Free ISC2 CGRC Exam Questions

Become ISC2 Certified with updated CGRC exam questions and correct answers

Page: 1 / 79

Total 393 Questions | Updated On: Jan 28, 2026

Add To Cart

Question 1

Ratio Corp is in the process of selecting security controls for a new information system. Which of the following is NOT a valid control selection method according to NIST guidelines?

A : Using a risk-based approach to determine the appropriate controls

B : Selecting controls based solely on cost-effectiveness

C : Implementing controls that are required by law, regulation, or policy

D : Adopting controls that are consistent with industry standards and best practices

Answer: B

Question 2

An organization has implemented network segmentation as a security control to prevent unauthorized access to sensitive data. However, the organization has recently experienced a data breach in which an attacker was able to move laterally between different segments of the network. Which of the following is the most likely reason for the failure of this control?

A : Insufficient monitoring and logging of network activity

B : Weaknesses in the organization's access control policies and procedures

C : Failure to regularly test and validate the effectiveness of security controls

D : Inadequate training of network administrators and other staff

Answer: C

Question 3

Which of the following is NOT typically included in the system registration process in the NIST RMF?

A : System identification information, such as the system name and owner

B : The security categorization of the system

C : Organizational policy on system registration

D : The selection and implementation of security controls for the system

Answer: D

Question 4

Security controls are assessed for a number of reasons. Which of the following are reasons for assessing security controls? Select all that apply.

A : To ensure that the security and privacy controls for managing risk are in place and producing the desired outcomes

B : To satisfy legal and regulatory requirements and avoid paying a fine.

C : To provide a good source of KPIs to senior management.

D : To provide the authorizing official with the information needed to make an authorization decision

E : To maintain ongoing situational awareness about the security and privacy posture of the system and organization to support risk management decisions

Answer: A,D

Question 5

Which of the following is a key factor in the success of a security awareness and training program?

A : Use of technical jargon and complex language

B : Delivery of training in a one-time, stand-alone format

C : Alignment with organizational goals and culture

D : Restriction of training to high-risk employees only

Answer: C

Page: 1 / 79

Total 393 Questions | Updated On: Jan 28, 2026

Add To Cart