ISC2 · CGRC
Validates expertise in information security governance, risk management, and compliance, covering security and privacy governance, risk management, compliance and audit, information system authorization, and continuous monitoring.
Questions
850
Duration
180 minutes
Passing Score
700/1000
Difficulty
ProfessionalLast Updated
Feb 2026
Use this CGRC practice exam to prepare for Certified in Governance, Risk and Compliance (CGRC) with realistic questions, detailed explanations, and focused study modes. The practice bank includes 850 questions for ISC2 CGRC, so you can review the exam steadily instead of relying on one long cram session.
As you practice, pay extra attention to patterns in your missed answers. Start with short sessions to identify weak areas, then move into timed quizzes once your accuracy is consistent.
The explanations are especially useful when you want to connect exam wording to the responsibilities and scenarios described in the official certification guidance. Use the free preview first, then unlock the full question bank when you are ready to build a complete study routine.
The Certified in Governance, Risk and Compliance (CGRC) is a professional-level certification offered by ISC2 that validates expertise in designing, implementing, and maintaining information security governance, risk, and compliance programs. Formerly known as the Certified Authorization Professional (CAP), it was officially rebranded as the CGRC on February 15, 2023, reflecting its broader applicability beyond U.S. federal authorization frameworks to enterprise GRC practices globally. The credential demonstrates a practitioner's ability to advocate for security risk management in pursuit of information system authorization in accordance with legal and regulatory requirements, spanning frameworks such as NIST RMF, COBIT, ISO/IEC standards, and FedRAMP.
The certification covers seven domains encompassing the full lifecycle of information system compliance: governance program establishment, system scoping, control selection and approval, control implementation, assessment and audit, system compliance authorization, and ongoing compliance maintenance. It is accredited by the ANSI National Accreditation Board (ANAB) under ISO/IEC Standard 17024, and is approved by the U.S. Department of Defense under DoDM 8140.03, making it a recognized credential in both private sector and federal government environments.
The CGRC is designed for IT, information security, and information assurance professionals who work in or aspire to governance, risk management, and compliance roles. Target job titles include cybersecurity auditors, compliance officers, GRC architects, GRC managers, risk and compliance project managers, enterprise risk managers, and information assurance managers. It is best suited for mid-career professionals who operate at the intersection of security and regulatory frameworks, particularly those who manage authorization processes or oversee compliance programs.
Candidates who do not yet meet the experience requirements but pass the exam may become an Associate of ISC2 while they accumulate the necessary work history. The certification is especially relevant for professionals working in or with U.S. federal agencies, defense contractors, or organizations subject to NIST-based compliance mandates, though its updated scope makes it equally applicable to global enterprises managing multi-framework compliance obligations.
Candidates must have a minimum of two cumulative years of paid work experience in one or more of the seven CGRC domains. There is no requirement that experience span all domains — depth in a single relevant domain such as risk management, compliance auditing, or security control assessment qualifies. No specific prior certification is required, though familiarity with foundational information security concepts, risk management principles, and regulatory frameworks (NIST SP 800-37, NIST SP 800-53, ISO/IEC 27001, FedRAMP) is strongly recommended as these underpin the entire CBK.
Candidates who pass the CGRC exam but lack the requisite experience may hold the Associate of ISC2 designation while working toward the two-year threshold. Practical exposure to system authorization or accreditation processes, security control selection and implementation, or compliance auditing in a professional environment significantly improves readiness for the exam.
The CGRC exam consists of 125 items delivered over 3 hours. Questions include both traditional multiple-choice and advanced item types, which may include drag-and-drop, hotspot, and other scenario-based formats designed to assess applied knowledge rather than rote memorization. The exam is administered through Pearson VUE at authorized testing centers and via online proctoring.
Scoring uses a scaled model with a maximum of 1,000 points, and the passing score is 700 out of 1,000. The exam does not use negative scoring. Candidates who fail may retake the exam; ISC2 enforces a mandatory 30-day waiting period after the first failed attempt, 90 days after the second, and 180 days after the third and any subsequent attempts.
The CGRC commands strong salary premiums in the cybersecurity market. According to Certification Magazine's Salary Survey 75, CGRC holders earn an average of $118,980 annually in the United States and $114,150 globally, positioning it among the higher-paying ISC2 credentials. The certification aligns directly with roles such as GRC analyst, compliance officer, information assurance manager, risk manager, and cybersecurity auditor — positions that are in sustained demand as organizations face expanding regulatory obligations under frameworks including CMMC, FedRAMP, HIPAA, and SOC 2.
The CGRC's DoD 8140.03 approval makes it particularly valuable for professionals pursuing or maintaining positions within U.S. federal agencies and defense contractors, where authorized practitioners are required by policy. The credential reached 5,000 worldwide holders in early 2026, reflecting growing global adoption beyond its federal roots. In the 2024 ISC2 Cybersecurity Workforce Study, GRC ranked among the top technical skills in demand at 13% — just behind risk assessment and management — signaling strong and sustained employer appetite for credentialed GRC practitioners.
5 sample questions with answers and explanations. Start a practice session to test yourself across all 850 questions.
