ISC CGRC Actual Free Exam Questions & Community Discussion

Exam Code/Number: CGRC
Exam Name/Title: Certified in Governance Risk and Compliance
Certification Provider: ISC
Corresponding Certification: ISC Certification

Exam Questions: 725
Updated On: Jun 02, 2026

Question #49

Testing must include an assessment of the _____________ as described in the system security plan, as recorded in the risk assessment, and reflected in the accreditation boundary; all should be the same.
Response:

A. All of the above

B. None of these

C. Authorization Boundary

D. System Boundary

E. Network Boundary

Discussion 0

Correct Answer: D Vote an answer

Question #50

A written plan for recovering one or more information systems at an alternate facility in response to a major hardware or software failure or destruction of facilities.
Response:

A. Common Vulnerability Scoring System (CVSS)

B. Disaster Recovery Plan (DRP)

C. Continuity of Operations Plan (COOP)

D. Common Vulnerability and Exposures (CVE)

Discussion 0

Correct Answer: B Vote an answer

Question #51

Who has the responsibility to review and ensure that only substantive items are incorporated in the plan of action and milestones?
Response:

A. Authorizing Official

B. Common Control Provider

C. Information System Owner

D. Information Owner

Discussion 0

Correct Answer: A Vote an answer

Question #52

According to RMF which role has a primary responsibility to report the security status of the information system to the AO & other appropriate organizational officials on an ongoing basis IAW monitoring strategy (ISSO, CCP, ISSM, AO)?
Response:

A. Information system security officer (ISSO)

B. Senior information assurance officer (SIAO)

C. Common Control Provider

D. Independent assessor

Discussion 0

Correct Answer: C Vote an answer

Question #53

Once the System Owner selects the controls he wants to Continuously Monitor, he should coordinate with AO, AODR, and ___________.
Response:

A. AODR

B. AO

C. ISSO

D. CISO

Discussion 0

Correct Answer: D Vote an answer

Question #54

Guarding against improper information modification or destruction, and includes ensuring information non- repudiation and authenticity.
Response:

A. Integrity

B. Authenticity

C. Confidentiality

D. Availability

Discussion 0

Correct Answer: A Vote an answer

Question #55

DIACAP applies to the acquisition, operation, and sustainment of any DoD system that collects, stores, transmits, or processes unclassified or classified information since December 1997.
What phases are identified by DIACAP?
Each correct answer represents a complete solution. Choose all that apply.
Response:

A. Re-Accreditation

B. Accreditation

C. Validation

D. Identification

E. Verification

F. System Definition

Discussion 0

Correct Answer: A,C,E,F Vote an answer

Question #56

Amy is the project manager for her company. In her current project the organization has a very low tolerance for risk events that will affect the project schedule. Management has asked Amy to consider the affect of all the risks on the project schedule.
What approach can Amy take to create a bias against risks that will affect the schedule of the project? Response:

A. She can filter all risks based on their affect on schedule versus other project objectives.

B. She can have the project team pad their time estimates to alleviate delays in the project schedule.

C. She can create an overall project rating scheme to reflect the bias towards risks that affect the project schedule.

D. She can shift risk-laden activities that affect the project schedule from the critical path as much as possible.

Discussion 0

Correct Answer: C Vote an answer

Question #57

Tailoring refers to the process by which a security control baseline is modified based on all but one of the following:
Response:

A. The specification of organization-defined parameters in controls via explicit assignement and selection statements.

B. The security categorization of the information system

C. The specification of compensating controls

D. The application of scoping guidance

Discussion 0

Correct Answer: B Vote an answer

Question #58

Normally the requirements documented in the __________ ________ document will formulate the scope of SCA testing.
Response:

A. Contingency Plan

B. Security Plan

C. Assessment Plan

D. Remediation plan

Discussion 0

Correct Answer: B Vote an answer

Question #59

FITSAF stands for Federal Information Technology Security Assessment Framework. It is a methodology for assessing the security of information systems. Which of the following FITSAF levels shows that the procedures and controls have been implemented?
Response:

A. Level 3

B. Level 5

C. Level 1

D. Level 4

E. Level 2

Discussion 0

Correct Answer: A Vote an answer

Question #60

Why is the early selection of assessors important to organizations implementing a systems security engineering approach?
Response:

A. Early selection of assessors complete security control assessments in a timely manner

B. Early selection of assessors voilates security requirements

C. Early selection of assessors assess all implement security controls

D. Early selection of assessors support verification and validation activities that occur throughout the system life cycle

Discussion 0

Correct Answer: D Vote an answer

Download Free ISC CGRC Demo

Simply submit your e-mail address below to get started with our free demo of your ISC CGRC exam.