If you work in governance, risk and compliance and you have looked at the ISC2 CGRC, you have probably hit the same wall everyone hits. The search results are full of dump sites and training providers telling you it is the best decision of your career, and none of them will tell you who should not take it. So let us settle whether the ISC2 CGRC is worth it in 2026 with a single honest question up front: does your work touch US federal frameworks like NIST RMF and FedRAMP?
If yes, the CGRC is one of the sharpest, best targeted certifications you can hold, and it punches well above its weight in government and defence contracting. If no, there is a strong chance CRISC or CISA serves your career better, and this post will explain exactly why rather than talk you into an exam booking.
What the ISC2 CGRC Actually Is
CGRC stands for Certified in Governance, Risk and Compliance. It is the ISC2 credential for professionals who authorise and maintain information systems inside a formal risk management framework.
The important piece of history is this: CGRC was formerly known as CAP, the Certified Authorization Professional. ISC2 rebranded it, and the name change matters more than it looks. "Certified Authorization Professional" told you precisely what the certification was about, which is the authorisation of systems under the NIST Risk Management Framework. The broader "Governance, Risk and Compliance" name suggests a much wider remit than the exam actually tests.
That gap between the name and the content is the single most common reason people pick this exam and then regret it. The CGRC is not a general GRC credential. It is an RMF and system authorisation credential wearing a general GRC jacket.
Exam Tip: If you are picturing enterprise risk registers, board reporting and ISO 27001 audit work, the CGRC is not aimed at you. It is aimed at the person who builds and defends a System Security Plan and shepherds a system to an Authority to Operate.
CGRC Exam Details at a Glance
Here are the facts as ISC2 publishes them. The current exam outline has been in effect since 15 June 2024.
| Detail | Specification |
|---|---|
| Questions | 125 |
| Duration | 3 hours |
| Format | Multiple choice and advanced item types |
| Passing score | 700 out of 1000 points |
| Exam fee (Americas) | US $599 |
| Language | English |
| Delivery | Pearson VUE testing centres |
| Experience required | 2 years cumulative, paid |
| Annual Maintenance Fee | US $135 |
| CPE requirement | 60 credits over 3 years |
A few of these deserve a note.
The CGRC exam is not adaptive. Unlike the ISC2 CC exam, every CGRC candidate answers the same fixed 125 questions in three hours. That gives you roughly 1.4 minutes per question, which is comfortable for an exam of this type. Time pressure is rarely why people fail the CGRC.
The passing score is 700 out of 1000 on a scaled model. That is not a raw 70 per cent. ISC2 scales scores and evaluates your overall performance rather than requiring you to pass each domain individually, so a weak domain can be offset by strength elsewhere.
The Seven CGRC Domains and Their Weights
The exam covers seven domains. The weights are worth studying carefully because they tell you where the exam actually lives.
| # | Domain | Weight |
|---|---|---|
| 1 | Security and Privacy Governance, Risk Management, and Compliance Program | 16% |
| 2 | Scope of the System | 10% |
| 3 | Selection and Approval of Framework, Security, and Privacy Controls | 14% |
| 4 | Implementation of Security and Privacy Controls | 17% |
| 5 | Assessment/Audit of Security and Privacy Controls | 16% |
| 6 | System Compliance | 14% |
| 7 | Compliance Maintenance | 13% |
What the weights are telling you
Notice how flat this distribution is. The heaviest domain is 17 per cent and the lightest is 10 per cent. There is no dominant domain you can cram and no domain small enough to safely ignore. Skipping any single domain leaves 10 to 17 per cent of the exam unanswered, and with a 700 scaled pass mark that is not a gamble worth taking.
Notice also what the seven domains describe when you read them in order. Scope the system, select controls, implement controls, assess controls, authorise, then maintain compliance. That is the NIST Risk Management Framework lifecycle, start to finish. The exam is organised around the RMF because the RMF is the job.
Domain 4 is where candidates lose points
Implementation of Security and Privacy Controls is the heaviest domain at 17 per cent, and it is the one that punishes pure theory. Candidates who have read about controls but never had to document their implementation, justify a compensating control, or defend a residual risk acceptance tend to find these questions frustratingly ambiguous.
Domains 5 and 6, at 16 and 14 per cent, reward the same practical exposure. Between them, the three "do the work" domains account for 47 per cent of the exam.
CGRC Cost: The Real Number
The $599 exam fee is not the whole cost, so let us be complete.
- Exam fee: US $599 in the Americas.
- Annual Maintenance Fee: US $135 per year. This is a single ISC2 AMF that covers your ISC2 certifications, so if you already hold the CISSP or another ISC2 credential, adding CGRC does not add a second AMF.
- Associate AMF: If you pass the exam but do not yet have the two years of experience, you become an Associate of ISC2 and pay a reduced US $50 annual fee until you certify.
- CPEs: 60 credits over the three-year cycle, roughly 20 per year. These are a time cost rather than a cash cost if you are sensible about sourcing them.
- Study materials: Highly variable. Official ISC2 self-paced training runs into four figures. Practice questions and self-study will cost you a fraction of that.
The Associate route is genuinely useful and underused. You can sit and pass the CGRC before you have the experience, then convert to full certification once you hit two years. The $50 Associate fee is cheaper than the full AMF while you wait.
Do You Qualify? The Experience Requirement
You need two years of cumulative, paid work experience in one or more of the seven CGRC domains.
That "one or more" phrasing is more generous than most people assume. You do not need two years across all seven domains. Two years of paid work in a single domain satisfies the requirement. If you have spent two years doing control assessments, that counts on its own.
