ISC2 CGRC℠ Governance, Risk and Compliance Certification

ISC2 CGRC (Certified in Governance, Risk and Compliance), formerly CAP (Certified Authorization Professional), is the authorization and continuous-monitoring specialty cert from ISC2. It is built around the NIST Risk Management Framework (RMF) and validates the ability to authorize information systems, select and assess security and privacy controls, and run continuous monitoring programs for federal and federal-contractor environments. The seven-domain blueprint maps directly to RMF steps, which makes CGRC the standard credential for ISSOs, A&A specialists, and FedRAMP 3PAO assessors working on FISMA, FedRAMP, or CMMC-adjacent compliance programs.

30 free questions · no credit card · cancel anytime

Exam facts

Everything you need to know about the ISC2 CGRC℠ exam.

Passing score: 700 / 1000
Format & length: 125 questions · 3 hours
Voucher cost: ~$599 USD
Prerequisites: 2 years cumulative experience in 1+ of the 7 CGRC domains (Associate of ISC2 path available)
Validity: 3 years (90 CPE hours required, plus $135 annual maintenance fee)

What’s tested

Key topics on the ISC2 CGRC℠ exam.

The Cert Climb question bank is mapped to every domain on the official ISC2 CGRC℠ exam blueprint, so what you study is what the test asks.

Who it’s for

Built for the people taking this exam.

ISSOs, authorization and accreditation specialists, federal compliance analysts, and defense-contractor GRC staff who work directly with NIST RMF, FedRAMP, or FISMA processes. Often paired with CISSP on senior federal cybersecurity resumes.

Why it matters in 2026

The career signal.

CGRC is DoD 8140-approved and one of the few certs that maps cleanly to ISSO and Authorization-track work roles. It is the standard credential for federal RMF practitioners, and FedRAMP 3PAO firms specifically recruit CGRCs to staff control-assessment engagements. With just over 5,000 holders worldwide as of 2026, the cert is still relatively scarce, which keeps cleared-contractor demand strong and salaries elevated. Anyone moving into federal compliance work (FedRAMP, FISMA, CMMC adjacent) will eventually need CGRC or equivalent.

Sample question

What an ISC2 CGRC℠ question looks like.

A statute that imposes fines on unauthorized individuals who deliberately access restricted information is an example of which of the following?

  • A. Risk avoidance
  • B. Technical control
  • C. Risk deterrence (Correct)
  • D. Physical control

Why: Risk deterrence refers to mechanisms — such as laws, penalties, or policies — designed to discourage exploitation of a vulnerability even when it is technically feasible. A law imposing fines for unauthorized data access is a classic deterrence measure. Technical controls rely on technology (e.g., encryption, firewalls) to enforce confidentiality, integrity, or availability. Risk avoidance involves withdrawing from activities that carry a given risk. Physical controls restrict or observe physical access, such as locks, guards, and surveillance cameras.


What you get

Everything you need to actually pass.

Full question bank

499 questions covering every objective on the official ISC2 CGRC℠ exam blueprint, with detailed explanations on every option — right and wrong.

Quiz modes

Timed exam simulation, missed-only review, topic drills, and a daily question of the day. Practice the way you study best.

Flashcards

Spaced-repetition flashcards generated from each topic. Pull them up on a phone in the gap between meetings.

Progress tracking

See per-topic accuracy and answered counts. Find weak areas before they cost you on test day.

Per-category premium

Unlocking ISC2 CGRC℠ unlocks every other IT & Cybersecurity exam in the Cert Climb catalog — pay once, stack credentials.

No-fluff explanations

Every wrong answer comes with a 2-3 sentence explanation of why it’s wrong, not just “the correct answer is X.” Pattern recognition is the whole game.

Read while you study

ISC2 CGRC℠ articles & study guides

FAQ

Frequently asked questions about ISC2 CGRC℠

How many questions does the ISC2 CGRC℠ bank have?

499 questions, organized into 7 subject areas mapped to the official exam objectives.

Is the free trial really free?

Yes. 30 questions, no credit card, no email-trap, no “activate by Friday or pay” spam. You either upgrade because the bank’s good, or you don’t.

What does premium cost?

Premium is sold per category and unlocks every IT & Cybersecurity exam in the Cert Climb catalog. Plans are 1-month, 3-month, or 12-month — see the upgrade modal for current pricing.

How current is the ISC2 CGRC℠ content?

We track exam version updates and refresh the bank within weeks of new objectives. Where the version of an exam matters (e.g. CompTIA SY0-701 vs. SY0-601), question explanations call it out.

Can I cancel my subscription anytime?

Yes. Cancellation is one click from your profile. Your access continues through the end of the period you’ve already paid for.

Stop researching. Start drilling.

30 free questions on ISC2 CGRC℠ — no card, no commitment.
