100+ Free ServiceNow CIS-RC Practice Questions

Pass your ServiceNow Certified Implementation Specialist - Risk and Compliance (CIS-RC) exam on the first try — instant access, no signup required.

✓ No registration ✓ No credit card ✓ No hidden fees ✓ Start practicing immediately

  • Pass Rate: Not published
  • 100+ Questions
  • 100% Free

2026 Statistics

Key Facts: ServiceNow CIS-RC Exam

  • Exam Questions: 60 (ServiceNow mainline format)
  • Exam Duration: 90 min (ServiceNow mainline format)
  • Exam Fee: $300 (ServiceNow mainline pricing)
  • Cut Score: Private (Not publicly disclosed)
  • Track: GRC (ServiceNow IRM)
  • Delivery: Pearson VUE (Test center or OnVUE)

The ServiceNow CIS-RC exam uses 60 questions in 90 minutes and is delivered by Pearson VUE. The current ServiceNow IRM platform covers Policy and Compliance Management (Authority Documents, Citations, Policies, Control Objectives, Controls, Indicators, Tests), Risk Management (Risk Framework, Risk Register, KRIs, Heat Maps, Bowtie), Audit Management (Plans, Engagements, Tasks, Findings, Recommendations), and Continuous Authorization and Monitoring. ServiceNow does not publish a public pass rate or fixed cut score; mainline pricing is approximately $300 USD with discounted retakes.

Sample ServiceNow CIS-RC Practice Questions

Try these sample questions to test your ServiceNow CIS-RC exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 100+ question experience with AI tutoring.

1. In ServiceNow Policy and Compliance Management, what is the correct hierarchy for mapping regulatory content to operational requirements?
A. Policy -> Authority Document -> Citation -> Control Objective -> Control
B. Authority Document -> Citation -> Policy -> Control Objective -> Control
C. Citation -> Authority Document -> Control -> Policy -> Control Objective
D. Control -> Control Objective -> Citation -> Authority Document -> Policy
Explanation: The standard ServiceNow GRC mapping flow is Authority Document (e.g., HIPAA, PCI DSS) -> Citation (specific clause) -> Policy (internal interpretation) -> Control Objective (what must be achieved) -> Control (the actual operational test). This top-down mapping is fundamental to traceability and is heavily tested.

2. What is the primary purpose of an Authority Document in ServiceNow GRC?
A. To assign remediation tasks to control owners
B. To represent an external regulation, framework, or standard that drives compliance requirements
C. To run automated scoring on risks
D. To store vendor risk assessment scores
Explanation: An Authority Document represents an external source of compliance obligations such as HIPAA, SOX, PCI DSS, NIST 800-53, or ISO 27001. It is the root record that drives Citations, Policies, and ultimately Controls in the compliance hierarchy.

3. Which record type in Policy and Compliance Management represents a specific clause or section within an Authority Document?
A. Control Objective
B. Citation
C. Indicator
D. Policy Statement
Explanation: A Citation represents an individual clause, paragraph, or section within an Authority Document. Citations are the granular regulatory requirements that map to internal Control Objectives and Controls.

4. What distinguishes a Control Objective from a Control in ServiceNow GRC?
A. A Control Objective is automated; a Control is manual
B. A Control Objective is the goal or outcome, while a Control is the specific test or activity that verifies the objective is met
C. A Control Objective is created by auditors; a Control is created by risk managers
D. Control Objectives apply only to vendors; Controls apply only to internal entities
Explanation: Control Objectives describe what must be achieved (the desired state), such as 'Ensure least-privilege access.' Controls are the specific, testable activities that demonstrate the objective is met, such as 'Quarterly access review of privileged accounts.' One Control Objective often has multiple Controls.

5. What is the role of an Indicator in ServiceNow Policy and Compliance Management?
A. It is a key risk metric tracked for executive dashboards
B. It is a configuration item used to detect a control failure
C. It is the technical or procedural test executed against an Indicator Source to determine whether a Control is operating effectively
D. It is the authoritative regulation citation
Explanation: An Indicator is a test (manual, automated via script, or pulled from an Indicator Source) that evaluates a Control. Indicators produce pass/fail results that flow into Continuous Monitoring and ultimately drive Issues when Controls fail.

6. An organization needs to map both NIST 800-53 and ISO 27001 to a single internal control. What ServiceNow GRC capability supports this?
A. Many-to-many mapping between Citations and Controls via Control Objectives
B. Each Control can map to only one Authority Document; you must create duplicate Controls
C. Only Audit Management supports multi-framework mapping
D. You must use a custom scripted business rule to merge frameworks
Explanation: ServiceNow GRC supports many-to-many relationships between Citations (across multiple Authority Documents) and Control Objectives, and between Control Objectives and Controls. This means a single internal Control can satisfy multiple regulatory frameworks, eliminating duplicate testing.

7. What is the primary function of Profile Scoping in ServiceNow GRC?
A. To determine which entities (CIs, business services, departments, vendors) a Policy or Control applies to
B. To configure the user interface for the GRC Workspace
C. To assign roles to compliance team members
D. To define risk appetite thresholds
Explanation: Profile Scoping links Policies, Controls, Risks, and other GRC records to specific Profiles (entity records), determining what the requirement applies to. For example, a SOX control applies only to financially-relevant systems, scoped via Profiles.

