(ISC)² CGRC certification training

Updated June 18, 2025

Test Pass Academy has expert security instructors that have been doing the (ISC)² Certified in Governance, Risk and Compliance Certification Training since it first came out. Our security instructors are well known in the industry not only as top level instructors with rave reviews, but also as top level security professionals who pass along real world examples to the class. Our experts have a vast understanding of security and a remarkable teaching ability making it easy to PASS the CGRC Exam on the 1st attempt. Our 3 day CGRC bootcamp will provide you with a fast proven method for mastering all 7 domains. If you are looking to pass the CGRC exam, you found the right place. The CGRC certification covers the RMF (Risk Management Framework) at an extensive level. It is the only certification under the DoD8140.03 Mandate that aligns to each of the RMF steps. This 3 day bootcamp is geared for the Government, Military and Contractors seeking 8140 compliance.

Class Updated: 3 Day Fast-Trac Format:

SCHEDULE

QUESTIONS?

What will I learn in the CGRC Bootcamp?

Our bootcamp focuses on preparing students through a combination of lecture, review of the entire 7 domains, drill sessions, extensive mentoring, practice questions and answer sessions all topped off with a full practice exam. Our instructors don't just teach from a textbook, they design, write and update our curriculum. Our materials are always up to date and synchronized with the latest exam objectives. Our instructors are constantly updating our curriculum to match any change that may arise.

The CGRC Exam is a 3 hour multiple choice exam with 125 questions and a passing score of 700 needed. The CGRC Exam is computerized and can be taken at any Pearson Professional Center.

The CGRC credential is appropriate for commercial markets, civilian and local governments, and the U.S. Federal government including the State Department and the Department of Defense (DoD). See CGRC and DoD 8140.03. Job functions such as authorization officials, system owners, information owners, information system security officers, and certifiers as well as all senior system managers apply.

CGRC Class Includes:

3 Days of the Top CGRC Training in the Industry
Instruction by a High-Level Certified CGRC Expert
(ISC)² CGRC | RMF Courseware - Continually Updated
CGRC | RMF Practice Questions & Quizzes
Snacks and Beverages Provide Daily
Live Online Class Hours: 9:00 - 5:00 Central Time
Exam is not administered during class
CGRC Exam Fee INCLUDED
Free Exam Retake included

Upon completion of the (ISC)² CGRC Course, you will demonstrate competence and learn to master:

Domain 1: Security and Privacy Governance, Risk Management, and Compliance Program

1.1 - Demonstrate knowledge in security and privacy governance, risk management, and compliance program

Principles of governance, risk management, and compliance
Risk management and compliance frameworks using national and international standards and guidelines for security and privacy requirements (e.g., National Institute of Standards and Technology (NIST), cybersecurity framework, Control Objectives for Information and Related Technology (COBIT), International Organization for Standardization/International Electrotechnical Commission (ISO/IEC))
System Development Life Cycle (SDLC) (e.g., requirements gathering, design, development, testing, and operations/maintenance/disposal)
Information lifecycle for each data type processed, stored, or transmitted (e.g., retaining, disposal/destruction, data flow, marking)
Confidentiality, integrity, availability, non-repudiation, and privacy concepts
System assets and boundary descriptions
Security and privacy controls and requirements
Roles and responsibilities for compliance activities and associated frameworks

1.2 - Demonstrate knowledge in security and privacy governance, risk management and compliance program processes

Establishment of compliance program for the applicable framework

1.3 - Demonstrate knowledge of compliance frameworks, regulations, privacy, and security requirements

Familiarity with compliance frameworks (e.g., International Organization for Standardization/International Electrotechnical Commission (ISO/IEC), Federal Risk and Authorization Management Program (FedRAMP), Payment Card Industry Data Security Standard (PCI-DSS), Cybersecurity Maturity Model Certification)
Familiarity with other national and international laws and requirements for security and privacy (e.g., Federal Information Security Modernization Act (FISMA), Health Insurance Portability and Accountability Act (HIPAA), executive orders, General Data Protection Regulation (GDPR))

Domain 2: Scope of the System

2.1 - Describe the system

System name and scope documented
System purpose and functionality

2.2 - Determine security compliance required

Information types processed, stored, or transmitted
Security objectives outlined for each information type based on national and international security and privacy compliance requirements (e.g., Federal Information Processing Standards (FIPS), International Organization for Standardization/International Electrotechnical Commission (ISO/IEC), data protection impact assessment)
Risk impact level determined for system based on the selected framework

