About the CGRC Exam

The Certified in Governance, Risk and Compliance (CGRC) is ISC2's certification for professionals working at the intersection of information security, risk management, and regulatory compliance. Formerly known as the CAP (Certified Authorization Professional), the CGRC was rebranded in 2022 to reflect its broader applicability beyond the U.S. federal government context. The certification validates expertise in the full lifecycle of information security authorization and compliance—from establishing risk management programs through continuous monitoring—using the NIST Risk Management Framework (RMF) as its core reference standard.

The CGRC exam consists of 125 questions to complete in 3 hours, with a passing score of 700 out of 1000. The exam costs $599 USD and requires 2 years of cumulative paid work experience in one or more of the 7 CGRC domains. The certification is particularly valuable for IT risk managers, compliance officers, security governance professionals, information system security officers (ISSOs), and anyone responsible for obtaining and maintaining security authorizations for information systems—especially in U.S. federal government and defense contractor environments where FISMA and NIST RMF compliance is mandatory.

The 7 CGRC Domains and Their Weighting:

  • Domain 1: Information Security Risk Management Program (16%) - Establishing and managing information security risk management programs, integrating risk management into organizational processes, defining roles and responsibilities (Authorizing Official, System Owner, ISSO), and aligning security programs with organizational risk tolerance and mission objectives
  • Domain 2: Scope of the Information System (11%) - Identifying and documenting the boundary of information systems, conducting system characterization, establishing system interconnections and data flows, defining system categorization (FIPS 199, NIST SP 800-60), and developing System Security Plans (SSP)
  • Domain 3: Selection and Approval of Security and Privacy Controls (15%) - Selecting security controls from NIST SP 800-53, tailoring control baselines for specific system environments, documenting control selections in System Security Plans, obtaining management approval for selected controls, and integrating privacy controls (SP 800-53 Privacy Controls)
  • Domain 4: Implementation of Security and Privacy Controls (16%) - Implementing selected security controls, documenting control implementation in security plans and procedures, identifying control inheritance from common control providers, integrating security controls into system development lifecycle, and managing supply chain risk during implementation
  • Domain 5: Assessment/Audit of Security and Privacy Controls (16%) - Planning security control assessments, selecting and executing assessment methods (interviews, examination, testing), documenting assessment results in Security Assessment Reports (SARs), identifying control deficiencies and weaknesses, and preparing Plans of Action and Milestones (POA&Ms) to address findings
  • Domain 6: Authorization/Approval of Information System (10%) - Preparing authorization packages (SSP, SAR, POA&M), briefing Authorizing Officials on system risk, supporting AO risk acceptance decisions, obtaining Authorizations to Operate (ATOs), and documenting interim authorization decisions
  • Domain 7: Continuous Monitoring (16%) - Developing continuous monitoring strategies, monitoring security control effectiveness over time, analyzing security metrics and reporting to management, managing configuration changes with security impact analysis, and maintaining ongoing authorization through continuous monitoring programs

The CGRC certification is valid for 3 years, requiring 60 CPE credits over the cycle and an annual maintenance fee. The credential is particularly valuable for professionals in U.S. federal agencies, defense contractors, and regulated industries where FISMA compliance and NIST RMF implementation are operational requirements. Many CGRC holders work as ISSOs, security control assessors, risk analysts, and compliance managers responsible for maintaining ATO packages and continuous monitoring programs.

Why Take This Certification?

  • Essential for U.S. Federal Government and Defense Contractor Roles: CGRC (formerly CAP) is one of the certifications recognized under DoD Directive 8570.01-M for Information Assurance Management (IAM) roles. For professionals working with FISMA-regulated systems, obtaining and maintaining Authorizations to Operate (ATOs), or supporting RMF assessment and authorization activities in federal agencies or defense contractors, CGRC validates the exact knowledge framework these roles require. The U.S. federal government employs more than 20,000 security authorization professionals, and CGRC is the recognized credential for this specialized career path.
  • Deep Alignment with NIST RMF and SP 800-53: CGRC is uniquely focused on the NIST Risk Management Framework—the security and privacy risk management process used by U.S. federal agencies and increasingly adopted by private sector organizations. NIST SP 800-53 (Security and Privacy Controls) is one of the most comprehensive security control catalogs in existence, referenced by FedRAMP, CMMC, HIPAA compliance programs, and many enterprise GRC frameworks. CGRC candidates develop deep expertise in selecting, implementing, assessing, and monitoring NIST controls—skills directly transferable to any organization using NIST-based compliance frameworks.
  • Bridges Technical Security and Compliance/Governance Functions: CGRC occupies a unique position between pure technical security certifications (SSCP, CISSP) and pure compliance credentials. It requires understanding both the technical implementation of security controls and the governance processes for authorizing systems and managing ongoing compliance. This dual technical-governance orientation makes CGRC holders valuable in roles that serve as the bridge between IT security teams and compliance or audit functions—roles that are increasingly in demand as organizations face growing regulatory requirements.
  • Growing Demand for GRC Professionals Across Industries: As regulatory environments become more complex (GDPR, CCPA, CMMC, SOC 2, HIPAA, PCI DSS), organizations across all industries need professionals who can design and manage comprehensive GRC programs. CGRC's rebranding from CAP reflects ISC2's expansion of the credential's relevance beyond federal government to private sector compliance programs. Risk managers, compliance officers, internal auditors, and security governance professionals in financial services, healthcare, and technology sectors benefit from CGRC's structured approach to risk management and compliance program design.

