Free ISC2 CGRC Exam Questions

Become ISC2 Certified with updated CGRC exam questions and correct answers

Page: 1 / 79

Total 393 Questions | Updated On: Dec 06, 2025

Add To Cart

Question 1

In the prepare step of the NIST RMF, which of the following should be established to ensure an effective risk management process?

A : A communication process for risk-related information

B : A continuous monitoring strategy

C : A system security plan

D : An incident response plan

Answer: A

Question 2

Which of the following is the best example of a common control?

A : A security policy that is tailored to a specific information system

B : A system administrator who is responsible for the security of a specific information system

C : A firewall that is used to protect multiple information systems

D : A security assessment that is conducted for a specific information system

Answer: C

Question 3

RydSecure is assessing the security controls of a multinational corporation's complex information system. The corporation has several subsidiaries, and the information system contains sensitive financial and customer data. As an authorization professional, you understand the importance of assessor independence in ensuring an unbiased and objective assessment. You have narrowed down the selection to four potential assessors. Each assessor has their own set of circumstances that could potentially affect their independence. Based on the information provided, which assessor is MOST LIKELY to maintain the highest level of independence during the evaluation of the multinational corporation's information system?

A : An assessor who recently completed a consulting engagement for one of the corporation's subsidiaries, during which they reviewed and provided recommendations for improving the subsidiary's security controls

B : An assessor who is married to a high-ranking executive working for one of the corporation's main competitors in the same industry

C : An assessor who has a sibling working in the corporation's IT department, but the sibling is not involved in the development, implementation, or management of the information system's security controls

D : An assessor who, three years ago, worked as an internal auditor for the corporation and was responsible for auditing the information system's security controls but left on good terms

Answer: C

Question 4

During the security controls assessment phase, the security control assessor at Ratio Corp is responsible for testing the effectiveness of the security controls. Which of the following is the most important consideration when conducting security control testing?

A : The number of security controls implemented

B : The potential risks to the information system

C : The availability of skilled personnel to conduct the testing

D : The number of positive reviews of the implemented controls

Answer: B

Question 5

Which of the following best describes the benefits of using automation to support control assessments in the context of an information security program?

A : Automation completely eliminates the need for manual control assessments and human intervention

B : Automation reduces the time and effort required for control assessments by providing continuous monitoring and real-time reporting

C : Automation ensures that all security controls are implemented flawlessly, with no room for error

D : Automation guarantees that all assessed security controls will receive the highest possible effectiveness rating

Answer: B

Page: 1 / 79

Total 393 Questions | Updated On: Dec 06, 2025

Add To Cart