200+ Free CGRC Practice Questions

Pass your ISC2 CGRC Certified in Governance, Risk and Compliance exam on the first try — instant access, no signup required.


Sample CGRC Practice Questions

Try these sample questions to test your CGRC exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 200+ question experience with AI tutoring.

1. Which document establishes the overall security and privacy posture of an organization and defines the framework for managing risk?
A. System Security Plan (SSP)
B. Information System Contingency Plan (ISCP)
C. Risk Management Framework (RMF)
D. Enterprise Risk Management Policy
Explanation: The Enterprise Risk Management Policy establishes the organization's overall security and privacy posture. It defines the governance structure, risk appetite, and strategic approach to managing risk across the enterprise. While the SSP documents controls for a specific system, the ISCP addresses continuity planning, and the RMF is the process framework, the Enterprise Risk Management Policy provides the high-level strategic direction for the entire GRC program.

2. According to NIST SP 800-37 Rev. 2, who is ultimately responsible for the security and privacy risks associated with an information system?
A. Chief Information Officer (CIO)
B. Authorizing Official (AO)
C. System Owner
D. Senior Accountable Official for Risk Management
Explanation: The Senior Accountable Official for Risk Management (or Risk Executive) is ultimately responsible for security and privacy risks across the organization. The Authorizing Official makes risk acceptance decisions for specific systems, the System Owner manages day-to-day operations, and the CIO oversees IT resources. However, the Senior Accountable Official holds the highest level of responsibility for enterprise risk management, ensuring risk decisions align with organizational risk tolerance.

3. What is the primary purpose of a risk assessment in the context of security and privacy governance?
A. To eliminate all security risks
B. To identify, estimate, and prioritize risk to organizational operations and assets
C. To implement technical security controls
D. To comply with audit requirements
Explanation: Risk assessment identifies, estimates, and prioritizes risks to organizational operations, assets, individuals, other organizations, and the Nation. It does not eliminate all risks (impossible), implement controls (that comes after), or exist solely for audit compliance. The assessment provides decision-makers with information to determine appropriate risk responses based on the organization's risk tolerance and available resources.

4. In the NIST Risk Management Framework, during which step does the organization categorize the information system based on impact analysis?
A. Step 0: Prepare
B. Step 1: Categorize
C. Step 2: Select
D. Step 3: Implement
Explanation: Step 1 (Categorize) is when the organization categorizes the information system based on impact analysis. This step uses FIPS 199 and NIST SP 800-60 to determine the potential impact on confidentiality, integrity, and availability. The categorization drives control selection in subsequent steps. Step 0 involves organizational preparation, Step 2 involves control selection, and Step 3 involves control implementation.

5. An organization is establishing its compliance program and needs to define the acceptable level of risk that aligns with its business objectives. What document should be created first?
A. Risk Assessment Report
B. Risk Appetite Statement
C. Business Impact Analysis
D. Security Control Baseline
Explanation: The Risk Appetite Statement defines the acceptable level of risk an organization is willing to accept in pursuit of its strategic objectives. It provides guidance for risk-based decision-making and informs control selection. The Risk Assessment Report documents identified risks, the Business Impact Analysis examines operational impacts, and the Security Control Baseline specifies required controls—all of which should align with the established risk appetite.

6. Which of the following BEST describes the relationship between governance, risk management, and compliance (GRC)?
A. They are separate functions that operate independently
B. Governance establishes the framework, risk management identifies threats, and compliance ensures adherence
C. Compliance is the only function that matters for certification
D. Risk management is a subset of compliance activities
Explanation: GRC is an integrated approach where Governance establishes the organizational structure, policies, and strategic direction; Risk Management identifies, assesses, and responds to threats; and Compliance ensures adherence to regulatory requirements and internal policies. They work together synergistically rather than independently. Risk management is not merely a subset of compliance—it's a strategic function that informs both governance and compliance decisions.

