CGRC Study Guide 2026

Everything you need to pass the CGRC exam in one place: the exam format, every topic to study, real practice questions with explanations, flashcards, and full-length practice tests. Free, no sign-up needed.

📋 CGRC Exam Format at a Glance

125
Questions
180 min
Time Limit
70.00%
Passing Score

📚 CGRC Topics to Study (21)

✍️ Sample CGRC Questions & Answers

1. In the NIST RMF, information system categorization is which step of the framework?
Step 2 – Categorize

Categorize is Step 2 of the NIST RMF, occurring after the Prepare step and before the Select step.

2. Adequate Security is:
Commensurate with risk

Explanation: Adequate security is commensurate with risk, meaning that security measures should be proportionate to the level of risk faced by an organization. This approach ensures that resources are allocated appropriately to address the most significant risks while avoiding over or under-investment in security measures. Options a, c, and d represent incomplete or inaccurate descriptions of adequate security, as security measures should not solely be based on maximum harm, legal requirements regardless of cost, or projected budgets.

3. A 'LOW' impact level in FIPS 199 indicates that loss of the security objective would have what type of effect?
Limited adverse effects on organizational operations, assets, or individuals

FIPS 199 defines LOW impact as loss of confidentiality, integrity, or availability that could be expected to have a limited adverse effect on organizational operations, assets, or individuals.

4. Which federal law requires all federal agencies to categorize their information and information systems using FIPS 199?
Federal Information Security Modernization Act (FISMA)

FISMA requires federal agencies to comply with FIPS publications, including FIPS 199, for categorizing information and information systems.

5. In the context of CGRC, what is the primary purpose of a security control baseline?
To provide a starting set of controls for a given impact level

A security control baseline provides a pre-defined set of minimum controls selected based on the system's impact level (Low, Moderate, or High).

6. In Certified Governance Risk and Compliance, what role does an audit serve in regulatory compliance?
To systematically examine and verify compliance with regulations and standards

Audits provide systematic, independent examination of processes, records, and activities to verify compliance with applicable regulations, standards, and internal policies.

🎯 Free CGRC Practice Tests

📖 CGRC Guides & Articles

Your CGRC Study Path
1. Learn with Flashcards → 2. Drill Practice Tests → 3. Take the Full Exam Simulation
CGRC Study Guide 2026 — Exam Format, Topics & Practice Questions