CGRC Cheat Sheet 2026

The 30 highest-yield CGRC facts, distilled from real exam questions. Print it, save it as a PDF, or study it here — free, no sign-up.

125 questions
180 min time limit
70.00% to pass
  1. What is a best practice in Certified Governance Risk and Compliance policy development? A method or technique recognized as superior based on evidence and expert consensus
  2. What is a best practice in Certified Governance Risk and Compliance authorization process? A method or technique recognized as superior based on evidence and expert consensus
  3. In Certified Governance Risk and Compliance, what role does continuing education play in governance principles? To keep professionals current with evolving standards, technologies, and best practices
  4. In Certified Governance Risk and Compliance, what is the primary function of strategic planning in audit management? To set long-term goals and determine the best approach to achieve them
  5. Under NIST SP 800-122, what is the recommended approach for assessing privacy risk associated with PII? Evaluate the likelihood of a PII breach and the impact on affected individuals
  6. Which type of assessment in Certified Governance Risk and Compliance compares an individual's performance to a predetermined standard? Criterion-referenced assessment
  7. Under NIST SP 800-60, which federal government function is an example of a 'Management and Support' information type? Human Resources Management
  8. What is the primary objective of governance principles in Certified Governance Risk and Compliance? To ensure competence and proficiency in core governance principles concepts
  9. Which federal law requires all federal agencies to categorize their information and information systems using FIPS 199? Federal Information Security Modernization Act (FISMA)
  10. What is a key benefit of implementing performance metrics in Certified Governance Risk and Compliance risk management framework? Providing measurable data to track progress and inform decision-making
  11. In Certified Governance Risk and Compliance, why is policy development knowledge important for professional certification? It demonstrates competence and ensures practitioners meet established standards
  12. What is the difference between reliability and validity in Certified Governance Risk and Compliance assessment? Reliability refers to consistency of results; validity refers to accuracy of measurement
  13. FIPS 199 defines the security category of an information system based on which three security objectives? Confidentiality, Integrity, and Availability
  14. What is the relationship between theory and practice in Certified Governance Risk and Compliance continuous monitoring? Theory provides the foundation and framework that guides effective practical application
  15. What is the primary objective of authorization process in Certified Governance Risk and Compliance? To ensure competence and proficiency in core authorization process concepts
  16. What is the role of the System Owner in relation to security controls under the RMF? Ensuring controls are implemented, documented, and maintained for their system
  17. Which control family in NIST SP 800-53 covers contingency planning, including backup and recovery procedures? CP – Contingency Planning
  18. In NIST SP 800-39, risk framing requires that organizations identify: Risk assumption, risk constraints, risk tolerance, and priorities and trade-offs
  19. What is a compensating control? An alternative control used when the required control cannot be implemented
  20. In NIST SP 800-53, what does the CM control family address? Configuration Management
  21. What is a best practice in Certified Governance Risk and Compliance third-party risk? A method or technique recognized as superior based on evidence and expert consensus
  22. An updated risk assessment in response to the security control assessment along with inputs from the risk executive helps to determine and prioritize: Initial remediation actions
  23. What does validity mean in the context of assessment within Certified Governance Risk and Compliance? The assessment measures what it is intended to measure
  24. Which concept ensures that individuals are informed about how their PII will be collected, used, and shared before collection occurs? Informed consent and notice
  25. Which type of control is implemented through hardware, software, or firmware to protect information systems? Technical control
  26. What does the principle of least privilege mean in the context of access control? Users are granted only the minimum access required to perform their job functions
  27. When should security categorization be revisited during the system lifecycle? Whenever significant changes occur to the system or its operating environment
  28. What is the purpose of a System Security Plan (SSP) in the RMF process? To describe the security requirements and controls implemented for a system
  29. In Certified Governance Risk and Compliance, what role does continuing education play in regulatory requirements? To keep professionals current with evolving standards, technologies, and best practices
  30. In Certified Governance Risk and Compliance, what role does an audit serve in regulatory compliance? To systematically examine and verify compliance with regulations and standards
Turn these facts into recall: