Free ISC2 CGRC Exam Questions

Become ISC2 Certified with updated CGRC exam questions and correct answers

Page: 1 / 79

Total 393 Questions | Updated On: Mar 13, 2026

Add To Cart

Question 1

The purpose of the asset identification task is to identify assets that require protection. Which of the following is not a potential input for this task?

A : Internal stakeholders

B : System information

C : System security plan

D : Business impact analysis

Answer: C

Question 2

Which of the following is true about common controls?

A : Common controls promote more cost-effective and consistent information security across the organization

B : Common controls are easier to implement

C : Common controls are the same as hybrid controls

D : Common controls cannot be implemented in the cloud

Answer: A

Question 3

What are the types of authorization decisions that can be given by an authorizing official? Select all that apply.

A : Authorization to operate

B : Interim authorization to operate

C : Common control authorization

D : Authorization to use

E : Denial of authorization

Answer: A,C,D,E

Question 4

What is the purpose of a security control baseline?

A : To establish a standard set of security controls that can be applied to all federal information systems and organizations

B : To define the criticality of information assets and systems within an organization

C : To establish the requirements for compliance with legal and regulatory frameworks

D : To define the rules for incident response and reporting

Answer: A

Question 5

What is the main purpose of system categorization?

A : Determine if the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security and privacy requirements for the system and the organization.

B : Inform organizational risk management processes and tasks by determining the adverse impact with respect to the loss of confidentiality, integrity, and availability of systems and the information processed, stored, and transmitted by those systems

C : Carry out essential activities to help prepare all levels of the organization to manage its security and privacy risks using the RMF

D : Maintain ongoing situational awareness about the security and privacy posture of the system and organization to support risk management decisions

Answer: B

Page: 1 / 79

Total 393 Questions | Updated On: Mar 13, 2026

Add To Cart