
CGRC Prerequisites and Experience Requirements 2026

TL;DR
  • CGRC requires two years of paid, full-time work experience in at least one of its seven exam domains.
  • Candidates without qualifying experience can earn an Associate of (ISC)² designation while building credentials.
  • Experience must be endorsed by a current (ISC)² member in good standing before certification is granted.
  • Domain 4 (Implementation of Security and Privacy Controls, 17%) carries the highest exam weight; prioritize it.

What Is the CGRC Certification?

The Certified in Governance, Risk, and Compliance (CGRC) credential, formerly the CAP (Certified Authorization Professional), is an (ISC)² certification for professionals who work within structured risk management frameworks, particularly those tied to federal information systems and the NIST Risk Management Framework (RMF). It validates your ability to authorize information systems, manage compliance programs, and implement security and privacy controls across a system's entire lifecycle.

Unlike general security certifications that test broad awareness, the CGRC is deliberately narrow in its focus. It is built for people who live inside governance workflows: writing system security plans, conducting control assessments, and shepherding systems through authorization processes. If your day-to-day work involves RMF, FedRAMP, FISMA, or similar compliance regimes, this certification was written with your job in mind.

Before you register for the exam or start working through CGRC practice tests, you need to confirm that you meet the experience requirements. This article walks through every prerequisite in detail so you can assess your eligibility and plan your path forward.

Why Prerequisites Matter Here: The CGRC is not an entry-level credential. (ISC)² designed it to certify practitioners who already operate inside governance and compliance environments, not candidates who are learning what an authorization boundary is for the first time.

Formal Prerequisites: Education and Experience

The Core Experience Requirement

To earn the full CGRC certification, candidates must demonstrate two years of cumulative, paid, full-time work experience in one or more of the seven CGRC domains. Part-time work counts on a prorated basis, and (ISC)² accepts internships, paid or unpaid, when documented on the organization's letterhead. Ordinary volunteer work and other unpaid positions generally do not qualify.

The two-year threshold is a minimum floor, not a target. In practice, most candidates applying for roles that require or prefer the CGRC bring considerably more experience in governance and compliance functions. The certification is typically a credential of confirmation, verifying expertise that already exists, rather than a launching pad into a new field.

Which Domains Count?

Your experience must be directly tied to one or more of the official CGRC exam domains. These are:

  • Domain 1: Security and Privacy Governance, Risk Management, and Compliance Program (16%)
  • Domain 2: Scope of the System (10%)
  • Domain 3: Selection and Approval of Framework, Security, and Privacy Controls (14%)
  • Domain 4: Implementation of Security and Privacy Controls (17%)
  • Domain 5: Assessment/Audit of Security and Privacy Controls (16%)
  • Domain 6: System Compliance (14%)
  • Domain 7: Compliance Maintenance (13%)

Experience in all seven domains is not required; you only need qualifying experience in at least one. However, the exam tests all seven, so gaps in your professional background will become gaps on the exam unless you close them through study. Reviewing the CGRC Exam Format: Question Types and Time Limits will help you understand exactly how each domain is tested and weighted.

Education Waivers

(ISC)² does not offer a formal education-for-experience substitution for the CGRC the way some certifications allow a degree to replace experience years. A relevant bachelor's or master's degree in information security, computer science, or a related field demonstrates academic foundation, but it does not reduce the two-year work experience requirement. Your job history is what counts.

No Experience Yet? The Associate Path

If you pass the CGRC exam but have not yet accumulated two years of qualifying experience, (ISC)² allows you to hold the Associate of (ISC)² designation while you build your credentials. As an Associate working toward the CGRC, you have three years from your exam pass date to earn the required experience and apply for full certification (the window differs by certification; the six-year window often quoted applies to the CISSP, not the CGRC).

This path is particularly useful for professionals who are transitioning from adjacent roles-IT auditing, general IT administration, or policy analysis-into dedicated governance and compliance functions. Passing the exam while you accumulate domain-specific experience means you arrive at full certification having already validated your technical knowledge.

