popular CGRC jobs will naturally vary based on your experience, location and other factors.

National average salary by job role in July 2022, according to Glassdoor:

Salary.com also reports a similar average salary of $112,729 for these positions. Other sources report an average CGRC (formerly CAP) salary of $124,610.

How many people have CGRC (formerly CAP)?

As of July 1, 2022, 4,157 professionals have acquired this certification. Of these, 4,100 are in the U.S.

Where can I find CGRC (formerly CAP) jobs?

The old name for CGRC, CAP, is often listed in job descriptions, and general job boards like Indeed, Monster, Glassdoor, LinkedIn and CareerBuilder all allow you to search by keywords like “CAP” for CAP jobs. As the new name takes hold, consider searching for CGRC for the new certification or just GRC for general roles covering governance, risk and compliance.

There are also cybersecurity-specific job boards, such as ClearedJobs, infosec-jobs.com and others. Another great way to find CAP job openings is by joining local, national or government-focused cybersecurity groups — such as ISSA or Women in Cybersecurity — joining local meetups or engaging in other cybersecurity forums and websites.

To prepare for your job interview, download our free ebook of cybersecurity interview tips, “How to stand out, get hired and advance your career.”

Paid CGRC (formerly CAP) training and exam prep

How long you need to study for the CGRC exam depends on your existing knowledge and experience — and your method of training.

Live CGRC boot camps

For those looking to get certified quickly, a live online or in-person CGRC boot camp may be the best option. For example, the Infosec five-day CGRC (formerly CAP) Boot Camp allows you to train for and take your CGRC exam in less than one week.

The benefits of a live boot camp include:

  • Live interaction with your instructor and peers: This can be especially useful for advanced or industry-specific certifications where fellow students have real-world experience and situations to share.
  • Complete training package: Most boot camps include everything you need to succeed — from live instruction to exam vouchers to books and practice exams. Infosec’s boot camp also provides extended access to related training courses and hands-on labs to keep your skills sharp after you get certified.
  • Improved pass rates: Boot camp providers like Infosec stand by their training with an Exam Pass Guarantee. That means if you fail your exam on your first attempt, you’ll get a second attempt to pass — for free.

Self-paced CGRC training

For those with more time — and self-discipline — a number of training providers offer paid CGRC courses you can complete at your own pace, including Infosec.

The benefits of on-demand CAP training include:

  • Train at your own pace: Train when it’s convenient for you — whether that’s 30 minutes over your lunch or a few hours on the weekend. There’s no need to set aside 40-60 hours for a week of intense, live instruction.
  • Build an individual training plan: Since you’ll be training by yourself and not with a group, target your training around the domains and objectives you need to learn the most. Consider joining a study group or connecting with peers if you’d like further insights beyond the course material.
  • Take the exam when you feel ready: With more time to study, you’ll have more time to prepare without feeling like you’ll lose the benefits of the boot camp “exam cram.”

CGRC comparisons and alternatives

Is the CGRC the best certification for you, or would something else be a better fit? Which certification is easier? Which certification should you take first? Which one is better for your career? That all depends on you and your career goals. Check out these articles to learn more: