CGRC – Governance, Risk and Compliance Certification Practice Exam

CGRC – Governance, Risk and Compliance Certification Practice Exam

About CGRC – Governance, Risk and Compliance Certification Exam

The Certified in Governance, Risk and Compliance (CGRC) exam is developed for candidates working as information security practitioner. They serve as advocates for security risk management, aiming to secure information system authorization to uphold an organization's mission and operations while adhering to legal and regulatory standards. Candidates develop competency in the given performance areas including -

• Ability to run Information Security Risk Management Program
  
• Good knowledge of the Information System
• Understanding the selection and approval of Security and Privacy Controls
• Ability to implement of Security and Privacy Controls
• Expertise of Assessment/Audit of Security and Privacy Controls
• Knowledge Authorization/Approval of Information System
• Learn about continuous monitoring

Experience Required

The candidates taking the CGRC – Governance, Risk and Compliance Certification exam are required to have at least 2 years cumulative work experience in one or more of the seven domains of the CGRC CBK.

Note - A candidate lacking the necessary experience for CGRC certification can attain Associate status with ISC2 by passing the CGRC exam. Subsequently, Associates have a three-year window to acquire the requisite two years of relevant experience.

Exam Details

• Exam Duration: 3 hours
• Total Questions: 125 Questions
• Type of Questions: Multiple choice
• Passing Score: 700 out of 1000 points
• Exam language: English

Course Outline

The CGRC – Governance, Risk and Compliance Certification exam covers the following topics

Domain 1 - Understanding  Information Security Risk Management Program (16%)

1.1 Explain about the foundation of an organization information security risk management program

• Learn about Principles of information security
• Learn about Risk management frameworks (Including NIST, COBIT, ISO 27001, ISO 31000)
• Learn about System Development Life Cycle (SDLC)
• Learn about Information system boundary requirements
• Learn about security controls and practices
• Learn about roles and responsibilities in the authorization/approval process

1.2 Explain risk management program process

• Learn about select program management controls
• Learn about privacy requirements
• Learn about third-party hosted information systems

1.3  Explain regulatory and legal requirements

• Learn about governmental, organizational and international regulatory security and privacy requirements
• Learn about other applicable security-related mandates

Domain 2 - Understanding the  Scope of the Information System

2.1 Explain to define the information system

• Learn about the scope of the information system
• Learn about the architecture
• Learn about information system purpose and functionality

2.2 Explain categorization of the information system

• Learn about Identifying the information types processed, stored or transmitted by the information system
• Learn about determining the impact level on confidentiality, integrity, and availability for each information type
• Learn about determining information system categorization and document results

Domain 3 - Understanding selection and approval of Security and Privacy Controls

3.1 Explain identifying and documenting baseline and inherited controls

3.2 Explain selecting and tailoring controls to the system

• Learn about determining applicability of recommended baseline and inherited controls
• Learn about determining appropriate use of control enhancements 
• Learn about documenting  control applicability

3.3 Explain developing continuous control monitoring strategy 

3.4 Explain review and approve security plan/Information Security Management System (ISMS)

Domain 4 - Understanding Implementation of Security and Privacy Controls

4.1 Explain implementing selected controls

• Learn about about determining mandatory configuration settings and verifying implementation in accordance with current industry standards
• Learn about the implementation of controls is consistent with the organizational architecture and associated security and privacy architecture
• Learn about coordinating implementation of inherited controls with control providers
• Learn about determining and implementing compensating/alternate security controls

4.2 Explain about documenting control implementation

• Learn about documenting inputs to the planned controls, their expected behavior and expected outputs or deviations
• Learn about verifying the documented details of the controls meet the purpose, scope and risk profile of the information system
• Learn about obtaining and documenting implementation details from appropriate organization entities (e.g., physical security, personnel security, privacy)

Domain 5 - Understanding Assessment/Audit of Security and Privacy Controls

5.1 Explain Prepare for assessment/audit

• Learn about determining assessor/auditor requirements
• Learn about establishing objectives and scope
• Learn about determining methods and level of effort
• Learn about determining necessary resources and logistics
• Learn about collecting and reviewing artifacts
• Learn about finalizing the assessment/audit plan

5.2 Explain to conduct assessment/audit

• Learn about collecting and documenting assessment/audit evidence
• Learn about assessing/auditing implementation
• Learn about validating compliance using approved assessment methods 

5.3 Explain to prepare the initial assessment/audit report

• Learn about analyzing assessment/audit results and identify vulnerabilities
• Learn about proposing remediation actions

5.4 Explain to review initial assessment/audit report and perform remediation actions

• Learn about determining risk responses
• Learn about applying remediations
• Learn about reassessing and validating the remediated controls

5.5 - Explain to Develop final assessment/audit report

5.6 - Explain to Develop remediation plan

• Learn about analyzing identified residual vulnerabilities or deficiencies
• Learn about prioritizing responses based on risk level
• Learn about identifying resources and determining the appropriate timeframe/schedule required to remediate deficiencies

Domain 6 - Understanding  Authorization/Approval of Information System

6.1 - Explain compile security and privacy authorization/approval documents

• Learn about compile required security and privacy documentation for supporting authorization/approval decision by the designated official

6.2 - Explain determining information system risk

• Learn about evaluating information system risk
• Learn about determining risk treatment options (i.e., accept, avoid, transfer, mitigate, share)
• Learn about determining residual risk

6.3 Explain Authorize/approve information system

• Learn about determining terms of authorization/approval

Domain 7 - Understanding Continuous Monitoring

7.1 Explain impact of changes to information system and environment

• Learn about identifying potential threat and impact to operation of information system and environment
• Learn about analyzing risk due to proposed changes accounting for organizational risk tolerance
• Learn about approving and documenting proposed changes
• Learn about implementing proposed changes
• Learn about validating changes have been correctly implemented
• Learn about performing change management tasks are performed

7.2 Explain ongoing assessments/audits based on organizational requirements

• Learn about monitoring network, physical and personnel activities
• Learn about performing vulnerability scanning activities
• Learn about reviewing automated logs and alerts for anomalies 

7.3 Explain review supply chain risk analysis monitoring activities 

7.4  Explain actively participate in response planning and communication of a cyber event

• Ensure response activities are coordinated with internal and external stakeholders\
• Update documentation, strategies and tactics incorporating lessons learned

7.5 Explain monitoring strategies on the basis of changes to industry developments introduced through legal, regulatory, supplier, security and privacy updates

7.6 - Explain about keeping designated officials updated about the risk posture for continuous authorization/approval

• Learn about determining ongoing information system risk
• Learn about updating risk register, risk treatment, and remediation plan

7.7  Explain Decommission information system

• Learn about determining information system decommissioning requirements
• Learn about communicating decommissioning of information system
• Learn about removing information system from operations

What do we offer?

• Full-Length Mock Test with unique questions in each test set
• Practice objective questions with section-wise scores
• In-depth and exhaustive explanation for every question
• Reliable exam reports to evaluate strengths and weaknesses
• Latest Questions with an updated version
• Tips & Tricks to crack the test
• Unlimited access

What are our Practice Exams?

• Practice exams have been designed by professionals and domain experts that simulate real time exam scenario.
• Practice exam questions have been created on the basis of content outlined in the official documentation.
• Each set in the practice exam contains unique questions built with the intent to provide real-time experience to the candidates as well as gain more confidence during exam preparation.
• Practice exams help to self-evaluate against the exam content and work towards building strength to clear the exam.
• You can also create your own practice exam based on your choice and preference