Compare this with the CISA requirement of five years of information systems auditing experience, and the CGRC starts to look like the accessible entry point into formal, framework-driven compliance work that it is.
CGRC Salary: What the Data Says
ISC2 publishes an average North America CGRC salary of $134,522.
Treat that figure with the scepticism any vendor-published salary number deserves. It is self-reported by ISC2 members, and the population holding a CGRC skews towards experienced federal contractors and government employees who would command strong salaries with or without the certification. The number reflects who takes the CGRC as much as it reflects what the CGRC does for you.
The honest framing is this. The CGRC will not add $134,000 to your salary. What it does, in the specific market where it is recognised, is get you past the screening filter on federal and defence contracting roles that explicitly list it, and give you credibility in RMF conversations you would otherwise have to earn slowly.
CGRC vs CRISC vs CISA: The Comparison That Matters
This is the decision most readers are actually making, so here it is plainly.
| CGRC | CRISC | CISA | |
|---|---|---|---|
| Body | ISC2 | ISACA | ISACA |
| Focus | System authorisation under RMF | Enterprise IT risk | IT audit and assurance |
| Strongest in | US federal, defence contracting | Private sector risk roles | Audit and assurance, all sectors |
| Experience needed | 2 years | 3 years | 5 years |
| Private-sector recognition | Modest | Strong | Strong |
The pattern is consistent. CRISC leans into risk. CISA leans into audit. CGRC leans into federal frameworks.
Take the CGRC if your work involves NIST RMF, FedRAMP, System Security Plans, control assessments or Authority to Operate packages. In government and defence contracting circles, the CGRC is well understood and specifically valued.
Take CRISC instead if you work in private-sector enterprise risk. CRISC carries considerably more name recognition with commercial hiring managers, and our CRISC deep dive covers where it fits.
Take CISA instead if your path runs through IT audit, assuming you can meet the five-year experience bar. Our CISA vs CISM comparison breaks down that side of the ISACA track.
Exam Tip: The CGRC's weakness is name recognition outside government. A private-sector hiring manager who instantly recognises CISSP and CISA may need the CGRC explained to them. That is a real cost, and no amount of enthusiasm from a training provider makes it go away.
Where CGRC Fits in the ISC2 Track
If you already hold or are considering other ISC2 credentials, here is how the CGRC sits alongside them.
- ISC2 CC is the entry point, free to sit and aimed at newcomers. It is not a prerequisite for anything, CGRC included.
- SSCP is the hands-on practitioner credential. It sits beside CGRC rather than beneath it, covering technical operations where CGRC covers authorisation.
- CISSP remains the broad, senior credential and the one with the most market recognition by a distance. If you can only hold one ISC2 certification and you are not federally focused, it is the CISSP.
- CCSP is the cloud specialism, and pairs naturally with CGRC if your authorisation work is on cloud systems under FedRAMP.
- CSSLP is the secure software development credential, and the least related to CGRC of the family.
The strongest realistic combination for a federal compliance career is CISSP plus CGRC. The CISSP gets you recognised anywhere, and the CGRC proves you can actually run an authorisation package.
How Hard Is the CGRC Exam?
The CGRC is not a memorisation exam and it is not a technically deep one either. It is a process exam.
The difficulty comes from a specific place. The questions ask what should happen next in a defined process, and the answer options are frequently all reasonable-sounding activities. The correct answer is the one that is correct at that point in the RMF lifecycle. If you do not have the sequence internalised, you will find yourself picking between four plausible options with no way to discriminate.
This is why practitioners with two years of real authorisation work often pass with modest study, while well-read candidates with no hands-on exposure struggle. The exam is testing process judgement, and process judgement is hard to acquire from a book alone.
A sensible study approach
- Learn the RMF sequence cold. Not the names of the steps, the logic of why each step precedes the next. If you can explain why control selection comes after system categorisation, you understand the spine of the exam.
- Map each domain to the lifecycle. The seven domains follow the RMF in order. Use that structure rather than fighting it.
- Weight your time by domain. Domains 1, 4 and 5 together account for 49 per cent. Give them the time they deserve without abandoning the 10 per cent Domain 2.
- Practise scenario questions relentlessly. This is the only reliable way to build the process judgement the exam actually measures.
- Read the official exam outline. It is free, it is authoritative, and it lists the tasks you are accountable for.
The Verdict: Is the ISC2 CGRC Worth It in 2026?
Yes, if you work with US federal frameworks. If NIST RMF, FedRAMP, SSPs or ATO packages are part of your working life or your intended next role, the CGRC is worth it. It is well matched to the job, the two-year experience bar is achievable, $599 is reasonable for a credential at this level, and in federal and defence contracting it is properly understood and valued.
No, if you are a general GRC professional in the private sector. The name will tempt you and the content will not serve you. CRISC gives you more recognition and more relevant coverage for enterprise risk work, and CISA does the same for audit.
Probably not, if you are new to the field. The CGRC assumes you understand what a control is, why systems get authorised, and what a compliance programme is for. Start with the ISC2 CC or Security+ and come back to this once you have the grounding.
The CGRC is a good certification with a misleading name. Judge it by what it tests, which is system authorisation under a formal framework, and the decision becomes straightforward.
Ready to Start Practising?
The CGRC rewards process judgement, and process judgement is built by working through scenarios until the RMF sequence becomes second nature. Reading the outline tells you what is on the exam. Practice questions tell you whether you can actually apply it under time pressure.
CertCrush gives you realistic, scenario-driven practice questions with detailed explanations covering why each option is right or wrong, so you learn the reasoning rather than memorising answers. Browse the full course catalogue to see what is available across the ISC2 track and beyond.
Create your free account and start practising today.
