ISC2 Certification

CGRC Practice Test

Prepare for the Certified in Governance, Risk and Compliance exam with free practice tests modeled after the real CGRC format. Each test has 20 questions with a proportional timer matching the actual exam pace of approximately 1.4 minutes per question.

12 Practice Tests
240 Total Questions
7 Domains Covered
100% Free Forever

Mixed Set — CGRC Practice Tests

Questions distributed across all 7 domains according to the official ISC2 exam blueprint effective June 2024. Higher-weighted domains like Implementation of Security and Privacy Controls appear more frequently — just like the real exam.

Domain Wise — CGRC Mock Tests

Target individual CGRC domains with focused practice. Each mock test covers 20 questions from a single domain to help you master the Risk Management Framework lifecycle and governance principles tested across all seven areas of the CBK.

D1
Security and Privacy Governance, Risk Management, and Compliance Program
GRC program principles, policy hierarchy, risk appetite and tolerance, governance frameworks, regulatory compliance requirements, and organizational oversight structures
16% Exam Weight Start Test →
D2
Scope of the System
System boundaries, information types, FIPS 199 categorization, confidentiality/integrity/availability impact levels, system architecture, and initial System Security Plan development
10% Exam Weight Start Test →
D3
Selection and Approval of Framework, Security, and Privacy Controls
NIST SP 800-53 control selection, FIPS 200 baselines, control tailoring and overlays, risk-based control decisions, and approval documentation
14% Exam Weight Start Test →
D4
Implementation of Security and Privacy Controls
Control implementation across 20 NIST SP 800-53 families, compensating controls, system boundaries, implementation documentation, and evidence collection strategies
17% Exam Weight Start Test →
D5
Assessment/Audit of Security and Privacy Controls
NIST SP 800-53A assessment methods, SP 800-115 testing techniques, Security Assessment Reports (SAR), assessment planning, and auditor independence requirements
16% Exam Weight Start Test →
D6
System Compliance
Authorization packages, Plans of Action and Milestones (POA&M), Authorization to Operate (ATO) decisions, residual risk acceptance, and authorizing official responsibilities
14% Exam Weight Start Test →
D7
Compliance Maintenance
Continuous monitoring strategy, ongoing authorization, configuration and change management, incident response integration, and system lifecycle compliance through decommissioning
13% Exam Weight Start Test →
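Domain 2's FIPS 199 categorization is one of the few places in the CBK where the exam expects you to compute something rather than recall a role or a document. The Python below is an added illustration written for this page; it is not one of the practice tests above and not ISC2 or NIST material. It applies the FIPS 199 high-water-mark rule: each information type carries a confidentiality, integrity and availability impact level, the system's value for each objective is the highest level among its information types, and the overall impact level that selects the SP 800-53 baseline (FIPS 200) is the highest of the three. It also handles the one edge case FIPS 199 spells out: "not applicable" is allowed only for the confidentiality of an information type (public data) and never at system level, where LOW is the floor. The class and function names (InfoType, categorize_system, overall_impact) and the sample information types (PORTAL, PUBLIC_ONLY) are assumptions constructed for the example, not values from NIST SP 800-60.

```python
"""FIPS 199 / FIPS 200 security categorization using the high-water-mark rule.

Added example for this page; not ISC2 material and not the page's own test
content. Information types and their impact levels below are constructed for
illustration, not copied from NIST SP 800-60.
"""
from dataclasses import dataclass

# Ordinal ranking of FIPS 199 impact values. "NA" (not applicable) is permitted
# only for the confidentiality objective of an information type.
RANK = {"NA": 0, "LOW": 1, "MODERATE": 2, "HIGH": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    """One information type with its provisional (C, I, A) impact levels."""
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def level(self, objective: str) -> str:
        value = getattr(self, objective).upper()
        if value not in RANK:
            raise ValueError(f"{self.name}: unknown impact value {value!r}")
        if value == "NA" and objective != "confidentiality":
            # FIPS 199 allows "not applicable" for confidentiality only.
            raise ValueError(f"{self.name}: NA is not allowed for {objective}")
        return value


def categorize_system(info_types):
    """Return the FIPS 199 security category of a system, one value per objective.

    For each objective the system value is the highest value assigned to any
    information type the system processes, stores or transmits (the high-water
    mark). A system can never be NA: FIPS 199 requires at least LOW for every
    objective, so a system holding only public data is still LOW for
    confidentiality.
    """
    if not info_types:
        raise ValueError("a system must process at least one information type")
    category = {}
    for objective in OBJECTIVES:
        highest = max((t.level(objective) for t in info_types), key=RANK.__getitem__)
        category[objective] = "LOW" if highest == "NA" else highest
    return category


def overall_impact(category):
    """FIPS 200 overall impact level: the high-water mark across the three
    objectives. This is what picks the SP 800-53 low/moderate/high baseline
    in the RMF Select step."""
    return max(category.values(), key=RANK.__getitem__)


def format_sc(category):
    """Render the category in the notation FIPS 199 uses in its own examples."""
    return "SC = {(confidentiality, %s), (integrity, %s), (availability, %s)}" % (
        category["confidentiality"].lower(),
        category["integrity"].lower(),
        category["availability"].lower(),
    )


# Constructed sample: a public-facing agency web portal with mixed data.
PORTAL = [
    InfoType("Public press releases", "NA", "MODERATE", "LOW"),
    InfoType("Citizen contact details", "MODERATE", "MODERATE", "LOW"),
    InfoType("Routine admin data", "LOW", "LOW", "LOW"),
]

# Constructed sample: only public information, to show the LOW floor for NA.
PUBLIC_ONLY = [InfoType("Published statistics", "NA", "LOW", "LOW")]

if __name__ == "__main__":
    for name, system in (("portal", PORTAL), ("public-only", PUBLIC_ONLY)):
        sc = categorize_system(system)
        print(name, format_sc(sc), "-> overall", overall_impact(sc))
```

The portal comes out as SC = {(confidentiality, moderate), (integrity, moderate), (availability, low)} with an overall impact of moderate, which is the answer pattern the exam expects: the moderate baseline is driven by the citizen data, not by the press releases, and the low availability rating is not pulled up by anything. The public-only system shows the floor: NA for confidentiality at the information-type level becomes LOW at the system level.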

About the CGRC Certification Exam

Everything you need to know about the CGRC exam format, eligibility requirements, and what makes this credential the leading choice for governance, risk, and compliance professionals worldwide.

What Is the CGRC?

The Certified in Governance, Risk and Compliance (CGRC) is an advanced cybersecurity certification offered by ISC2. Formerly known as the Certified Authorization Professional (CAP), it was rebranded in February 2023 to reflect its expanded global scope beyond U.S. federal RMF-focused roles. The CGRC validates a professional's ability to integrate governance, risk management, and regulatory compliance within an organization — aligning IT security objectives with broader business goals and enabling stakeholders to make informed decisions about data security and privacy risks.

The CGRC is recognized under U.S. DoDM 8140.03, making it a sought-after credential for federal government and Department of Defense professionals. It is also valued across commercial sectors, regulated industries, and international organizations. CGRC-certified professionals typically hold roles such as Information System Security Officer (ISSO), Information System Security Manager (ISSM), Authorizing Official Designated Representative (AODR), Compliance Manager, Risk Analyst, and GRC Analyst, with salaries commonly ranging from $95,000 to $150,000+ in the United States.

Exam Format (2026)

Testing method: Computer-based testing at authorized Pearson VUE testing centers worldwide or via remote proctoring.

Questions: 125 multiple-choice questions.

Duration: 3 hours (approximately 1.4 minutes per question).

Question types: Scenario-based multiple-choice; select the single best answer from four options.

Passing score: 700 on a scaled score of 1,000 points.

Exam fee: $599 USD via Pearson VUE (ISC2 member discounts may apply).

Eligibility Requirements

Experience: Minimum of 2 years of cumulative paid work experience in one or more of the seven CGRC CBK domains.

Associate path: Candidates without the required experience may pass the exam first and earn the Associate of ISC2 designation, then accumulate the 2 years of experience within 3 years.

Endorsement: A current ISC2-certified professional must endorse your application within 9 months of passing the exam.

Ethics: All candidates must subscribe to the ISC2 Code of Professional Ethics.

Renewal: Earn 60 CPE credits over each 3-year certification cycle (a pace of about 20 per year) and pay the annual maintenance fee.

CGRC Domain Weights — June 2024 Exam Outline

The CGRC exam is built around seven domains aligned to the Risk Management Framework lifecycle. Domain weights below reflect the updated ISC2 exam outline effective June 15, 2024.

Domain     Topic                                                                       Weight
Domain 1   Security and Privacy Governance, Risk Management, and Compliance Program    16%
Domain 2   Scope of the System                                                         10%
Domain 3   Selection and Approval of Framework, Security, and Privacy Controls         14%
Domain 4   Implementation of Security and Privacy Controls                             17%
Domain 5   Assessment/Audit of Security and Privacy Controls                           16%
Domain 6   System Compliance                                                           14%
Domain 7   Compliance Maintenance                                                      13%

How Our Practice Tests Are Designed

RMF-aligned question style — Every question is written to reflect the scenario-based format ISC2 uses on the real CGRC exam. You encounter situations drawn from the full Risk Management Framework lifecycle — from initial program setup through system categorization, control selection, implementation, assessment, authorization, and ongoing compliance maintenance.

Blueprint-aligned mixed sets — Mixed practice tests distribute questions proportionally across all 7 domains per the official ISC2 exam outline effective June 2024. Domain 4 (Implementation) at 17% and Domains 1 and 5 at 16% each appear most frequently, reflecting their higher weight on the real exam.

Proportional timer — The real CGRC exam allows 3 hours for 125 questions, approximately 1.4 minutes per question. Each 20-question practice test is timed at about 29 minutes to match this pace and build the time discipline you need before exam day.

Domain-specific deep dives — Use domain-wise tests to concentrate on areas where your preparation needs the most work. This is especially effective for mastering the high-weight domains — Implementation (17%), Governance/Risk/Compliance Program (16%), and Assessment/Audit (16%) — that together account for nearly half the exam.

CGRC Exam Preparation Tips

Study Strategy

Master the RMF lifecycle end-to-end: The CGRC is fundamentally a test of the NIST Risk Management Framework. Study each RMF step in sequence — Prepare, Categorize, Select, Implement, Assess, Authorize, Monitor — and understand the key publications associated with each step: SP 800-37 for the framework itself, FIPS 199 and FIPS 200 for categorization and baseline selection, SP 800-53 for the control catalog, and SP 800-53A and SP 800-115 for assessment and testing.

Prioritize Domains 1, 4, and 5: These three domains collectively represent 49% of the exam. Allocate significant study time to understanding GRC program principles, control implementation evidence, and assessment methodologies before moving into the lower-weight domains.

Learn the roles and artifacts: CGRC questions frequently test your knowledge of who does what and which documents are produced at each RMF step — SSPs, SARs, POA&Ms, and ATOs. Knowing these artifacts and the roles responsible for them (ISSO, ISSM, AO, AODR) is critical.

Test-Taking Strategy

Flag and revisit: The CGRC exam format allows you to flag uncertain questions and return to them before submitting. Commit to your best answer, flag items where you are unsure, and revisit them after completing the remaining questions with fresh perspective.

Pace yourself to 1.4 minutes per question: With 125 questions over 3 hours, you have roughly 86 seconds per item on average. Use our 29-minute timed practice sessions to internalize this rhythm so you are not caught off guard by the clock on exam day.

Think in terms of "best practice," not just "correct": CGRC scenarios often present multiple plausible answers. Choose the response that best aligns with RMF step sequence, proper roles and responsibilities, and documented NIST guidance — not simply the technically accurate one.

Frequently Asked Questions

How many questions are on the real CGRC exam?
The CGRC exam consists of 125 multiple-choice questions. All questions are scenario-based, requiring you to select the single best answer from four options. The exam is fixed-form — every candidate receives the same number of questions regardless of performance. You have 3 hours to complete the full exam at a Pearson VUE testing center or via remote proctoring.
What is the passing score for the CGRC exam?
You need a scaled score of 700 out of 1,000 points to pass. ISC2 uses scaled scoring, which means your raw number of correct answers is converted to a scaled value. The 700 threshold does not correspond to answering exactly 70% of questions correctly — it reflects demonstrated competency across the seven CGRC domains as determined by ISC2's psychometric methodology.
How long should I study for the CGRC?
Most candidates with a background in information security or GRC roles prepare in 2 to 3 months at 8 to 12 hours per week. Those new to the Risk Management Framework may benefit from a longer 3 to 4 month study plan. Focusing on NIST publications and scenario-based practice is more effective than memorization alone, as the exam tests application of RMF concepts rather than simple recall.
Are these CGRC practice tests free?
Yes. All CGRC practice tests on Security Practice Test are completely free with no account or sign-up required. Select any mixed set or domain-wise test and begin immediately — there are no paywalls, subscriptions, or hidden fees of any kind.
How are questions distributed across CGRC domains in mixed tests?
Mixed practice tests follow the official ISC2 exam blueprint effective June 2024. Domain 4 (Implementation of Security and Privacy Controls) at 17% appears most frequently, followed by Domains 1 and 5 at 16% each, Domain 3 and 6 at 14% each, Domain 7 at 13%, and Domain 2 at 10%. This distribution mirrors the real exam so your practice reflects actual exam conditions.
Can I retake the CGRC exam if I fail?
Yes. ISC2 allows up to four exam attempts within any rolling 12-month period. After a first failed attempt you must wait 30 days before rescheduling. After a second failed attempt the waiting period is 60 days, and after a third failure you must wait 90 days before your fourth attempt. Each attempt requires full payment of the exam registration fee.
Do I need work experience before taking the CGRC exam?
You can sit for the CGRC exam before meeting the experience requirement. ISC2 awards full CGRC certification only after you verify a minimum of 2 years of cumulative paid work experience in one or more of the seven CGRC CBK domains. If you pass without the experience, you earn the Associate of ISC2 designation and have 3 years to accumulate the required experience before applying for full certification.
What is the relationship between CGRC and the DoD 8140 mandate?
The CGRC is recognized under U.S. Department of Defense Manual (DoDM) 8140.03, the manual that sets qualification requirements for the DoD cyber workforce. It is the only ISC2 certification mapped step by step to the NIST Risk Management Framework, making it a preferred credential for DoD and federal civilian professionals in roles such as ISSO, ISSM, system owner, and authorizing official. It is an accepted qualification option for a number of RMF-related DoD cyber workforce roles; because qualification is set per work role and proficiency level, check the current DoD 8140 qualification matrix for the role you hold before relying on it.

Ready to Test Your CGRC Knowledge?

Start with a mixed set to assess your readiness across all seven domains, then use domain-wise tests to sharpen the specific areas where you need the most practice.

Start CGRC Practice Test 1 →

Authors

  • Security Practice Test Editorial Team

    Security Practice Test Editorial Team is the expert content team at SecurityPracticeTest.com dedicated to producing authoritative cybersecurity certification exam-prep resources. We create comprehensive practice tests, study materials, and exam-focused content for top security certifications including CompTIA Security+, SecurityX, PenTest+, CISSP, CCSP, SSCP, Certified in Cybersecurity (CC), CGRC, CISM, SC-900, SC-200, AZ-500, AWS Certified Security - Specialty, Professional Cloud Security Engineer, OSCP+, GIAC certifications, CREST certifications, Check Point, Cisco, Fortinet, and Palo Alto Networks exams. Our content is developed through careful review of official exam objectives, cybersecurity knowledge domains, and practical job-relevant concepts to help learners build confidence, strengthen understanding, and prepare effectively for certification success.

  • Sudhanshu Thakur - Reviewer

    Enterprise Technology and Digital Transformation Professional with 18+ years of experience in enterprise software, SaaS, industrial automation, and business consulting. Formerly associated with Rockwell Automation, Tech Mahindra, Emerson, ABB, L&T Infotech, and Hewlett Packard Enterprise.