Key Takeaway

If you are one year into a GRC analyst role and ready to study, taking the exam now and holding the Associate designation is a legitimate strategy. You lock in exam credit while continuing to accumulate qualifying experience in domains like System Compliance and Compliance Maintenance.

How Prerequisites Map to the Seven Exam Domains

Understanding which domains your current or past job titles most directly align with helps you write a stronger experience application and identify where your study efforts need to be most concentrated.

Domain 1: Security and Privacy Governance, Risk Management, and Compliance Program (16%)

Roles that qualify: GRC analyst, compliance manager, risk manager, information security officer. This domain covers the organizational frameworks, policies, and governance structures that sit above any single system.

  • Understanding how risk tolerance is defined at the organizational level
  • Familiarity with NIST SP 800-37 and the RMF lifecycle
  • Experience developing or maintaining a security compliance program

Domain 4: Implementation of Security and Privacy Controls (17%)

The highest-weighted domain on the exam. Roles that qualify: system security engineer, security control implementer, cloud security architect. Candidates must understand how controls from NIST SP 800-53 are actually deployed in real systems, not just selected on paper.

  • Configuring technical controls such as access management and audit logging
  • Documenting control implementation in a System Security Plan (SSP)
  • Addressing privacy control requirements alongside security controls

Domain 5: Assessment/Audit of Security and Privacy Controls (16%)

Roles that qualify: IT auditor, security assessor, third-party assessment organization (3PAO) analyst. This domain covers the mechanics of control testing-how assessors verify that implemented controls work as documented.

  • Developing Security Assessment Plans (SAPs)
  • Executing interviews, examination, and testing procedures
  • Writing findings into a Security Assessment Report (SAR)

Domains 2, 3, 6, and 7 cover system scoping, control selection, formal authorization decisions, and ongoing compliance monitoring respectively. Experience in any one of these areas is sufficient to meet the domain requirement, but your exam preparation needs to be comprehensive across all seven regardless of your professional background.

Who Hires CGRC-Certified Professionals?

The CGRC has a distinctly federal and federal-adjacent employment market. The credential is particularly valued by employers who must comply with FISMA, operate under the DoD implementation of the RMF, or deliver cloud services under FedRAMP. Common hiring organizations include:

  • Federal agencies such as the Department of Homeland Security and the Department of Defense, along with civilian cabinet agencies with substantial IT infrastructure
  • Defense contractors and system integrators supporting government IT programs where CGRC or CAP experience is often listed as a required or preferred qualification in contracts
  • Cloud service providers (CSPs) pursuing FedRAMP authorization, where dedicated GRC staff are needed to maintain continuous monitoring and compliance documentation
  • Healthcare organizations navigating HIPAA Security Rule requirements alongside NIST-aligned frameworks
  • State and local government agencies increasingly adopting NIST RMF as a governance structure

Job Title Alignment: The most common job titles held by CGRC candidates and certified professionals include Information System Security Officer (ISSO), Authorizing Official (AO) designee, GRC Analyst, Compliance Program Manager, and Security Control Assessor. If your title matches or is adjacent to one of these, your experience is almost certainly qualifying.

If you are evaluating whether your current role builds toward CGRC eligibility, the practical test is whether your work directly touches the RMF steps: Prepare, Categorize, Select, Implement, Assess, Authorize, and Monitor. Time spent in any of these steps maps to one or more of the seven domains.

The Application and Endorsement Process

Submitting Your Application

After passing the CGRC exam, candidates submit an online application through the (ISC)² candidate portal. The application asks you to describe your work experience in each domain where you are claiming credit. Be specific: list project names, system names, and the frameworks you worked within. A vague description like "assisted with compliance activities" is far weaker than "served as ISSO for a general support system (GSS) undergoing FISMA annual assessment using NIST SP 800-53A Rev. 5 assessment procedures."