8. In Risk Management, which two risk values typically appear in a Risk record after controls are evaluated?
A. Inherent risk and Target risk only
B. Inherent risk and Residual risk
C. Residual risk and Vendor risk
D. Bowtie risk and Heat-map risk
Explanation: Inherent risk represents the risk before any controls are applied (the raw exposure). Residual risk represents the remaining exposure after controls are applied and tested. Target risk is also tracked but is the desired future state, not a calculated value.

9. A control test fails during Continuous Monitoring. What record does ServiceNow automatically create to track the failure?
A. A Risk record
B. An Issue record
C. An Audit Finding
D. An Authority Document update
Explanation: When an Indicator returns a failed result, ServiceNow GRC automatically creates an Issue record. The Issue links to the failed Control and is the parent for any Remediation tasks. Issues are the central failure-tracking record across Compliance, Risk, and Audit.

10. What is the relationship between an Issue and a Remediation task?
A. An Issue is closed only when all related Remediation tasks are closed
B. Remediation tasks must be created before Issues
C. Issues and Remediation tasks are unrelated record types
D. Remediation tasks replace Issues once accepted
Explanation: An Issue represents the identified problem (e.g., failed control, audit finding, gap) and a Remediation task is the actionable work item assigned to fix it. An Issue typically remains open until all its Remediation tasks are completed and the Issue is verified as resolved.

About the ServiceNow CIS-RC Exam

The ServiceNow CIS-RC exam validates implementation skills for the Risk and Compliance track of ServiceNow IRM. The blueprint covers Policy and Compliance Management, Risk Management, Audit Management, Continuous Authorization and Monitoring, common GRC foundation, and integrations with the CMDB and Vendor Risk Management.

  • Questions: 60 scored questions
  • Time Limit: 90 minutes
  • Passing Score: Not publicly disclosed
  • Exam Fee: $300 USD (ServiceNow / Pearson VUE)

ServiceNow CIS-RC Exam Content Outline

  • Policy and Compliance Management (30%): Authority Documents, Citations, Policies, Control Objectives, Controls, Indicators, Tests, Issues, attestations, and many-to-many mappings.
  • Risk Management (25%): Risk Framework, Risk Register, KRIs, Heat Maps, inherent vs residual vs target risk, Bowtie analysis, scoring engines, and risk treatment.
  • Audit Management (15%): Audit Plans, Engagements, Tasks, Workpapers, Findings, Recommendations, sampling, evidence, and remediation tracking.
  • Continuous Authorization and Monitoring (15%): CAM, Indicator Sources, NIST RMF and FedRAMP alignment, integrations through IntegrationHub, and continuous evidence.
  • Common GRC Foundation (15%): Profile Scoping, Entity Hierarchy, CMDB and CSDM alignment, GRC Workspace, GRC Mobile, IRM vs IRM Advanced, VRM integration, and reporting.

How to Pass the ServiceNow CIS-RC Exam

What You Need to Know

  • Passing score: Not publicly disclosed
  • Exam length: 60 questions
  • Time limit: 90 minutes
  • Exam fee: $300 USD

Keys to Passing

  • Complete 500+ practice questions
  • Score 80%+ consistently before scheduling
  • Focus on highest-weighted sections
  • Use our AI tutor for tough concepts

ServiceNow CIS-RC Study Tips from Top Performers

1. Memorize the Authority Document -> Citation -> Policy -> Control Objective -> Control mapping flow; many questions assume this hierarchy.
2. Practice the difference between Indicators (tests on controls) and KRIs (risk metrics) - they are commonly confused on the exam.
3. Use a Personal Developer Instance to walk through Profile Scoping, Entity Hierarchy, and a sample Authority Document so the data model becomes muscle memory.
4. Drill the Issue lifecycle: failed Indicator -> Issue -> Remediation tasks, plus how Audit Findings can also create Issues so reporting consolidates.
5. Know the difference between inherent, residual, and target risk and how scoring engines and calculator groups recompute scores when controls fail.
6. Be ready to choose Attestation vs Indicator and Audit Engagement vs Risk Assessment in scenario questions - the exam tests judgment, not just definitions.

Frequently Asked Questions

What does the ServiceNow CIS-RC exam cover?

CIS-RC validates implementation skills for ServiceNow IRM Risk and Compliance content: Policy and Compliance Management (Authority Documents, Citations, Policies, Controls, Indicators, Issues), Risk Management (Risk Framework, Register, KRIs, Heat Maps), Audit Management (Plans, Engagements, Findings), Continuous Authorization and Monitoring, and the common GRC foundation including Profiles, Entity Hierarchy, and CMDB integration.

How many questions are on CIS-RC and how long is the exam?

ServiceNow's mainline specialist exams use approximately 60 questions in 90 minutes and are delivered through Pearson VUE at a test center or via OnVUE remote proctoring where available. Items are multiple-choice and multiple-select.

What score do I need to pass CIS-RC?

ServiceNow does not publish a fixed public passing percentage. Your result is compared against an internal cut score that is not publicly shared and is not always 70%. Aim for consistent strong performance across all six domains rather than targeting a single number.

What does CIS-RC cost in 2026?

Mainline specialist exam pricing is approximately $300 USD for the initial attempt. Retakes for CIS exams are typically discounted. Registration goes through ServiceNow University, and the exam is delivered by Pearson VUE.

What should I focus on most heavily for CIS-RC?

Spend the most time on Policy and Compliance Management (mappings, Indicators, Issues) and Risk Management (Risk Framework, KRIs, Heat Maps). Then make sure you can confidently explain Audit Management workflows (Engagements -> Tasks -> Findings -> Recommendations -> Issues), the relationship between IRM and VRM, and how Profile Scoping/Entity Hierarchy interact with the CMDB.