ISC2 Certified in Governance, Risk and Compliance (CGRC) Practice Exams
About the ISC2 CGRC exam
Exam at a glance
The ISC2 professional-tier credential for governance, risk, and compliance professionals. CGRC is the only ISC2 certification built around a single framework — the NIST Risk Management Framework (NIST SP 800-37) — making it the natural fit for U.S. federal contractors, agency staff, and any organization that has standardized on NIST controls.
Former name: CAP
CGRC was rebranded from CAP (Certified Authorization Professional) in February 2023. The new name better reflects the broader governance and compliance scope the exam already covered, while keeping the same NIST RMF orientation. Certifications earned under the CAP name automatically converted to CGRC, with no retest required.
Domain weighting
- Information Security Risk Management Program: 16%
- Scope of the System: 12%
- Selection and Approval of Security and Privacy Controls: 15%
- Implementation of Security and Privacy Controls: 16%
- Assessment/Audit of Security and Privacy Controls: 17%
- System Compliance: 16%
- Compliance Maintenance: 8%
Core topics tested
- NIST RMF seven-step process (SP 800-37 Rev. 2) — Prepare → Categorize → Select → Implement → Assess → Authorize → Monitor. The Prepare step was added in Rev. 2; older study material that lists six steps is describing Rev. 1.
- Security categorization — FIPS 199 impact levels (Low/Moderate/High) for confidentiality, integrity, and availability, aggregated across the system's information types by the high-water mark to give the system's overall categorization.
- Control selection — NIST SP 800-53 Rev. 5 control families, the Low/Moderate/High baselines chosen from the overall categorization, tailoring, overlays, and control inheritance.
- Authorization boundaries — system boundary definition, interconnection agreements, common controls.
- Assessment and authorization (A&A) artifacts — System Security Plan (SSP), Security Assessment Report (SAR), Plan of Action and Milestones (POA&M), Authorization to Operate (ATO).
- Continuous monitoring — ongoing control assessments, configuration management, change control, security metrics.
- Privacy controls — NIST SP 800-53 Rev. 5 privacy baseline, PII handling, privacy impact assessments.
- Compliance maintenance — ATO renewal, decommissioning, system disposal, contingency planning.
Prerequisites
Two years of cumulative paid work experience in one or more of the seven CGRC domains. Pass without the experience and you earn the Associate of ISC2 designation, with three years to gain the qualifying experience.
Why take this certification
- The GRC credential for federal work. CGRC maps directly to NIST RMF, which is mandatory for U.S. federal information systems under FISMA. If your organization sells to or supports federal agencies, CGRC is the go-to credential — and it appears explicitly on many DoD and civilian-agency role descriptions.
- Lower experience bar than CISSP. Two years vs. five — CGRC is reachable earlier in a GRC career, while still carrying ISC2's ANAB accreditation to ISO/IEC 17024 that hiring managers recognize.
- Pairs naturally with CISSP. CISSP gives you the eight-domain breadth; CGRC gives you the deep RMF mechanics required to actually shepherd a system through assessment, authorization, and ongoing monitoring. Many GRC analysts and ISSOs hold both.
- Privacy is now first-class. The Rev. 5 update to NIST SP 800-53 promoted privacy controls alongside security controls, and CGRC tests both — useful for roles that intersect with GDPR, HIPAA, and state privacy laws as well.
What you'll learn for the CGRC exam
CGRC is process-driven. The exam tests whether you can walk a system through the NIST Risk Management Framework — categorize it correctly, pick the right control baseline, implement and document controls, get them assessed, secure an Authorization to Operate, and keep the authorization current via continuous monitoring. Most questions present an RMF-step scenario and ask which action, artifact, or role is correct for that point in the lifecycle.
Knowledge areas you'll be tested on
- Risk Management Program: establishing program scope, roles and responsibilities (AO, SO, ISSO, ISSM, AODR), risk tolerance, integration with enterprise risk.
- System scoping: defining authorization boundaries, identifying common controls, documenting interconnections, characterizing the information system.
- Categorization and selection: FIPS 199 impact analysis, FIPS 200 minimum requirements, NIST SP 800-53 baseline selection, tailoring controls, overlays.
- Implementation: documenting controls in the System Security Plan, control inheritance from common-control providers, hybrid controls, compensating controls.
- Assessment: NIST SP 800-53A assessment procedures, security control assessor (SCA) role, evidence collection, Security Assessment Report (SAR).
- Authorization: POA&M development, residual risk analysis, authorization package preparation, the SP 800-37 Rev. 2 authorization decision types (authorization to operate, common control authorization, authorization to use, denial of authorization) and any terms and conditions attached to them, authorization termination.
- Continuous monitoring: ongoing control assessments, configuration change control, vulnerability management, security impact analysis, ConMon strategy.
- Privacy: privacy categorization, PII inventory, privacy impact assessments (PIA), privacy controls in SP 800-53 Rev. 5.
Thinking patterns CGRC tests
- Following the RMF lifecycle in order — recognizing what step a scenario sits in and which artifact or role is responsible.
- Distinguishing among roles — the AO makes the authorization decision and accepts the risk, the SCA assesses, the ISSO handles day-to-day security operations and documentation, and the SO is accountable for the system and its controls. Many questions hinge on "who decides?"
- Reading FIPS 199 and SP 800-53 categorically — Low/Moderate/High has concrete control-family implications.
- Treating compliance as continuous — ATO is not a one-time event but an ongoing posture maintained through ConMon.
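The categorization and baseline-selection steps above (FIPS 199 impact levels, the high-water mark, and the SP 800-53 baseline that follows from it) are the one part of the RMF that reduces to a mechanical rule, and it is worth seeing that rule executed rather than described. The following Python is an added example, not code from this page, ISC2, or NIST. The information types, their provisional impact levels, and the `adjustments` mapping (with its required rationale) are constructed for illustration; FIPS 199 itself defines only the SC notation and the high-water-mark aggregation.

```python
"""FIPS 199 high-water-mark categorization and SP 800-53 baseline selection.

Added example, not part of the original page or any ISC2/NIST publication.
The information types, impact levels and adjustment rationale below are
constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

# Ordinal scale so the high-water mark is a simple max() over ranks.
LEVELS = {"LOW": 1, "MODERATE": 2, "HIGH": 3}
NAMES = {rank: name for name, rank in LEVELS.items()}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    """One information type with a provisional impact level per objective."""
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def level(self, objective: str) -> str:
        value = getattr(self, objective).upper()
        if value not in LEVELS:
            raise ValueError(f"{self.name}: invalid impact level {value!r}")
        return value


def high_water_mark(levels: Iterable[str]) -> str:
    """Return the highest impact level present (the FIPS 199 high-water mark)."""
    ranks = [LEVELS[level.upper()] for level in levels]
    if not ranks:
        raise ValueError("cannot categorize a system with no information types")
    return NAMES[max(ranks)]


def categorize_system(
    info_types: Iterable[InfoType],
    adjustments: Optional[Dict[str, Tuple[str, str]]] = None,
) -> Dict[str, str]:
    """Aggregate each objective across all information types.

    `adjustments` is a hypothetical structure, not NIST notation: it maps an
    objective to (level, rationale) and models the documented adjustment of a
    provisional level. An adjustment with no rationale is rejected because
    the justification has to appear in the categorization record.
    """
    types = list(info_types)
    categorization: Dict[str, str] = {}
    for objective in OBJECTIVES:
        level = high_water_mark(t.level(objective) for t in types)
        if adjustments and objective in adjustments:
            new_level, rationale = adjustments[objective]
            if not rationale:
                raise ValueError(f"adjustment to {objective} requires a rationale")
            level = new_level.upper()
            if level not in LEVELS:
                raise ValueError(f"invalid adjusted level {new_level!r}")
        categorization[objective] = level
    return categorization


def overall_impact(categorization: Dict[str, str]) -> str:
    """System-level impact: high-water mark across the three objectives."""
    return high_water_mark(categorization.values())


def baseline(categorization: Dict[str, str]) -> str:
    """The SP 800-53 baseline selected from the overall impact, before tailoring."""
    return f"SP 800-53 {overall_impact(categorization)} baseline"


def sc_notation(system_name: str, categorization: Dict[str, str]) -> str:
    """Render the FIPS 199 security categorization statement."""
    inner = ", ".join(f"({o}, {categorization[o]})" for o in OBJECTIVES)
    return f"SC {system_name} = {{{inner}}}"


# Constructed sample: two information types processed by one system.
SAMPLE_TYPES = [
    InfoType("Public web content", "low", "moderate", "low"),
    InfoType("Contract records", "moderate", "moderate", "low"),
]

if __name__ == "__main__":
    sc = categorize_system(SAMPLE_TYPES)
    print(sc_notation("ProcurementPortal", sc), "->", baseline(sc))
    # A single justified adjustment drags the whole system to the HIGH baseline.
    sc_adj = categorize_system(
        SAMPLE_TYPES, {"availability": ("high", "24x7 mission support required")}
    )
    print(sc_notation("ProcurementPortal", sc_adj), "->", baseline(sc_adj))
```

The second run in the block is the exam point: one objective adjusted to High makes the overall categorization High, so the High baseline is the starting point even though every other value is Low or Moderate. Tailoring and overlays are applied to that baseline afterwards; they never lower the categorization itself.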
How the practice exams help
Each free question and every premium exam mirrors the RMF-step scenario style ISC2 uses on the live test. Detailed explanations cover not just why the right answer is right but which RMF step, NIST publication, and role the question is testing — so you build the framework mental model the exam rewards. Every attempt randomizes question and answer order so you learn the reasoning, not the position.
How to prepare for the CGRC exam
CGRC preparation is unusually framework-anchored: most of the test maps directly to specific NIST publications. A successful plan combines structured study of the official ISC2 CGRC materials with primary-source reading of the NIST RMF documents and extensive scenario practice. Recommended approach:
- Read the NIST primary sources (3–4 weeks). Start with NIST SP 800-37 Rev. 2 (the RMF itself), then NIST SP 800-53 Rev. 5 (control catalog) and NIST SP 800-53A Rev. 5 (assessment procedures). These are the spine of the exam — no third-party guide replaces the primary text.
- Work through the Official ISC2 CGRC Study Guide (3–4 weeks). The official guide structures the seven domains into digestible chapters and provides domain-aligned practice questions. Pair each chapter with the relevant NIST publication section.
- Take timed practice exams (2–3 weeks). Build stamina for 3 hours of linear testing across 125 questions. Track which domains pull your score down and revisit those chapters. Aim for consistent 80%+ on quality practice tests before scheduling.
- Review high-yield topics in the final week. FIPS 199 categorization tables, SP 800-53 control family acronyms (AC, AU, CM, CP, IA, IR, etc.), the seven RMF steps in order (including Prepare) with their inputs and outputs, and the role distinctions (AO, SO, ISSO, ISSM, SCA, AODR) are heavily tested and easy to refresh.
Recommended timeline
8–12 weeks of focused study (10–15 hours per week) is typical for working GRC professionals or federal IT staff. Candidates new to NIST RMF should plan 12–16 weeks to absorb the primary publications.
Official resources
Download the official CGRC exam outline and review the ISC2 Insights blog for current domain coverage. ISC2 also offers Official Online Self-Paced and Instructor-Led Training that maps directly to the live exam blueprint, and a free RMF reference card is available from the NIST Risk Management Project page.