200+ Free CGRC Practice Questions
Pass your ISC2 CGRC Certified in Governance, Risk and Compliance exam on the first try — instant access, no signup required.
About the CGRC Exam
The ISC2 Certified in Governance, Risk and Compliance (CGRC, formerly CAP) certification validates expertise in the NIST Risk Management Framework (RMF) and related governance, risk, and compliance processes. It covers 7 domains, including GRC programs, system categorization, control selection and implementation, assessment, authorization, and continuous monitoring. Certification requires 2 years of cumulative work experience in one or more CGRC domains.
- Questions: 125 scored questions
- Time Limit: 3 hours
- Passing Score: 700/1000 (70%)
- Exam Fee: $599 ((ISC)² / Pearson VUE)
CGRC Exam Content Outline
Security and Privacy Governance, Risk Management, and Compliance Program
GRC framework, enterprise governance, risk assessment methodologies, risk appetite and tolerance, regulatory requirements (FISMA, HIPAA, PCI DSS), and privacy governance including Privacy by Design principles
Scope of the System
System categorization using FIPS 199 and NIST SP 800-60, security objectives (confidentiality, integrity, availability), system boundaries, environments of operation, and major application vs general support system determination
Selection and Approval of Controls
NIST SP 800-53 control selection, security control baselines (Low, Moderate, High), control tailoring (scoping, parameterization, supplementation), compensating controls, and common control identification
Implementation of Security and Privacy Controls
System Security Plan (SSP) development, control implementation documentation, security configuration baselines (CIS, STIGs), DevSecOps integration, and encryption/key management implementation
Assessment/Audit of Controls
Security Assessment Plan (SAP) development, assessment methods (Examine, Interview, Test), NIST SP 800-53A, penetration testing, vulnerability scanning, and Security Assessment Report (SAR) documentation
System Compliance
Authorization to Operate (ATO) process, authorization package (SSP, SAR, POA&M), Plan of Action and Milestones (POA&M), temporary authorizations, and Interconnection Security Agreements (ISA)
Compliance Maintenance
Continuous monitoring strategy (NIST SP 800-137), configuration management, change control, security impact analysis, ongoing authorization concepts, and POA&M maintenance and tracking
How to Pass the CGRC Exam
What You Need to Know
- Passing score: 700/1000 (70%)
- Exam length: 125 questions
- Time limit: 3 hours
- Exam fee: $599
Keys to Passing
- Complete 500+ practice questions
- Score 80%+ consistently before scheduling
- Focus on highest-weighted sections
- Use our AI tutor for tough concepts
CGRC Study Tips from Top Performers
Frequently Asked Questions
What is the ISC2 CGRC exam format?
The ISC2 CGRC exam consists of 125 multiple-choice questions to be completed in 3 hours. The passing score is 700 out of 1000 (70%). Unlike the CC exam, CGRC does not use CAT (Computerized Adaptive Testing) — all candidates receive the same number of questions.
Do I need experience for the ISC2 CGRC certification?
Yes — CGRC requires a minimum of 2 years of cumulative, paid work experience in one or more of the seven CGRC domains. If you do not have the required experience, you can become an Associate of (ISC)² by passing the exam, after which you have up to 3 years to obtain the required experience and become fully certified.
What are the 7 domains of ISC2 CGRC?
The CGRC exam covers the following seven domains (exam weight in parentheses):
- (1) Security and Privacy Governance, Risk Management, and Compliance Program (16%): GRC framework, enterprise governance, risk assessment
- (2) Scope of the System (10%): FIPS 199 categorization, system boundaries
- (3) Selection and Approval of Controls (14%): NIST SP 800-53, control baselines, tailoring
- (4) Implementation of Security and Privacy Controls (17%): SSP, configuration baselines
- (5) Assessment/Audit of Controls (16%): SAP, assessment methods, testing
- (6) System Compliance (14%): ATO, POA&M, authorization
- (7) Compliance Maintenance (13%): continuous monitoring, change control
What is the NIST Risk Management Framework (RMF)?
The NIST Risk Management Framework (RMF) is a structured process for managing security and privacy risk in federal information systems. It consists of 7 steps: Prepare, Categorize, Select, Implement, Assess, Authorize, and Monitor. CGRC professionals must thoroughly understand RMF as it forms the foundation for the certification.
How long should I study for the ISC2 CGRC exam?
Most candidates study for 8-12 weeks, investing 80-120 hours total. Key study areas: 1) Master the NIST RMF 7-step process; 2) Understand FIPS 199/200 and NIST SP 800-53 controls; 3) Learn system categorization and control selection; 4) Study assessment methods and authorization processes; 5) Review continuous monitoring requirements; 6) Complete 200+ practice questions and score 75%+ consistently.
How is CGRC different from CISSP or CC?
CGRC focuses specifically on governance, risk, and compliance using the NIST RMF framework — ideal for GRC analysts, compliance officers, and security assessors. CISSP is a broader, advanced security management certification covering 8 domains. CC is an entry-level certification requiring no experience. CGRC requires 2 years of experience and focuses on authorization and compliance processes.
What jobs can I get with CGRC certification?
CGRC prepares you for roles including: GRC Analyst, Compliance Officer, Security Assessor/Auditor, Risk Manager, Authorization Officer, Information System Security Officer (ISSO), Privacy Officer, and NIST RMF Consultant. These roles are in high demand in government, defense contracting, healthcare, and regulated industries.