Career Employer

Your FREE Certified in Governance, Risk and Compliance (CGRC) Practice Test 2026 – 270+ Q&A

Realistic ISC2 Governance, Risk and Compliance practice questions across all seven NIST RMF-based domains, with instant scoring and answer explanations.

Master questions to boost your score

How ready are you?

To find us again, just search “Career Employer CGRC

By

Click Start Test above to launch a full-length CGRC practice test weighted like the real ISC2 exam, or drill a single domain — from the Information Security Risk Management Program through Continuous Monitoring. Every question includes a clear explanation so you learn the reasoning, not just the answer.

The ISC2 CGRC (Certified in Governance, Risk and Compliance, formerly CAP) is awarded by ISC2 and validates a professional’s ability to authorize and maintain information systems using the NIST Risk Management Framework (RMF).

[1][2] These free practice questions mirror ISC2’s published CGRC exam outline and the seven RMF-based domains it covers.

To round out your prep, pair these with our free study guide, flashcards.

CGRC is one of the 9 ISC2 certifications — explore all our ISC2 practice tests to compare and prep across the whole family.

CGRC Exam at a Glance

CGRC Exam at a glance
DetailCGRC Exam
Certifying BodyISC2
Former NameCertified Authorization Professional (CAP)
Framework BasisNIST Risk Management Framework (RMF)
Total Questions~125 multiple-choice
Time LimitUp to 4 hours
FormatProctored, computer-based via Pearson VUE
Passing Score700 out of 1000 (scaled)
Domains7
Eligibility2 years of cumulative paid experience in 1+ CGRC domains
Recertification60 CPE credits per 3-year cycle plus annual maintenance fee

What Is on the CGRC Exam?

The CGRC exam covers seven domains built around the NIST RMF lifecycle: Information Security Risk Management Program, Scope of the System, Selection and Approval of Controls, Implementation of Controls, Assessment/Audit of Controls, Authorization/Approval of System, and Continuous Monitoring.[2]

Continuous Monitoring is the largest domain, with the Information Security Risk Management Program close behind. Our full practice test is weighted to match the exam outline:

CGRC exam weighting by domain (ISC2 exam outline)
Information Security Risk Management Program16% · ≈20 Qs
Scope of the System14% · ≈17 Qs
Selection and Approval of Security and Privacy Controls14% · ≈17 Qs
Implementation of Security and Privacy Controls13% · ≈16 Qs
Assessment/Audit of Security and Privacy Controls14% · ≈17 Qs
Authorization/Approval of System14% · ≈17 Qs
Continuous Monitoring16% · ≈20 Qs
CGRC practice test — ISC2 Governance, Risk and Compliance practice questions by domain with explanations

Practice Questions by Domain

Use Start Test for a full weighted CGRC simulation, or open the hub and pick a single domain to drill your weak spot. After each full exam, your results show a per-domain breakdown so you know exactly where to focus — most candidates need the most reps in the assessment, authorization, and continuous monitoring steps of the RMF.

What Are the Requirements for the CGRC?

To earn the CGRC, you need at least two years of cumulative, paid work experience in one or more of the seven CGRC domains.

[3] If you pass the exam before meeting the experience requirement, you become an Associate of ISC2 and have up to three years to earn the required experience.

You must also agree to the ISC2 Code of Ethics and be endorsed by an existing ISC2 certified professional before the credential is awarded.

How Do You Register for the CGRC Exam?

You register for the CGRC directly through ISC2 and its testing partner, Pearson VUE. The U.S. registration fee is around $599, with pricing set in local currency by region.

[4] After registering, you receive authorization to schedule the proctored, computer-based exam at a Pearson VUE testing center near you.[5]

Review ISC2’s current registration page for exact fees and rescheduling rules, as pricing can change by region and over time.

What Is the Passing Score for the CGRC?

The passing score for the CGRC is a scaled score of 700 out of 1000.[1] The exam is scored on your overall performance across all seven domains, not on a per-domain basis.