What You'll Learn in the CGRC Exam

The CGRC exam tests expertise in the complete information security authorization lifecycle, from establishing risk management programs through continuous monitoring of deployed systems. The exam is grounded in NIST frameworks—particularly the Risk Management Framework (NIST SP 800-37), Security and Privacy Controls (NIST SP 800-53), Security Assessment Guidelines (NIST SP 800-53A), and Continuous Monitoring (NIST SP 800-137). Candidates must demonstrate both conceptual understanding of GRC principles and practical knowledge of how those principles are applied through specific frameworks, processes, and documentation requirements.

Risk Management Program Establishment and System Scoping

  • Information Security Risk Management Programs: Designing risk management program structures aligned with organizational missions and risk tolerance, defining roles within the NIST RMF (Authorizing Official, System Owner, Information System Security Officer, Security Control Assessor, Common Control Provider), integrating security risk management into enterprise risk management frameworks, and ensuring privacy risk management is embedded alongside security risk management processes.
  • System Categorization and Boundary Definition: Applying FIPS 199 and NIST SP 800-60 to categorize information systems by impact level (Low, Moderate, High) based on confidentiality, integrity, and availability impacts, defining system boundaries and documenting system interconnections, developing System Security Plans (SSPs) that accurately describe system purpose, architecture, and security control implementations, and managing the documentation throughout the system lifecycle.
  • Security Control Selection and Tailoring: Selecting appropriate security control baselines from NIST SP 800-53 based on system categorization, applying tailoring guidance to add, remove, or modify controls based on specific system environments and risk assessments, documenting control selections and justifications, ensuring privacy controls are integrated with security controls, and managing the approval process for control selections with organizational stakeholders.

Control Implementation, Assessment, Authorization, and Continuous Monitoring

  • Security Control Implementation: Documenting control implementation in SSPs and implementation procedures, identifying common controls inherited from organizational common control providers, managing security control implementation during system development and integration, addressing supply chain risk through control implementation decisions, and ensuring control implementations are consistent with security policy requirements.
  • Security Assessment and Authorization Packages: Planning and executing security control assessments using NIST SP 800-53A assessment procedures (interviews, examination, testing), documenting assessment results in Security Assessment Reports (SARs), identifying deficiencies and developing Plans of Action and Milestones (POA&Ms) with realistic remediation timelines, preparing complete authorization packages for Authorizing Official review, and supporting risk-based authorization decisions including Authorizations to Operate (ATOs), Interim ATOs, and Denials of ATO.
  • Continuous Monitoring Programs: Developing Continuous Monitoring Strategies (CMS) that define monitoring frequency, reporting requirements, and ongoing assessment activities, implementing automated tools for continuous monitoring (SCAP-compliant scanning tools, SIEM, vulnerability scanners), managing configuration changes through formal change control with security impact analysis, reporting security status to authorizing officials through regular security metrics and dashboards, and maintaining ongoing system authorization through documented monitoring results and risk acceptance decisions.

How to Prepare for the CGRC Exam

CGRC preparation typically requires 2-4 months for professionals with GRC or federal security experience, and 4-6 months for candidates newer to NIST frameworks. The exam's heavy focus on NIST RMF processes means that familiarity with NIST Special Publications (particularly SP 800-37, SP 800-53, SP 800-53A, and SP 800-137) is essential—not just conceptual familiarity, but working knowledge of how these frameworks interact, what specific processes they define, and how documentation artifacts (SSP, SAR, POA&M) fit into the overall authorization lifecycle.

