Certified in Governance, Risk and Compliance (CGRC) Practice Test

The CGRC is designed for IT, information security, and information assurance professionals who work in or aspire to governance, risk management, and compliance roles. Target job titles include cybersecurity auditors, compliance officers, GRC architects, GRC managers, risk and compliance project managers, enterprise risk managers, and information assurance managers. It is best suited for mid-career professionals who operate at the intersection of security and regulatory frameworks, particularly those who manage authorization processes or oversee compliance programs.

Candidates who do not yet meet the experience requirements but pass the exam may become an Associate of ISC2 while they accumulate the necessary work history. The certification is especially relevant for professionals working in or with U.S. federal agencies, defense contractors, or organizations subject to NIST-based compliance mandates, though its updated scope makes it equally applicable to global enterprises managing multi-framework compliance obligations.

Candidates must have a minimum of two cumulative years of paid work experience in one or more of the seven CGRC domains. There is no requirement that experience span all domains — depth in a single relevant domain such as risk management, compliance auditing, or security control assessment qualifies. No specific prior certification is required, though familiarity with foundational information security concepts, risk management principles, and regulatory frameworks (NIST SP 800-37, NIST SP 800-53, ISO/IEC 27001, FedRAMP) is strongly recommended as these underpin the entire CBK.

Candidates who pass the CGRC exam but lack the requisite experience may hold the Associate of ISC2 designation while working toward the two-year threshold. Practical exposure to system authorization or accreditation processes, security control selection and implementation, or compliance auditing in a professional environment significantly improves readiness for the exam.

The CGRC exam consists of 125 items delivered over 3 hours. Questions include both traditional multiple-choice and advanced item types, which may include drag-and-drop, hotspot, and other scenario-based formats designed to assess applied knowledge rather than rote memorization. The exam is administered through Pearson VUE at authorized testing centers and via online proctoring.

Scoring uses a scaled model with a maximum of 1,000 points, and the passing score is 700 out of 1,000. The exam does not use negative scoring. Candidates who fail may retake the exam; ISC2 enforces a mandatory 30-day waiting period after the first failed attempt, 90 days after the second, and 180 days after the third and any subsequent attempts.

• 1.Domain 1 – Security and Privacy Governance, Risk Management, and Compliance Program (16%): Covers principles of governance, risk management, and compliance; applicable regulatory and legal requirements; security concepts (confidentiality, integrity, availability, non-repudiation, privacy); system development life cycle phases; and establishment of organizational compliance programs using frameworks such as NIST, COBIT, and ISO/IEC standards.
• 2.Domain 2 – Scope of the System (10%): Addresses characterizing and documenting information systems, identifying information types and applicable security categories, and defining system boundaries in alignment with relevant compliance frameworks and organizational mission requirements.
• 3.Domain 3 – Selection and Approval of Framework, Security, and Privacy Controls (14%): Focuses on identifying control baselines, selecting appropriate control enhancements, tailoring controls to system-specific conditions, documenting control selections, and obtaining stakeholder approval in accordance with applicable frameworks.
• 4.Domain 4 – Implementation of Security and Privacy Controls (17%): Covers developing implementation strategies, deploying technical and administrative controls, documenting how controls are implemented, identifying residual risks, and applying compensating controls where standard controls cannot be fully implemented.
• 5.Domain 5 – Assessment/Audit of Security and Privacy Controls (16%): Encompasses planning and preparing security and privacy control assessments, conducting compliance verification activities, analyzing and reporting assessment findings, and developing risk response and remediation plans based on identified weaknesses.
• 6.Domain 6 – System Compliance (14%): Involves compiling and submitting authorization packages, determining the overall risk posture of the system, making or supporting formal authorization decisions, and documenting compliance status with appropriate authorizing officials.
• 7.Domain 7 – Compliance Maintenance (13%): Addresses ongoing change management activities, continuous monitoring of security controls, periodic compliance audits and reviews, reporting security status to stakeholders, and managing system decommissioning and disposal in compliance with applicable requirements.

• Download and study the official CGRC Exam Outline from ISC2's website first — it lists every domain, task statement, and knowledge area that may appear on the exam, and should serve as your master study checklist.
• Use ISC2's Official CGRC Adaptive Online Self-Paced Training, which employs AI-driven gap analysis to identify your weakest domains and prioritizes those areas in your study plan rather than spending equal time across all seven domains.
• Build a strong working knowledge of NIST SP 800-37 (Risk Management Framework), NIST SP 800-53 (Security and Privacy Controls), and NIST SP 800-53A (Assessment Procedures) — these documents underpin a majority of exam scenarios, particularly in Domains 3, 4, 5, and 6.
• Practice with ISC2's Official CGRC Practice Tests under timed conditions. The exam includes advanced item types beyond standard multiple choice, so familiarity with scenario-based and drag-and-drop formats reduces surprises on exam day.
• Join the ISC2 Official CGRC Online Study Group to engage with peers preparing for the same exam. Discussing real-world GRC scenarios helps reinforce conceptual understanding and exposes you to different interpretations of control implementation and authorization decisions.
• For Domain 1 and Domain 7, supplement ISC2 materials with reading on COBIT 2019 and ISO/IEC 27001 governance structures, as the updated CGRC CBK explicitly tests multi-framework GRC program design beyond the NIST-only scope of the legacy CAP credential.
• Use the Official ISC2 CGRC Flash Cards for daily micro-study sessions focused on key terminology, framework mappings, and control families — particularly useful for reinforcing Domain 2 (system scoping) and Domain 6 (compliance authorization) vocabulary.

The CGRC commands strong salary premiums in the cybersecurity market. According to Certification Magazine's Salary Survey 75, CGRC holders earn an average of $118,980 annually in the United States and $114,150 globally, positioning it among the higher-paying ISC2 credentials. The certification aligns directly with roles such as GRC analyst, compliance officer, information assurance manager, risk manager, and cybersecurity auditor — positions that are in sustained demand as organizations face expanding regulatory obligations under frameworks including CMMC, FedRAMP, HIPAA, and SOC 2.

The CGRC's DoD 8140.03 approval makes it particularly valuable for professionals pursuing or maintaining positions within U.S. federal agencies and defense contractors, where authorized practitioners are required by policy. The credential reached 5,000 worldwide holders in early 2026, reflecting growing global adoption beyond its federal roots. In the 2024 ISC2 Cybersecurity Workforce Study, GRC ranked among the top technical skills in demand at 13% — just behind risk assessment and management — signaling strong and sustained employer appetite for credentialed GRC practitioners.