ISC2 Certified in Governance Risk and Compliance

Minimum of two years cumulative work experience in one or more of the CGRC domains.

Target audience

This course is designed for professionals planning to pursue the CGRC certification.

It is particularly suitable for:

• Information systems security officers and managers
• Information assurance and security practitioners
• Executives responsible for authorisation decisions
• Auditors and inspectors performing independent reviews
• Programme and project managers managing IT systems
• IT professionals seeking to strengthen risk and compliance expertise

By the end of this course, learners will be able to:

• Identify and apply the steps within the NIST Risk Management Framework
• Align organisational risk management with NIST RMF processes
• Understand roles and responsibilities within the NIST RMF lifecycle
• Execute NIST RMF tasks across system development and operational phases
• Apply governance, risk, and compliance principles to information systems
• Support authorisation and continuous monitoring processes

Module 1: Information security risk management programme

• Understand organisational risk management principles
• Define governance structures and responsibilities
• Align NIST RMF with enterprise risk strategies
• Identify regulatory and compliance requirements

Module 2: Scope of the information system

• Define system boundaries and components
• Identify stakeholders and system requirements
• Document system characteristics and architecture
• Establish system categorisation

Module 3: Selection and approval of security and privacy controls

• Select appropriate control baselines
• Tailor controls to operational environments
• Allocate controls across systems and environments
• Develop security and privacy plans

Module 4: Implementation of security and privacy controls

• Implement selected controls within systems
• Integrate privacy requirements into implementation
• Update control documentation and monitoring strategies
• Align implementation with organisational policies

Module 5: Assessment and audit of security and privacy controls

• Develop and execute assessment plans
• Conduct control assessments and evaluations
• Produce assessment reports and findings
• Implement remediation and improvement actions

Module 6: Authorisation and approval of information systems

• Develop authorisation packages
• Conduct risk analysis and determination
• Support risk-based decision making
• Produce authorisation reports and documentation

Module 7: Continuous monitoring

• Implement ongoing monitoring strategies
• Assess system and environmental changes
• Manage ongoing risk response activities
• Maintain authorisation through continuous oversight

Hands-on learning

This course emphasises practical application through structured exercises and real-world scenarios aligned to the NIST Risk Management Framework (RMF).

• Example system exercises applying NIST RMF tasks step-by-step
• Practical activities covering all NIST RMF phases from prepare to monitor
• Scenario-based learning focused on system authorisation and compliance
• Instructor-led walkthroughs of NIST RMF implementation
• Peer discussions exploring governance and risk challenges

This approach ensures learners can apply NIST RMF principles effectively within their own organisational environments.

Exams and assessments

This course includes the official ISC2 CGRC exam voucher, a comprehensive range of assessments designed to reinforce learning and prepare learners for the CGRC certification exam.

• Official ISC2 CGRC exam aligned to seven domains of the Common Body of Knowledge
• Exam duration of three hours, taken post course
• Total of 125 multiple-choice questions
• Passing score set at 700 out of 1000

Learners will leave the course with a clear understanding of their strengths and areas for further study, ensuring a focused and effective approach to certification.

What's included

• Expert instruction delivered by an authorised official ISC2 instructor
• Official ISC2 student training guide
• Chapter quizzes to reinforce knowledge retention
• Example system exercises applying NIST RMF steps
• Peer discussions to explore key topics
• End-of-chapter quizzes with detailed explanations