  1. Study the Official CGRC Study Guide and NIST Publications (4-6 weeks): Start with the Official ISC2 CGRC Study Guide (Sybex), which covers all 7 domains aligned with the exam outline. Critically, supplement with direct reading of key NIST publications—this is not optional for CGRC. At minimum, read NIST SP 800-37 (Risk Management Framework), review NIST SP 800-53 Rev. 5 (Security and Privacy Controls) for control families and control descriptions, and study NIST SP 800-53A for assessment procedures. The NIST Cybersecurity Framework (CSF) and FIPS 199/200 are also tested. Many candidates find that reading actual NIST publications clarifies concepts that study guides summarize too abstractly.
  2. Gain Practical RMF Experience or Use Simulation Tools (ongoing): Hands-on experience with the RMF authorization process is the most valuable preparation for CGRC. If your current role involves working on ATOs, SSPs, or security assessments, actively connect your work to CGRC domain content. If you lack direct RMF experience, explore NIST's online tools and templates: the National Checklist Program, SCAP content, and the Risk Management Framework Quick Start Guides. The DoD's eMASS system documentation provides insight into how RMF is implemented in practice. Understanding the flow of documentation—SSP → SAR → POA&M → ATO package—is critical for exam scenarios about authorization activities.
  3. Complete Practice Questions Focused on RMF Process and NIST Controls (3-4 weeks): Work through at least 500 practice questions, with particular attention to questions testing the sequence of RMF steps, the roles and responsibilities within the authorization process, and the specific documentation artifacts produced at each stage. CGRC questions frequently present scenarios asking which step comes next in the RMF, what documentation artifact addresses a specific finding, or what action an ISSO should take in a given situation. Understanding the "why" behind each RMF step and being able to match documentation artifacts (SSP, SAR, POA&M, authorization package) to their purposes is essential.
  4. Review FISMA, FedRAMP, and Related Compliance Frameworks (final 2 weeks): In the final preparation phase, review FISMA requirements (key provisions, reporting requirements, system categorization mandates), FedRAMP authorization processes for cloud systems, OMB memoranda related to federal information security, and the relationship between CGRC domains and federal compliance requirements. Many CGRC candidates find that questions about compliance program management, privacy program integration, and organizational risk tolerance are more challenging than questions about specific NIST controls—invest time in understanding the governance and program management aspects. Review the official ISC2 CGRC certification page for the current exam outline.

The CGRC rewards professionals with genuine GRC and compliance experience, particularly those who have worked with NIST frameworks in federal, defense, or regulated industry environments. Candidates who have written SSPs, participated in security assessments, maintained POA&Ms, or supported ATO processes will find the exam validates skills they actively apply. For candidates without direct RMF experience, invest time in reading actual NIST publications and working through case studies that walk through the complete authorization lifecycle. Budget 150-250 hours of study time depending on prior RMF exposure.

Frequently Asked Questions

No. All Nex Arc practice questions are original content created by certified professionals based on official exam guides and publicly available documentation. We do not offer brain dumps, leaked questions, or actual exam content. Using or distributing real exam questions violates certification provider agreements and can result in certification revocation. Our questions are designed to test the same knowledge and skills as the real exam, using different scenarios and wording.

The CGRC exam consists of 125 multiple-choice questions to complete in 3 hours. Each question has one correct answer. The exam uses a scaled scoring model with a passing score of 700 out of 1000. Our premium course includes 1,500 practice questions across 12 full practice exams with detailed explanations.

The passing score is 700 out of 1000 on a scaled scoring model. CGRC questions are heavily grounded in NIST framework processes and documentation requirements. Candidates who have genuine experience with RMF authorization activities typically find the exam reflects real-world GRC work very closely.

Click on the "Buy Now" button in the sidebar to purchase the complete course. After payment, you'll have instant access to all 12 practice exams with 1,500 questions, detailed explanations, and lifetime access.

CGRC requires 2 years of cumulative, paid, full-time work experience in one or more of the 7 CGRC domains. This includes IT work, information security, or direct GRC experience. Without the experience requirement, candidates who pass the exam become an Associate of ISC2 and have 2 years to gain the required experience for full CGRC certification. Endorsement from an ISC2 member is required after passing to achieve full certification.

The CGRC certification is valid for 3 years. To maintain it, you must earn 60 CPE (Continuing Professional Education) credits over the 3-year cycle, with a minimum of 20 CPE per year, and pay an annual maintenance fee to ISC2. CPE credits can be earned through GRC training, security conferences, writing compliance content, or participating in ISC2 community activities. After 3 years, recertify by completing the CPE requirements or retaking the exam.

The CGRC exam costs $599 USD. If you don't pass on your first attempt, you must wait 30 days before retaking. After the second failed attempt, wait 90 days. After the third failed attempt, wait 180 days (6 months). There is no limit to the number of attempts, but you pay the full $599 fee for each attempt. ISC2 does not offer refunds. Thorough preparation with NIST publications and practice questions improves first-attempt pass rates significantly.

CGRC and CISSP serve different purposes and audiences. CISSP is the premier general security leadership certification, covering 8 broad domains including cryptography, network security, physical security, and security operations, and validating strategic security knowledge for security managers and architects with 5+ years of experience. CGRC is a specialized compliance and authorization certification, deeply focused on NIST RMF processes, security control documentation, and continuous monitoring programs, and aimed at compliance officers, ISSOs, and GRC professionals with 2+ years of experience. For federal government and defense contractor roles requiring both security leadership and RMF expertise, holding both credentials is advantageous. For private sector compliance roles, CGRC may be more directly relevant than CISSP. Many CGRC holders pursue CISSP as they grow into broader security leadership responsibilities.