ISC2 CGRC Certification

Certification guide

Certified in Governance, Risk and Compliance (CGRC) is ISC2’s credential for the people who get systems authorized — the practitioners who carry an information system through categorization, control selection, implementation, assessment, and the formal risk-acceptance decision, then keep it compliant for the rest of its life. Formerly known as CAP, it is the recognized certification for Risk Management Framework (RMF) and FedRAMP work, and it holds a place on the U.S. DoD 8140 approved list — which makes it a career staple for federal, defense-contractor, and regulated-industry GRC roles.

The exam was refreshed effective June 15, 2024, and the update matters: ISC2 embedded AI governance throughout the outline. Alongside the classic RMF material — FIPS 199 categorization, NIST SP 800-53 baselines and tailoring, assessment methods, authorization packages, continuous monitoring — today’s CGRC expects you to reason about the NIST AI RMF, ISO/IEC 42001, the EU AI Act, model training versus inference boundaries, and treating ML weight updates as formal system changes. Our practice questions reflect that current outline, not the pre-2024 one.

3-hour exam 125 items Multiple choice + advanced item types Pass: 700/1000 scaled Pearson VUE 2 yrs experience (or Associate of ISC2)

Security and Privacy Governance, Risk Management, and Compliance Program

Domain 1 · 16%

GRC principles and the frameworks that carry them — NIST, COBIT, ISO/IEC 27001 — plus the SDLC, the information lifecycle, roles and responsibilities, and the regulatory landscape from FISMA and HIPAA to GDPR, FedRAMP, PCI DSS, and CMMC. The AI refresh adds governance boards, the NIST AI RMF, and ISO/IEC 42001.

Scope of the System

Domain 2 · 10%

Describing the system and drawing its authorization boundary: information types, FIPS 199 security objectives and the high water mark, impact levels, and privacy screening. Modern scoping includes embedded algorithms in COTS software and the line between model training environments and inference endpoints.

Selection and Approval of Framework, Security, and Privacy Controls

Domain 3 · 14%

Baselines and inherited controls, then tailoring — scoping considerations, compensating controls, organization-defined parameters, overlays, and enhancements — followed by control allocation, documentation, stakeholder agreement, and the continuous monitoring strategy that gets written before anything is built.

Implementation of Security and Privacy Controls

Domain 4 · 17%

The heaviest domain: implementation strategy (resourcing, funding, timeline, effectiveness), control types, executing selected and compensating controls, and documenting everything — as-built SSP descriptions, POA&M entries, risk registers, and the policies and procedures that prove controls fit the organization.

Assessment/Audit of Security and Privacy Controls

Domain 5 · 16%

Planning and conducting assessments with the interview–examine–test methods, validating evidence, writing initial and final reports, dispositioning findings as compliant / non-compliant / not applicable, choosing risk responses, reassessing corrected findings, and building the risk response plan.

System Compliance

Domain 6 · 14%

The authorization decision itself: compiling and submitting the package, determining risk posture and residual risk against acceptance criteria, stakeholder concurrence, and the formal decision — ATO, denial, interim authorizations, ongoing authorization — with its terms, conditions, and notifications.

Compliance Maintenance

Domain 7 · 13%

Life after authorization: change management and security impact analysis, continuous monitoring, incident response and contingency exercises, security updates, evidence collection, awareness training, audits, revising the monitoring strategy as requirements shift, and — eventually — decommissioning the system properly.

Our CGRC practice exams mirror the real thing: 125 questions per attempt, a three-hour timer, and domain weighting matched to the official outline, with a plain-language explanation behind every question. ISC2 scores the live exam on a 700-out-of-1000 scale; we set the pass mark at 70% as the honest raw-score equivalent, so a passing run here means genuine coverage across all seven domains — not luck in the heavy ones.

CGRC Training

The RMF life cycle for the ISC2 CGRC exam, one lesson at a time.

51 lessons 4h 59m read 7 modules
Subscribe to start

ISC2 CGRC — Practice Exam A

Full-length CGRC practice exam — 125 original questions weighted to the official ISC2 exam outline (effective June 15, 2024): Governance, Risk Management & Compliance Program 16%…

125 questions 180 min pass 70%
Subscribe to start

Trademark notice & independence. ISC2®, CGRC®, CISSP®, and CBK® are registered marks of ISC2, Inc. Certifym.net is operated by Certifym Exam Services LLC and is not affiliated with, endorsed by, or sponsored by ISC2, Inc. Certification names and marks are used solely to identify the certifications for which our independent practice materials are designed. The CGRC exam outline and its domain structure are the property of ISC2, Inc.; candidates should download the official, current exam outline directly from isc2.org.

All questions, answers, and explanations on Certifym are original content created for practice purposes. They are not actual ISC2 examination questions and are not represented as such. Practicing with these materials does not guarantee a passing result on any live certification exam.