CGRC Exam Update FAQ

On June 15, 2024, ISC2 will update the CGRC credential exam. This exam update is the result of the Job Task Analysis (JTA), which is an analysis of the knowledge, skills and abilities of the credential evaluated by ISC2 members on a triennial cycle. For more information on this process and upcoming update, please review the FAQs below.

Q: Why are changes being made to the CGRC exam?

A: ISC2 has an obligation to its membership to maintain the relevancy of its credentials. These enhancements are the result of a rigorous, methodical process that ISC2 follows to routinely update its credential exams. This process ensures that the examinations and subsequent continuing professional education requirements encompass the topic areas relevant to the roles and responsibilities of today's practicing cybersecurity professionals with the knowledge, skills and abilities to lead an organization’s information security program.

Q: How is the CGRC exam content changing?

A: The Domain 1 title changed to Security and Privacy Governance, Risk Management, and Compliance Program; the Domain 2 title changed to Scope of the System and its weight decreased from 11% to 10%; the Domain 3 title changed to Selection and Approval of Framework, Security, and Privacy Controls and its weight decreased from 15% to 14%; Domain 4, Implementation of Security and Privacy Controls, increased in weight from 16% to 17%; the Domain 6 title changed to System Compliance and its weight increased from 10% to 14%; and the Domain 7 title changed to Compliance Maintenance and its weight decreased from 16% to 13%.

More detailed differences to the tasks and subtasks can be found in the exam outline.

On June 15, 2024, the domain weights will update as follows:

| Domain | Current Domain | Current Weight | Domain as of June 15, 2024 | Weight Effective June 15, 2024 |
|---|---|---|---|---|
| Domain 1 | Information Security Risk Management Program | 16% | Security and Privacy Governance, Risk Management, and Compliance Program | 16% |
| Domain 2 | Scope of the Information System | 11% | Scope of the System | 10% |
| Domain 3 | Selection and Approval of Security and Privacy Controls | 15% | Selection and Approval of Framework, Security, and Privacy Controls | 14% |
| Domain 4 | Implementation of Security and Privacy Controls | 16% | Implementation of Security and Privacy Controls | 17% |
| Domain 5 | Assessment/Audit of Security and Privacy Controls | 16% | Assessment/Audit of Security and Privacy Controls | 16% |
| Domain 6 | Authorization/Approval of Information System | 10% | System Compliance | 14% |
| Domain 7 | Continuous Monitoring | 16% | Compliance Maintenance | 13% |
| Total | | 100% | | 100% |


Q: When will these changes go into effect?

A: The CGRC exam will be based on the updated exam outline on June 15, 2024.

Q: In what language will the refreshed CGRC exam be available?

A: The CGRC exam is available in English only.

Q: Will the number of items on the exam, or the time limit for the exam administration change?

A: The CGRC exam will continue to have 125 items, and the exam time will continue to be three hours. A passing grade remains 700 out of 1,000.

Q: If I have been studying for the CGRC exam with material that focuses on the Domains, will I be sufficiently prepared to take the new exam without additional study?

A: ISC2 exams are experiential and include experience-based questions that cannot be learned by studying alone. If you already have experience in the domains covered in CGRC and believe that you have sufficiently studied those domains, you should feel confident that you are qualified to take the new exam and pass it. ISC2 cannot guarantee you will pass the exam.

Q: When will the training course for CGRC be updated to reflect these changes?

A: The Official ISC2 CGRC training course has been updated (as of June 3, 2024) to reflect the changes to the exam outline.