ISC2 CGRC Guide: Governance, Risk and Compliance Certification

ISC2 CGRC exam guide covering governance, risk, controls, and compliance decisions.

This Governance, Risk and Compliance Certification guide helps CGRC candidates focus on what the exam tests, where close answers usually split, and which review page to use next.

Use the study plan to sharpen risk, control, and incident-response decisions, the cheat sheet for last-mile review, the sample questions for decision practice, the FAQ for scope checks, the resources page for ISC2 exam references, and the glossary when control names blur together.

At a glance

| Item | Guide value |
|---|---|
| Vendor | ISC2 |
| Exam or credential | Governance, Risk and Compliance Certification |
| Code or shorthand | CGRC |
| Study level | GRC practitioner |
| IT Mastery page | CGRC exam page |
| Guide shape | Start-here page, study plan, cheat sheet, FAQ, resources, and glossary. |

Scope map

| Lane | What to master | Common weak answer |
|---|---|---|
| Governance and risk management | Align risk appetite, policies, roles, controls, and executive oversight. | Jumping to implementation before defining risk and authority. |
| Authorization and assurance | Understand control selection, assessment, evidence, remediation, authorization, and continuous monitoring. | Treating authorization as a one-time paperwork step. |
| Compliance and frameworks | Map laws, standards, control catalogs, audit needs, and reporting expectations. | Confusing framework compliance with actual risk reduction. |
| Privacy and data protection | Manage data inventory, classification, consent, retention, privacy controls, and impact. | Ignoring data lifecycle and subject rights. |
| Third-party and program management | Assess vendors, contracts, SLAs, shared controls, reporting, and ongoing monitoring. | Approving suppliers once and never monitoring performance. |

How to use this guide

  1. Start with the study plan if you need a short path through the exam scope.
  2. Use the cheat sheet before a mixed practice set and again when you want a fast control review.
  3. Check the FAQ when you are deciding whether this exam is the right IT Mastery lane.
  4. Use the resources page for official references and current exam details.
  5. Use the glossary when two services, controls, roles, or terms feel interchangeable.

Exam decision habit

CGRC answers should connect policy, risk, controls, evidence, authorization, monitoring, and accountability.

Source status

Use the current ISC2 exam page for live exam details, including name, status, pricing, duration, delivery method, languages, retirement or beta changes, and domain weights where applicable.

Revised on Sunday, May 10, 2026