Raw scores are converted to a scaled score, which keeps the passing standard consistent as item difficulty varies between forms — so 700 does not correspond to a fixed percentage correct.

Your score report indicates whether you passed and, if not, provides domain-level feedback to focus study before a retake.

How Hard Is the CGRC?

ISC2 does not publish a single official first-time pass rate for the CGRC exam.

The exam is moderately challenging mainly because of its breadth — it tracks the full NIST RMF lifecycle from categorizing systems through continuous monitoring.

Difficulty comes from applying governance, risk, and compliance concepts to scenario-based questions rather than recalling isolated facts. Many items ask for the most appropriate next step in the authorization process.

~125
Exam questions
multiple-choice
700
Passing scaled score
out of 1000
7
Domains
NIST RMF-based

The takeaway: candidates with hands-on RMF or authorization experience know parts of the material well but must deliberately study the domains outside their day-to-day work — especially control selection, assessment, and continuous monitoring.

What to Expect on Exam Day

The CGRC is a proctored, computer-based exam delivered at a Pearson VUE testing center.[5] Arrive at least 30 minutes early to check in and bring two valid, unexpired government-issued IDs whose names match your ISC2 registration. You’ll store phones and personal items in a locker; no notes are allowed.

After a short tutorial, you have up to 4 hours to answer about 125 multiple-choice questions. Because items are scenario-based and span all seven domains, pace yourself and don’t over-invest in any one question — flag and return as needed.

ISC2 provides a score report indicating whether you passed. Having simulated the full timing with practice tests makes that clock feel routine.

How to Use This CGRC Practice Test

  • Recreate exam conditions. Take the full test timed, with no notes.
  • Diagnose, then drill. Use a full CGRC simulation to find weak domains, then drill them.
  • Study outside your specialty. The RMF steps you don’t use daily are the score-movers.
  • Think in process steps. Many items ask for the most appropriate next step in the RMF.
  • Learn the why. Read every explanation — understanding beats memorizing.

Why Get CGRC Certified?

The CGRC signals to employers that you can authorize and maintain information systems within governance, risk, and compliance frameworks — valuable in government, defense, healthcare, and any regulated industry that relies on the NIST RMF.[1][3] These free CGRC practice tests are the most efficient way to get exam-ready.

Conclusion

Passing the CGRC comes down to mastering the full NIST RMF lifecycle across all seven domains rather than leaning on a single specialty. Use this free CGRC practice test to find your weak domains, drill them to mastery, and reinforce them with our study guide, flashcards so you walk in confident on test day.

CGRC Practice Test FAQ

The Certified in Governance, Risk and Compliance (CGRC), formerly the Certified Authorization Professional (CAP), is awarded by ISC2. It validates a professional's ability to authorize and maintain information systems using risk management frameworks such as the NIST Risk Management Framework (RMF), and it is delivered as a proctored, computer-based test through Pearson VUE.

References

  1. 1.ISC2. “CGRC Certification.” ISC2.org, 2026.
  2. 2.ISC2. “CGRC Certification Exam Outline.” ISC2.org.
  3. 3.ISC2. “CGRC Experience Requirements.” ISC2.org.
  4. 4.ISC2. “Exam Pricing and Registration.” ISC2.org.
  5. 5.Pearson VUE. “ISC2 Testing (scheduling).” PearsonVUE.com.
  6. 6.ISC2. “Continuing Professional Education (CPE) Requirements.” ISC2.org.
Career Employer

Career Employer is the ultimate resource to help you get started working the job of your dreams. We cover topics from general career information, career searching, exam preparation with free study materials, career interviewing, and becoming successful in your career of choice.

Follow Us:

All Posts

Career Employer’s Editorial Process

Here at Career Employer, we focus a lot on providing factually accurate information that is always up to date. We strive to provide correct information using strict editorial processes, article editing, and fact-checking for all of the information found on our website. We only utilize trustworthy and relevant resources. To find out more, make sure to read our full editorial process page here.