Preview — answers shown1. A system owner completes Task S-1 (Control Selection) for a new Moderate-impact customer relationship management system by selecting all 304 controls from the NIST SP 800-53 Rev 5 Moderate baseline. During Task S-2 (Control Tailoring), the system owner identifies that the system architecture uses a managed cloud database service that does not provide direct operating system access to customers, making several controls related to OS-level configuration technically not applicable. What tailoring activity should the system owner apply? (Select one!)
Explanation
Scoping considerations are a tailoring activity that allows removal of controls not applicable due to technology decisions, operational environment, or other factors. When a managed cloud service eliminates customer access to operating system layers, OS-level configuration controls are not applicable to the customer responsibility and should be scoped out with documented rationale. Controls cannot be inherited without verification and documentation of the provider's implementation—this requires either common control authorization or a third-party attestation. Compensating controls are for situations where the security objective must be met through alternative means, not for controls that are architecturally not applicable. Requesting provider architecture changes to accommodate control implementation is unrealistic and undermines the architectural benefits of managed services.
2. A Cloud Service Provider is pursuing FedRAMP authorization at the Moderate baseline level. The organization has implemented automated vulnerability scanning that runs weekly and delivers results within 24 hours. Which FedRAMP continuous monitoring requirement is NOT being met? (Select one!)
Explanation
FedRAMP continuous monitoring requires monthly vulnerability and configuration scans with results delivered within the monthly reporting cycle. While weekly scanning exceeds the minimum frequency requirement, the question context suggests uncertainty about the 72-hour deliverable requirement versus the stated 24-hour delivery. However, the monthly deliverables package is the actual requirement, not a specific hourly timeframe. The organization's weekly scanning is more frequent than required and is acceptable. Penetration testing under FedRAMP Moderate is required annually by a 3PAO, not quarterly. Significant change notifications must be submitted as they occur, but automated scanning is part of routine continuous monitoring, not significant change reporting. The core requirement is monthly scan deliverables as part of the monthly continuous monitoring package.
3. During Task P-5 common control identification, a Risk Executive must publish a list of common controls available for inheritance by organizational systems. Which control family contains controls that are explicitly NOT candidates for common controls? (Select one!)
Explanation
Program Management (PM) family controls are foundational and organizational in nature and are explicitly NOT candidates for common controls in NIST SP 800-53 Rev 5. PM controls establish the overarching governance, policy, and program management structures that apply across the entire organization rather than being implemented by a provider and inherited by systems. Physical and Environmental Protection controls are excellent candidates for common controls, particularly for shared data centers where multiple systems inherit physical security measures. Media Protection controls for organizational handling procedures and Maintenance controls for enterprise contracts are both typical common control candidates. The PM family's unique organizational governance role makes it unsuitable for the provider-inheritor model.
4. An Authorizing Official receives the authorization package during Task R-2 for a new High-impact medical records system. The SAR shows CA-2 Security Assessments conducted by an internal audit team reporting to the CIO. The system processes protected health information subject to HIPAA requirements. What concern should the AO raise regarding the assessment? (Select one!)
Explanation
SP 800-53A Rev 5 requires assessor independence appropriate to the system's impact level and risk. For High-impact systems, assessors should be independent of the system development, implementation, and operational chain of command. Internal auditors reporting to the CIO may lack sufficient independence when the CIO is responsible for information security program oversight. The AO determines the appropriate independence level—absolute independence is not universally required, but for High-impact health systems, organizational independence from IT management increases assessment credibility. High-impact systems do not mandate external third-party assessors in all cases, though greater independence is expected. HIPAA compliance may involve specialized knowledge, but general security assessors can assess technical controls. Internal audit teams can assess CA controls if they maintain appropriate independence from the functions being assessed.
5. An organization operates multiple cloud service offerings and wants to designate physical security controls at its two data centers as common controls available for inheritance. The physical security program includes PE-2 Physical Access Authorizations, PE-3 Physical Access Control, PE-6 Monitoring Physical Access, and PE-8 Visitor Access Records. Which step must be completed before any system can inherit these common controls? (Select one!)
Explanation
NIST SP 800-37 Rev 2 explicitly requires that common controls must be authorized separately before they are available for inheritance by organizational systems. The Common Control Provider must complete a full assessment and authorization process with an AO signing an authorization decision for the common control set. Without this authorization, no system can rely on the controls for their own authorization. Publishing a catalog, documenting in SSPs, or SAISO designation are all necessary steps but cannot occur until the common controls themselves are authorized. Systems inherit both the controls and their compliance status.
Certified Cloud Security Professional (CCSP)
CCSP · 850 questions
Certified Information Systems Security Professional (CISSP)
CISSP · 850 questions
Information Systems Security Architecture Professional (ISSAP)
ISSAP · 850 questions
Information Systems Security Engineering Professional (ISSEP)
ISSEP · 850 questions
Systems Security Certified Practitioner (SSCP)
SSCP · 849 questions
Certified Secure Software Lifecycle Professional (CSSLP)
CSSLP · 841 questions
$17.99
One-time access to this exam