CGRC Exam Update FAQ
On June 15, 2024, ISC2 will update the CGRC credential exam. This exam update is the result of the Job Task Analysis (JTA), which is an analysis of the knowledge, skills and abilities of the credential evaluated by ISC2 members on a triennial cycle. , For more information on this process and upcoming update, please review the FAQs below.
Q: Why are changes being made to the CGRC exam?
A: ISC2 has an obligation to its membership to maintain the relevancy of its credentials. These enhancements are the result of a rigorous, methodical process that ISC2 follows to routinely update its credential exams. This process ensures that the examinations and subsequent continuing professional education requirements encompass the topic areas relevant to the roles and responsibilities of today's practicing cybersecurity professionals with the knowledge, skills and abilities to lead an organization’s information security program.
Q: How is the CGRC exam content changing?
A: Domain 1 title changed to Security and Privacy Governance, Risk Management, and Compliance Program, Domain 2 title changed to Scope of the System and has decreased in weight from 11% to 10%, Domain 3 title changed to Selection and Approval of Framework, Security, and Privacy Controls and has decreased in weight from 15% to 14%, Domain 4 Implementation of Security and Privacy Controls has increased in weight from 16% to 17%, Domain 6 title changed to System Compliance and has increased in weight from 10% to 14%, and Domain 7 title changed to Compliance Maintenance and decreased in weight from 16% to 13%.
More detailed differences to the tasks and subtasks can be found in the exam outline.
On June 15, 2024 the domain weights will update as follows:
| Current Domain | Current Weight | Domain as of June 15, 2024 | Weight Effective June 15, 2024 |
|---|---|---|---|
| DOMAIN 1 | |||
| Information Security Risk Management Program | 16% | Security and Privacy Governance, Risk Management, and Compliance Program | 16% |
| DOMAIN 2 | |||
| Scope of the Information System | 11% | Scope of the System | 10% |
| DOMAIN 3 | |||
| Selection and Approval of Security and Privacy Controls | 15% | Selection and Approval of Framework, Security, and Privacy Controls | 14% |
| DOMAIN 4 | |||
| Implementation of Security and Privacy Controls | 16% | Implementation of Security and Privacy Controls | 17% |
| DOMAIN 5 | |||
| Assessment/Audit of Security and Privacy Controls | 16% | Assessment/Audit of Security and Privacy Controls | 16% |
| DOMAIN 6 | |||
| Authorization/Approval of Information System | 10% | System Compliance | 14% |
| DOMAIN 7 | |||
| Continuous Monitoring | 16% | Compliance Maintenance | 13% |
| Total | 100% | 100% | |
Q: When will these changes go into effect?
A: The CGRC exam will be based on the updated exam outline on June 15, 2024.
Q: In what language will the refreshed CGRC exam be available?
A: The CGRC exam is available in English only.
Q: Will the number of items on the exam, or the time limit for the exam administration change?
A: The CGRC exam will continue to have 125 items, and the exam time will continue to be three hours. A passing grade remains 700 out of 1,000.
Q: If I have been studying for the CGRC exam with material that focuses on the Domains, will I be sufficiently prepared to take the new exam without additional study?
A: ISC2 exams are experiential and include experience-based questions that cannot be learned by studying alone. If you already have experience in the domains covered in CGRC and believe that you have sufficiently studied those domains, you should feel confident that you are qualified to take the new exam and pass it. ISC2 cannot guarantee you will pass the exam.
Q: When will the training course for CGRC be updated to reflect these changes?
A: The Official ISC2 CGRC training course has been updated (as of June 3, 2024) to reflect the changes to the exam outline.