The Endorsement Requirement

Your application must be endorsed by an active (ISC)² member in good standing. The endorser is attesting that your claimed experience is accurate and legitimate. They do not need to have been your direct supervisor, but they should have firsthand knowledge of your professional work. If you do not know a current (ISC)² member, (ISC)² can serve as the endorser of last resort, though this adds processing time.

After Submission

Once endorsed and approved, you enter the certification maintenance cycle. CGRC holders must earn Continuing Professional Education (CPE) credits and pay an Annual Maintenance Fee (AMF) to keep the certification active. The ongoing CPE commitment is itself a professional activity that keeps certified practitioners current with the evolving governance landscape; domains like Compliance Maintenance (Domain 7) reflect content that genuinely changes as frameworks are updated.

Documenting Your Experience Effectively

Many candidates underestimate how important the quality of experience documentation is. Here is how to approach it methodically:

  1. Map each job role to specific domains. Go through your resume and for each position, identify which CGRC domains your responsibilities touched. Be explicit about which RMF steps you participated in and in what capacity.
  2. Use framework-specific language. References to NIST SP 800-37, NIST SP 800-53, FedRAMP, FISMA, and CNSS standards signal to reviewers that your experience is domain-authentic.
  3. Quantify scope where possible. Describing the number of systems you supported, the classification level, or the size of the organization adds credibility without requiring you to disclose sensitive information.
  4. Get your endorser aligned. Talk to your endorser before you submit. Make sure they are comfortable with the scope and characterization of your experience as described in the application.

The documentation process is also excellent preparation for the exam itself. Articulating what you actually did in each domain forces you to think about which knowledge areas you know deeply versus those you have touched only superficially. Those gaps are exactly what to focus on in your CGRC exam practice before test day.

Domain-Aligned Study Schedule

For candidates who have met the experience requirements and are preparing to sit for the exam, a domain-weighted study plan reflects the actual exam blueprint rather than a generic weekly template. The schedule below assumes roughly eight weeks of preparation time and weights study hours to mirror domain exam weight.

Week 1

Domain 1: Governance, Risk, and Compliance Program (16%)

  • Review organizational risk management structures and the RMF Prepare step
  • Study the relationship between system-level risk and enterprise risk appetite
  • Practice scenario questions involving compliance program design decisions

Week 2

Domain 2 + Domain 3: Scope and Control Selection (10% + 14%)

  • Work through system boundary definition scenarios including interconnections and inheritance
  • Study control selection logic: baseline selection, tailoring, and overlay application
  • Practice questions on privacy control selection alongside security controls

Weeks 3-4

Domain 4: Implementation of Security and Privacy Controls (17%) - Highest Priority

  • Deep study of NIST SP 800-53 control families and implementation guidance
  • SSP documentation requirements and inherited versus system-specific controls
  • Privacy control implementation requirements under NIST SP 800-53 Rev. 5

Week 5

Domain 5: Assessment/Audit of Security and Privacy Controls (16%)

  • SAP structure, test method selection, and assessor independence requirements
  • SAR writing conventions and findings classification
  • Practice with scenario questions involving assessor judgment calls

Weeks 6-7

Domains 6 + 7: System Compliance and Compliance Maintenance (14% + 13%)

  • Authorization decision types and Authorizing Official responsibilities
  • Continuous monitoring strategies, automated tools, and reporting cadences
  • Plan of Action and Milestones (POA&M) management over a system's operational life

Week 8

Full Review and Practice Exam Block

  • Complete timed full-length practice exams to simulate exam conditions
  • Target Domain 4 and Domain 1 for final review given their combined 33% weight
  • Review any domains where practice test accuracy is below your target threshold

For a detailed breakdown of how the exam itself is structured and how questions are written, see the CGRC Exam Format: Question Types and Time Limits article, which covers the question style, scenario-based item format, and pacing considerations.

