CGRC Cheat Sheet 2026
The 30 highest-yield CGRC facts, distilled from real exam questions. Print it, save it as a PDF, or study it here — free, no sign-up.
125 questions
180 min time limit
70.00% to pass
- What is a best practice in Certified Governance Risk and Compliance policy development? → A method or technique recognized as superior based on evidence and expert consensus
- What is a best practice in Certified Governance Risk and Compliance authorization process? → A method or technique recognized as superior based on evidence and expert consensus
- In Certified Governance Risk and Compliance, what role does continuing education play in governance principles? → To keep professionals current with evolving standards, technologies, and best practices
- In Certified Governance Risk and Compliance, what is the primary function of strategic planning in audit management? → To set long-term goals and determine the best approach to achieve them
- Under NIST SP 800-122, what is the recommended approach for assessing privacy risk associated with PII? → Evaluate the likelihood of a PII breach and the impact on affected individuals
- Which type of assessment in Certified Governance Risk and Compliance compares an individual's performance to a predetermined standard? → Criterion-referenced assessment
- Under NIST SP 800-60, which federal government function is an example of a 'Management and Support' information type? → Human Resources Management
- What is the primary objective of governance principles in Certified Governance Risk and Compliance? → To ensure competence and proficiency in core governance principles concepts
- Which federal law requires all federal agencies to categorize their information and information systems using FIPS 199? → Federal Information Security Modernization Act (FISMA)
- What is a key benefit of implementing performance metrics in Certified Governance Risk and Compliance risk management framework? → Providing measurable data to track progress and inform decision-making
- In Certified Governance Risk and Compliance, why is policy development knowledge important for professional certification? → It demonstrates competence and ensures practitioners meet established standards
- What is the difference between reliability and validity in Certified Governance Risk and Compliance assessment? → Reliability refers to consistency of results; validity refers to accuracy of measurement
- FIPS 199 defines the security category of an information system based on which three security objectives? → Confidentiality, Integrity, and Availability
- What is the relationship between theory and practice in Certified Governance Risk and Compliance continuous monitoring? → Theory provides the foundation and framework that guides effective practical application
- What is the primary objective of authorization process in Certified Governance Risk and Compliance? → To ensure competence and proficiency in core authorization process concepts
- What is the role of the System Owner in relation to security controls under the RMF? → Ensuring controls are implemented, documented, and maintained for their system
- Which control family in NIST SP 800-53 covers contingency planning, including backup and recovery procedures? → CP – Contingency Planning
- In NIST SP 800-39, risk framing requires that organizations identify: → Risk assumption, risk constraints, risk tolerance, and priorities and trade-offs
- What is a compensating control? → An alternative control used when the required control cannot be implemented
- In NIST SP 800-53, what does the CM control family address? → Configuration Management
- What is a best practice in Certified Governance Risk and Compliance third-party risk? → A method or technique recognized as superior based on evidence and expert consensus
- An updated risk assessment in response to the security control assessment along with inputs from the risk executive helps to determine and prioritize: → Initial remediation actions
- What does validity mean in the context of assessment within Certified Governance Risk and Compliance? → The assessment measures what it is intended to measure
- Which concept ensures that individuals are informed about how their PII will be collected, used, and shared before collection occurs? → Informed consent and notice
- Which type of control is implemented through hardware, software, or firmware to protect information systems? → Technical control
- What does the principle of least privilege mean in the context of access control? → Users are granted only the minimum access required to perform their job functions
- When should security categorization be revisited during the system lifecycle? → Whenever significant changes occur to the system or its operating environment
- What is the purpose of a System Security Plan (SSP) in the RMF process? → To describe the security requirements and controls implemented for a system
- In Certified Governance Risk and Compliance, what role does continuing education play in regulatory requirements? → To keep professionals current with evolving standards, technologies, and best practices
- In Certified Governance Risk and Compliance, what role does an audit serve in regulatory compliance? → To systematically examine and verify compliance with regulations and standards
Turn these facts into recall: