ISC CGRC Actual Free Exam Questions & Community Discussion

Exam Code/Number: CGRC
Exam Name/Title: Certified in Governance Risk and Compliance
Certification Provider: ISC
Corresponding Certification: ISC Certification

Exam Questions: 725
Updated On: Jun 02, 2026

Question #25

Which of the following is NOT a phase of the security certification and accreditation process?
Response:

A. Initiation

B. Security certification

C. Operation

D. Maintenance

Discussion 0

Correct Answer: C Vote an answer

Question #26

According to NIST SP 800-37 Rev 2, What is step five of the Risk Management Framework (RMF) process?
Response:

A. Categorize

B. Monitor

C. Assess

D. Select

Discussion 0

Correct Answer: C Vote an answer

Question #27

Measure of confidence that the security features, practices, procedures, and architecture of an information system accurately mediates and enforces the security policy.
Response:

A. Assurance

B. Adversary

C. Enterprise

D. Countermeasure

Discussion 0

Correct Answer: A Vote an answer

Question #28

You are preparing to start the qualitative risk analysis process for your project. You will be relying on some organizational process assets to influence the process. Which one of the following is NOT a probable reason for relying on organizational process assets as an input for qualitative risk analysis? Response:

A. Information on prior, similar projects

B. Risk databases that may be available from industry sources

C. Review of vendor contracts to examine risks in past projects

D. Studies of similar projects by risk specialists

Discussion 0

Correct Answer: C Vote an answer

Question #29

Which of the following best defines a general support system? Response:

A. An information system used or operated by an executive agency, by a contractor of an executive agency, or by another organization on behalf of an executive agency

B. None of the above

C. An information system in which at least one security objective is assigned a FIPS 199 potential impact value of high.

D. An interconnected set of information resources under the same direct management control that shares common functionality.

Discussion 0

Correct Answer: D Vote an answer

Question #30

Which of the following are the common roles with regard to data in an information classification program?
Each correct answer represents a complete solution. Choose all that apply.
Response:

A. Owner

B. Custodian

C. Editor

D. User

E. Security auditor

Discussion 0

Correct Answer: A,B,D,E Vote an answer

Question #31

What is the 1st task in Security Controls Assessment; where the assessment plan is developed, reviewed, and approved to assess the controls?
Response:

A. Assessment Preparation

B. Assessment Plan

C. Assessment Security

D. Assessment Controls

Discussion 0

Correct Answer: A Vote an answer

Question #32

Which of the following is a subset discipline of Corporate Governance focused on information security systems and their performance and risk management?
Response:

A. Lanham Act

B. Clinger-Cohen Act

C. Computer Misuse Act

D. ISG

Discussion 0

Correct Answer: D Vote an answer

Question #33

Which of the following RMF phases is known as risk analysis? Response:

A. Phase 1

B. Phase 0

C. Phase 2

D. Phase 3

Discussion 0

Correct Answer: C Vote an answer

Question #34

Which of the following C&A professionals plays the role of an advisor? Response:

A. Information System Security Engineer (ISSE)

B. Authorizing Official

C. Chief Information Officer (CIO)

D. Information Owner

Discussion 0

Correct Answer: A Vote an answer

Question #35

What is the MOST appropriate action to take after weaknesses or deficiencies in controls are corrected? Response:

A. The original assessment results are changed

B. The assessment report is generated

C. The system is given an Authority to Operate (ATO)

D. The remediated controls are reassessed

Discussion 0

Correct Answer: D Vote an answer

Question #36

A System Owner (SO) is implementing a new system with their existing organization Information Technology (IT) environment. What objectives are considered when determining possible impact to risk? Response:

A. Integrity, Confidentiality, and Availability

B. Common, Hybrid, and System-Specific

C. Authentication, Authorization, and Accountability

D. Low, Moderate, and High

Discussion 0

Correct Answer: A Vote an answer

Download Free ISC CGRC Demo

Simply submit your e-mail address below to get started with our free demo of your ISC CGRC exam.