Domain 3: Selection and Approval of Framework, Security, and Privacy Controls

3.1 - Identify and document baseline and inherited controls

3.2 - Select and tailor controls

Determination of applicable baseline and/or inherited controls
Determination of appropriate control enhancements (e.g., security practices, overlays, mitigating controls)
Specific data handling/marking requirements identified
Control selection documentation
Continued compliance strategy (e.g., continuous monitoring, vulnerability management)
Control allocation and stakeholder agreement

Domain 4: Implementation of Security and Privacy Controls

4.1 - Develop implementation strategy (e.g., resourcing, funding, timeline, effectiveness)

Control implementation aligned with organizational expectations, national or international requirements, and compliance for security and privacy controls
Identification of control types (e.g., management, technical, common, operational control)
Frequency established for compliance documentation reviews and training

4.2 - Implement selected controls

Control implementation consistent with compliance requirements
Compensating or alternate security controls implemented

4.3 - Document control implementation

Residual security risk or planned implementations documented (e.g., Plan of Action and Milestones (POA&M), risk register)
Implemented controls documented consistent with the organization's purpose, scope, and risk profile (e.g., policies, procedures, plans)

Domain 5: Assessment/Audit of Security and Privacy Controls

5.1 - Prepare for assessment/audit

Stakeholder roles and responsibilities established
Objectives, scope, resources, schedule, deliverables, and logistics outlined
Assets, methods, and level of effort scoped
Evidence for demonstration of compliance audited (e.g., previous assessments/audits, system documentation, policies)
Assessment/audit plan finalized

5.2 - Conduct assessment/audit

Compliance capabilities verified using appropriate assessment methods: interview, examine, test (e.g., penetration, control, vulnerability scanning)
Evidence verified and validated

5.3 - Prepare the initial assessment/audit report

Risks identified during the assessment/audit provided
Risk mitigation summaries outlined
Preliminary findings recorded

5.4 - Review initial assessment/audit report and plan risk response actions

Risk response assigned (e.g., avoid, accept, share, mitigate, transfer) based on identified vulnerabilities or deficiencies
Risk response collaborated with stakeholders
Non-compliant findings with newly applied corrective actions reassessed and validated

5.5 - Develop final assessment/audit report

Final compliance documented (e.g., compliant, non-compliant, not applicable)
Recommendations documented when appropriate
Assessment report finalized

5.6 - Develop risk response plan

Residual risks and deficiencies identified
Risk prioritized
Required resources identified (e.g., financial, personnel, and technical) to determine time required to mitigate risk

Domain 6: System Compliance

6.1 - Review and submit security/privacy documents

Security and privacy documentation required to support a compliance decision by the appropriate party (e.g., authorizing official, third-party assessment organizations, agency) compiled, reviewed, and submitted

6.2 - Determine system risk posture

System risk acceptance criteria
Residual risk determination
Stakeholder concurrence for risk treatment options
Residual risks defined in formal documentation

6.3 - Document system compliance

Formal notification of compliance decision
Formal notification shared with stakeholders

Domain 7: Compliance Maintenance

7.1 - Perform system change management

Changes weigh the impact to organizational risk, operations, and/or compliance requirements (e.g., revisions to baselines)
Proposed changes documented and approved by authorized personnel (e.g., Change Control Board (CCB), technical review board)
Deploy to the environment (e.g., test, development, production) with rollback plan
Changes to the system tracked and compliance enforced

7.2 - Perform ongoing compliance activities based on requirements

Frequency established for ongoing compliance activities review with stakeholders
System and assets monitored (e.g., physical and logical assets, personnel, change control)
Incident response and contingency activities performed
Security updates performed and risks remediated/tracked
Evidence collected, testing performed, documentation updated (e.g., service level agreements, third party contracts, policies, procedures), and submission/communication to stakeholders when applicable
Awareness and training performed, documented, and retained (e.g., contingency, incident response, annual security and privacy)
Revising monitoring strategies based on updates to legal, regulatory, supplier, security and privacy requirements

7.3 - Engage in audits activities based on compliance requirements

Required testing and vulnerability scanning performed
Personnel interviews conducted
Documentation reviewed and updated

7.4 - Decommission system when applicable

Requirements for system decommissioning reviewed with stakeholders
System removed from operations and decommissioned
Documentation of the decommissioned system retained and shared with stakeholders

COURSE	CLASS DATES	LOCATION	PRICE	REQUEST QUOTE OR REGISTER
CGRC Certification Training	August 6 - 8, 2025	Live Online	$2,795	QUOTE / REGISTER
CGRC Certification Training	September 24 - 26, 2025	Live Online	$2,795	QUOTE / REGISTER
CGRC Certification Training	November 12 - 14, 2025	Live Online	$2,795	QUOTE / REGISTER