7. A multinational corporation needs to align its privacy program with international requirements. Which framework would be MOST appropriate for establishing a baseline privacy governance program?
A. NIST Cybersecurity Framework
B. ISO/IEC 27001
C. ISO/IEC 27701 (PIMS)
D. COBIT 2019
Explanation: ISO/IEC 27701 (Privacy Information Management System - PIMS) specifically extends ISO/IEC 27001 for privacy management, providing requirements for establishing, implementing, maintaining, and continually improving a privacy program. While NIST CSF addresses privacy considerations, ISO 27001 focuses on information security, and COBIT is an IT governance framework, ISO 27701 is purpose-built for privacy governance aligned with international standards like GDPR.

8. What is the primary difference between risk appetite and risk tolerance?
A. They are synonymous terms with no difference
B. Risk appetite is the amount of risk desired; risk tolerance is the amount of risk acceptable
C. Risk appetite is strategic and broad; risk tolerance is tactical and specific
D. Risk tolerance applies only to financial risks
Explanation: Risk appetite is strategic and broad, representing the total amount of risk an organization is willing to accept in pursuit of objectives. Risk tolerance is tactical and specific, defining the acceptable variation in performance or outcomes relative to objectives. Risk appetite is not about desiring risk but accepting it, and risk tolerance applies beyond just financial risks to operational, strategic, and compliance areas.

9. According to FIPS 199, how many potential impact levels are defined for categorizing information systems?
A. Two (Low and High)
B. Three (Low, Moderate, and High)
C. Four (Minimal, Low, Moderate, and High)
D. Five (Minimal, Low, Moderate, High, and Critical)
Explanation: FIPS 199 defines three potential impact levels for categorizing information systems: Low, Moderate, and High. These levels apply to each of the three security objectives: Confidentiality, Integrity, and Availability. The overall system categorization is expressed as the high water mark—the highest impact level among the three security objectives.

10. An organization is categorizing a system that processes public information but requires high availability for business operations. What is the resulting FIPS 199 categorization?
A. Low-Confidentiality, Low-Integrity, High-Availability (L-L-H)
B. Low-Confidentiality, Moderate-Integrity, High-Availability (L-M-H)
C. Moderate-Confidentiality, Moderate-Integrity, High-Availability (M-M-H)
D. High-Confidentiality, High-Integrity, High-Availability (H-H-H)
Explanation: Public information has Low confidentiality impact. With high availability requirements, the system would typically have Low integrity (public data doesn't require integrity protection for business operations) and High availability. This results in an L-L-H categorization. The high water mark would be High, meaning high baseline controls would apply.

About the CGRC Exam

The ISC2 Certified in Governance, Risk and Compliance (CGRC, formerly CAP) validates expertise in the NIST Risk Management Framework (RMF) and related governance, risk, and compliance processes. It covers 7 domains, including GRC programs, system categorization, control selection and implementation, assessment, authorization, and continuous monitoring. Certification requires 2 years of cumulative work experience in one or more CGRC domains.

  • Questions: 125 scored questions
  • Time Limit: 3 hours
  • Passing Score: 700/1000 (70%)
  • Exam Fee: $599 ((ISC)² / Pearson VUE)

CGRC Exam Content Outline

  • Security and Privacy Governance, Risk Management, and Compliance Program (16%): GRC framework, enterprise governance, risk assessment methodologies, risk appetite and tolerance, regulatory requirements (FISMA, HIPAA, PCI DSS), and privacy governance including Privacy by Design principles
  • Scope of the System (10%): System categorization using FIPS 199 and NIST SP 800-60, security objectives (confidentiality, integrity, availability), system boundaries, environments of operation, and major application vs general support system determination
  • Selection and Approval of Controls (14%): NIST SP 800-53 control selection, security control baselines (Low, Moderate, High), control tailoring (scoping, parameterization, supplementation), compensating controls, and common control identification
  • Implementation of Security and Privacy Controls (17%): System Security Plan (SSP) development, control implementation documentation, security configuration baselines (CIS, STIGs), DevSecOps integration, and encryption/key management implementation
  • Assessment/Audit of Controls (16%): Security Assessment Plan (SAP) development, assessment methods (Examine, Interview, Test), NIST SP 800-53A, penetration testing, vulnerability scanning, and Security Assessment Report (SAR) documentation
  • System Compliance (14%): Authorization to Operate (ATO) process, authorization package (SSP, SAR, POA&M), Plan of Action and Milestones (POA&M), temporary authorizations, and Interconnection Security Agreements (ISA)
  • Compliance Maintenance (13%): Continuous monitoring strategy (NIST SP 800-137), configuration management, change control, security impact analysis, ongoing authorization concepts, and POA&M maintenance and tracking

