Free ISC2 CGRC Exam Questions

Become ISC2 Certified with updated CGRC exam questions and correct answers

Page: 1 / 79

Total 393 Questions | Updated On: Oct 29, 2025

Add To Cart

Question 1

A small organization has limited resources and is struggling to implement all of the necessary NIST SP 800-53 security controls. Which of the following is the BEST approach for the organization?

A : Implement only those controls that are required by regulation or policy

B : Implement only those controls that are relevant to the organization's risk management strategy

C : Implement only those controls that are easy to implement

D : Outsource the implementation of all security controls to a third-party vendor

Answer: B

Question 2

Which of the following is the best example of a common control?

A : A security policy that is tailored to a specific information system

B : A system administrator who is responsible for the security of a specific information system

C : A firewall that is used to protect multiple information systems

D : A security assessment that is conducted for a specific information system

Answer: C

Question 3

Which of the following factors should be considered when determining residual risk?

A : The cost of implementing additional security controls

B : The likelihood of the identified risks being exploited

C : The personal opinions of the system owners

D : The time it takes to complete the security authorization process

Answer: B

Question 4

Security controls are assessed for a number of reasons. Which of the following are reasons for assessing security controls? Select all that apply.

A : To ensure that the security and privacy controls for managing risk are in place and producing the desired outcomes

B : To satisfy legal and regulatory requirements and avoid paying a fine.

C : To provide a good source of KPIs to senior management.

D : To provide the authorizing official with the information needed to make an authorization decision

E : To maintain ongoing situational awareness about the security and privacy posture of the system and organization to support risk management decisions

Answer: A,D

Question 5

Your organization is preparing to authorize a new information system. As part of the Prepare phase of the NIST SP 800-37 Risk Management Framework, your team is working to identify the system's stakeholders and their roles. Which of the following stakeholders would be responsible for ensuring that the system's security controls are properly implemented and maintained?

A : The system owner

B : The authorizing official

C : The system administrator

D : The security manager

Answer: C

Page: 1 / 79

Total 393 Questions | Updated On: Oct 29, 2025

Add To Cart