Domain Summary: Exam Weight, Typical Qualifying Roles, and Core Study Focus

Domain 1: Governance, Risk, and Compliance Program (16%)
  • Typical qualifying roles: GRC Analyst, Risk Manager, CISO staff
  • Core study focus: RMF Prepare step, organizational risk frameworks

Domain 2: Scope of the System (10%)
  • Typical qualifying roles: ISSO, System Owner staff
  • Core study focus: System boundaries, authorization boundaries, data flows

Domain 3: Control Selection and Approval (14%)
  • Typical qualifying roles: Security architect, compliance analyst
  • Core study focus: NIST SP 800-53 baselines, tailoring, overlays

Domain 4: Implementation of Controls (17%)
  • Typical qualifying roles: ISSO, security engineer, SSP author
  • Core study focus: Control families, SSP documentation, privacy controls

Domain 5: Assessment/Audit (16%)
  • Typical qualifying roles: IT auditor, 3PAO analyst, security assessor
  • Core study focus: SAP/SAR development, test methods, findings

Domain 6: System Compliance (14%)
  • Typical qualifying roles: AO designee, compliance manager
  • Core study focus: Authorization decisions, risk acceptance, ATO packages

Domain 7: Compliance Maintenance (13%)
  • Typical qualifying roles: Continuous monitoring analyst, ISSO
  • Core study focus: ConMon programs, POA&M management, reauthorization triggers

Reviewing the Full Requirements: This article covers the prerequisites and experience requirements comprehensively, but the official (ISC)² CGRC candidate information bulletin is the authoritative source. Always verify current requirements, including the Associate time limit and endorsement deadline, directly with (ISC)² before submitting an application, as administrative details can change between certification cycles.

Frequently Asked Questions

Can I count contract or freelance work toward the two-year experience requirement?

Yes, contract and freelance work can qualify as long as it was compensated and the work directly involved one or more of the seven CGRC domains. You will need to document the nature of the work, the contracting organization, and your specific responsibilities. Your endorser will need to be able to attest to this experience, so choose an endorser who has visibility into your contract history.

Do I need experience in all seven domains, or just one?

The requirement is experience in at least one domain. However, the exam tests all seven domains, so having experience concentrated in only one area means you will need to compensate through study for the domains you have not worked in professionally. Candidates with broader hands-on experience across multiple domains typically find the exam more manageable because they can draw on real-world context for scenario-based questions.

What if I pass the exam but my endorser is slow to respond?

You have nine months from the date you pass the exam to submit an endorsed application. If your endorser is unresponsive and the deadline is approaching, you can request that (ISC)² act as your endorser. This is a built-in fallback specifically for situations where candidates cannot secure timely endorsement from a member. Processing time is longer when (ISC)² serves as endorser, so do not wait until the last minute.

Is military cybersecurity experience relevant for CGRC?

Absolutely. Military experience in cybersecurity roles-particularly those involving the DoD RMF, system authorization, eMASS management, or control assessments on DoD information systems-is directly relevant to multiple CGRC domains. Many military and veteran cybersecurity professionals find that their service experience maps cleanly onto Domains 1, 4, 5, and 6. Document the nature of your work carefully; classified system context can be described at a general level without compromising security.

How do I know if my experience is strong enough before applying?

Review the domain descriptions in the official CGRC exam outline and compare them honestly with your job history. If you can describe specific tasks, deliverables, and decisions you made that align with the domain content-particularly around NIST RMF steps, control documentation, or compliance program operation-your experience is likely qualifying. Working through CGRC practice exam questions is also a useful diagnostic: if domain-specific scenario questions feel grounded and familiar rather than abstract, your experience is translating into exam readiness.

Ready to Start Practicing?

Now that you understand the CGRC prerequisites and how your experience maps to the seven exam domains, the next step is to test your knowledge. Our practice questions are built around the actual domain structure, covering Governance, Control Implementation, Assessment, and Compliance Maintenance in the same scenario-based format you will face on exam day.