How to Pass the CGRC Exam

What You Need to Know

  • Passing score: 700/1000 (70%)
  • Exam length: 125 questions
  • Time limit: 3 hours
  • Exam fee: $599

Keys to Passing

  • Complete 500+ practice questions
  • Score 80%+ consistently before scheduling
  • Focus on highest-weighted sections
  • Use our AI tutor for tough concepts

CGRC Study Tips from Top Performers

1. Master the NIST RMF 7-step process (Prepare, Categorize, Select, Implement, Assess, Authorize, Monitor) — this is the foundation of the entire exam
2. Understand FIPS 199 system categorization — know how to determine confidentiality, integrity, and availability impact levels (Low, Moderate, High)
3. Study NIST SP 800-53 control families and the differences between Low, Moderate, and High baselines
4. Learn control tailoring concepts: scoping, parameterization, supplementation, and compensating controls
5. Understand assessment methods from NIST SP 800-53A: Examine, Interview, and Test
6. Know the authorization package components: SSP (System Security Plan), SAR (Security Assessment Report), and POA&M (Plan of Action and Milestones)
7. Review continuous monitoring requirements from NIST SP 800-137 and ongoing authorization concepts
8. Practice with scenario-based questions that test application of RMF concepts to real-world situations

Frequently Asked Questions

What is the ISC2 CGRC exam format?

The ISC2 CGRC exam consists of 125 multiple-choice questions to be completed in 3 hours. The passing score is 700 out of 1000 (70%). Unlike the CC exam, CGRC does not use CAT (Computerized Adaptive Testing) — all candidates receive the same number of questions.

Do I need experience for the ISC2 CGRC certification?

Yes — CGRC requires a minimum of 2 years of cumulative, paid work experience in one or more of the seven CGRC domains. If you do not have the required experience, you can become an Associate of (ISC)² by passing the exam, then you have up to 3 years to obtain the required experience to become fully certified.

What are the 7 domains of ISC2 CGRC?

The CGRC exam covers: (1) Security and Privacy Governance, Risk Management, and Compliance Program (16%): GRC framework, enterprise governance, risk assessment; (2) Scope of the System (10%): FIPS 199 categorization, system boundaries; (3) Selection and Approval of Controls (14%): NIST SP 800-53, control baselines, tailoring; (4) Implementation of Security and Privacy Controls (17%): SSP, configuration baselines; (5) Assessment/Audit of Controls (16%): SAP, assessment methods, testing; (6) System Compliance (14%): ATO, POA&M, authorization; (7) Compliance Maintenance (13%): Continuous monitoring, change control.

What is the NIST Risk Management Framework (RMF)?

The NIST Risk Management Framework (RMF) is a structured process for managing security and privacy risk in federal information systems. It consists of 7 steps: Prepare, Categorize, Select, Implement, Assess, Authorize, and Monitor. CGRC professionals must thoroughly understand RMF as it forms the foundation for the certification.

How long should I study for the ISC2 CGRC exam?

Most candidates study for 8-12 weeks, investing 80-120 hours total. Key study areas: 1) Master the NIST RMF 7-step process; 2) Understand FIPS 199/200 and NIST SP 800-53 controls; 3) Learn system categorization and control selection; 4) Study assessment methods and authorization processes; 5) Review continuous monitoring requirements; 6) Complete 200+ practice questions and score 75%+ consistently.

How is CGRC different from CISSP or CC?

CGRC focuses specifically on governance, risk, and compliance using the NIST RMF framework — ideal for GRC analysts, compliance officers, and security assessors. CISSP is a broader, advanced security management certification covering 8 domains. CC is an entry-level certification requiring no experience. CGRC requires 2 years experience and focuses on authorization and compliance processes.

What jobs can I get with CGRC certification?

CGRC prepares you for roles including: GRC Analyst, Compliance Officer, Security Assessor/Auditor, Risk Manager, Authorization Officer, Information System Security Officer (ISSO), Privacy Officer, and NIST RMF Consultant. These roles are in high demand in government, defense contracting, healthcare, and regulated industries.