
ISC2 CGRC Sample Questions with Explanations

ISC2 CGRC sample questions with explanations, traps, topic labels, and IT Mastery route links.

These original sample questions are designed to help you check how the exam topics appear in decision-style prompts. They are not taken from the live exam.

Use these sample questions as a guided self-assessment for Governance, Risk and Compliance Certification (CGRC) topics such as risk framing, control selection, assessment evidence, authorization, continuous monitoring, privacy, third-party risk, and compliance reporting.

Where these questions fit in the CGRC guide

The sample set below is part of the ISC2 CGRC guide path:

CGRC governance and assurance sample questions

Work through each prompt before opening the explanation. CGRC answers should connect policy, risk, controls, evidence, authorization, monitoring, and accountability.


Question 1

Topic: Control evidence before authorization

A system owner wants authorization to operate a new platform. Several required controls are documented as planned but not implemented, and no assessment evidence exists yet. What should the GRC practitioner recommend?

  • A. Approve authorization immediately because planned controls are listed.
  • B. Delete the planned controls from the package so fewer findings appear.
  • C. Proceed to production and collect evidence after the next audit cycle.
  • D. Complete implementation or risk treatment, assess controls, document evidence, and present residual risk to the authorizing official.

Best answer: D

Explanation: Authorization should be based on implemented controls, assessment evidence, known weaknesses, and the residual risk the authorizing official is asked to accept. Planned but unimplemented controls belong in a tracked plan of action (with owners and milestones) that the authorizing official sees, not in the evidence column; intent to implement is not assurance.

Why the other choices are weaker:

  • A treats intention as assurance.
  • B hides risk instead of managing it.
  • C bypasses authorization discipline and delays risk visibility.

What this tests: Control assessment, authorization packages, evidence, residual risk, and accountability.

Related topics: Authorization; Evidence; Control assessment; Residual risk


Question 2

Topic: Aligning controls to risk appetite

An organization has a low risk appetite for customer-data exposure. A project proposes storing raw customer identifiers in a broadly accessible analytics workspace. What should happen first?

  • A. Approve the design because analytics teams work faster with raw data.
  • B. Assess the risk against policy and appetite, then select controls such as minimization, masking, access restrictions, and monitoring.
  • C. Remove all governance review so the project can meet its deadline.
  • D. Tell users not to misuse the data but leave access unchanged.

Best answer: B

Explanation: CGRC scenarios reward explicit connection between risk appetite, data sensitivity, controls, and monitoring. Broad raw-data access conflicts with a low appetite for exposure unless risk is reduced or formally accepted.

Why the other choices are weaker:

  • A prioritizes convenience over stated risk appetite.
  • C eliminates governance rather than improving it.
  • D relies on guidance without enforceable controls.

What this tests: Risk appetite, data protection, privacy controls, access governance, and monitoring.

Related topics: Risk appetite; Data minimization; Privacy; Access control
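The minimization and masking controls named in option B, as an added example in Python (not part of the original page or any ISC2 material). It assumes a hypothetical pseudonymization key held outside the analytics workspace and uses constructed sample records. It shows three things a practitioner would want to verify before approving the design: only the fields the analytics need leave the source system, the customer identifier is replaced by a keyed token that still supports joins, and a scan of the outbound records finds no raw identifier. It also shows why an unkeyed hash is not masking: anyone with a list of plausible identifiers can recompute and match it.

```python
import hashlib
import hmac
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample records (not real customers), as they would arrive from the source system.
RAW_RECORDS = [
    {"customer_id": "C-1001", "email": "alice@example.com", "phone": "+1-555-0100", "plan": "gold", "spend": 412.50},
    {"customer_id": "C-1002", "email": "bob@example.com", "phone": "+1-555-0101", "plan": "basic", "spend": 19.99},
    {"customer_id": "C-1001", "email": "alice@example.com", "phone": "+1-555-0100", "plan": "gold", "spend": 88.00},
]

# Minimization: the only fields the analytics use case needs. Everything else is dropped.
ANALYTICS_FIELDS = ("plan", "spend")

# Hypothetical key. In a real deployment it lives in a KMS/HSM outside the workspace, so
# holders of the tokens cannot recompute or reverse them.
PSEUDONYM_KEY = b"hypothetical-key-kept-outside-workspace"


def pseudonym(value: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Deterministic keyed token (HMAC-SHA256): equal inputs give equal tokens, so
    joins and counts still work, but without the key a list of likely inputs
    cannot be hashed and matched against the token."""
    return hmac.new(key, value.strip().lower().encode(), hashlib.sha256).hexdigest()[:32]


def minimize_record(record: Dict) -> Dict:
    """Replace the identifier with a token and keep only the approved fields."""
    out = {"customer_token": pseudonym(record["customer_id"])}
    for field in ANALYTICS_FIELDS:
        out[field] = record[field]
    return out


def prepare_for_analytics(records: List[Dict]) -> List[Dict]:
    return [minimize_record(r) for r in records]


# Patterns for the raw identifiers this constructed data set contains.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
CUSTOMER_ID_RE = re.compile(r"\bC-\d{4}\b")
PHONE_RE = re.compile(r"\+\d[\d-]{7,}")


def leaked_identifiers(records: List[Dict]) -> List[Tuple[str, str]]:
    """Control check run on the outbound data: any value that still looks like a
    raw identifier is a finding, regardless of which column it sits in."""
    leaks = []
    for record in records:
        for key, value in record.items():
            text = str(value)
            if EMAIL_RE.search(text) or CUSTOMER_ID_RE.search(text) or PHONE_RE.search(text):
                leaks.append((key, text))
    return leaks


def recover_from_unkeyed_hash(victim_id: str, candidate_ids: List[str]) -> Optional[str]:
    """Why plain SHA-256 is not masking: the workspace would hold sha256(id), and an
    attacker with a candidate list simply hashes each candidate and compares."""
    published = hashlib.sha256(victim_id.encode()).hexdigest()
    for candidate in candidate_ids:
        if hashlib.sha256(candidate.encode()).hexdigest() == published:
            return candidate
    return None


if __name__ == "__main__":
    print("raw leaks:", leaked_identifiers(RAW_RECORDS))
    prepared = prepare_for_analytics(RAW_RECORDS)
    print("prepared:", prepared)
    print("leaks after minimization:", leaked_identifiers(prepared))
    print("unkeyed hash recovered:", recover_from_unkeyed_hash("C-1001", ["C-1000", "C-1001"]))
```

The `leaked_identifiers` scan is the evidence a GRC practitioner can attach to the risk decision: it shows the control works on the actual data flow rather than on a design diagram. The key-outside-the-workspace assumption is what turns the token into a control; if the key is readable from the workspace, the tokens are reversible and the design is back to raw identifiers with extra steps.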


Question 3

Topic: Monitoring a third-party control

A vendor hosts a critical service and provides annual assurance reports. The contract also includes uptime, breach-notification, and data-handling obligations. What is the strongest ongoing GRC activity?

  • A. Approve the vendor once and remove them from the risk register.
  • B. Track assurance reports, SLA performance, incidents, remediation status, and contract obligations as part of continuous monitoring.
  • C. Rely only on the vendor’s marketing materials.
  • D. Share all internal audit findings publicly so the vendor can decide what matters.

Best answer: B

Explanation: Third-party risk is not a one-time approval. Continuous monitoring ties assurance evidence, performance, incidents, remediation, and contractual responsibilities to ongoing risk decisions.

Why the other choices are weaker:

  • A ignores ongoing dependency risk.
  • C substitutes claims for assurance evidence.
  • D exposes internal information without a governed purpose.

What this tests: Third-party risk, continuous monitoring, assurance evidence, SLAs, and vendor governance.

Related topics: Third-party risk; Continuous monitoring; SLAs; Assurance


Question 4

Topic: Writing a corrective action plan

An assessment finds that privileged-account reviews are not performed on schedule. Management agrees the weakness must be fixed. What should a useful corrective action plan include?

  • A. A clear remediation action, owner, due date, evidence requirement, status tracking, and risk if the action slips.
  • B. A statement that the issue is probably low risk without analysis.
  • C. A request to stop performing assessments.
  • D. A note that privileged accounts are technical and outside governance scope.

Best answer: A

Explanation: Corrective action should be actionable and trackable. Ownership, dates, evidence, status, and risk context turn a finding into a managed remediation item.

Why the other choices are weaker:

  • B lacks evidence and does not define remediation.
  • C avoids assurance instead of fixing the weakness.
  • D ignores that privileged access is a governance and control issue.

What this tests: Remediation planning, POA&M-style tracking, evidence, ownership, and control accountability.

Related topics: Corrective action; Remediation; Privileged access; Evidence

Independent study note

Tech Exam Lexicon and IT Mastery are independent study tools. They are not affiliated with, endorsed by, or sponsored by ISC2 or any certification body.

Revised on Sunday, May 10, 2026