
ISC2 CGRC Cheat Sheet: Risk, Controls, and Governance

ISC2 CGRC cheat sheet for risk, controls, governance, traps, and final review.

Use this cheat sheet for the ISC2 Certified in Governance, Risk and Compliance (CGRC) exam after you know the basics but before you start a timed practice block. The goal is not to memorize a control catalog; the goal is to classify the scenario and reject attractive wrong answers quickly.

CGRC answer sequence

Use this when the stem mixes governance, risk treatment, authorization, assessment, or compliance evidence.

    flowchart TD
      S["Scenario"] --> G["Classify the governance lane"]
      G --> R["Check risk treatment or control objective"]
      R --> A["Check assessment, authorization, or monitoring"]
      A --> V["Verify evidence and ownership"]

First-pass question triage

  1. Name the tested lane before reading the answer choices.
  2. Underline the constraint: security, cost, governance, implementation effort, evidence, or reporting obligation.
  3. Reject answers that solve a neighboring problem but not the stated requirement.
  4. Prefer the smallest correct control, process, or workflow that satisfies the constraint.
  5. Look for proof: logs, assessment results, metrics, policy evidence, implementation status, remediation status, or a named accountable owner.

What to know cold

Each lane below lists the decision rule to apply and the answer pattern to reject.

Governance and risk management
  Decision rule: Align risk appetite, policies, roles, controls, and executive oversight.
  Reject when: The answer jumps to implementation before defining risk and authority.

Authorization and assurance
  Decision rule: Understand control selection, assessment, evidence, remediation, authorization, and continuous monitoring.
  Reject when: The answer treats authorization as a one-time paperwork step.

Compliance and frameworks
  Decision rule: Map laws, standards, control catalogs, audit needs, and reporting expectations.
  Reject when: The answer confuses framework compliance with actual risk reduction.

Privacy and data protection
  Decision rule: Manage data inventory, classification, consent, retention, privacy controls, and impact.
  Reject when: The answer ignores the data lifecycle and data subject rights.

Third-party and program management
  Decision rule: Assess vendors, contracts, SLAs, shared controls, reporting, and ongoing monitoring.
  Reject when: The answer approves a supplier once and never monitors performance.

Common traps and better instincts

Trap: Control list without risk
  Better instinct: Tie every control to a risk, an objective, an owner, and evidence.

Trap: No continuous monitoring
  Better instinct: GRC programs must keep evidence current as systems and threats change.

Trap: Audit as security
  Better instinct: Audit validates evidence; it does not by itself reduce risk.

Trap: Vendor trust without proof
  Better instinct: Use contracts, attestations, assessments, and ongoing monitoring.

Final 15-minute review

If the stem says: least privilege, private access, compliance, or audit
  Start with: identity scope, data boundary, policy enforcement, logging, and ownership

If the stem says: least operational effort
  Start with: managed service, native integration, simple workflow, and fewer moving parts

If the stem says: high availability, recovery, or outage
  Start with: failure domain, recovery objective, health check, rollback, and validation

If the stem says: performance, scale, or cost
  Start with: bottleneck evidence, traffic pattern, sizing, caching, batching, and quotas

If the stem says: troubleshoot, diagnose, or investigate
  Start with: symptom, recent change, logs, metrics, status, dependency, and smallest safe test

Practice fit

Use IT Mastery for the exact CGRC practice route, your practice status, spaced review where it is available, and close-answer explanation practice as coverage expands.

Open the exact IT Mastery route here: CGRC on MasteryExamPrep.

Decision order

CGRC answers should connect policy, risk, controls, evidence, authorization, monitoring, and accountability.

Revised on Sunday, May 10, 2026