ISC2 CGRC glossary of risk, controls, and governance terms, traps, and decision cues.
Use this glossary when Governance, Risk and Compliance Certification (CGRC) terms start to blur together. The goal is practical recognition, not encyclopedia coverage.
| Term | Exam meaning |
|---|---|
| Control | Safeguard or countermeasure selected to reduce risk. |
| Risk appetite | Amount and type of risk leadership is willing to accept. |
| Authorization | Formal decision to operate a system based on risk and evidence. |
| Continuous monitoring | Ongoing assessment of controls, risk, and system change. |
| Control assessment | Testing or review of whether controls are implemented and effective. |
| Third-party risk | Risk created by vendors, suppliers, contractors, or service providers. |
| Pair | How to separate them |
|---|---|
| Governance and risk management vs Authorization and assurance | Ask which layer the scenario is testing, then match the answer to that layer only. |
| Control vs evidence | A control changes behavior; evidence proves behavior or supports investigation. |
| Managed service vs custom build | Managed services win for lower operational effort unless the requirement needs unsupported customization. |
| Prevention vs detection | Prevention blocks or reduces a bad event; detection finds or reports that it happened. |
Do not memorize terms in isolation. For each term, write one scenario where it is the best answer, one scenario where it is a distractor, and one signal that proves it worked.