The OCEG Frameworks
The foundation of the OCEG certification program is the GRC Capability Model, commonly known as the Red Book. This standard details the practices required to achieve what OCEG calls "Principled Performance"—the ability to reliably achieve objectives while addressing uncertainty and acting with integrity.
The Red Book divides GRC into four components: Learn, Align, Perform, and Review. Candidates must understand how to establish governance structures, evaluate risk appetite, and execute compliance monitoring across these four areas.
A companion document, the GRC Assessment Model or Burgundy Book, outlines how to audit these capabilities. Together, these two texts form the core of the OCEG exam syllabus.
Core Certifications
OCEG offers specific credentials based on its published standards. The two primary exams available for professionals are the GRCP (GRC Professional) and the GRCA (GRC Auditor).
The GRCP (GRC Professional) validates your ability to design and implement a GRC program. It tests your knowledge of the Red Book's four components. The exam consists of 100 multiple-choice and scenario-based questions. Candidates have 120 minutes to complete it, and a passing score requires 70 correct answers.
The GRCA (GRC Auditor) targets professionals who provide assurance over GRC activities. It tests the procedures documented in the Burgundy Book alongside general audit concepts. You must understand how to plan assessments, evaluate control design, and report findings to leadership. Like the GRCP, the GRCA exam gives you 120 minutes to answer 100 questions, with a 70 percent passing threshold.
The Open-Book Exam Experience
OCEG administers its exams online in an open-book format. Candidates can reference the official models and search the internet during the test.
This format changes the preparation strategy. Memorizing definitions provides limited value when you can look them up. Instead, the exams test applied reasoning. Scenario-based questions present realistic organizational challenges, such as a regulatory shift affecting compliance scope or a control failure requiring root cause analysis. You must select the best governance or risk response based on the OCEG framework.
Preparation time varies widely with prior experience. Professionals already working in IT audit or compliance often report spending two to ten hours reviewing the specific OCEG models before testing. Those transitioning from purely technical roles require more time to absorb the business-focused terminology.
Market Position
Technical certifications prove you can configure a firewall or manage a cloud environment. OCEG certifications prove you understand why those technical controls exist from a legal and business perspective.
Employers value this perspective in senior roles. Chief Information Security Officers, IT Audit Managers, and Risk Analysts use GRC frameworks to align IT operations with corporate strategy. Holding a GRCP or GRCA credential signals to hiring managers that you can bridge the gap between technical execution and board-level risk management.
OCEG requires eight hours of continuing education annually to maintain active certification status. For IT professionals moving into management, these credentials provide the exact vocabulary needed to justify technical expenditures to business leaders.